SlideShare a Scribd company logo

44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick

44CON
44CON

Joe FitzPatrick gave a presentation on exploiting PCIe (Peripheral Component Interconnect Express) buses for hardware attacks. He discussed using DMA (direct memory access) over PCIe to read and write system memory, modify firmware, and potentially bypass mitigations like IOMMU (input-output memory management unit). FitzPatrick demonstrated proof-of-concept attacks on Macs and Windows PCs using custom PCIe devices and software. However, he noted that fully bypassing protections like VT-d on Macbooks had not yet been achieved and more work is needed to build attacks without imitating a genuine device.

Technology
1 of 93
Download to read offline
Stupid PCIe Tricks Joe FitzPatrick 44Con 2014
whoami ● Electrical Engineering education with focus on CS and Infosec ● 8 years doing security research, speed debug, and tool development for CPUs ● Hardware Pen Testing of CPUs ● Security training for functional validators worldwide ● Software Exploitation via Hardware Exploits, AKA SExViaHEx Joe FitzPatrick @securelyfitz joefitz@securinghardware.com
If Joe Fitz... Joe Sitz
Disclaimer This is not academic-caliber research. Lots of this stuff has been done before. The difference is that I aim to show that PCIe attacks can be easy and cheap
What is PCIe?
PCIe is PCI!
PCIe is NOT PCI! Foto tomada por Jorge González http://es.wikipedia.org Photo by snikerdo http://en.wikipedia.org
Links and Lanes Diagram: PCIe 2.1 specification
Hierarchy Diagram: PCIe 2.1 specification
Switching and Routing Diagram: PCIe 2.1 specification
Layers Diagram: PCIe 2.1 specification
Configuration Space Diagram: PCIe 2.1 specification
Configuration Space Diagram: PCIe 2.1 specification
Configuration Space Diagram: PCIe 2.1 specification
Configuration Space Diagram: PCIe 2.1 specification
Configuration Space Diagram: PCIe 2.1 specification
Enumeration Diagram: PCIe 2.1 specification
Routing PCIe
The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe:
The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length
The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length … that’s mostly it
Routing PCIe System Board Traces 12 Inches Add-in Card Traces 3.5 inches Chip-to-Chip Routes 15 inches Follow these rules and your board might work. Break them and it might not.
Routing PCIe Minimum PCIe: ● 2.5GHz TX ● 2.5GHz RX ● 100MHz Clock (optional)
Routing PCIe Cross-section of a USB 3.0 cable. Image courtesy of USB Implementers Forum
A brief history of DMA attacks
Tribble
Firewire Attacks
Thunderbolt
Thunderbolt
USB3380 Firmware
USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........
USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........
USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........ That’s all!
nsaplayset.org
Hardware http://www.hwtools.net/PLX.html
Software tools used in preparing this presentation: ● plx’s flashing software ● pyusb + scripts ● inception_pci ● volatility for memory analysis
Attack-side Software Quick ‘n’ dirty PCIe memory read/write with PyUSB
More attack-side Software
More attack-side Software # EQUALS: # # |-- Offset 0x00 # / # / |-patchoffset--------------->[b0 01] # 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f .. (byte offset) # ----------------------------------------------- # c6 0f 85 a0 b8 00 00 b8 ab 05 03 ff ef 01 00 00 .. (chunk of memory data) # ----------------------------------------------- # ______/ ___/ ______/ # # |-- Chunk 2 at internaloffset 0x05 # |-- Some data (ignore, don't match this) # |-- Chunk 1 at internaloffset 0x00 # _____________________/ # # |-- Entire signature #
More attack-side Software {'OS': 'Mac OS X 10.9', 'versions': ['10.9'], 'architectures': ['x64'], 'name': 'DirectoryService/OpenDirectory unlock/privilege escalation', 'notes': 'Overwrites the DoShadowHashAuth/ODRecordVerifyPassword return value. 'signatures': [{'offsets': [0x1e5], # 10.9 'chunks': [{'chunk': 0x4488e84883c4685b415c415d415e415f5d, 'internaloffset': 0x00, 'patch': 0x90b001, # nop; mov al,1; 'patchoffset': 0x00}]}]}]
