BootStomp is a Python-based tool, with Docker support that helps you find two different classes of Android bootloader vulnerabilities and bugs. It looks for memory corruption and state storage vulnerabilities.
Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.
How does BootStomp find Android Bootloader Vulnerabilities?
BootStomp implements a multi-tag taint analysis resulting from a novel combination of static analyses and dynamic symbolic execution, designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution or its security features.
Using the tool the team found six previously-unknown vulnerabilities (of which five have been confirmed by the respective vendors), as well as rediscovered one that had been previously reported. Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks.
The vulnerabilities impact the Trusted Boot or Verified Boot mechanisms implemented by vendors to establish a Chain of Trust (CoT). The team using BootStomp discovered vulnerabilities in the bootloaders used by Huawei, Qualcomm, MediaTek, and NVIDIA.
The team analyzed bootloader implementations in many platforms, including Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), Nexus 9 (NVIDIA Tegra chipset), and two versions of the LK-based bootloader (Qualcomm).
How to use BootStomp
The easiest way to use BootStomp is to run it in a docker container. The folder docker contains an appropriate Dockerfile, these are the commands to use it:
# build the docker image
docker build –t bootstomp .
# run the docker image (if you need, use proper options to have persistent changes or shared files)
docker run –it bootstomp
# now you are inside a docker container
# run BootStomp’s taint analysis on one of the examples
# this will take about 30 minutes
python taint_analysis/bootloadertaint.py config/config.huawei
# the last line of the output will be something like:
# INFO | 2017-10-14 01:54:10,617 | _CoreTaint | Results in /tmp/BootloaderTaint_fastboot.img_.out
# you can then “pretty print” the results using:
python taint_analysis/result_pretty_print.py /tmp/BootloaderTaint_fastboot.img_.out
You can download BootStomp here: