Published on June 26th, 2017

Embedded Devices CPU Security: Maplesyrup


Maplesyrup is a tool that can be used to help determine the security state of an ARM-based device by examining the system register interface of the CPU.

 

Who is this for?

Maplesyrup is for anyone who has low level access to a handset or single-board PC running an ARMv7A/v8A based processor and is interested in knowing the register level configuration of their CPU at OS runtime. These registers contain featureset and security information that may influence operation of the system kernel and running applications.

 

Why was this created?

Linux exposes featureset and platform information to the user through the /proc and /sys filesystems, but the configuration governing how those features operate is sometimes hidden from the user. In some cases the OS consumes the information to conform to implementation-specific behaviour without indicating this to the user. In other cases the settings are not managed by the operating system at all, yet they can still affect the operation of the system by controlling how the CPU regulates access to security domains, executes specific instructions, and handles CPU exceptions.

 

How does it work?

Maplesyrup consists of a kernel driver and a user mode component. The kernel driver collects the information and returns it to the user mode component which parses the information and presents it to the user.

 

What can I do with the results?

The results will show the low level operating configuration of the system, and can be used to help determine the security state of a device. They may include security settings such as the status of Virtualization Extensions, Security Extensions and coprocessor access restrictions. A few specific examples are listed below:

  • The WXN and UWXN bits of the SCTLR register on ARMv7A based processors control whether writable memory is forced to be Execute Never (XN).
  • The Domain Access Control Register (DACR) defines the access permission (No access, Client or Manager) for each of the 16 memory domains.
  • The Coprocessor Access Control Register (CPACR) can be used to determine whether a coprocessor is implemented and what its access controls are.
  • Trap information details the exception level certain exceptions will be taken to and which stack pointer will be used (for AArch64).
  • Debug Architecture access permissions

 
What do the results represent?

The data stored in the system registers may or may not represent how the chip actually operates, and the meaning of a value is entirely defined by the vendor implementing the device. In addition, some registers are read once at boot time and the results stored to memory; in those cases, manually flipping the bit after the OS has booted will likely have no effect. Another thing to note is that several registers report information that is relevant to a particular procedure and may have no further relevance once that procedure has completed.


Features/Limitations

  • Multi-core support
  • Memory-mapped system registers are currently not supported
  • Only EL0/EL1 are supported
  • Support for Cortex A7/A15/A53/A57
  • Support for memory-mapped devices

This application reads only a small portion of the available system registers on an ARM CPU. Please refer to the ARMv7A and ARMv8A Architecture Manuals and the appropriate Cortex TRM for official documentation.

WARNING: This application and kernel module are to be used only on test systems. Leaving the kernel module installed on a non-test system will compromise the system’s security.

 

Platforms Tested

  • Galaxy S5 Exynos Variant
  • ODROID-XU3
  • HOWCHIP 5250 Ver. C
  • Versatile Express-A9 (QEMU)
  • Android Goldfish 3.4 (QEMU)
  • Versatile JUNO Development Platform
  • Raspberry PI 2

 

Requirements

  • Ubuntu 14.04
  • sudo apt-get install libtool autoconf
  • Toolchain for target architecture (if cross compiling) to build usermode and kernel components
    • arm-linux-gnueabi for 32-bit
    • aarch64-linux-gnu for 64-bit
    • arm-linux-androideabi for Android
  • Kernel source tree (required for kernel module build)
  • Linux based device with root access and the ability to load unsigned kernel modules

 

Usage Instructions

Usage: maplesyrup --<register|group|bitfield|all> <NAME or ID> --arch=<ARCH> --impl=<IMPL or all> [--core=<CORE or -1>] [OTHER OPTIONS]

  --arch - armv7a or armv8a
  --impl - cortex-a7, cortex-a15, cortex-a53, cortex-a57, or all
  --core - core number, or -1 for all cores
  --calc - supply register value. Use with --register <regname>
  --help - show this menu
  --group - search by group
  --register - search by register
  --bitfield - search by bitfield
  --all - search all available bitfields
  --noparse - don't parse the results into bitfields
  --showfail - show all results regardless of success
  --el0 - force execution at pl0
  --el1 - force execution at pl1
  --devices - include memory-mapped devices (memory intensive)
  --show_groups - shows all valid functional groups
  --show_bitfields - shows all valid bitfields
  --show_registers - shows all valid registers

Examples:
    (1) maplesyrup --register MIDR --arch=armv7a --impl=all
        to display the MIDR register
    (2) maplesyrup --all --arch=armv7a --impl=all
        to display all registers
    (3) maplesyrup --register MIDR --arch=armv7a --impl=all --calc=0x410fc073
        supply a value

    Sample output 
    > maplesyrup --register MIDR --arch=armv7a --impl=all --core=0
    
    ============================
    || Maplesyrup 1.0         ||    
    ||    -linux              ||
    ||    -aarch32            ||
    ||                        ||
    || 000005/000040 entries  ||
    ============================
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/03:00/Revision]: 0x3 (Revision) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/15:04/Primary part number]: 0xc07 (Primary part number) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/19:16/Architecture]: 0xf (Architecture) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/23:20/Variant]: 0x0 (Variant) (0)
    [cpu0/cortex-a7/armv7a/1/ident/MIDR/31:24/Implementer]: 0x41 (Implementer) (0)
      |      |        |    |   |     |     |       |          |        |         |
      |      |        |    |   |     |     |       |          |        |         |
     Core #  |        |    |   |     |     |       |          |        |         |
         Part number  |    |   |     |     |       |          |        |         |
     The decode table used |   |     |     |       |          |        |         |
           The exception level |     |     |       |          |        |         |
                The functional group |     |       |          |        |         |
                         The register name |       |          |        |         |
                    The bitfield size and position |          |        |         |
                                             The field name   |        |         |
                                                 Actual result value   |         |
                                                            A brief description  |
                                                                            Result validity
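The bitfield decode that Maplesyrup performs (the --calc example and the MIDR sample output above) and the SCTLR WXN/UWXN and DACR checks listed under "What can I do with the results?" can be reproduced offline. The C program below is an added example, not Maplesyrup's own code: it uses a table-driven decode of the same kind to split the page's MIDR value 0x410fc073 into its five fields, to report the SCTLR Execute Never bits, and to flag DACR domains set to Manager. Bit positions are taken from the ARMv7-A Architecture Reference Manual; the SCTLR and DACR sample values are constructed, the prefix printed in front of the register name copies the sample output's layout, and the function names are this example's own.

```c
/* Added example (not Maplesyrup code): table-driven decode of ARMv7-A
 * system register values, the way Maplesyrup's --calc mode turns a raw
 * 32-bit value into named bitfields. Field positions follow the ARMv7-A
 * Architecture Reference Manual; SCTLR/DACR sample values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct field {
    const char *name;
    unsigned hi, lo;            /* inclusive bit positions, hi >= lo */
};

/* MIDR layout, identical on every ARMv7-A implementation. */
static const struct field midr_fields[] = {
    { "Revision",            3,  0 },
    { "Primary part number", 15, 4 },
    { "Architecture",        19, 16 },
    { "Variant",             23, 20 },
    { "Implementer",         31, 24 },
};

/* The two SCTLR bits that force writable memory to be Execute Never. */
static const struct field sctlr_xn_fields[] = {
    { "WXN",  19, 19 },   /* writable regions are treated as XN */
    { "UWXN", 20, 20 },   /* regions writable at PL0 are XN for PL1 */
};

/* Extract bits [hi:lo] of v (hi=31, lo=0 returns v unchanged). */
static uint32_t bits(uint32_t v, unsigned hi, unsigned lo)
{
    unsigned width = hi - lo + 1;
    uint32_t mask = width >= 32 ? 0xffffffffu : ((1u << width) - 1u);
    return (v >> lo) & mask;
}

/* Look a field up by name; returns (uint32_t)-1 if the table lacks it. */
static uint32_t field_value(const struct field *tbl, size_t n,
                            const char *name, uint32_t v)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].name, name) == 0)
            return bits(v, tbl[i].hi, tbl[i].lo);
    return (uint32_t)-1;
}

/* One line per field, in a layout close to Maplesyrup's
 * [core/impl/arch/el/group/REG/hi:lo/name]: value output. */
static void print_fields(const char *prefix, const char *reg,
                         const struct field *tbl, size_t n, uint32_t v)
{
    for (size_t i = 0; i < n; i++)
        printf("[%s/%s/%02u:%02u/%s]: 0x%x\n", prefix, reg, tbl[i].hi,
               tbl[i].lo, tbl[i].name, bits(v, tbl[i].hi, tbl[i].lo));
}

/* DACR holds sixteen 2-bit domain fields: D<n> is bits [2n+1:2n]. */
static const char *dacr_domain_str(uint32_t dacr, unsigned domain)
{
    switch (bits(dacr, 2 * domain + 1, 2 * domain)) {
    case 0:  return "No access";
    case 1:  return "Client";    /* page-table permissions are checked */
    case 3:  return "Manager";   /* page-table permissions are bypassed */
    default: return "Reserved";
    }
}

/* Manager domains skip all access permission checks for pages mapped
 * into them, so a non-zero count deserves a closer look. */
static unsigned dacr_manager_domains(uint32_t dacr)
{
    unsigned count = 0;
    for (unsigned d = 0; d < 16; d++)
        if (bits(dacr, 2 * d + 1, 2 * d) == 3)
            count++;
    return count;
}

int main(void)
{
    const uint32_t midr = 0x410fc073u;   /* the page's --calc example */
    /* Constructed SCTLR values: WXN/UWXN clear, then both set. */
    const uint32_t sctlr_weak = 0x10c5387du, sctlr_hard = 0x10dd387du;
    /* Constructed DACR values: all domains Client, then domain 0 Manager. */
    const uint32_t dacr_ok = 0x55555555u, dacr_mgr = 0x00000057u;

    print_fields("cpu0/cortex-a7/armv7a/1/ident", "MIDR", midr_fields, 5, midr);
    print_fields("cpu0/cortex-a7/armv7a/1", "SCTLR", sctlr_xn_fields, 2, sctlr_weak);
    print_fields("cpu0/cortex-a7/armv7a/1", "SCTLR", sctlr_xn_fields, 2, sctlr_hard);
    printf("DACR 0x%08x: %u Manager domain(s); D0=%s\n", dacr_ok,
           dacr_manager_domains(dacr_ok), dacr_domain_str(dacr_ok, 0));
    printf("DACR 0x%08x: %u Manager domain(s); D0=%s\n", dacr_mgr,
           dacr_manager_domains(dacr_mgr), dacr_domain_str(dacr_mgr, 0));
    return 0;
}
```

Decoding the page's MIDR value gives Implementer 0x41, Variant 0x0, Architecture 0xf, Primary part number 0xc07 and Revision 0x3, the same fields the sample output shows. The two SCTLR values differ only in bits 19 and 20, which is exactly the comparison to make between an unhardened and a hardened kernel configuration; the DACR check turns the "Manager" encoding into a count that is easy to alert on across cores.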

 

https://github.com/iadgov/maplesyrup
