SlideShare a Scribd company logo

CSW2017 Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow

CanSecWest
CanSecWest

This document discusses how abusing CPU hot-add weaknesses could allow escalating privileges in server datacenters. It describes how CPU hot-add works, allowing addition of new CPUs to a running system without shutting down. Two memory regions important for hot-add are identified as assets to protect: 0x38000 holding SMI code, and 0x0e2000 holding SIPI vectors. An attack corrupting 0x38000 to inject malicious SMI code and escalate to SMM privileges is demonstrated. Mitigation using hardware protection of memory regions from DMA is discussed.

Internet
1 of 64
Download to read offline
Abusing CPU Hot-Add weaknesses to escalate privileges in Server Datacenters Cuauhtemoc Chavez-Corona, Jorge Gonzalez-Diaz, Rene Henriquez-Garcia, Laura Fuentes-Castaneda, Jan Seidl Intel Corporation Security Center of Excellence cuauhtemoc.chavez.corona@intel.com rene.e.henriquez.garcia@intel.com March 16, 2017 CanSecWest 2017 Vancouver, Canada 1/24
Legal Disclaimer The comments and statements are from the authors and not necessarily Intel's Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer No computer system can be absolutely secure CanSecWest 2017 Vancouver, Canada 2/24
Background: Datacenter’s landscape CLOUD Server Server Server CanSecWest 2017 Vancouver, Canada 3/24
Background: Datacenter’s landscape Mission-critical applications such as e-commerce, ERP, CRM, BI have low tolerance for downtime CanSecWest 2017 Vancouver, Canada 4/24
Background: Datacenter’s landscape Mission-critical applications such as e-commerce, ERP, CRM, BI have low tolerance for downtime As a response, solutions comprised of robust Hardware + reliable/serviceable FW/SW are continuously being designed CanSecWest 2017 Vancouver, Canada 4/24
Background: Datacenter’s landscape Mission-critical applications such as e-commerce, ERP, CRM, BI have low tolerance for downtime As a response, solutions comprised of robust Hardware + reliable/serviceable FW/SW are continuously being designed Are these new systems being architected such that the attack surface is not increased? We’ll see.. CanSecWest 2017 Vancouver, Canada 4/24
Background: Attacks coming from DMA entry point Understanding DMA Malware ,Patrick Stewin and Iurii Bystrov, Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment,2013 CanSecWest 2017 Vancouver, Canada 5/24
Background: Attacks coming from DMA entry point Understanding DMA Malware ,Patrick Stewin and Iurii Bystrov, Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment,2013 Direct Memory Attack the KERNEL, ULF FRISK, DEFCON 24 August 4-7 2016 CanSecWest 2017 Vancouver, Canada 5/24
Definition: RAS features Reliability Can be defined as the characteristic that ensures the system will provide correct outputs, and any corrupted data will be detected and repaired. Availability Means that the system will be operating during the planned time, avoiding unexpected crashes. Serviceability Refers to the simplicity and speed of maintenance and repara- tion. CanSecWest 2017 Vancouver, Canada 6/24
Definition: CPU Hot Add CPU Hot Add (aka CPU on-lining) is a RAS feature that allows customers to increase computing power in a Server by adding a new socket to the already running system at Intel R QPI interface without the necessity of shutting down the machine. CanSecWest 2017 Vancouver, Canada 7/24
Definition: CPU Hot Add CPU Hot Add (aka CPU on-lining) is a RAS feature that allows customers to increase computing power in a Server by adding a new socket to the already running system at Intel R QPI interface without the necessity of shutting down the machine. In a multi-CPU system comprised of n processors, one can therefore choose to boot with m CPUs where m < n CanSecWest 2017 Vancouver, Canada 7/24
Definition: CPU Hot Add CPU Hot Add (aka CPU on-lining) is a RAS feature that allows customers to increase computing power in a Server by adding a new socket to the already running system at Intel R QPI interface without the necessity of shutting down the machine. In a multi-CPU system comprised of n processors, one can therefore choose to boot with m CPUs where m < n This allows the possibility to increase the computing power later if required by bringing up new CPUs to the already running system CanSecWest 2017 Vancouver, Canada 7/24
Definition: CPU Hot Add CPU On-lining requires coordinated support from the complete application stack to ensure correctness while adding a new CPU. Hardware. Internal logic in the CPU to drain transactions and prevent originators from sending new ones. Firmware. BIOS and SMM routines to trigger, handle and coordinate CPU on-lining. Operating System. Currently several OS’s support this feature. CanSecWest 2017 Vancouver, Canada 8/24
High level overview of Hot Add flow MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF CanSecWest 2017 Vancouver, Canada 9/24
High level overview of Hot Add flow Active CPUs enter in quiesce mode MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT CanSecWest 2017 Vancouver, Canada 9/24
High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT CanSecWest 2017 Vancouver, Canada 9/24
High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT CanSecWest 2017 Vancouver, Canada 9/24
High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. Interesting! 1. Boot flow is very sensitive CanSecWest 2017 Vancouver, Canada 9/24