Attacking via PCIe
MRd Find important values at known locations Take memory dumps for later analysis Example: Dump memory and use Volatility to analyze it
DMA Stool Analysis with Volatility dmesg log of the attack recovered from the memory dump of the victim
DMA Stool Analysis with Volatility names, pids, and uids for dumped processes
DMA Stool Analysis with Volatility extracted machine info the perfect amount of memory to dump!
MWr Modify values at known locations Manipulate code!!! Example: Use Inception to modify lock screen checking, or drop a metasploit payload!
Inception with Metasploit (W7sp1 POC only)
IORd/IOWr Only for legacy devices (legacy means not thoroughly tested recently)
CfgRd/CfgWr Interact with other PCI devices’ config spaces Yet another separate address space/different means of accessing hardware
Msg/MsgD Messages send things like interrupts and vendor-defined configuration Many message types are very rarely used Example: Johanna Rutkowska SNB VT-D stuff
Mitigations
Bus Master Enable joefitz@linUX31a:~/Documents/pcie/SLOTSCREAMER/inception_pci$ lspci -vv | grep BusMaster Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
Access Control Services
IOMMU
Mitigating the Mitigations
VID:PID ● Identifies device to the OS ● OS chooses which driver to load ● OS configures ACS, BME, etc… ● OS loads driver
Default Drivers ● Some drivers are ‘class’ drivers (think USB MSC, etc...) ● Some device specific drivers might be installed by default (OSX) ● Drivers contain bugs ● Think facedancer for PCIE or Thunderbolt
Early Boot ● IOMMU is not configured yet ● Neither is much else ● Wishlist: Volatility support for EFI shell
Option ROM/EFI drivers ● Some devices have firmware that gets run at early boot ● Some systems block this (but usually for anti-competitive reasons, not security) ●
Breaking the rules ● Spoof requesterID for posted transactions ● Well-timed spoofed requesterID for non-posted transactions ● Setting the ‘translated request’ bit
Misconfigurations ● Everything is MMIO now - memory protections are essential ● Memory protections are not enough - need Cfg and IO protections as well - don’t forget about them ● Does installing a hypervisor change how your OS uses its IOMMU?
Putting it all together because 0.01% is too much
Thunderbolt Diagram: Apple Thunderbolt Device Driver Programming Guide
HALIBUTDUGOUT
Sorry, Previous Track 2 Speakers ALLOYVIPER
Building ALLOYVIPER
Building ALLOYVIPER
Building ALLOYVIPER
Building ALLOYVIPER
Building ALLOYVIPER
Building ALLOYVIPER
Building ALLOYVIPER
Building ALLOYVIPER
MITMing
⇐ Thanks for the slides, snare & rzn
⇐ Thanks for the slides, snare & rzn
Bypassing VT-d on Macbooks? ● VT-d is off at boot/reboot ● Broadcom Ethernet drivers crash the system ● System reboots - all the doors are open for a few moments No POC yet (I’ll GTFO soon…)
Can we do it without imitating a device? ● Some PCIe switches have ‘transparent’ mode ● Some PCIe switches have TLP injection debug features ● Can we build one into a genuine device? ● Can we build one into a cable? No POC yet here either
Potential enhancements ● 64-bit DMA (>4gb access!) ● Full control over TLP Header ○ spoofing requester ID ○ testing ‘reserved’ bits Enough unproven concepts… time to GTFO...
Joe FitzPatrick @securelyfitz Questions? joefitz@securinghardware.com http://www.securinghardware.com

Recommended

Pci express modi
Pci express modiPci express modi
Pci express modi
proma_goswami
 
Pc ie tl_layer (3)
Pc ie tl_layer (3)Pc ie tl_layer (3)
Pc ie tl_layer (3)
Rakeshkumar Sachdev
 
Slideshare - PCIe
Slideshare - PCIeSlideshare - PCIe
Slideshare - PCIe
Jin Wu
 
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
gnkeshava
 
Session 8,9 PCI Express
Session 8,9 PCI ExpressSession 8,9 PCI Express
Session 8,9 PCI ExpressSubhash Iyer
 
