Next up on the Scruffy City Hall stage of @BSidesKnoxville is @bxsays. Drop what you are doing and catch this talk!
In Bx's view, a bootloader is just another type of executable loader. ELF, PE or U-Boot, they are still loading a program into memory before jumping into it.
A few years back, Bx found a way to make an ELF loader parse its own output as metadata. This and a fancy trick for calling I/O functions gave a complete brainfuck implementation that runs before loading completes!
github.com/bx/elf-bf-tools
Generally all of these I/O registers are available to the bootloader, even at times when they aren't needed. Bx proposes that an MMU might enforce access to these pages, just as it does to RAM pages.
You can even have your image be loaded *into I/O*!

"What you are loading tells you what it needs, and it is the loader's responsibility to know whether this is safe."
Her toolsuite instruments a real bootloader process through GCC, as a way to measure and test write restrictions.
typedregions.com
She logs all memcpy()-type calls, then works backward from that to divide them by purpose. (Reading SD card, zeroing the .bss region, etc.)
Combining this with U-Boot's call graph, she can divide U-Boot's behavior into stages behaviorally, more accurately than by reading the code.
And knowing the stages, she can measure which resources each stage accesses, in order to know the implicit rules for what good page permissions might be.
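As an added illustration of the measure-then-restrict idea in the last three tweets (not code from the talk or from the typedregions tool suite), here is a small C simulation: every memcpy()/memset()-type call is routed through a logging wrapper that records which boot stage wrote into which region of a simulated RAM, and the per-stage record is then used as an implicit write policy. The memory layout, the three stages (init, load, jump) and the "SD card" image bytes are all constructed for this example; real instrumentation would hook the calls via GCC rather than by calling a wrapper by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical target RAM layout for the simulation (offsets into ram[]). */
#define RAM_SIZE  0x4000
#define BSS_OFF   0x0000
#define BSS_LEN   0x1000
#define LOAD_OFF  0x1000
#define LOAD_LEN  0x2000
#define STACK_OFF 0x3000
#define STACK_LEN 0x1000

static uint8_t ram[RAM_SIZE];

enum region { REG_BSS, REG_LOAD, REG_STACK, REG_NONE, REG_COUNT };
enum stage  { ST_INIT, ST_LOAD, ST_JUMP, ST_COUNT };

static const char *region_name[REG_COUNT] = { "bss", "load", "stack", "none" };
static const char *stage_name[ST_COUNT]   = { "init", "load", "jump" };

/* Which region a write of n bytes at dst lands in. A write outside ram[] or
 * straddling two regions is classified as REG_NONE so it can never be allowed. */
static enum region region_of(const void *dst, size_t n)
{
    uintptr_t p = (uintptr_t)dst, base = (uintptr_t)ram;
    if (n == 0 || p < base || p + n > base + RAM_SIZE) return REG_NONE;
    size_t off = (size_t)(p - base), end = off + n;
    if (off >= BSS_OFF   && end <= BSS_OFF   + BSS_LEN)   return REG_BSS;
    if (off >= LOAD_OFF  && end <= LOAD_OFF  + LOAD_LEN)  return REG_LOAD;
    if (off >= STACK_OFF && end <= STACK_OFF + STACK_LEN) return REG_STACK;
    return REG_NONE;
}

/* Profiling result: per stage, a bitmask of regions observed being written. */
static unsigned observed[ST_COUNT];

static void note_write(enum stage st, const void *dst, size_t n)
{
    enum region r = region_of(dst, n);
    observed[st] |= 1u << r;
    printf("[%-4s] wrote %zu bytes into %s\n", stage_name[st], n, region_name[r]);
}

/* Instrumented stand-ins for the memcpy()-type calls the tool suite logs. */
static void *logged_memcpy(enum stage st, void *dst, const void *src, size_t n)
{
    note_write(st, dst, n);
    return memcpy(dst, src, n);
}

static void *logged_memset(enum stage st, void *dst, int c, size_t n)
{
    note_write(st, dst, n);
    return memset(dst, c, n);
}

/* Constructed stand-in for an image read off the SD card. */
static const uint8_t sd_image[] = { 0x7f, 'E', 'L', 'F', 1, 2, 3, 4 };

/* The profiling run: a well-behaved boot that zeroes .bss in the init stage,
 * copies the image into the load region in the load stage, and writes nothing
 * in the jump stage. */
void run_profiled_boot(void)
{
    memset(observed, 0, sizeof observed);
    logged_memset(ST_INIT, ram + BSS_OFF, 0, BSS_LEN);
    logged_memcpy(ST_LOAD, ram + LOAD_OFF, sd_image, sizeof sd_image);
}

unsigned stage_writes(enum stage st) { return observed[st]; }

/* Derived policy: a stage may write only to regions it was seen writing while
 * profiling. Returns 1 if the write is allowed, 0 if it should be trapped. */
int write_allowed(enum stage st, const void *dst, size_t n)
{
    enum region r = region_of(dst, n);
    return r != REG_NONE && (observed[st] & (1u << r)) != 0;
}

int main(void)
{
    run_profiled_boot();
    for (int s = 0; s < ST_COUNT; s++)
        for (int r = 0; r < REG_NONE; r++)
            printf("stage %-4s %s %s\n", stage_name[s],
                   (observed[s] & (1u << r)) ? "may write" : "read-only",
                   region_name[r]);
    /* A write to .bss after init is outside the observed rules. */
    printf("late bss write allowed: %d\n", write_allowed(ST_JUMP, ram + BSS_OFF, 4));
    return 0;
}
```

The point of the simulation is the last two functions: once the profiling run has filled `observed`, the bitmask per stage is exactly the page-permission table an MMU could enforce, and any memcpy() that does not fit it (a write from the jump stage, or a copy that straddles the load region into the stack) is the kind of event the talk argues the loader should be responsible for refusing.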