High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. Interesting! 1. Boot flow is very sensitive 2. Quiesced CPUs need reconfiguration CanSecWest 2017 Vancouver, Canada 9/24
High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 ON CanSecWest 2017 Vancouver, Canada 9/24
High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. Release quiesced CPUs MotherBoard ON ON CPU3 ON CPU1 CPU2 ON CPU4 CanSecWest 2017 Vancouver, Canada 9/24
Brief overview of Boot Flow The Boot Strap Processor (BSP) is chosen BSP Fetch Code from the Flash Minimum System Configuration Memory Initialization. Memory Reference Code (MRC) BIOS Shadowing PAM (Programmable Attribute Maps) registers are used to make a copy of BIOS code into memory SMI initialization BSP sends the SIPI indication trough the Local Advance Programmable Controller Advanced Configuration Other platform & devices init; dispatch drivers (network, I/O, etc.); Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/ Apps; OS Boot Loader(s) Boot Flow END CanSecWest 2017 Vancouver, Canada 10/24
Security Claims from CPU Hot Add definition One fundamental Security Objective related to CPU Hot Add is that any new CPU to be introduced in the running system must execute a trusted path to ensure its security won't be subverted by any attacker already present in the system CanSecWest 2017 Vancouver, Canada 11/24
Security Claims from CPU Hot Add definition One fundamental Security Objective related to CPU Hot Add is that any new CPU to be introduced in the running system must execute a trusted path to ensure its security won't be subverted by any attacker already present in the system By attackers we mean Any rogue code already running in system’s CPUs DMA agents whose internal FW has been compromised CanSecWest 2017 Vancouver, Canada 11/24
Assets There are two interesting regions to be protected in order to ensure security claim presented previously CanSecWest 2017 Vancouver, Canada 12/24
Assets There are two interesting regions to be protected in order to ensure security claim presented previously 0x38000: Holds the code to be executed in the first SMI by the newly-added CPU in order to perform SMBASE relocation. CanSecWest 2017 Vancouver, Canada 12/24
Assets There are two interesting regions to be protected in order to ensure security claim presented previously 0x38000: Holds the code to be executed in the first SMI by the newly-added CPU in order to perform SMBASE relocation. 0xe2000: Holds SIPI initialization vector code vital for the newly-added CPU and its integration into the running system. CanSecWest 2017 Vancouver, Canada 12/24
Why do we care about those assets? SMM has superior privileges as it can change different settings which cannot be modified by OS CanSecWest 2017 Vancouver, Canada 13/24
Why do we care about those assets? SMM has superior privileges as it can change different settings which cannot be modified by OS In Servers, it is usually referred to as ring -2 whereas OS is being considered as ring 0 CanSecWest 2017 Vancouver, Canada 13/24
Why do we care about those assets? SMM has superior privileges as it can change different settings which cannot be modified by OS In Servers, it is usually referred to as ring -2 whereas OS is being considered as ring 0 Corrupting Startup Inter-Process Interrupt vector code is also interesting for an attacker as it could potentially be used to misconfigure initial configuration of the newly-added CPU CanSecWest 2017 Vancouver, Canada 13/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF DRAM 0x3FFFF 0x30000 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 Malicious SMI Handler 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 ON DRAM 0x3FFFF 0x30000 0x38000 Malicious SMI Handler 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ON ON CPU3 ON CPU1 CPU2 ON CPU4 DRAM 0x3FFFF 0x30000 0x38000 Malicious SMI Handler 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
0x38000 attack: Lab Setup Hardware Intel Platform/Motherboard supporting CPU Hot-Add Intel Xeon E7-8800 V2 family processor PP3380-AB PCIe 2 x1 - USB3380-AB Evaluation board Attacker’s laptop with Windows 10 64bit Operating System CanSecWest 2017 Vancouver, Canada 15/24
0x38000 attack: Lab Setup Hardware Intel Platform/Motherboard supporting CPU Hot-Add Intel Xeon E7-8800 V2 family processor PP3380-AB PCIe 2 x1 - USB3380-AB Evaluation board Attacker’s laptop with Windows 10 64bit Operating System Firmware BMC Firwmare supporting CPU Hot-Add flow System FW (aka BIOS) supporting CPU Hot-Add Flow CanSecWest 2017 Vancouver, Canada 15/24
0x38000 attack: Lab Setup Hardware Intel Platform/Motherboard supporting CPU Hot-Add Intel Xeon E7-8800 V2 family processor PP3380-AB PCIe 2 x1 - USB3380-AB Evaluation board Attacker’s laptop with Windows 10 64bit Operating System Firmware BMC Firwmare supporting CPU Hot-Add flow System FW (aka BIOS) supporting CPU Hot-Add Flow Software PCILeech solution and a batch script to automate data writes to memory Operating System supporting CPU Hot-Add (i.e. Windows 2008/2012 Server) CanSecWest 2017 Vancouver, Canada 15/24
PCILeech Configuration Place jumper on J3 at PP3380-AB board and start platform Run PCILeechFlash Installer.exe Wait a while (1 min or so) Shutdown the platform Remove jumper on J3 at PP3380-AB board and start platform Use our simple batch script to write 0x38000 region to inject arbitrary code CanSecWest 2017 Vancouver, Canada 16/24
Time to watch the DEMO CanSecWest 2017 Vancouver, Canada 17/24