PCIe
PCIePCIe
PCIeChiaYang Tsai
 
PCI express
PCI expressPCI express
PCI express
sarangaprabod
 
Pcie drivers basics
Pcie drivers basicsPcie drivers basics
Pcie drivers basics
Venkatesh Malla
 

Recommended

Pci express modi
Pci express modiPci express modi
Pci express modi
proma_goswami
 
Pc ie tl_layer (3)
Pc ie tl_layer (3)Pc ie tl_layer (3)
Pc ie tl_layer (3)
Rakeshkumar Sachdev
 
Slideshare - PCIe
Slideshare - PCIeSlideshare - PCIe
Slideshare - PCIe
Jin Wu
 
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
gnkeshava
 
Session 8,9 PCI Express
Session 8,9 PCI ExpressSession 8,9 PCI Express
Session 8,9 PCI ExpressSubhash Iyer
 
PCIe
PCIePCIe
PCIeChiaYang Tsai
 
PCI express
PCI expressPCI express
PCI express
sarangaprabod
 
Pcie drivers basics
Pcie drivers basicsPcie drivers basics
Pcie drivers basics
Venkatesh Malla
 
Pci express technology 3.0
Pci express technology 3.0Pci express technology 3.0
Pci express technology 3.0
Biddika Manjusree
 
PCIe Gen 3.0 Presentation @ 4th FPGA Camp
PCIe Gen 3.0 Presentation @ 4th FPGA CampPCIe Gen 3.0 Presentation @ 4th FPGA Camp
PCIe Gen 3.0 Presentation @ 4th FPGA Camp
FPGA Central
 
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010Creating Your Own PCI Express System Using FPGAs: Embedded World 2010
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010Altera Corporation
 
Pcie basic
Pcie basicPcie basic
Pcie basic
Saifuddin Kaijar
 
PCIe BUS: A State-of-the-Art-Review
PCIe BUS: A State-of-the-Art-ReviewPCIe BUS: A State-of-the-Art-Review
PCIe BUS: A State-of-the-Art-Review
IOSRJVSP
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-ExpressDVClub
 
PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)
Rakeshkumar Sachdev
 
IP PCIe
IP PCIeIP PCIe
IP PCIe
SILKAN
 
PCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingPCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingDVClub
 
Difference between PCI PCI-X PCIe
Difference between PCI PCI-X PCIeDifference between PCI PCI-X PCIe
Difference between PCI PCI-X PCIe
SUNODH GARLAPATI
 
Axi
AxiAxi
Axi
Azad Mishra
 
axi protocol
axi protocolaxi protocol
axi protocol
Azad Mishra
 
Pci express3-device-architecture-optimizations-idf2009-presentation
Pci express3-device-architecture-optimizations-idf2009-presentationPci express3-device-architecture-optimizations-idf2009-presentation
Pci express3-device-architecture-optimizations-idf2009-presentationjkcontee
 
Amba axi 29 3_2015
Amba axi 29 3_2015Amba axi 29 3_2015
Amba axi 29 3_2015
kiemnhatminh
 
AMBA AHB 5
AMBA AHB 5AMBA AHB 5
AMBA AHB 5
SUNODH GARLAPATI
 
Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled InterruptsAnshuman Biswal
 
SPI Protocol
SPI ProtocolSPI Protocol
SPI Protocol
Anurag Tomar
 
AMBA Ahb 2.0
AMBA Ahb 2.0AMBA Ahb 2.0
AMBA Ahb 2.0
Akhil Srivastava
 
Axi protocol
Axi protocolAxi protocol
Axi protocol
Rohit Kumar Pathak
 
AMBA 2.0 REPORT
AMBA 2.0 REPORTAMBA 2.0 REPORT
AMBA 2.0 REPORTNirav Desai
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON
 

More Related Content

What's hot

Pci express technology 3.0
Pci express technology 3.0Pci express technology 3.0
Pci express technology 3.0
Biddika Manjusree
 
