Welcome to a journey of AArch64 kernel exploitation, from the least privileged, to the most secure privilege level on the ARMv8 platform. For this year’s HITCON CTF, I played with my academic team, Kernel Sanders. When scanning through the problems, I quickly latched on to the Super Hexagon challenge once I heard it involved ARM exploitation.
The Embedded Base Boot Requirements (EBBR) specification defines requirements for embedded systems to enable inter-operability between SoCs, hardware platforms, firmware implementations, and operating system distributions. The aim is to establish consistent boot ABIs and behaviour so that supporting new hardware platforms does not require custom engineering work.
Server partners expect to be able to deploy new systems directly from the shipping box, with straightforward integration of the operating systems and applications of their choosing. To achieve this, it is necessary for the Arm server ecosystem to define and comply to a minimal set of standards. This is of particular importance for the server and infrastructure market, as unlike the mobile sector, it is not acceptable to have to modify the operating system for every platform. Standards allow compatibility across different products, while enabling the individual partners to innovate and differentiate within these boundaries.[…]
Linaro Community Projects Division announces the Trusted Firmware open project
San Jose – WEBWIRE – Tuesday, October 16, 2018
The Trusted Firmware project promises to provide an important software foundation to further security development for both Cortex-A and Cortex-M/R processors. Linaro Community Projects Division, the division of Linaro managing open source community projects with open governance, today announced that Trusted Firmware is available as a Linaro Community Projects Division open project. Trusted Firmware provides a reference implementation of Secure World software for Armv7, Armv8-A and Armv8-M architectures. It provides SoC developers and OEMs with a reference trusted code base complying with the relevant Arm specifications. This forms the foundations of a Trusted Execution Environment (TEE) on application processors, or the Secure Processing Environment (SPE) on microcontrollers.[…]
LAVA is a test harness for ARM hardware.
It appears to be changing from a Linaro project to more of a community project.
New web site:
Security: Limiting Exploits
Once an attacker has found a vulnerability to exploit, their next aim is to execute code to gain control of the machine they have accessed. Techniques used include ROP and JOP Attacks (Return- and Jump-Oriented Programming). These techniques find small sections (called gadgets) of vulnerable programs that chain together to run the code the attacker wants. These methods work because the architecture puts no restrictions on where code can branch to, or where branches can have come from. This enables attackers to use small snippets of functions, which do what they want.
In Armv8.3-A, we introduced the Pointer Authentication feature, which can be used to ensure functions return to the location expected by the program.
In Armv8.5-A, we introduce Branch Target Indicators (BTI). Systems supporting BTI can enforce that indirect branches only go to code locations where the instruction is one of a small acceptable list. This reduces the ability of an attacker to execute arbitrary code.
These two features work together to significantly reduce the number of gadgets available to an attacker. The gadgets that remain available are large in size, making it much harder for an attacker to make a viable exploit, even if they find a vulnerability that lets them gain access to a machine.
The third-annual Arm Research Summit – an academic summit to discuss future trends and disruptive technologies across all sectors of computing – will be returning to Cambridge, UK on 17-19 September 2018.
it appears ARM pulled the site. I can’t see this site anymore:
But the Wayback Machine appears to have made a snapshot:
This is a series of notes designed to be a walkthrough on how to configure the HiKey Kirin 620 to boot securely with ARM Trusted Firmware’s Trusted Board Boot. This does not use any proprietary settings or vendor-specific details about the SoC. Instead, the secure boot path relies on the SoC’s BOOT_SEL configured to boot solely from the eMMC. With this configuration there should be no way to interrupt or bypass the root of trust via runtime changes.[…]