Mitigating 0x38000 attack The attack just described is possible because DMA engines were still able to inject malicious code in 0x38000 region (despite Hardware effectively prevents code injection from existing cores in the system) CanSecWest 2017 Vancouver, Canada 18/24
Mitigating 0x38000 attack The attack just described is possible because DMA engines were still able to inject malicious code in 0x38000 region (despite Hardware effectively prevents code injection from existing cores in the system) To mitigate this, BIOS leverages existing HW protection mechanism in Intel CPUs against rogue DMA engines: GENPROTRANGE register programming CanSecWest 2017 Vancouver, Canada 18/24
Mitigating 0x38000 attack The attack just described is possible because DMA engines were still able to inject malicious code in 0x38000 region (despite Hardware effectively prevents code injection from existing cores in the system) To mitigate this, BIOS leverages existing HW protection mechanism in Intel CPUs against rogue DMA engines: GENPROTRANGE register programming This mitigation is already in place as part of BIOS reference code delivered to OEMs CanSecWest 2017 Vancouver, Canada 18/24
0xe2000 attack part I: Take control of the system by inserting rogue code Corruption of SIPI initialization vector DMA malicious writes could be attempted to attack 0xe2000 if not properly protected CanSecWest 2017 Vancouver, Canada 19/24
0xe2000 attack part I: Take control of the system by inserting rogue code Corruption of SIPI initialization vector DMA malicious writes could be attempted to attack 0xe2000 if not properly protected However, rogue code already present in other CPUs could try to corrupt the vector either before CPU on-lining flow gets triggered or in between SMIs CanSecWest 2017 Vancouver, Canada 19/24
0xe2000 attack part I: Take control of the system by inserting rogue code Corruption of SIPI initialization vector DMA malicious writes could be attempted to attack 0xe2000 if not properly protected However, rogue code already present in other CPUs could try to corrupt the vector either before CPU on-lining flow gets triggered or in between SMIs Mitigation: Secure Integrity check before attempting SIPI vector code execution CanSecWest 2017 Vancouver, Canada 19/24
Depiction of 0xe2000 attack part I MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF DRAM 0xE2000 CanSecWest 2017 Vancouver, Canada 20/24
Depiction of 0xe2000 attack part I MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
Depiction of 0xe2000 attack part I MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
Depiction of 0xe2000 attack part I MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT x DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
Depiction of 0xe2000 attack part I MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 ON x DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
Depiction of 0xe2000 attack part I MotherBoard ON ON CPU3 ON CPU1 CPU2 ON CPU4 x DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function CanSecWest 2017 Vancouver, Canada 21/24
0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function It turns out sometimes one can refer to the output of a cryptographic hash function as a checksum CanSecWest 2017 Vancouver, Canada 21/24
0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function It turns out sometimes one can refer to the output of a cryptographic hash function as a checksum In fact, this confusion led to erroneously implement an integrity verification mechanism in the form of a weak checksum (from a security standpoint) CanSecWest 2017 Vancouver, Canada 21/24
0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function It turns out sometimes one can refer to the output of a cryptographic hash function as a checksum In fact, this confusion led to erroneously implement an integrity verification mechanism in the form of a weak checksum (from a security standpoint) Such mechanism can easily be bypassed by crafting a special rogue code through some tweaks to arithmetically map it to the expected checksum CanSecWest 2017 Vancouver, Canada 21/24
Mitigating 0xe2000 attack Instead of verifying code vector’s integrity, always shadow a fresh copy into 0xe2000 region before its execution This mitigation is already in place as well by Intel into the BIOS reference code CanSecWest 2017 Vancouver, Canada 22/24
Conclusions Datacenter products and their features deserve a thorough security analysis despite old assumptions of being isolated behind building walls CanSecWest 2017 Vancouver, Canada 23/24
Conclusions Datacenter products and their features deserve a thorough security analysis despite old assumptions of being isolated behind building walls DMA remains as an interesting entry point since it might enable remote exploitation of security weaknesses; also, it turns out this entry point might be overlooked while architecturing new technologies CanSecWest 2017 Vancouver, Canada 23/24
Conclusions Datacenter products and their features deserve a thorough security analysis despite old assumptions of being isolated behind building walls DMA remains as an interesting entry point since it might enable remote exploitation of security weaknesses; also, it turns out this entry point might be overlooked while architecturing new technologies Implementation-wise, it is critical to ensure developers correctly understand the exact security mechanism that mitigates a corresponding threat; failure in this regard could lead to mistakenly break overall system’s security CanSecWest 2017 Vancouver, Canada 23/24
Thank you! Time for Q&As CanSecWest 2017 Vancouver, Canada 24/24