PCIe Gen 3.0 Presentation @ 4th FPGA Camp
PCIe Gen 3.0 Presentation @ 4th FPGA CampPCIe Gen 3.0 Presentation @ 4th FPGA Camp
PCIe Gen 3.0 Presentation @ 4th FPGA Camp
FPGA Central
 
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010Creating Your Own PCI Express System Using FPGAs: Embedded World 2010
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010Altera Corporation
 
Pcie basic
Pcie basicPcie basic
Pcie basic
Saifuddin Kaijar
 
PCIe BUS: A State-of-the-Art-Review
PCIe BUS: A State-of-the-Art-ReviewPCIe BUS: A State-of-the-Art-Review
PCIe BUS: A State-of-the-Art-Review
IOSRJVSP
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-ExpressDVClub
 
PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)
Rakeshkumar Sachdev
 
IP PCIe
IP PCIeIP PCIe
IP PCIe
SILKAN
 
PCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingPCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingDVClub
 
Difference between PCI PCI-X PCIe
Difference between PCI PCI-X PCIeDifference between PCI PCI-X PCIe
Difference between PCI PCI-X PCIe
SUNODH GARLAPATI
 
Axi
AxiAxi
Axi
Azad Mishra
 
axi protocol
axi protocolaxi protocol
axi protocol
Azad Mishra
 
Pci express3-device-architecture-optimizations-idf2009-presentation
Pci express3-device-architecture-optimizations-idf2009-presentationPci express3-device-architecture-optimizations-idf2009-presentation
Pci express3-device-architecture-optimizations-idf2009-presentationjkcontee
 
Amba axi 29 3_2015
Amba axi 29 3_2015Amba axi 29 3_2015
Amba axi 29 3_2015
kiemnhatminh
 
AMBA AHB 5
AMBA AHB 5AMBA AHB 5
AMBA AHB 5
SUNODH GARLAPATI
 
Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled InterruptsAnshuman Biswal
 
SPI Protocol
SPI ProtocolSPI Protocol
SPI Protocol
Anurag Tomar
 
AMBA Ahb 2.0
AMBA Ahb 2.0AMBA Ahb 2.0
AMBA Ahb 2.0
Akhil Srivastava
 
Axi protocol
Axi protocolAxi protocol
Axi protocol
Rohit Kumar Pathak
 

What's hot (20)

Pci express technology 3.0
Pci express technology 3.0Pci express technology 3.0
Pci express technology 3.0
 
PCIe Gen 3.0 Presentation @ 4th FPGA Camp
PCIe Gen 3.0 Presentation @ 4th FPGA CampPCIe Gen 3.0 Presentation @ 4th FPGA Camp
PCIe Gen 3.0 Presentation @ 4th FPGA Camp
 
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010Creating Your Own PCI Express System Using FPGAs: Embedded World 2010
Creating Your Own PCI Express System Using FPGAs: Embedded World 2010
 
Pcie basic
Pcie basicPcie basic
Pcie basic
 
PCIe BUS: A State-of-the-Art-Review
PCIe BUS: A State-of-the-Art-ReviewPCIe BUS: A State-of-the-Art-Review
PCIe BUS: A State-of-the-Art-Review
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-Express
 
PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)
 
IP PCIe
IP PCIeIP PCIe
IP PCIe
 
PCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingPCI Express Verification using Reference Modeling
PCI Express Verification using Reference Modeling
 
Difference between PCI PCI-X PCIe
Difference between PCI PCI-X PCIeDifference between PCI PCI-X PCIe
Difference between PCI PCI-X PCIe
 
Axi
AxiAxi
Axi
 
axi protocol
axi protocolaxi protocol
axi protocol
 
Pci express3-device-architecture-optimizations-idf2009-presentation
Pci express3-device-architecture-optimizations-idf2009-presentationPci express3-device-architecture-optimizations-idf2009-presentation
Pci express3-device-architecture-optimizations-idf2009-presentation
 
