Skip to content

anvilsecure/symlink-secure-boot-vm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

board/anvil/symlink-qemu

board/anvil/symlink-qemu

 
 

configs

configs

 
 

patches/lighttpd

patches/lighttpd

 
 

Config.in

Config.in

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

external.desc

external.desc

 
 

external.mk

external.mk

 
 

screenshot.png

screenshot.png

 
 

Repository files navigation

Defeating Secure Boot with Symlink (& Hard Link) Attacks

This project is a virtual machine created to demonstrate the various attacks detailed in Anvil's Defeating Secure Boot with Symlink and Hard Link Attacks white paper.

A typical Linux embedded system with secure boot cryptographically verifies the boot loader, kernel, and root file system. This can have the effect of making the root file system read only. This presents the embedded developer with a problem. Where then can an embedded developer store device-specific data such as configurations and logs between reboots? A common solution is to create an unprotected storage partition for non-volatile data (data that can be retrieved after power cycling) and mount it in a location such as /storage. Ideally, the non-volatile storage partition should be protected with cryptographic integrity checks, but from our experience, this is rarely done.

This virtual machine demonstrates how to attack systems configured with a split file system, a protected root file system, and a non-protected /storage partition.

Running

  1. Download the latest release.

  2. Install QEMU and ensure qemu-system-x86_64 is in your path.

  3. Start the virtual machine

    > cd symlink-secure-boot-vm
> ./start-qemu.sh serial-only

The virtual machine utilizes QEMU's user networking and forwards two ports, 8888 and 2121. The 8888 port runs a web server hosting services demonstrating the issues and can be reached at http://localhost:8888. The 2121 port is forwarded to an FTP service. Due to using QEMU's user networking to access the FTP service you need to use your interface's IP address and FTP active mode. Or modify the script to use Tap networking.

Browse to http://localhost:8888 to get started!

screenshot

Building

We used Buildroot's br2_external feature to construct the virtual machine.

  1. Download Buildroot (we used buildroot-2020.02.3)
  2. Download/clone source.
  3. Build using Buildroot's external
> cd buildroot
> make BR2_EXTERNAL=../symlink-secure-boot-vm anvil_symlink-qemu_defconfig
> make
> ./output/images/start-qemu.sh serial-only

About

All rights reserved. Copyright (C) 2020 by Anvil Ventures Inc. For licensing information see LICENSE. For more information contact Michael Milvich michael.milvich@anvilventures.com

To find updated source code or to contribute patches go to the following URL: https://github.com/anvilventures/symlink-secure-boot-vm

About

VM demonstration various symlink and hard link attacks against secure boot. See the whitepaper at: https://www.anvilventures.com/blog/defeating-secure-boot-with-symlink-attacks.html

www.anvilventures.com/blog/defeating-secure-boot-with-symlink-attacks.html

Topics

security boot hacking secure vms whitepaper symlinks attacks secureboot

Resources

Readme

License

View license
Activity
Custom properties

Stars

14 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases 1

Initial Release - v1.0 Latest
Aug 11, 2020

Packages

No packages published

Languages