Veranstaltung
23:00
-
00:00
Tag 1
Hacking the RP2350
aufgezeichnet
Security
Raspberry Pi's RP2350 microcontroller introduced a multitude of new hardware security features over the RP2040, and included a Hacking Challenge which began at DEF CON to encourage researchers to find bugs. The challenge has been defeated and the chip is indeed vulnerable (in at least one way). This talk will cover the process of discovering this vulnerability, the method of exploiting it, and avenues for deducing more about the relevant low-level hardware behavior.

The RP2350 security architecture involves several interconnected mechanisms which together provide authentication of code running on the chip, protected one-time-programmable storage, fine-grained control of debug features, and so on. An antifuse-based OTP memory serves as the root of trust of the system, and informs the configuration of ARM TrustZone as well as additional attack mitigations such as glitch detectors. Raspberry Pi even constructs an impressive, bespoke Redundancy Coprocessor (RCP), which hardens execution of boot ROM code on the Cortex-M33 cores with stack protection, data validation, and instruction latency randomization.

Since there are many potential incorrect guesses to be made about where problems might lie, here I begin with the most fundamental features of the chip logic, including the reset process. Even small oversights at this level can entirely defeat sophisticated security efforts if higher-level mechanisms place complete trust in seemingly simple hardware operations. I show how cursory research into the design details of IP blocks used in the SoC can help inform an attack, and demonstrate the importance of fully testing new features which are built atop older IP. Ultimately, the significant amount of luck (or lack thereof) involved is a reminder of the need to meticulously understand and validate complex systems.