Tapping into the core
Dec. 29, 2016•0 likes•32,783 views
Download to read offline
Report
Technology
Intel® Direct Connect Interface as a basis for hardware Trojans
Positive Hack DaysFollow
More Related Content
What's hot
Instruction Set ArchitectureDilum Bandara
Intel+80286Dhanwantari Sali
Introduction to-microprocessorsVolodymyr Ushenko
Unit III ARM Interface and ARM Programming Dr. Pankaj Zope
Input output organisationSanjeev Patel
Motherboard + ports & connectornorhaslinamj
Similar to Tapping into the core
Kernel Memory Protection
by an Insertable Hypervisor
which has VM Introspec...Kuniyasu Suzaki
Stuxnet dc9723Iftach Ian Amit
Tkos secure boot_lecture_20190605benavrhm
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
Faults inside System SoftwareNational Cheng Kung University
More from Positive Hack Days
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
Аналитика в проектах: TFS + QlikPositive Hack Days
Использование анализатора кода SonarQubePositive Hack Days
Развитие сообщества Open DevOps CommunityPositive Hack Days
Recently uploaded
UiPath Tips and Techniques for Error Handling - Session 2DianaGray10
Future of SkillsAlison B. Lowndes
Need for Speed: Removing speed bumps in API ProjectsŁukasz Chruściel
Product Research Presentation-Maidy Veloso.pptxMaidyVeloso
BuilderAI Proposal_MalesniakMichael Lesniak
Die ultimative Anleitung für HCL Nomad Web Administratorenpanagenda
Tapping into the core
- 1. Tapping into the C ore Maxim Goryachy Mark Ermolov Chaos Computer Club (33C 3), Hamburg, 2016
- 2. Intel® Direct C onnect Interface as a bas is for hardware Trojans Maxim Goryachy Mark Ermolov Positive Research Center mgoryachiy@ptsecurity.com mermolov@ptsecurity.com
- 3. mgoryachy@ptsecurity.com mermolov@ptsecurity.com Agenda 3 • Definition of a Hardware Trojan • Debugging features as a basis of a Hardware Trojan • An overview of the debugging features in modern Intel CPUs • Activating debugging • Detecting enabled debugging
- 4. Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system. Hardware Trojan can be inserted at the stage of production, shipment, storage, or use. Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia Hardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009 Xiaoxiao Wang and Mohammad Tehranipoor Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008 http://spywareremovers.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan 4
- 5. mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan (E xample) 5
- 6. What If You Are a White Hat Use the JTAG, Luke! mgoryachy@ptsecurity.com mermolov@ptsecurity.com 6
- 7. What Is JTAG? Joint Test Action Group IEEE 1149.1 • https://en.wikipedia.org/wiki/JTAG • IEEE Standard 1149.1 https://standards.ieee.org/findstds/standard/1149.1-2013.html • Blackbox JTAG Reverse Engineering [26C3] https://www.youtube.com/watch?v=Up0697E5DGc https://www.xjtag.com mgoryachy@ptsecurity.com mermolov@ptsecurity.com 7
- 8. Uses of JTAG • Forensics (Dump Flash, rootkit detection) • Research (Cache as RAM, Secure Boot, Boot Guard, SMM) • Low-level debugging (UEFI DXE/PEI, drivers, hypervisor) • Performance analysis mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://partsolutions.com/ 8
- 9. JTAG in Intel C PUs • JTAG 101 IEEE 1149.x and Software Debug http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101- ieee-1149x-paper.pdf • Debug Port Design Guide for UP/DP Systems http://download.intel.com/support/processors/pentium4/sb/31337301.pdf https://upload.wikimedia.org mgoryachy@ptsecurity.com mermolov@ptsecurity.com 9
- 10. C onnection Types • Intel In-Target Probe eXtended Debug Port (ITP-XDP) • Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon. There are two types of DCI hosting interfaces in the platform: USB3 Hosting DCI (USB Debug cable) BSSB Hosting DCI (Intel SVT Closed Chassis Adapter) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 10
- 11. Intel ITP-XDP https://designintools.intel.com Direct connection to CPU debugging interface Price $3,000 Special board socket is required Supported by Intel System Studio trial version Protocol covered by NDA mgoryachy@ptsecurity.com mermolov@ptsecurity.com 11
- 12. Intel® Direct C onnect Interface (DC I) Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH) Works with U series out-of-box chipsets only mgoryachy@ptsecurity.com mermolov@ptsecurity.com 12
- 13. BSSB Hos ting DC I https://designintools.intel.com Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA or BSSB) provides access to DFx features, like JTAG and run control, through USB3 ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms. Supported by Intel System Studio trial version Price $390 Private protocol using physical USB links mgoryachy@ptsecurity.com mermolov@ptsecurity.com 13
- 14. USB3 Hos ting DC I http://www.datapro.net/ No extra hardware required (standard USB 3.0 cable) OTG device, “magic” port needs to be found Deep Sleep mode not supported Supported by Intel System Studio trial version Run through the device integrated to the target platform Standard USB protocol used mgoryachy@ptsecurity.com mermolov@ptsecurity.com 14
- 15. USB3 Hos ting DC I Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 15
- 16. What Is Simple USB-cable Able to Do… mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://www.datapro.net/ 16
- 17. DEMO ptsecurity.com 17 17
- 18. How to Activate DC I? • UEFI Human Interface Infrastructure (UEFI HII) • PCH Strap (Intel Flash Image Tool) • P2SB device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 18
- 19. Activation via UEFI HII • UEFI Human Interface Infrastructure http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF • AMI BIOS Configuration Program 5.0 https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/ • It is possible to reprogram BIOS by programmer or through SPI controller (if privileges allow), but the target platform could shut down with an error if Boot Guard is running. http://www.dediprog.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com 19
- 20. Activation via UEFI HII mgoryachy@ptsecurity.com mermolov@ptsecurity.com 20
- 21. Activation via PC H Strap • Intel® Flash Image Tool http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp- System-Tools.html • Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 21
- 22. Manually via P2SB Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 22
- 23. How to Fight Back? • BootGuard • Direct Connect Interface Enable bit check • MSR IA32_DEBUG_INTERFACE mgoryachy@ptsecurity.com mermolov@ptsecurity.com 23
- 24. IA32_DE BUG_INTE RFAC E mgoryachy@ptsecurity.com mermolov@ptsecurity.com 24
- 25. New Age of BadUSB? http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg mgoryachy@ptsecurity.com mermolov@ptsecurity.com 25
- 26. Summary • Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system; • Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers; • Big vendor of motherboard vendor (we aren’t disclose); • Ensure that your Skylake laptop has DCI disabled. mgoryachy@ptsecurity.com mermolov@ptsecurity.com 26
- 27. Thank you! Questions? mgoryachiy@ptsecurity.com mermolov@ptsecurity.com github.com/ptresearch 27