A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving

Xiaomei Zeng; Liu Qing; Samuel Chef; Chee Lip Gan

doi:10.1109/HOST55342.2024.10545381

A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving

Xiaomei Zeng, Liu Qing, Samuel Chef, Chee Lip Gan

Nanyang Technological University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Execute-only memory acts as a security scheme intended to protect critical microcontroller firmware, including Intellectual Property (IP) and sensitive configuration functions related to system security. The execute-only firmware exclusively permits code execution and prevents any external attempts at reading the content. As part of a hardware security assessment, this research reveals a potential vulnerability in protected execute-only firmware, illustrating that its content can be fully extracted using the invasive selective chemical engraving technique. This technique relies on visualizing the data of '0' and '1' through electrochemical reactions. The subsequent firmware recovery process involves direct binary extraction, physical-to-Iogical mapping, and error correction to obtain machine code with 100% accuracy. The resulting machine code can be further disassembled to analyse various instructions, functions, and data libraries. This bottom-up approach of firmware recovery can be invaluable for assessing the integrity and authenticity of the execute-only memory. On the other hand, these findings demonstrate the significant threat posed by the invasive selective chemical engraving technique to protected execute-only firmware in widely deployed microcontrollers. Consequently, there is a pressing need to reassess the current hardware security schemes and implement robust measures to effectively counteract such invasive attacks.

Original language	English
Title of host publication	Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	12-20
Number of pages	9
ISBN (Electronic)	9798350373943
DOIs	https://doi.org/10.1109/HOST55342.2024.10545381
Publication status	Published - 2024
Externally published	Yes
Event	2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024 - McLean, United States Duration: May 6 2024 → May 9 2024

Publication series

Name	Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024

Conference

Conference	2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024
Country/Territory	United States
City	McLean
Period	5/6/24 → 5/9/24

Bibliographical note

Publisher Copyright:
© 2024 IEEE.

ASJC Scopus Subject Areas

Artificial Intelligence
Hardware and Architecture
Safety, Risk, Reliability and Quality

Keywords

data extraction
execute-only firmware
protected flash memory
selective chemical engraving

Access to Document

10.1109/HOST55342.2024.10545381

Cite this

Zeng, X., Qing, L., Chef, S., & Gan, C. L. (2024). A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving. In Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024 (pp. 12-20). (Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/HOST55342.2024.10545381

Zeng, Xiaomei ; Qing, Liu ; Chef, Samuel et al. / A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving. Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024. Institute of Electrical and Electronics Engineers Inc., 2024. pp. 12-20 (Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024).

@inproceedings{78d431de4dfe41b9bf3d7bddc931e3df,

title = "A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving",

abstract = "Execute-only memory acts as a security scheme intended to protect critical microcontroller firmware, including Intellectual Property (IP) and sensitive configuration functions related to system security. The execute-only firmware exclusively permits code execution and prevents any external attempts at reading the content. As part of a hardware security assessment, this research reveals a potential vulnerability in protected execute-only firmware, illustrating that its content can be fully extracted using the invasive selective chemical engraving technique. This technique relies on visualizing the data of '0' and '1' through electrochemical reactions. The subsequent firmware recovery process involves direct binary extraction, physical-to-Iogical mapping, and error correction to obtain machine code with 100% accuracy. The resulting machine code can be further disassembled to analyse various instructions, functions, and data libraries. This bottom-up approach of firmware recovery can be invaluable for assessing the integrity and authenticity of the execute-only memory. On the other hand, these findings demonstrate the significant threat posed by the invasive selective chemical engraving technique to protected execute-only firmware in widely deployed microcontrollers. Consequently, there is a pressing need to reassess the current hardware security schemes and implement robust measures to effectively counteract such invasive attacks.",

keywords = "data extraction, execute-only firmware, protected flash memory, selective chemical engraving",

author = "Xiaomei Zeng and Liu Qing and Samuel Chef and Gan, {Chee Lip}",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024 ; Conference date: 06-05-2024 Through 09-05-2024",

year = "2024",

doi = "10.1109/HOST55342.2024.10545381",

language = "English",

series = "Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "12--20",

booktitle = "Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024",

address = "United States",

}

Zeng, X, Qing, L, Chef, S & Gan, CL 2024, A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving. in Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024. Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024, Institute of Electrical and Electronics Engineers Inc., pp. 12-20, 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024, McLean, United States, 5/6/24. https://doi.org/10.1109/HOST55342.2024.10545381