Recommended

CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat Security Conference
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing
OWASP
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 

Recommended

CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat Security Conference
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing
OWASP
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
SZ Lin
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
CanSecWest
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
CanSecWest
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
The Linux Foundation
 
Long-term Maintenance Model of Embedded Industrial Linux Distribution
Long-term Maintenance Model of Embedded Industrial Linux DistributionLong-term Maintenance Model of Embedded Industrial Linux Distribution
Long-term Maintenance Model of Embedded Industrial Linux Distribution
SZ Lin
 
y2038 issue
y2038 issuey2038 issue
y2038 issue
SZ Lin
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt Introduction
Logic Solutions, Inc.
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat Security Conference
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemsClaudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
linuxlab_conf
 
Csw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploitCsw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploit
CanSecWest
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
Fast boot
Fast bootFast boot
Fast boot
SZ Lin
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migration
Yan Vugenfirer
 
High availability deep dive high-end srx series
High availability deep dive high-end srx seriesHigh availability deep dive high-end srx series
High availability deep dive high-end srx series
Muhammad Denis Iqbal
 
Alessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocolAlessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocol
linuxlab_conf
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
CSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 finalCSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 final
CanSecWest
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 

More Related Content

What's hot

淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
SZ Lin
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
CanSecWest
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
CanSecWest
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
The Linux Foundation
 
Long-term Maintenance Model of Embedded Industrial Linux Distribution
Long-term Maintenance Model of Embedded Industrial Linux DistributionLong-term Maintenance Model of Embedded Industrial Linux Distribution
Long-term Maintenance Model of Embedded Industrial Linux Distribution
SZ Lin
 
y2038 issue
y2038 issuey2038 issue
y2038 issue
SZ Lin
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt Introduction
Logic Solutions, Inc.
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat Security Conference
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemsClaudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
linuxlab_conf
 
Csw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploitCsw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploit
CanSecWest
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
Fast boot
Fast bootFast boot
Fast boot
SZ Lin
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migration
Yan Vugenfirer
 
High availability deep dive high-end srx series
High availability deep dive high-end srx seriesHigh availability deep dive high-end srx series
High availability deep dive high-end srx series
Muhammad Denis Iqbal
 
Alessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocolAlessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocol
linuxlab_conf
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 

What's hot (20)

淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
Long-term Maintenance Model of Embedded Industrial Linux Distribution
Long-term Maintenance Model of Embedded Industrial Linux DistributionLong-term Maintenance Model of Embedded Industrial Linux Distribution
Long-term Maintenance Model of Embedded Industrial Linux Distribution
 
y2038 issue
y2038 issuey2038 issue
y2038 issue
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt Introduction
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systemsClaudio Scordino - Handling mixed criticality on embedded multi-core systems
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
 
Csw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploitCsw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploit
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
 
Fast boot
Fast bootFast boot
Fast boot
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migration
 
High availability deep dive high-end srx series
High availability deep dive high-end srx seriesHigh availability deep dive high-end srx series
High availability deep dive high-end srx series
 
Alessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocolAlessio Lama - Development and testing of a safety network protocol
Alessio Lama - Development and testing of a safety network protocol
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
 

Viewers also liked

CSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 finalCSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 final
CanSecWest
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CanSecWest
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CanSecWest
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1
CanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CanSecWest
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest
 
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platformsCSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CanSecWest
 
CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017
CanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CanSecWest
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CanSecWest
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CanSecWest
 
Csw2016 song li-smart_wars
Csw2016 song li-smart_warsCsw2016 song li-smart_wars
Csw2016 song li-smart_wars
CanSecWest
 
CSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detection
CanSecWest
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
Csw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooksCsw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooks
CanSecWest
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
CanSecWest
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
CanSecWest
 

Viewers also liked (20)

CSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 finalCSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 final
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platformsCSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
 
CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
 
Csw2016 song li-smart_wars
Csw2016 song li-smart_warsCsw2016 song li-smart_wars
Csw2016 song li-smart_wars
 
CSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detection
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Csw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooksCsw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooks
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
 

Similar to CSW2017 Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow

Pivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First LookPivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First Look
VMware Tanzu
 
cynapspro endpoint data protection - installation guide
cynapspro endpoint data protection - installation guidecynapspro endpoint data protection - installation guide
cynapspro endpoint data protection - installation guide
cynapspro GmbH
 
VMWARE VS MS-HYPER-V
VMWARE VS MS-HYPER-VVMWARE VS MS-HYPER-V
VMWARE VS MS-HYPER-V
David Ramirez
 
Data Center Transformation
Data Center TransformationData Center Transformation
Data Center Transformation
Arraya Solutions
 
Chris Bucklin LinkedIn Resume
Chris Bucklin LinkedIn ResumeChris Bucklin LinkedIn Resume
Chris Bucklin LinkedIn ResumeChris Bucklin
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
Trivadis
 
IBM AIX&SAN systems engineer
IBM AIX&SAN systems engineer IBM AIX&SAN systems engineer
IBM AIX&SAN systems engineer
Boni Prasad
 
Pivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookPivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First Look
VMware Tanzu
 
SUSE Expert Days 2017 FUJITSU
SUSE Expert Days 2017 FUJITSUSUSE Expert Days 2017 FUJITSU
SUSE Expert Days 2017 FUJITSU
SUSE España
 
Kirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_AdministratorKirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_Administratorskiankumar
 
TechWiseTV Workshop: Cisco HyperFlex Systems
TechWiseTV Workshop: Cisco HyperFlex SystemsTechWiseTV Workshop: Cisco HyperFlex Systems
TechWiseTV Workshop: Cisco HyperFlex Systems
Robb Boyd
 
