A team at the University of California, Santa Barbara found code-execution and denial-of-service vulnerabilities in the bootloaders of major mobile platforms. Using a tool they named BootStomp, the researchers uncovered six previously unknown vulnerabilities, five of which have been confirmed by the respective vendors, and rediscovered one flaw that had already been reported.

In a paper presented at USENIX Security 2017 (BootStomp: On the Security of Bootloaders in Mobile Devices), the researchers show that these flaws undermine the Trusted Boot and Verified Boot mechanisms that make up the vendors' Chain of Trust. That chain is meant to prevent an attacker from gaining full control of the platform, yet the researchers found that many of its verification steps become ineffective once the bootloader consumes attacker-controlled input.

Some of these vulnerabilities allow an attacker to execute arbitrary code as part of the bootloader itself, or to brick the device in a permanent denial-of-service attack. BootStomp also identified two vulnerabilities that an attacker with root privileges on Android can exploit to unlock the device, an operation that by design should require physical access, and thereby break the chain of trust.

Bootloaders are generally closed source, which makes them hard to analyze, and dynamic analysis outside the target hardware is especially difficult. The researchers therefore built their own tool, BootStomp, which combines static analysis with symbolic execution to implement a multi-tag taint analysis: data read from the storage partitions a bootloader consumes is tagged as attacker-controlled and tracked to the points where it is used, so that dangerous uses such as unchecked memory writes can be flagged.

The researchers analyzed the bootloaders of the Huawei P8 ALE-L23 (HiSilicon chipset), the Sony Xperia XA (MediaTek chipset), the Nexus 9 (NVIDIA Tegra chipset), and two versions of Qualcomm's LK-based bootloader.

In the Huawei P8 Android bootloader, BootStomp found five serious vulnerabilities: an arbitrary memory write triggered while parsing the Linux device tree (DTB) stored in the boot partition; a heap overflow when parsing the root-writable oem_info partition; the nve and oem_info partitions themselves being writable by root; and a memory-corruption flaw that gives an attacker an arbitrary write and ultimately arbitrary code execution inside the bootloader, which can be used to install a persistent rootkit.
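As an added illustration of the bug class behind the oem_info heap overflow (constructed example code, not the Huawei bootloader's code and not part of the paper or its tool), the C below shows a bootloader-style parser that trusts a length field read from a root-writable partition, beside a hardened version that checks the field against both the destination buffer and the image size. The header layout, the magic value, the buffer sizes and the "device locked" flag placed right after the buffer are all assumptions made for the demo; the crafted partition image is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical oem_info layout: a small header followed by a payload.
 * Because root can write the partition, every field is attacker-controlled. */
#define OEM_INFO_MAGIC    0x4F454D49u   /* "OEMI", invented for the demo */
#define OEM_INFO_BUF_SIZE 32u           /* fixed-size destination buffer */

struct oem_info_hdr {
    uint32_t magic;
    uint32_t len;   /* payload length, trusted by the vulnerable parser */
};

/* VULNERABLE: copies hdr.len bytes into dst, which only holds
 * OEM_INFO_BUF_SIZE bytes, so whatever follows dst in memory is clobbered. */
size_t parse_oem_info_vuln(const uint8_t *part, size_t part_size, uint8_t *dst)
{
    struct oem_info_hdr hdr;
    if (part_size < sizeof hdr)
        return 0;
    memcpy(&hdr, part, sizeof hdr);
    if (hdr.magic != OEM_INFO_MAGIC)
        return 0;
    memcpy(dst, part + sizeof hdr, hdr.len);   /* no bound on hdr.len */
    return hdr.len;
}

/* HARDENED: every field read from the partition is validated before use. */
size_t parse_oem_info_safe(const uint8_t *part, size_t part_size,
                           uint8_t *dst, size_t dst_size)
{
    struct oem_info_hdr hdr;
    if (part == NULL || dst == NULL || part_size < sizeof hdr)
        return 0;
    memcpy(&hdr, part, sizeof hdr);
    if (hdr.magic != OEM_INFO_MAGIC)
        return 0;
    if (hdr.len > dst_size)                 /* would overflow the destination */
        return 0;
    if (hdr.len > part_size - sizeof hdr)   /* would read past the image */
        return 0;
    memcpy(dst, part + sizeof hdr, hdr.len);
    return hdr.len;
}

/* Build a crafted image (constructed input): header plus payload_len bytes
 * of 0x41. Returns the image size, or 0 if it does not fit in img. */
size_t build_image(uint8_t *img, size_t img_cap, uint32_t payload_len)
{
    struct oem_info_hdr hdr = { OEM_INFO_MAGIC, payload_len };
    if (sizeof hdr + payload_len > img_cap)
        return 0;
    memcpy(img, &hdr, sizeof hdr);
    memset(img + sizeof hdr, 0x41, payload_len);
    return sizeof hdr + payload_len;
}

/* Simulated bootloader memory: the 32-byte oem_info buffer immediately
 * followed by a 4-byte "device locked" flag (value 1) that later code trusts.
 * Parses an image whose payload is 4 bytes too long and returns the flag's
 * value afterwards; *copied receives the parser's return value. */
#define LOCK_OFFSET OEM_INFO_BUF_SIZE
#define MEM_SIZE    (OEM_INFO_BUF_SIZE + 4u)

static uint32_t run_case(int hardened, size_t *copied)
{
    uint8_t mem[MEM_SIZE];
    uint8_t img[64];
    uint32_t locked = 1;
    memset(mem, 0, sizeof mem);
    memcpy(mem + LOCK_OFFSET, &locked, sizeof locked);
    size_t n = build_image(img, sizeof img, OEM_INFO_BUF_SIZE + 4u);
    *copied = hardened ? parse_oem_info_safe(img, n, mem, OEM_INFO_BUF_SIZE)
                       : parse_oem_info_vuln(img, n, mem);
    memcpy(&locked, mem + LOCK_OFFSET, sizeof locked);
    return locked;
}

/* 1 if the vulnerable parser let the oversized payload overwrite the flag. */
int vuln_clobbers_lock(void)
{
    size_t copied;
    return run_case(0, &copied) != 1;
}

/* 1 if the hardened parser rejected the image and left the flag intact. */
int safe_rejects_oversized(void)
{
    size_t copied;
    uint32_t lock = run_case(1, &copied);
    return copied == 0 && lock == 1;
}

int main(void)
{
    printf("vulnerable parser overwrote lock flag: %s\n",
           vuln_clobbers_lock() ? "yes" : "no");
    printf("hardened parser rejected the image:    %s\n",
           safe_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The overflow in the demo is kept inside a single flat array so the program stays well defined, but the effect is the one the paper describes: a few extra bytes in a partition that root can write are enough to overwrite state the bootloader relies on, and the only thing standing in the way is whether the bootloader checks the length it reads from untrusted storage.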

BootStomp also found bugs in NVIDIA's hboot and Qualcomm's aboot. The Nexus 9's hboot runs at exception level EL1, the same hardware privilege level as the Linux kernel, so a bug there is equivalent to a kernel-level compromise. The aboot vulnerability (CVE-2014-9798) had already been reported and can be exploited for a denial-of-service attack.

Exploiting these vulnerabilities depends on the attacker being able to write to the non-volatile storage that the bootloader later reads. The researchers therefore propose a mitigation that uses hardware write-protection features available in modern devices to block such writes, so that even a root-level attacker cannot tamper with the partitions the bootloader consumes.

* References: SecurityWeek, ang010ela, FreeBuf.COM