Presentation Material
Abstract
Modern mobile bootloaders play an important role in both the function and the security of the device. They help ensure the Chain of Trust (CoT), where each stage of the boot process verifies the integrity and origin of the following stage before executing it. This process, in theory, should be immune even to attackers gaining full control over the operating system, and should prevent persistent compromise of a device’s CoT. However, not only do these bootloaders necessarily need to take untrusted input from an attacker in control of the OS in the process of performing their function, but also many of their verification steps can be disabled (“unlocked”) to allow for development and user customization. Applying traditional analyses on bootloaders is problematic, as hardware dependencies hinder dynamic analysis, and the size, complexity, and opacity of the code involved preclude the usage of many previous techniques.
In this paper, we explore vulnerabilities in both the design and implementation of mobile bootloaders. We examine bootloaders from four popular manufacturers, and discuss the standards and design principles that they strive to achieve. We then propose BOOTSTOMP, a multi-tag taint analysis resulting from a novel combination of static analyses and dynamic symbolic execution, designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features. Using our tool, we find six previously-unknown vulnerabilities (of which five have been confirmed by the respective vendors), as well as rediscover one that had been previously reported. Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks. Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT. We conclude by proposing simple mitigation steps that can be implemented by manufacturers to safeguard the bootloader and OS from all of the discovered attacks, using already deployed hardware features.
AI Generated Summary
This research investigates the security of Android bootloaders, focusing on violations of critical safety properties such as immutable chain-of-trust verification and secure bootloader unlocking mechanisms. The study assumes an attacker with root privileges on the Android OS and examines how compromised OS components can manipulate bootloader behavior via persistent storage.
The authors present BootsStomp, an automatic static binary analysis tool designed to identify vulnerabilities in proprietary bootloader blobs. It employs multi-tag taint analysis guided by under-constrained dynamic symbolic execution. The tool automatically identifies taint sources (data read from persistent storage during boot and unlock procedures) and sinks (functions enabling arbitrary memory read/write, loop control, and writes to persistent storage). It detects flows where attacker-controlled data can influence these sinks, indicating potential exploits.
Evaluation against four commercial bootloaders (Qualcomm, NVIDIA, Huawei) yielded 36 alerts, identifying seven distinct vulnerabilities, including six zero-day flaws. These vulnerabilities enable arbitrary code execution within the bootloader’s privileged execution level (EL3), granting an attacker full device control, including peripheral configuration. The analysis also revealed multiple bootloader unlocking bypasses, where the security state stored on persistent storage could be manipulated to unlock the device without proper authorization.
Practical implications are severe: a compromised bootloader can install persistent rootkits, brick devices, or bypass hardware-backed security features. The authors propose mitigations, such as storing the security state in a replay-protected memory block (RPMB) accessible only to the bootloader. All discovered vulnerabilities were responsibly disclosed and have been patched by the respective vendors. The work demonstrates the fragility of the mobile boot chain and provides a scalable methodology for its analysis. The BootsStomp tool has been open-sourced to aid the security community.