Systems engineer ( rhce certified )
Systems engineer ( rhce certified )Systems engineer ( rhce certified )
Systems engineer ( rhce certified )
Aman Ullah - RHCE®
 
Pre-Con Ed: Upgrading to CA Service Management
Pre-Con Ed: Upgrading to CA Service ManagementPre-Con Ed: Upgrading to CA Service Management
Pre-Con Ed: Upgrading to CA Service Management
CA Technologies
 
Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1
Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1
Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1
ldangelo0772
 
Katia frye resume 2016 no address
Katia frye resume 2016 no addressKatia frye resume 2016 no address
Katia frye resume 2016 no address
Katia Frye
 
Capito Ardoe House VMWare Presentation
Capito Ardoe House VMWare PresentationCapito Ardoe House VMWare Presentation
Capito Ardoe House VMWare Presentation
Capito Livingstone
 
ShubhashisshubhankarJena
ShubhashisshubhankarJenaShubhashisshubhankarJena
ShubhashisshubhankarJenaShubhashis Jena
 
Comprehensive and Simplified Management for VMware vSphere Environments - now...
Comprehensive and Simplified Management for VMware vSphere Environments - now...Comprehensive and Simplified Management for VMware vSphere Environments - now...
Comprehensive and Simplified Management for VMware vSphere Environments - now...
Hitachi Vantara
 
Profile narendraredy
Profile narendraredyProfile narendraredy
Profile narendraredy
NARENDRA REDDY S
 

Similar to CSW2017 Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow (20)

Pivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First LookPivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First Look
 
cynapspro endpoint data protection - installation guide
cynapspro endpoint data protection - installation guidecynapspro endpoint data protection - installation guide
cynapspro endpoint data protection - installation guide
 
VMWARE VS MS-HYPER-V
VMWARE VS MS-HYPER-VVMWARE VS MS-HYPER-V
VMWARE VS MS-HYPER-V
 
Data Center Transformation
Data Center TransformationData Center Transformation
Data Center Transformation
 
Chris Bucklin LinkedIn Resume
Chris Bucklin LinkedIn ResumeChris Bucklin LinkedIn Resume
Chris Bucklin LinkedIn Resume
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
 
IBM AIX&SAN systems engineer
IBM AIX&SAN systems engineer IBM AIX&SAN systems engineer
IBM AIX&SAN systems engineer
 
Pivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookPivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First Look
 
SUSE Expert Days 2017 FUJITSU
SUSE Expert Days 2017 FUJITSUSUSE Expert Days 2017 FUJITSU
SUSE Expert Days 2017 FUJITSU
 
Kirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_AdministratorKirankumar_Satuluri_540633_Linux_and_Unix_Administrator
Kirankumar_Satuluri_540633_Linux_and_Unix_Administrator
 
TechWiseTV Workshop: Cisco HyperFlex Systems
TechWiseTV Workshop: Cisco HyperFlex SystemsTechWiseTV Workshop: Cisco HyperFlex Systems
TechWiseTV Workshop: Cisco HyperFlex Systems
 
CV
CVCV
CV
 
Systems engineer ( rhce certified )
Systems engineer ( rhce certified )Systems engineer ( rhce certified )
Systems engineer ( rhce certified )
 
Pre-Con Ed: Upgrading to CA Service Management
Pre-Con Ed: Upgrading to CA Service ManagementPre-Con Ed: Upgrading to CA Service Management
Pre-Con Ed: Upgrading to CA Service Management
 
Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1
Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1
Cisco at v mworld 2015 cs integrated infrastructure_vmworld_cisco_v1
 
Katia frye resume 2016 no address
Katia frye resume 2016 no addressKatia frye resume 2016 no address
Katia frye resume 2016 no address
 
Capito Ardoe House VMWare Presentation
Capito Ardoe House VMWare PresentationCapito Ardoe House VMWare Presentation
Capito Ardoe House VMWare Presentation
 
ShubhashisshubhankarJena
ShubhashisshubhankarJenaShubhashisshubhankarJena
ShubhashisshubhankarJena
 
Comprehensive and Simplified Management for VMware vSphere Environments - now...
Comprehensive and Simplified Management for VMware vSphere Environments - now...Comprehensive and Simplified Management for VMware vSphere Environments - now...
Comprehensive and Simplified Management for VMware vSphere Environments - now...
 
Profile narendraredy
Profile narendraredyProfile narendraredy
Profile narendraredy
 

Recently uploaded

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 

Recently uploaded (20)