Amba axi 29 3_2015
Amba axi 29 3_2015Amba axi 29 3_2015
Amba axi 29 3_2015
 
AMBA AHB 5
AMBA AHB 5AMBA AHB 5
AMBA AHB 5
 
Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled Interrupts
 
SPI Protocol
SPI ProtocolSPI Protocol
SPI Protocol
 
AMBA Ahb 2.0
AMBA Ahb 2.0AMBA Ahb 2.0
AMBA Ahb 2.0
 
Axi protocol
Axi protocolAxi protocol
Axi protocol
 
AMBA 2.0 REPORT
AMBA 2.0 REPORTAMBA 2.0 REPORT
AMBA 2.0 REPORT
 

Viewers also liked

44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
44CON
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
44CON
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON
 
SATA Introduction
SATA IntroductionSATA Introduction
SATA Introduction
Gene Chang
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
44CON
 

Viewers also liked (20)

44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
SATA Introduction
SATA IntroductionSATA Introduction
SATA Introduction
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 

Similar to 44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick

x86_64 Hardware Deep dive
x86_64 Hardware Deep divex86_64 Hardware Deep dive
x86_64 Hardware Deep dive
Naoto MATSUMOTO
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
Linaro
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
Felipe Prado
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
Next Stop, Android
Next Stop, AndroidNext Stop, Android
Next Stop, Android
National Cheng Kung University
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Cristofaro Mune
 
Android Things Linux Day 2017
Android Things Linux Day 2017 Android Things Linux Day 2017
Android Things Linux Day 2017
Stefano Sanna
 
managing your network environment
managing your network environmentmanaging your network environment
managing your network environment
scooby_doo
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornmentAsif
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래
NAVER D2
 
Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !
Dobrica Pavlinušić
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
galerussel59292
 
Tiny ML for spark Fun Edge
Tiny ML for spark Fun EdgeTiny ML for spark Fun Edge
Tiny ML for spark Fun Edge
艾鍗科技
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
ssuserfcf43f
 
Explorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoExplorando Go em Ambiente Embarcado
Explorando Go em Ambiente Embarcado
Alvaro Viebrantz
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
Anne Nicolas
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
Marian Marinov
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
Keisuke Takahashi
 
Tesla Hacking to FreedomEV
Tesla Hacking to FreedomEVTesla Hacking to FreedomEV
Tesla Hacking to FreedomEV
Jasper Nuyens
 

Similar to 44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick (20)

x86_64 Hardware Deep dive
x86_64 Hardware Deep divex86_64 Hardware Deep dive
x86_64 Hardware Deep dive
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Next Stop, Android
Next Stop, AndroidNext Stop, Android
Next Stop, Android
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
 
Android Things Linux Day 2017
Android Things Linux Day 2017 Android Things Linux Day 2017
Android Things Linux Day 2017
 
managing your network environment
managing your network environmentmanaging your network environment
managing your network environment
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래
 
Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
 
Tiny ML for spark Fun Edge
Tiny ML for spark Fun EdgeTiny ML for spark Fun Edge
Tiny ML for spark Fun Edge
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
Explorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoExplorando Go em Ambiente Embarcado
Explorando Go em Ambiente Embarcado
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
 
Tesla Hacking to FreedomEV
Tesla Hacking to FreedomEVTesla Hacking to FreedomEV
Tesla Hacking to FreedomEV
 

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON
 

More from 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 

Recently uploaded

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
Globus
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 

Recently uploaded (20)

