Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics
Gunnar Alendal, Norwegian University of Science and Technology (NTNU)
@gradoisageek
#BHUSA @BlackHatEvents
Digital forensics (simplified)
● Seize: identifying and seizing, e.g. devices, hard drives, ...
● Acquisition: extract data to be analysed = Digital Forensics Acquisition (DFA)
● Analysis: identify and analyse data relevant to investigation
● Report: report on positive and negative findings
Digital Forensic Acquisition (DFA)
Before / Now (image slides)
Android Security 101
Untrusted & Trusted worlds
Towers preventing DFA
<= Galaxy S10
“Breaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot”, Jeff Chao / Black Hat 2020
Towers preventing DFA
>= Galaxy S20
1 + 1 = Digital Forensic Acquisition
Break REE + break eSE => DFA
This talk: breaking the eSE
(embedded) Secure Element - eSE
● Model in Galaxy S20 (Exynos): S3K250AF *
● Separate HW chip
● Protects encryption key material
● Prevents brute force from compromised system (“root”)
● Break eSE => gain access to encryption key material
* Full paper presented @DFRWS USA 2021: “Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics”
Android File-based Encryption (FBE)
Android FBE States
Figure: three device states, each with a Device Encrypted (DE) and a Credential Encrypted (CE) storage class:
● Device off
● Power on / no unlock: Before-first-unlock (BFU)
● Power on / first unlock: After-first-unlock (AFU)
Android FBE States & eSE
Figure: the same state diagram (Device off / BFU / AFU, DE and CE per state) with the eSE added
Attack phase 1: “root” REE
Figure: FBE state diagram (Device off / BFU / AFU, DE and CE per state)
E.g. break secure boot
Attack phase 2: eSE: Force BFU to AFU
Figure: FBE state diagram (Device off / BFU / AFU, DE and CE per state)
BFU => AFU: Break eSE
BFU => AFU w/ weaver
pw/pin/pattern + SALT (DE) + SECRET (eSE) = AFU
Brute force
pw/pin/pattern = BruteForce( SALT (DE) + CHALLENGE (eSE) )
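The two slides above describe the Weaver scheme: the eSE holds a (CHALLENGE, SECRET) pair, hands out SECRET only to a caller presenting the exact CHALLENGE, and rate-limits wrong attempts so that a short PIN survives. The following is an added model of that slot logic, written for this page; it is not the S3K250AF firmware and not Android's Weaver HAL. The slot layout, the constant-time key comparison and the throttle schedule (four free failures, then 30 s doubling per failure) are assumptions. It shows what the throttling buys as long as the comparison stays on-chip: eleven guesses in an hour. That bound is exactly what disappears once CHALLENGE and SECRET have been read out and the comparison moves off-device.

```c
#include <stdint.h>
#include <string.h>

/* Lengths as on the slides: 32-byte CHALLENGE (the key), 32-byte SECRET (the value). */
#define WEAVER_KEY_LEN   32
#define WEAVER_VALUE_LEN 32

enum weaver_status { WEAVER_OK = 0, WEAVER_INCORRECT_KEY, WEAVER_THROTTLE };

/* One Weaver slot as modelled here (an assumed layout, not the chip's own). */
struct weaver_slot {
    uint8_t  key[WEAVER_KEY_LEN], value[WEAVER_VALUE_LEN];
    uint32_t failures;          /* consecutive wrong keys */
    uint64_t locked_until_ms;   /* reads are refused before this time */
};

/* Constant-time compare: the chip must not leak how many key bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc == 0;
}

/* Throttle schedule (an assumption of this model): four free failures, then a
 * 30 s lock that doubles with every further failure, capped at 2^20 * 30 s. */
static uint64_t throttle_ms(uint32_t failures)
{
    if (failures < 5)
        return 0;
    return 30000ULL << (failures - 5 > 20 ? 20 : failures - 5);
}

/* Stores a key/value pair and resets the failure counter (a new credential). */
void weaver_write(struct weaver_slot *s, const uint8_t *key, const uint8_t *value)
{
    memcpy(s->key, key, WEAVER_KEY_LEN);
    memcpy(s->value, value, WEAVER_VALUE_LEN);
    s->failures = 0;
    s->locked_until_ms = 0;
}

/* Releases the value only for the exact key, and only while not throttled. */
enum weaver_status weaver_read(struct weaver_slot *s, const uint8_t *key, uint64_t now_ms,
                               uint8_t *value_out, uint64_t *timeout_ms)
{
    *timeout_ms = 0;
    if (now_ms < s->locked_until_ms) {
        *timeout_ms = s->locked_until_ms - now_ms;
        return WEAVER_THROTTLE;
    }
    if (!ct_equal(s->key, key, WEAVER_KEY_LEN)) {
        s->failures++;
        *timeout_ms = throttle_ms(s->failures);
        s->locked_until_ms = now_ms + *timeout_ms;
        return WEAVER_INCORRECT_KEY;
    }
    s->failures = 0;
    memcpy(value_out, s->value, WEAVER_VALUE_LEN);
    return WEAVER_OK;
}

/* Wrong guesses that fit into window_ms when every guess has to go through the
 * throttled slot; each APDU exchange is assumed to cost 1 ms. */
uint32_t guesses_in_window(uint64_t window_ms)
{
    struct weaver_slot s;
    uint8_t key[WEAVER_KEY_LEN], value[WEAVER_VALUE_LEN], out[WEAVER_VALUE_LEN];
    uint8_t guess[WEAVER_KEY_LEN] = {0};   /* constructed guesses; never equal to key */
    uint64_t now = 0, wait; uint32_t guesses = 0;
    memset(key, 0xAA, sizeof key); memset(value, 0x55, sizeof value);   /* constructed pair */
    weaver_write(&s, key, value);
    while (now < window_ms) {
        if (weaver_read(&s, guess, now, out, &wait) == WEAVER_THROTTLE) {
            now += wait;                   /* a real client can only wait */
            continue;
        }
        guesses++;
        guess[0]++;                        /* next (still wrong) guess */
        now += 1;
    }
    return guesses;
}

/* Self-check: how many of two expectations the model meets (2 when correct). */
int weaver_selftest(void)
{
    struct weaver_slot s;
    uint8_t key[WEAVER_KEY_LEN], value[WEAVER_VALUE_LEN], out[WEAVER_VALUE_LEN] = {0};
    uint64_t wait; int ok = 0;
    memset(key, 0xAA, sizeof key); memset(value, 0x55, sizeof value);
    weaver_write(&s, key, value);
    ok += weaver_read(&s, key, 0, out, &wait) == WEAVER_OK && memcmp(out, value, sizeof out) == 0;
    key[0] ^= 1;                           /* one wrong bit: nothing comes back */
    memset(out, 0, sizeof out);
    ok += weaver_read(&s, key, 0, out, &wait) == WEAVER_INCORRECT_KEY && out[0] == 0;
    return ok;
}
```

The numbers are what matter for the design argument: `guesses_in_window(3600000)` returns 11 because the lock grows geometrically, while a 4-digit PIN space has 10,000 entries. Once CHALLENGE leaves the chip, the same loop with no `WEAVER_THROTTLE` branch runs at CPU speed, which is the situation the later slides describe.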
Attack Summary*
*Executive edition
Attacking the FBE (CE)
1. Break REE: “root” / SALT
2. Attack eSE
3. Get CHALLENGE + (SECRET)
4. Off-device brute force pw/pin/pattern
Off-device brute force pw/pin/pattern
import hashlib
import scrypt  # py-scrypt: scrypt.hash(password, salt, N, r, p, buflen)

# Placeholders: the real SALT, scrypt parameters, personalisation string and
# stolen CHALLENGE come from the device (DE storage and the eSE dump); a 4-digit PIN space is assumed
SALT = bytes(16)
scryptN, scryptR, scryptP = 16384, 8, 1
PASSWORD_TOKEN_LENGTH = 32
PERSONALISATION_WEAVER_KEY = b"weaver-key"
stolenCHALLENGE = bytes(32)
stolenCHALLENGELen = len(stolenCHALLENGE)
all_pins = ("%04d" % i for i in range(10000))

for pin in all_pins:
    # KDF(PIN, SALT)
    computePasswordTokenRes = scrypt.hash(pin, SALT, N=scryptN, r=scryptR, p=scryptP, buflen=PASSWORD_TOKEN_LENGTH)
    # Generate CHALLENGE candidate
    sha512 = hashlib.sha512(PERSONALISATION_WEAVER_KEY)
    sha512.update(computePasswordTokenRes)
    personalisedHash = sha512.digest()
    # Compare candidate CHALLENGE with stolen CHALLENGE
    if personalisedHash[:stolenCHALLENGELen] == stolenCHALLENGE:
        print("\n=================================\n")
        print(" Correct pin is: %s" % pin)
        print("\n=================================\n\n")
        print(" pwdToken hash : " + computePasswordTokenRes.hex())
        print(" weaver CHALLENGE hash : " + personalisedHash[:stolenCHALLENGELen].hex())
The eSE attack: from 0 to 0-day
Enter S3K250AF eSE!
● Introduced 2020 in Galaxy S20 models (Exynos)
● Black box IC
● ARM BE8 THUMB
● 252 kB on-board flash + 16 kB RAM
● CC EAL 5+ certification
● Designed to protect against HW attacks, like Side-Channel attacks
● Brute force protection
● Features: Weaver / SecNVM / Device Attestation / Keystore / ..
eSE = “Black box”
● REE talks to eSE
○ hermesd process
○ Frida instrumentation
○ Reimplement in chip_breaker
● Talks APDU
○ Just like a SIM card
○ APDU handlers in eSE FW
● Reverse engineer REE commands
○ REE .so + small FW part
○ We can talk “dirty” to it!
● But no debug / info leak
○ Locate oracles!
Info leak Oracles needed
Oracle 1
● APDU handler error:
○ APDU response w/ error code
○ Error = APDU SW (Status Word)
● APDU handler crash:
○ No APDU response!
Oracle 2
● Promising eSE APDU handlers:
○ APDU_readWeaver: Send CHALLENGE
○ APDU_writeWeaver: Set CHALLENGE / SECRET
Figure: writeWeaver payload fields nC (1 byte), nS (1 byte), CHALLENGE (nC bytes), SECRET (nS bytes)
Oracle 2 (simplified)
● APDU_writeWeaver
First: Set CHALLENGE / SECRET
Figure: “Normally” nC = 32, nS = 32 (CHALLENGE f0b90d..1c1b, SECRET 2bf11f..d582). “What if?” a length of 255 with SECRET = “Secret”
Oracle 2 (actual)
● APDU_writeWeaver
First: Set CHALLENGE / SECRET
Figure: nS = 40 with SECRET = “Secret” + 000..0, the “footer overwrite trick” (other values on the slide: 1, 32, 204, 4)
Oracle 2
● APDU_readWeaver
Second: Send CHALLENGE
Figure: Send nC = 32, CHALLENGE f0b90d..1c1b. Normally receive SECRET 2bf11f..d582 (32 bytes); after the footer overwrite receive “Secret” + stack data (lengths shown: 204 and 32)
Oracle 2 - Stack leak!
0000 53 65 63 72 65 74 00 00 00 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020 00 00 00 01 00 00 00 D0 00 00 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 05
0040 01 22 49 31 20 00 14 28 20 00 27 C0 00 00 00 00
0050 20 00 14 80 FF FF FF FF 00 02 85 F9 20 00 14 80
0060 20 00 27 C0 00 02 85 8B 00 00 00 00 20 00 0B 50
0070 00 00 00 00 FF FF FF FF 00 01 04 7F 00 00 00 00
Labels on the dump: “Secret” / SECRET(32) over the first 32 bytes; the words that follow are annotated as data addresses (RAM) and code addresses (flash, ARM THUMB)
Oracle 2 features
● Leak RAM address range + pointers
● Leak CODE (flash) address range + pointers
● Stack layout of APDU_readWeaver
● Enable dynamic reverse engineering
● Further experimenting different APDU handlers
● BlindROP / DarkROP like testing
From Oracle to 0-day
● APDU_writeWeaver
Set CHALLENGE / SECRET
Figure: nS = 255 with SECRET = 4141414141...41 ==> Oracle 1 hit! APDU_writeWeaver crashed? What if?
S3K250AF Attack so far
● Have stack leak, but only for APDU_readWeaver
● APDU_writeWeaver triggers Oracle 1 on nS > 84
● Back to skool:
○ “Smashing the stack for fun and profit” (Aleph One, 1996)
● Next move, alternative 1:
○ secret[84:88] assumed code pointer?
○ Brute force => hit ROP gadget w/ no Oracle 1 trigger
● Next move, alternative 2:
○ Assume stack APDU_readWeaver ~= APDU_writeWeaver
○ Manual stack guesstimating
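The defect this slide pins down is a caller-supplied length byte (nS) that the handler trusts and copies into a fixed stack buffer, so anything past 84 bytes lands on saved registers and the return address. As an added example, not the S3K250AF firmware (which is not public) and not chip_breaker, here is the shape a hardened APDU_writeWeaver parser takes: every length is checked against both the bytes still in the input and the destination buffer before any copy, and a malformed request is answered with an ISO 7816-4 status word (0x6700, wrong length) rather than a crash. The 32/32 buffer sizes, the field order and the status words are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ISO 7816-4 status words used here. */
#define SW_SUCCESS      0x9000u
#define SW_WRONG_LENGTH 0x6700u

/* Fixed on-chip buffer sizes, an assumption: the 32/32 lengths shown on the slides. */
#define CHALLENGE_MAX 32
#define SECRET_MAX    32

struct weaver_record {
    uint8_t nC, nS;
    uint8_t challenge[CHALLENGE_MAX];
    uint8_t secret[SECRET_MAX];
};

/* Parses the data field [nC][CHALLENGE, nC bytes][nS][SECRET, nS bytes] (assumed
 * order) into fixed buffers. Each length byte is checked against both the bytes
 * left in the input and the destination buffer before anything is copied, so a
 * caller-chosen nS of 255 earns a status word instead of a write past the buffer. */
uint16_t parse_write_weaver(const uint8_t *data, size_t len, struct weaver_record *out)
{
    size_t off = 0;
    if (data == NULL || out == NULL || len < 1)
        return SW_WRONG_LENGTH;
    uint8_t nC = data[off++];
    if (nC == 0 || nC > CHALLENGE_MAX || (size_t)nC > len - off)
        return SW_WRONG_LENGTH;
    memcpy(out->challenge, data + off, nC);
    off += nC;
    if (off >= len)
        return SW_WRONG_LENGTH;
    uint8_t nS = data[off++];
    if (nS == 0 || nS > SECRET_MAX || (size_t)nS > len - off)
        return SW_WRONG_LENGTH;
    memcpy(out->secret, data + off, nS);
    off += nS;
    if (off != len)                  /* trailing bytes: malformed, reject as well */
        return SW_WRONG_LENGTH;
    out->nC = nC;
    out->nS = nS;
    return SW_SUCCESS;
}

/* Builds a data field with the given lengths (constructed filler bytes) and
 * returns the parser's status word. */
uint16_t sw_for_lengths(uint8_t nC, uint8_t nS)
{
    uint8_t apdu[2 + 255 + 255];
    struct weaver_record rec;
    size_t len = 0;
    apdu[len++] = nC;
    memset(apdu + len, 0x41, nC);
    len += nC;
    apdu[len++] = nS;
    memset(apdu + len, 0x42, nS);
    len += nS;
    return parse_write_weaver(apdu, len, &rec);
}

/* Claims nS = 32 but supplies only 10 secret bytes: the length byte is not trusted. */
uint16_t sw_for_truncated(void)
{
    uint8_t apdu[1 + 32 + 1 + 10];
    struct weaver_record rec;
    memset(apdu, 0x41, sizeof apdu);
    apdu[0] = 32;
    apdu[33] = 32;
    return parse_write_weaver(apdu, sizeof apdu, &rec);
}
```

Two properties follow from the checks being complete: the handler never touches stack memory beyond its declared buffers, and every rejection is a normal APDU response, so an outside caller sees one uniform status word rather than the crash-or-no-crash signal that Oracle 1 relies on.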
Alternative 2: stack guesstimating
● Partial S3K250AF FW found on Galaxy S20 filesystem
○ Most of FW is encrypted :(
● Contains unencrypted “dev” version of IWEA code
● IWEA is short for IWEAVER
○ APDU_readWeaver_dev disassembly possible
○ APDU_writeWeaver_dev disassembly possible
● We can “simulate” stack use, and hope it fits “prod” code on chip
○ <trial and error>
Stack layout found
Victory!
● Stack layout of APDU_writeWeaver guessed!
● Know position of return address (PC) POP’ed from stack!
● We can set R4-R7 and PC to return properly!
● Can now overflow stack and control execution on S3K250AF eSE!
● Pwned!
APDU_writeWeaver Stack smash!
Figure: APDU_writeWeaver stack frame with the return address at secret[84:88]
Next goal: Execute something useful
● One ROP to rule them all
○ Dumps 16 bytes from arbitrary address
    MOVS R0, #0x10      ; size to read. Fixed size 0x10.
    STR  R7, [R4]       ; R7 is address to read => We control R7!
    STR  R0, [R4,#4]    ; Store size
    MOVS R0, #0x90      ; SW1 => SW is just return code (Status Word). 0x90 == “Success”
    STRB R0, [R4,#8]    ; Store SW1
    MOV  R0, R5         ; SW2
    STRB R5, [R4,#9]    ; Store SW2
    POP  {R1-R7,PC}     ; pop and return => We get 0x10 bytes from arbitrary address!
chip_breaker
● Dump CHALLENGE
● Remove “root” REE requirement
Full eSE flash dump
● We dump all code + metadata
● We dump all sensitive data
○ “11: IWEAVER”: CHALLENGE + SECRET
● Off-device brute force: Check!
● Digital Forensic Acquisition: Check!
Mission accomplished!
But wait! Can we do more?
● We can achieve arbitrary code execution (ACE)
○ RAM/Stack is executable!
○ Return-to-APDU-buffer (shellcode) => ACE / (RCE)
Arbitrary code execution
● We can read flash + RAM
○ Dump hardcoded AES key => Used for FW encryption
○ No more encrypted FW updates
○ No FW code or sensitive data safe
● We can write flash + RAM
○ No eSE Secure Boot!
○ Persistent(!) changes to any eSE feature
○ Set up C build env.
■ “Breaking Samsung firmware, or turning your S8/S9/S10 into a DIY Proxmark” - Christopher Wade
Write persistent changes => New attack variant?
● eSE only attack
● Remove “root” REE requirement
Towers preventing DFA
>= Galaxy S20
Potential “HW Trojan” attack
Figure: FBE state diagram (Device off / BFU / AFU, DE and CE per state)
BFU => AFU: Brute force
“HW Trojan” attack PoC demo
● Rubber Ducky HID simulation
● Send all PINs
● No timeouts!
Unpatched
Patched: eSE brute force protection removed
Music: @dubmood
ToDo: Test actual chip off, attack, chip on
Certification ⤋ Security?
"In theory, there is no difference between theory and practice, while in practice, there is"
- Benjamin Brewster
CC EAL 5+ AVA_VAN.5
● Security Goals in “Security Target”:
○ SG1 => Integrity of user data
○ SG2 => Confidentiality of user data
○ SG3 => Correct operation
● AVA_VAN.5:
○ “A methodical vulnerability analysis is performed by the evaluator to ascertain the presence of potential vulnerabilities”
○ A certified stack smashing buffer overflow?
Broken by our attack
Intended vs. achieved security
● S3K250AF meant to protect against state level actors
○ Broken by 1 researcher, no special tools, ~1 month
● FW encryption AES key revealed
○ No encrypted OTA possible for fielded devices
● Can fielded S3K250AF devices regain trust?
○ Can we create undetectable / unremovable eSE FW modifications?
Black Hat Sound Bytes
● One old skool stack buffer overflow to break the S3K250AF eSE
○ Patched by Samsung (CVE-2020-28341 / SVE-2020-18632)
● CC EAL 5+ AVA_VAN.5 gives no guarantees of achieved security
● Digital Forensic Acquisition in 2021: Finding and exploiting 0-days
Thank you (see full paper for details)
Gunnar Alendal @gradoisageek
Thanks: Geir Olav Dyrkolbotn, Stefan Axelsson, @zutle, @dubmood (music) and Samsung