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 

CSW2017 Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow

  • 1. Abusing CPU Hot-Add weaknesses to escalate privileges in Server Datacenters Cuauhtemoc Chavez-Corona, Jorge Gonzalez-Diaz, Rene Henriquez-Garcia, Laura Fuentes-Castaneda, Jan Seidl Intel Corporation Security Center of Excellence cuauhtemoc.chavez.corona@intel.com rene.e.henriquez.garcia@intel.com March 16, 2017 CanSecWest 2017 Vancouver, Canada 1/24
  • 2. Legal Disclaimer The comments and statements are from the authors and not necessarily Intel's Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer No computer system can be absolutely secure CanSecWest 2017 Vancouver, Canada 2/24
  • 3. Background: Datacenter’s landscape CLOUD Server Server Server CanSecWest 2017 Vancouver, Canada 3/24
  • 4. Background: Datacenter’s landscape Mission-critical applications such as e-commerce, ERP, CRM, BI have low tolerance for downtime CanSecWest 2017 Vancouver, Canada 4/24
  • 5. Background: Datacenter’s landscape Mission-critical applications such as e-commerce, ERP, CRM, BI have low tolerance for downtime As a response, solutions comprised of robust Hardware + reliable/serviceable FW/SW are continuously being designed CanSecWest 2017 Vancouver, Canada 4/24
  • 6. Background: Datacenter’s landscape Mission-critical applications such as e-commerce, ERP, CRM, BI have low tolerance for downtime As a response, solutions comprised of robust Hardware + reliable/serviceable FW/SW are continuously being designed Are these new systems being architected such that the attack surface is not increased? We’ll see.. CanSecWest 2017 Vancouver, Canada 4/24
  • 7. Background: Attacks coming from DMA entry point Understanding DMA Malware ,Patrick Stewin and Iurii Bystrov, Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment,2013 CanSecWest 2017 Vancouver, Canada 5/24
  • 8. Background: Attacks coming from DMA entry point Understanding DMA Malware ,Patrick Stewin and Iurii Bystrov, Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment,2013 Direct Memory Attack the KERNEL, ULF FRISK, DEFCON 24 August 4-7 2016 CanSecWest 2017 Vancouver, Canada 5/24
  • 9. Definition: RAS features Reliability Can be defined as the characteristic that ensures the system will provide correct outputs, and any corrupted data will be detected and repaired. Availability Means that the system will be operating during the planned time, avoiding unexpected crashes. Serviceability Refers to the simplicity and speed of maintenance and repara- tion. CanSecWest 2017 Vancouver, Canada 6/24
  • 10. Definition: CPU Hot Add CPU Hot Add (aka CPU on-lining) is a RAS feature that allows customers to increase computing power in a Server by adding a new socket to the already running system at Intel R QPI interface without the necessity of shutting down the machine. CanSecWest 2017 Vancouver, Canada 7/24
  • 11. Definition: CPU Hot Add CPU Hot Add (aka CPU on-lining) is a RAS feature that allows customers to increase computing power in a Server by adding a new socket to the already running system at Intel R QPI interface without the necessity of shutting down the machine. In a multi-CPU system comprised of n processors, one can therefore choose to boot with m CPUs where m < n CanSecWest 2017 Vancouver, Canada 7/24
  • 12. Definition: CPU Hot Add CPU Hot Add (aka CPU on-lining) is a RAS feature that allows customers to increase computing power in a Server by adding a new socket to the already running system at Intel R QPI interface without the necessity of shutting down the machine. In a multi-CPU system comprised of n processors, one can therefore choose to boot with m CPUs where m < n This allows the possibility to increase the computing power later if required by bringing up new CPUs to the already running system CanSecWest 2017 Vancouver, Canada 7/24
  • 13. Definition: CPU Hot Add CPU On-lining requires coordinated support from the complete application stack to ensure correctness while adding a new CPU. Hardware. Internal logic in the CPU to drain transactions and prevent originators from sending new ones. Firmware. BIOS and SMM routines to trigger, handle and coordinate CPU on-lining. Operating System. Currently several OS’s support this feature. CanSecWest 2017 Vancouver, Canada 8/24
  • 14. High level overview of Hot Add flow MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF CanSecWest 2017 Vancouver, Canada 9/24
  • 15. High level overview of Hot Add flow Active CPUs enter in quiesce mode MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT CanSecWest 2017 Vancouver, Canada 9/24
  • 16. High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT CanSecWest 2017 Vancouver, Canada 9/24
  • 17. High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT CanSecWest 2017 Vancouver, Canada 9/24
  • 18. High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. Interesting! 1. Boot flow is very sensitive CanSecWest 2017 Vancouver, Canada 9/24
  • 19. High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. Interesting! 1. Boot flow is very sensitive 2. Quiesced CPUs need reconfiguration CanSecWest 2017 Vancouver, Canada 9/24
  • 20. High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 ON CanSecWest 2017 Vancouver, Canada 9/24
  • 21. High level overview of Hot Add flow Active CPUs enter in quiesce mode HotAdd CPU boot process BSP initialization Memory config etc. Release quiesced CPUs MotherBoard ON ON CPU3 ON CPU1 CPU2 ON CPU4 CanSecWest 2017 Vancouver, Canada 9/24
