Secrets of the Intel ME
Igor Skochinsky
Hex-Rays
CODE BLUE 2014
Tokyo
Secrets of the Intel ME: finding the code hidden in the chipset and figuring out what it does, by Igor Skochinsky

The Intel Management Engine (ME) is a dedicated microcontroller built into the chipset of every recent Intel motherboard. It runs independently of the main CPU, even when the system is powered off, and has a dedicated connection to the network interface. This talk analyses its architecture, the possibility of attacks against it, and countermeasures.

The Intel Management Engine ("ME") is a dedicated microcontroller embedded in recent Intel motherboard chipsets. It is completely independent of the motherboard's main CPU, can run while the system itself is not running, and has a dedicated connection to the network interface, which allows out-of-band communication that bypasses both the main CPU and the installed OS. Beyond the management tasks it was originally intended for, it implements a range of features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, and NFC communication. Very little information is currently available on how this microcontroller works; this presentation aims to fill that gap and to discuss the low-level details.

Igor Skochinsky

Igor Skochinsky is one of the principal developers of the world-renowned Interactive Disassembler (IDA) and the Hex-Rays Decompiler. He was interested in reverse engineering well before joining Hex-Rays in 2008 and is known for QTFairUse6, which stripped the DRM from iTunes, and for his hacks of the early Amazon Kindle devices. He has presented at Recon, Breakpoint and Hack.LU.

Transcript of "Secrets of the Intel ME: finding the code hidden in the chipset and figuring out what it does, by Igor Skochinsky" (the Japanese slide text was lost in extraction; only the Latin-script fragments of each slide survive and are given below)

  1. Secrets of the Intel ME. Igor Skochinsky, Hex-Rays. CODE BLUE 2014, Tokyo.
  2. (c) 2014 Igor Skochinsky. Agenda [bullet text not extracted; only the word "ME" survives in two of the bullets].
  3. About me: 15 [...]; IDA; joined Hex-Rays in 2008; IDA (...); [hacks of the] Kindle and Sony Reader; PC [firmware] (BIOS, UEFI, ME); reddit.com/r/ReverseEngineering/
  4. ME: [what it is]. (...); [lives in the chipset] (GMCH, PCH, MCH); BIOS, CPU; (... CPU ...); CPU [remaining bullet text not extracted].
  5. ME: [block diagram]. Credit: Intel 2009
  6. ME: [interfaces to the host] OS. HECI (MEI): Host Embedded Controller Interface, a PCI [device]; SOAP [web services over] HTTP and HTTPS.
  7. ME: [features]. Active Management Technology (AMT): KVM; [power] on/off; IDE Redirection (IDE-R) and Serial over LAN (SOL): [boot the] PC [from a remote] CD/HDD [image, independent of the local] OS; [...]: 2[-factor] one-time passwords (OTP); [...]: PIN.
  8. ME: [title not extracted]. PC "..." PC; 3G SMS; HDD; [last bullet not extracted].
  9. ME: [image slide, no text extracted].
  10. ME: [sources of information]. (...); [...]; HECI; AMT SDK; Linux [...]; coreboot; BIOS; ME BIOS; ME.
  11. ME [...]. ME [...]; FTP [...]; [remaining bullets not extracted] :)
  12. FSP [Intel Firmware Support Package]. 2013; [...]; Intel; HM76/QM77; ME; http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp-overview ("confidential" :)
  13. SPI [flash]. The SPI [flash holds the] BIOS, ME [and] GbE [regions]; BIOS (and OS) [...] ME; Descriptor [...] ME; Descriptor [...].
  14. ME [firmware]. ME [...]; [second bullet not extracted].
  15. ME [firmware]. "..."; RSA [...].
  16. ME [firmware: two generations]. Gen 2: Intel 5 Series (Ibex Peak) [and later].
                          Gen 1            Gen 2
      ME versions         1.x-5.x          6.x-9.x
      Core                ARCTangent-A4    ARC 600(?)
      Instruction set     ARC (32-bit)     ARCompact (32/16)
      Manifest tag        $MAN             $MN2
      Module header tag   $MOD             $MME
      Code compression    None, LZMA       None, LZMA, Huffman
  17. ME [firmware modules].
      Module name   Description
      BUP           Bringup (hardware initialization/configuration)
      KERNEL        Scheduler, low-level APIs for other modules
      POLICY        Secondary init tasks, some high-level APIs
      HOSTCOMM      Handles high-level protocols over HECI/MEI
      CLS           Capability Licensing Service: enable/disable features depending on SKU, SKU upgrades
      TDT           Theft Deterrence Technology (Intel Anti-Theft)
      Pavp          Protected Audio-Video Path
      JOM           Dynamic Application Loader (DAL); used to implement Identity Protection Technology (IPT)
  18. ME: ROM. ROM [...]; [two bullets not extracted]; ME "ROMB".
  19. ME: ROM. ROM [...]; [second bullet not extracted].
  20. ME: ROM. ME [...]; ROMB [...].
  21. ME: ROM. ROMB [vs] ROM; ROM [contains]: C [runtime functions] (memcpy, memset, strcpy, ...); ThreadX RTOS; API [...]; ROM [...]; FTPR [partition], BUP; BUP [...] KERNEL :(
  22. ME: [image slide, no text extracted].
  23. ME: [secure boot]. ME [...]; ME [firmware is] RSA [signed and verified by the boot] ROM:
      "During the design phase, a Firmware Signing Key (FWSK) public/private pair is generated at a secure Intel Location, using the Intel Code Signing System. The Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus fixed. Each approved production firmware image is digitally signed by Intel with the private FWSK. The public FWSK and the digital signature are appended to the firmware image manifest. At runtime, a secure boot sequence is accomplished by means of the boot ROM verifying that the public FWSK on Flash is valid, based on the hash value in ROM. The ROM validates the firmware image that corresponds to the manifest's digital signature through the use of the public FWSK, and if successful, the system continues to boot from Flash code."
      ("Architecture Guide: Intel® Active Management Technology", 2009)
  24. ME: [memory] (UMA). ME [uses host] RAM (UMA) (MCU ...); ME, BIOS, CPU [...]; 2009: Invisible Things Lab [ring -3 rootkit work; see references]; ...
  25. ME: UMA [getting at it]. UMA [...]; #1: BIOS MESEG [...]; [...]; [...]; UEFI [...]; [...]; [...]: [...]; [...]: ...
  26. ME: UMA. #2: [...]; DRAM UMA [...]; ... [Note: ME UMA ...; UMA ...]
  27. ME: UMA. [...]; [...]; DDR3 [scrambling]:
      "The memory controller incorporates a DDR3 Data Scrambling feature to minimize the impact of excessive di/dt on the platform DDR3 VRs due to successive 1s and 0s on the data bus. [...] As a result the memory controller uses a data scrambling feature to create pseudo-random patterns on the DDR3 data bus to reduce the impact of any excessive di/dt."
      (from Intel Corporation Desktop 3rd Generation Intel® Core™ Processor Family, Desktop Intel® Pentium® Processor Family, and Desktop Intel® Celeron® Processor Family Datasheet)
  28. ME: UMA. #3: [...] UMA [...]; UMA FPT 1 [...]; FPT [...]; [...]: 1) 32MB FPT: BIOS 32MB, ME 16MB; 2) 16MB FPT: BIOS 16MB, 16MB [...]; [last bullet not extracted]
  29. ME: UMA. #4: [...]; BIOS [...]; UEFI "Setup" (... Breakpoint 2012 ...); [...]
  30. ME: UMA. #5: [...]; [two bullets not extracted]; ...
  31. [Title not extracted]. ME [...]; [...]; (SPS); BUP, KERNEL; #1: BUP !; KERNEL "..." ...; #2: (...); 2 [...]; [last bullet not extracted]
  32. JOM and DAL. JOM [appeared in] ME 7.1; Dynamic Application Loader (DAL); ME (...); (... IPT); ME [...]; ...
  33. JOM and DAL. [...]; Java [strings found in the module]:
      "Could not allocate an instance of java.lang.OutOfMemoryError"
      "linkerInternalCheckFile: JEFF format version not supported"
      "com.intel.crypto"
      "com.trustedlogic.isdi"
      "Starting VM Server..."
  34. JOM and DAL. Java VM [...]; ME [...] Base64 BLOB "oath.dalp"; [...]; "Medal App"; JOM [uses the] "JEFF" [format]; JEFF [vs] Java [class files]; Java [...]; [last bullet not extracted]
  35. JOM and DAL. ...; Java ...; .ascii "Invalid constant offset in the SLDC instruction"
  36. JEFF [format]. JEFF [...]; J [Consortium], 2001; ISO [standard] (ISO/IEC 20970); [remaining six bullets not extracted]
  37. JEFF [parsing]. Python [...]; oath.dalp [...] JEFF; [...]; Java [...]; [...]: [...]; UI (...); [remaining bullets not extracted]
  38. JEFF [class dump]. (...):
      Class com.intel.util.IntelApplet
      private:
          /* 0x0C */ boolean m_invokeCommandInProcess;
          /* 0x00 */ OutputBufferView m_outputBuffer;
          /* 0x0D */ boolean m_outputBufferTooSmall;
          /* 0x04 */ OutputValueView m_outputValue;
          /* 0x08 */ byte[] m_sessionId;
      public:
          void <init>();
          final int getResponseBufferSize();
          final int getSessionId(byte[], int);
          final int getSessionIdLength();
          final String getUUID();
          final abstract int invokeCommand(int, byte[]);
          int onClose();
          final void onCloseSession();
          final int onCommand(int, CommandParameters);
          int onInit(byte[]);
          final int onOpenSession(CommandParameters);
          final void sendAsynchMessage(byte[], int, int);
          final void setResponse(byte[], int, int);
          final void setResponseCode(int);
  39. IPT [applet]. [...]; OATH [applet]:
      package com.intel.dal.ipt.framework;
      public class AppletImpl extends com.intel.util.IntelApplet
      {
          final int invokeCommand(int, byte[])
          {
              ...
          }
          int onClose()
          {
              ...
          }
          int onInit(byte[])
          {
              ...
          }
      }
  40. IPT [...]. ME [...]; [two bullets not extracted]; ...
  41. IPT [architecture]. C/C++, Java, .NET API [via a] DLL; DLL [to] JHI [over] COM [or] TCP/IP; [JHI to the] ME [over] HECI/MEI; ME JOM; JOM [...]; [...]; out-of-band [...]
  42. Trusted Execution Environment. JOM [is based on] Trusted Logic Mobility's ([now] Trustonic) "Trusted Foundations" Trusted Execution Environment (TEE); [...]: Trusted Foundations
  43. Trusted Execution Environment. Trusted Foundations [...]; ARM TrustZone [...]; GPL [...] Trusted Foundations; [...]; TrustZone [vs] ME/JOM: HECI/MEI [...]; [last bullet not extracted]
  44. Trusted Execution Environment. GlobalPlatform (Trusted Logic Mobility/Trustonic ...) TEE [specifications]; API (TEE ...) API; ME [...]; http://www.globalplatform.org/specificationsdevice.asp
  45. [Summary]. ME [...]; ME [...]; ROM, BUP, KERNEL; API; JEFF, DAL/IPT; ARC [processor support]: IDA 6.4, IDA 6.5
  46. [Title not extracted]. [...]; JEFF [to] .class [...] JEFF; [...]; Linux IPT; EFFS; ME; EFFS; [two bullets not extracted]
  47. [Title not extracted]. [...]; [...]; [...]; UMA; [...]; ME ↔ [...]; [...]; [...]; ...; [...]
  48. [Tools and related work]. BIOS RE [...]; ME [...]; ME BIOS [...]; BIOS [...]; Nikolaj Schlej's UEFITool (UEFI ...): https://github.com/NikolajSchlej/UEFITool; Coreboot [and the] ME; [...]; Open Virtual Platform (www.ovpworld.org): ARC600, ARC700 (ARCompact) [models]; [two bullets not extracted]
  49. [References].
      http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/
      http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/
      http://theinvisiblethings.blogspot.com/2009/08/vegas-toys-part-i-ring-3-tools.html
      http://download.intel.com/technology/itj/2008/v12i4/paper[1-10].pdf
      http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf
      http://www.stewin.org/papers/dimvap15-stewin.pdf
      http://www.stewin.org/techreports/pstewin_spring2011.pdf
      http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf
      http://flashrom.org/trac/flashrom/browser/trunk/Documentation/mysteries_intel.txt
      http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=src/southbridge/intel/bd82x6x/me.c
      http://download.intel.com/technology/product/DCMI/DCMI-HI_1_0.pdf
      http://me.bios.io/
      http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf
  50. [Contact]. igor@hex-rays.com, skochinsky@gmail.com
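The verification chain quoted on slide 23 (only a SHA-1 hash of the public FWSK lives in the boot ROM; the flash manifest carries the public key and the RSA signature over the image; the ROM checks the key against its hash before it checks the signature) as an added Python example. This is not Intel's code or the author's. Everything below the quoted chain is an assumption made for the demo: the key is a tiny textbook-RSA key built from two well-known primes so the script runs with the standard library alone (a real FWSK is RSA-2048 with a padded signature scheme), the manifest layout and the function names are invented, and the firmware image is a constructed byte string.

```python
"""
Toy model of the ME boot ROM firmware-verification chain from the Intel AMT
Architecture Guide. Added example, not Intel's or the author's code.

Assumptions (demo only): textbook RSA with two ~30-bit primes instead of an
RSA-2048 key with padding; an invented 20-byte manifest layout
(8-byte n, 4-byte e, 8-byte signature); a constructed firmware image.
"""
import hashlib

# --- "Intel Code Signing System": the FWSK key pair (tiny, demo only) ---
P, Q = 1_000_000_007, 998_244_353      # well-known primes, not a real key size
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private FWSK exponent (Python >= 3.8)


def pubkey_bytes(n: int, e: int) -> bytes:
    """Serialize the public FWSK as it sits in the manifest (demo layout)."""
    return n.to_bytes(8, "big") + e.to_bytes(4, "big")


def image_digest(image: bytes, n: int) -> int:
    """SHA-1 of the firmware image, reduced mod n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha1(image).digest(), "big") % n


def sign_image(image: bytes, n: int, d: int) -> int:
    """Intel-side step: sign the image digest with the private FWSK."""
    return pow(image_digest(image, n), d, n)


def build_manifest(n: int, e: int, sig: int) -> bytes:
    """Manifest appended to the flash image: public FWSK followed by the signature."""
    return pubkey_bytes(n, e) + sig.to_bytes(8, "big")


def rom_hash_of_key(n: int, e: int) -> bytes:
    """What is burned into the boot ROM: a hash of the public FWSK, not the key itself."""
    return hashlib.sha1(pubkey_bytes(n, e)).digest()


def rom_verify(rom_key_hash: bytes, manifest: bytes, image: bytes) -> str:
    """Boot-ROM side. Returns 'ok' or the reason for refusing to boot from flash."""
    n = int.from_bytes(manifest[0:8], "big")
    e = int.from_bytes(manifest[8:12], "big")
    sig = int.from_bytes(manifest[12:20], "big")
    # Step 1: the public key found on flash must match the hash fixed in ROM.
    if hashlib.sha1(manifest[0:12]).digest() != rom_key_hash:
        return "bad key: public FWSK on flash does not match ROM hash"
    # Step 2: only then is the signature over the image checked with that key.
    if pow(sig, e, n) != image_digest(image, n):
        return "bad signature: image does not match manifest signature"
    return "ok"


# Constructed sample image (module names from the talk's module table, no real code).
IMAGE = b"FTPR BUP KERNEL POLICY HOSTCOMM ... (constructed firmware image)"
ROM_HASH = rom_hash_of_key(N, E)
MANIFEST = build_manifest(N, E, sign_image(IMAGE, N, D))


def demo() -> dict:
    """The three situations the ROM has to tell apart."""
    # Attacker-controlled key of the same toy construction, different primes.
    p2, q2 = 2_147_483_647, 1_000_000_009
    n2, d2 = p2 * q2, pow(E, -1, (p2 - 1) * (q2 - 1))
    evil_image = IMAGE.replace(b"KERNEL", b"BACKDR")
    evil_manifest = build_manifest(n2, E, sign_image(evil_image, n2, d2))
    return {
        "genuine": rom_verify(ROM_HASH, MANIFEST, IMAGE),
        "tampered_image": rom_verify(ROM_HASH, MANIFEST, evil_image),
        # Re-signing with a key the attacker controls fails already at step 1.
        "attacker_key": rom_verify(ROM_HASH, evil_manifest, evil_image),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

Running it gives three verdicts: the genuine image passes, a modified image fails the signature check, and an image re-signed with an attacker's key fails earlier at the key-hash check. That ordering is the point of keeping the hash in ROM rather than on flash: an attacker who can rewrite the ME region (and therefore the manifest's public key) still cannot boot their own firmware unless the ROM itself can be changed.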