def findCriticalGadgets(p):
    """Scan the ROM image for byte sequences that could write to critical SFRs.

    Defensive check against ROP attacks which could write to OTP memory.
    Every opcode in FirmwareLib.IRAM_WRITE_OPCODES is paired with each
    critical address, and the two-byte sequence (opcode, address) is searched
    for in the raw bytes of p.rom. Each hit is printed with its offset, the
    two bytes, and the opcode-table entry for that opcode.

    The search runs over raw bytes at every offset, not over decoded
    instructions, so it also reports sequences that straddle instruction
    boundaries or that sit in data. A hit is a candidate for review, not a
    proven gadget.

    NOTE(review): only encodings where the address byte directly follows the
    opcode byte are matched -- confirm this holds for every entry in
    IRAM_WRITE_OPCODES.

    Args:
        p: object whose ``rom`` attribute is an iterable of values accepted
            by chr().

    Raises:
        ValueError: if at least one matching sequence was found.
    """
    print("\nCritical gadgets:\n")

    image = ''.join(map(chr, p.rom))
    mnemonics = FirmwareLib.opcodeTable()

    # Critical addresses
    CRITICAL_ADDRS = [
        0xA7,   # MEMCON (allows executing code from RAM)
        0x87,   # PCON (allows read/write of program memory)
    ]

    hits = 0
    for op in FirmwareLib.IRAM_WRITE_OPCODES:
        for ramaddr in CRITICAL_ADDRS:
            needle = chr(op) + chr(ramaddr)

            # Resume one byte past each hit so overlapping matches are reported too.
            offset = image.find(needle)
            while offset >= 0:
                print("\t@%04x: %02x %02x %s" % (offset, op, ramaddr, mnemonics[op]))
                hits += 1
                offset = image.find(needle, offset + 1)

    if not hits:
        print("\tNone found")
        return

    # Any hit fails the check outright instead of only being logged.
    raise ValueError("Found potential security holes")
def __init__(self, parser):
    """Keep a reference to the parser and store the opcode table on the instance."""
    self.p = parser

    # Fetch the table once and keep it on the instance.
    table = FirmwareLib.opcodeTable()
    self.opTable = table