  • 22. Brief overview of Boot Flow The Boot Strap Processor (BSP) is chosen BSP Fetch Code from the Flash Minimum System Configuration Memory Initialization. Memory Reference Code (MRC) BIOS Shadowing PAM (Programmable Attribute Maps) registers are used to make a copy of BIOS code into memory SMI initialization BSP sends the SIPI indication trough the Local Advance Programmable Controller Advanced Configuration Other platform & devices init; dispatch drivers (network, I/O, etc.); Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/ Apps; OS Boot Loader(s) Boot Flow END CanSecWest 2017 Vancouver, Canada 10/24
  • 23. Security Claims from CPU Hot Add definition One fundamental Security Objective related to CPU Hot Add is that any new CPU to be introduced in the running system must execute a trusted path to ensure its security won't be subverted by any attacker already present in the system CanSecWest 2017 Vancouver, Canada 11/24
  • 24. Security Claims from CPU Hot Add definition One fundamental Security Objective related to CPU Hot Add is that any new CPU to be introduced in the running system must execute a trusted path to ensure its security won't be subverted by any attacker already present in the system By attackers we mean Any rogue code already running in system’s CPUs DMA agents whose internal FW has been compromised CanSecWest 2017 Vancouver, Canada 11/24
  • 25. Assets There are two interesting regions to be protected in order to ensure security claim presented previously CanSecWest 2017 Vancouver, Canada 12/24
  • 26. Assets There are two interesting regions to be protected in order to ensure security claim presented previously 0x38000: Holds the code to be executed in the first SMI by the newly-added CPU in order to perform SMBASE relocation. CanSecWest 2017 Vancouver, Canada 12/24
  • 27. Assets There are two interesting regions to be protected in order to ensure security claim presented previously 0x38000: Holds the code to be executed in the first SMI by the newly-added CPU in order to perform SMBASE relocation. 0xe2000: Holds SIPI initialization vector code vital for the newly-added CPU and its integration into the running system. CanSecWest 2017 Vancouver, Canada 12/24
  • 28. Why do we care about those assets? SMM has superior privileges as it can change different settings which cannot be modified by OS CanSecWest 2017 Vancouver, Canada 13/24
  • 29. Why do we care about those assets? SMM has superior privileges as it can change different settings which cannot be modified by OS In Servers, it is usually referred to as ring -2 whereas OS is being considered as ring 0 CanSecWest 2017 Vancouver, Canada 13/24
  • 30. Why do we care about those assets? SMM has superior privileges as it can change different settings which cannot be modified by OS In Servers, it is usually referred to as ring -2 whereas OS is being considered as ring 0 Corrupting Startup Inter-Process Interrupt vector code is also interesting for an attacker as it could potentially be used to misconfigure initial configuration of the newly-added CPU CanSecWest 2017 Vancouver, Canada 13/24
  • 31. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF DRAM 0x3FFFF 0x30000 CanSecWest 2017 Vancouver, Canada 14/24
  • 32. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 CanSecWest 2017 Vancouver, Canada 14/24
  • 33. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 CanSecWest 2017 Vancouver, Canada 14/24
  • 34. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 CanSecWest 2017 Vancouver, Canada 14/24
  • 35. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
  • 36. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0x3FFFF 0x30000 0x38000 Malicious SMI Handler 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
  • 37. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 ON DRAM 0x3FFFF 0x30000 0x38000 Malicious SMI Handler 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
  • 38. 0x38000 attack: Escalate to SMM privileges in a Server MotherBoard ON ON CPU3 ON CPU1 CPU2 ON CPU4 DRAM 0x3FFFF 0x30000 0x38000 Malicious SMI Handler 0000000000000011111111111111 0000000000 00000 1111111111 11111 CanSecWest 2017 Vancouver, Canada 14/24
  • 39. 0x38000 attack: Lab Setup Hardware Intel Platform/Motherboard supporting CPU Hot-Add Intel Xeon E7-8800 V2 family processor PP3380-AB PCIe 2 x1 - USB3380-AB Evaluation board Attacker’s laptop with Windows 10 64bit Operating System CanSecWest 2017 Vancouver, Canada 15/24
  • 40. 0x38000 attack: Lab Setup Hardware Intel Platform/Motherboard supporting CPU Hot-Add Intel Xeon E7-8800 V2 family processor PP3380-AB PCIe 2 x1 - USB3380-AB Evaluation board Attacker’s laptop with Windows 10 64bit Operating System Firmware BMC Firwmare supporting CPU Hot-Add flow System FW (aka BIOS) supporting CPU Hot-Add Flow CanSecWest 2017 Vancouver, Canada 15/24
  • 41. 0x38000 attack: Lab Setup Hardware Intel Platform/Motherboard supporting CPU Hot-Add Intel Xeon E7-8800 V2 family processor PP3380-AB PCIe 2 x1 - USB3380-AB Evaluation board Attacker’s laptop with Windows 10 64bit Operating System Firmware BMC Firwmare supporting CPU Hot-Add flow System FW (aka BIOS) supporting CPU Hot-Add Flow Software PCILeech solution and a batch script to automate data writes to memory Operating System supporting CPU Hot-Add (i.e. Windows 2008/2012 Server) CanSecWest 2017 Vancouver, Canada 15/24
  • 42. PCILeech Configuration Place jumper on J3 at PP3380-AB board and start platform Run PCILeechFlash Installer.exe Wait a while (1 min or so) Shutdown the platform Remove jumper on J3 at PP3380-AB board and start platform Use our simple batch script to write 0x38000 region to inject arbitrary code CanSecWest 2017 Vancouver, Canada 16/24
  • 43. Time to watch the DEMO CanSecWest 2017 Vancouver, Canada 17/24
  • 44. Mitigating 0x38000 attack The attack just described is possible because DMA engines were still able to inject malicious code in 0x38000 region (despite Hardware effectively prevents code injection from existing cores in the system) CanSecWest 2017 Vancouver, Canada 18/24