A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving. / Zeng, Xiaomei; Qing, Liu; Chef, Samuel et al.
Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024. Institute of Electrical and Electronics Engineers Inc., 2024. p. 12-20 (Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving

AU - Zeng, Xiaomei

AU - Qing, Liu

AU - Chef, Samuel

AU - Gan, Chee Lip

PY - 2024

Y1 - 2024

N2 - Execute-only memory acts as a security scheme intended to protect critical microcontroller firmware, including Intellectual Property (IP) and sensitive configuration functions related to system security. The execute-only firmware exclusively permits code execution and prevents any external attempts at reading the content. As part of a hardware security assessment, this research reveals a potential vulnerability in protected execute-only firmware, illustrating that its content can be fully extracted using the invasive selective chemical engraving technique. This technique relies on visualizing the data of '0' and '1' through electrochemical reactions. The subsequent firmware recovery process involves direct binary extraction, physical-to-Iogical mapping, and error correction to obtain machine code with 100% accuracy. The resulting machine code can be further disassembled to analyse various instructions, functions, and data libraries. This bottom-up approach of firmware recovery can be invaluable for assessing the integrity and authenticity of the execute-only memory. On the other hand, these findings demonstrate the significant threat posed by the invasive selective chemical engraving technique to protected execute-only firmware in widely deployed microcontrollers. Consequently, there is a pressing need to reassess the current hardware security schemes and implement robust measures to effectively counteract such invasive attacks.

AB - Execute-only memory acts as a security scheme intended to protect critical microcontroller firmware, including Intellectual Property (IP) and sensitive configuration functions related to system security. The execute-only firmware exclusively permits code execution and prevents any external attempts at reading the content. As part of a hardware security assessment, this research reveals a potential vulnerability in protected execute-only firmware, illustrating that its content can be fully extracted using the invasive selective chemical engraving technique. This technique relies on visualizing the data of '0' and '1' through electrochemical reactions. The subsequent firmware recovery process involves direct binary extraction, physical-to-Iogical mapping, and error correction to obtain machine code with 100% accuracy. The resulting machine code can be further disassembled to analyse various instructions, functions, and data libraries. This bottom-up approach of firmware recovery can be invaluable for assessing the integrity and authenticity of the execute-only memory. On the other hand, these findings demonstrate the significant threat posed by the invasive selective chemical engraving technique to protected execute-only firmware in widely deployed microcontrollers. Consequently, there is a pressing need to reassess the current hardware security schemes and implement robust measures to effectively counteract such invasive attacks.

KW - data extraction

KW - execute-only firmware

KW - protected flash memory

KW - selective chemical engraving

UR - http://www.scopus.com/inward/record.url?scp=85196079408&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85196079408&partnerID=8YFLogxK

U2 - 10.1109/HOST55342.2024.10545381

DO - 10.1109/HOST55342.2024.10545381

M3 - Conference contribution

AN - SCOPUS:85196079408

T3 - Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024

SP - 12

EP - 20

BT - Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024

Y2 - 6 May 2024 through 9 May 2024

ER -

Zeng X, Qing L, Chef S, Gan CL. A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving. In Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024. Institute of Electrical and Electronics Engineers Inc. 2024. p. 12-20. (Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024). doi: 10.1109/HOST55342.2024.10545381

A Security Assessment of Protected Execute-Only Firmware in Microcontrollers Through Selective Chemical Engraving

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus Subject Areas

Keywords

Access to Document

Other files and links

Fingerprint

Cite this