  • 45. Mitigating 0x38000 attack The attack just described is possible because DMA engines were still able to inject malicious code in 0x38000 region (despite Hardware effectively prevents code injection from existing cores in the system) To mitigate this, BIOS leverages existing HW protection mechanism in Intel CPUs against rogue DMA engines: GENPROTRANGE register programming CanSecWest 2017 Vancouver, Canada 18/24
  • 46. Mitigating 0x38000 attack The attack just described is possible because DMA engines were still able to inject malicious code in 0x38000 region (despite Hardware effectively prevents code injection from existing cores in the system) To mitigate this, BIOS leverages existing HW protection mechanism in Intel CPUs against rogue DMA engines: GENPROTRANGE register programming This mitigation is already in place as part of BIOS reference code delivered to OEMs CanSecWest 2017 Vancouver, Canada 18/24
  • 47. 0xe2000 attack part I: Take control of the system by inserting rogue code Corruption of SIPI initialization vector DMA malicious writes could be attempted to attack 0xe2000 if not properly protected CanSecWest 2017 Vancouver, Canada 19/24
  • 48. 0xe2000 attack part I: Take control of the system by inserting rogue code Corruption of SIPI initialization vector DMA malicious writes could be attempted to attack 0xe2000 if not properly protected However, rogue code already present in other CPUs could try to corrupt the vector either before CPU on-lining flow gets triggered or in between SMIs CanSecWest 2017 Vancouver, Canada 19/24
  • 49. 0xe2000 attack part I: Take control of the system by inserting rogue code Corruption of SIPI initialization vector DMA malicious writes could be attempted to attack 0xe2000 if not properly protected However, rogue code already present in other CPUs could try to corrupt the vector either before CPU on-lining flow gets triggered or in between SMIs Mitigation: Secure Integrity check before attempting SIPI vector code execution CanSecWest 2017 Vancouver, Canada 19/24
  • 50. Depiction of 0xe2000 attack part I MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF DRAM 0xE2000 CanSecWest 2017 Vancouver, Canada 20/24
  • 51. Depiction of 0xe2000 attack part I MotherBoard CPU2 ON ON ON CPU3 CPU1 CPU4 OFF DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
  • 52. Depiction of 0xe2000 attack part I MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
  • 53. Depiction of 0xe2000 attack part I MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 BOOT x DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
  • 54. Depiction of 0xe2000 attack part I MotherBoard ONON CPU1 CPU3CPU2 ON CPU4 ON x DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
  • 55. Depiction of 0xe2000 attack part I MotherBoard ON ON CPU3 ON CPU1 CPU2 ON CPU4 x DRAM 0xE2000 Malicious Vector CanSecWest 2017 Vancouver, Canada 20/24
  • 56. 0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function CanSecWest 2017 Vancouver, Canada 21/24
  • 57. 0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function It turns out sometimes one can refer to the output of a cryptographic hash function as a checksum CanSecWest 2017 Vancouver, Canada 21/24
  • 58. 0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function It turns out sometimes one can refer to the output of a cryptographic hash function as a checksum In fact, this confusion led to erroneously implement an integrity verification mechanism in the form of a weak checksum (from a security standpoint) CanSecWest 2017 Vancouver, Canada 21/24
  • 59. 0xe2000 attack part II: Confusion due to name collision Integrity verification of 0xe2000 region was meant to be achieved through a cryptographically strong hash function It turns out sometimes one can refer to the output of a cryptographic hash function as a checksum In fact, this confusion led to erroneously implement an integrity verification mechanism in the form of a weak checksum (from a security standpoint) Such mechanism can easily be bypassed by crafting a special rogue code through some tweaks to arithmetically map it to the expected checksum CanSecWest 2017 Vancouver, Canada 21/24
  • 60. Mitigating 0xe2000 attack Instead of verifying code vector’s integrity, always shadow a fresh copy into 0xe2000 region before its execution This mitigation is already in place as well by Intel into the BIOS reference code CanSecWest 2017 Vancouver, Canada 22/24
  • 61. Conclusions Datacenter products and their features deserve a thorough security analysis despite old assumptions of being isolated behind building walls CanSecWest 2017 Vancouver, Canada 23/24
  • 62. Conclusions Datacenter products and their features deserve a thorough security analysis despite old assumptions of being isolated behind building walls DMA remains as an interesting entry point since it might enable remote exploitation of security weaknesses; also, it turns out this entry point might be overlooked while architecturing new technologies CanSecWest 2017 Vancouver, Canada 23/24
  • 63. Conclusions Datacenter products and their features deserve a thorough security analysis despite old assumptions of being isolated behind building walls DMA remains as an interesting entry point since it might enable remote exploitation of security weaknesses; also, it turns out this entry point might be overlooked while architecturing new technologies Implementation-wise, it is critical to ensure developers correctly understand the exact security mechanism that mitigates a corresponding threat; failure in this regard could lead to mistakenly break overall system’s security CanSecWest 2017 Vancouver, Canada 23/24
  • 64. Thank you! Time for Q&As CanSecWest 2017 Vancouver, Canada 24/24