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 

44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick

  • 1. Stupid PCIe Tricks Joe FitzPatrick 44Con 2014
  • 2. whoami ● Electrical Engineering education with focus on CS and Infosec ● 8 years doing security research, speed debug, and tool development for CPUs ● Hardware Pen Testing of CPUs ● Security training for functional validators worldwide ● Software Exploitation via Hardware Exploits, AKA SExViaHEx Joe FitzPatrick @securelyfitz joefitz@securinghardware.com
  • 3. If Joe Fitz... Joe Sitz
  • 4. Disclaimer This is not academic-caliber research. Lots of this stuff has been done before. The difference is that I aim to show that PCIe attacks can be easy and cheap
  • 7. PCIe is NOT PCI! Foto tomada por Jorge González http://es.wikipedia.org Photo by snikerdo http://en.wikipedia.org
  • 8. Links and Lanes Diagram: PCIe 2.1 specification
  • 9. Hierarchy Diagram: PCIe 2.1 specification
  • 10. Switching and Routing Diagram: PCIe 2.1 specification
  • 11. Layers Diagram: PCIe 2.1 specification
  • 12. Configuration Space Diagram: PCIe 2.1 specification
  • 13. Configuration Space Diagram: PCIe 2.1 specification
  • 14. Configuration Space Diagram: PCIe 2.1 specification
  • 15. Configuration Space Diagram: PCIe 2.1 specification
  • 16. Configuration Space Diagram: PCIe 2.1 specification
  • 17. Enumeration Diagram: PCIe 2.1 specification
  • 19. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe:
  • 20. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length
  • 21. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length … that’s mostly it
  • 22. Routing PCIe System Board Traces 12 Inches Add-in Card Traces 3.5 inches Chip-to-Chip Routes 15 inches Follow these rules and your board might work. Break them and it might not.
  • 23. Routing PCIe Minimum PCIe: ● 2.5GHz TX ● 2.5GHz RX ● 100MHz Clock (optional)
  • 24. Routing PCIe Cross-section of a USB 3.0 cable. Image courtesy of USB Implementers Forum
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34. A brief history of DMA attacks
  • 37.
  • 38.
  • 39.
  • 43. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........
  • 44. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........
  • 45. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........ That’s all!
  • 48. Software tools used in preparing this presentation: ● plx’s flashing software ● pyusb + scripts ● inception_pci ● volatility for memory analysis
  • 49. Attack-side Software Quick ‘n’ dirty PCIe memory read/write with PyUSB
  • 51. More attack-side Software # EQUALS: # # |-- Offset 0x00 # / # / |-patchoffset--------------->[b0 01] # 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f .. (byte offset) # ----------------------------------------------- # c6 0f 85 a0 b8 00 00 b8 ab 05 03 ff ef 01 00 00 .. (chunk of memory data) # ----------------------------------------------- # ______/ ___/ ______/ # # |-- Chunk 2 at internaloffset 0x05 # |-- Some data (ignore, don't match this) # |-- Chunk 1 at internaloffset 0x00 # _____________________/ # # |-- Entire signature #
  • 52. More attack-side Software {'OS': 'Mac OS X 10.9', 'versions': ['10.9'], 'architectures': ['x64'], 'name': 'DirectoryService/OpenDirectory unlock/privilege escalation', 'notes': 'Overwrites the DoShadowHashAuth/ODRecordVerifyPassword return value. 'signatures': [{'offsets': [0x1e5], # 10.9 'chunks': [{'chunk': 0x4488e84883c4685b415c415d415e415f5d, 'internaloffset': 0x00, 'patch': 0x90b001, # nop; mov al,1; 'patchoffset': 0x00}]}]}]
  • 54.
  • 55. MRd Find important values at known locations Take memory dumps for later analysis Example: Dump memory and use Volatility to analyze it
  • 56. DMA Stool Analysis with Volatility dmesg log of the attack recovered from the memory dump of the victim
  • 57. DMA Stool Analysis with Volatility names, pids, and uids for dumped processes
  • 58. DMA Stool Analysis with Volatility extracted machine info the perfect amount of memory to dump!
  • 59. MWr Modify values at known locations Manipulate code!!! Example: Use Inception to modify lock screen checking, or drop a metasploit payload!
  • 60. Inception with Metasploit (W7sp1 POC only)
  • 61. IORd/IOWr Only for legacy devices (legacy means not thoroughly tested recently)
  • 62. CfgRd/CfgWr Interact with other PCI devices’ config spaces Yet another separate address space/different means of accessing hardware
  • 63. Msg/MsgD Messages send things like interrupts and vendor-defined configuration Many message types are very rarely used Example: Johanna Rutkowska SNB VT-D stuff
  • 65. Bus Master Enable joefitz@linUX31a:~/Documents/pcie/SLOTSCREAMER/inception_pci$ lspci -vv | grep BusMaster Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
  • 67. IOMMU
  • 69. VID:PID ● Identifies device to the OS ● OS chooses which driver to load ● OS configures ACS, BME, etc… ● OS loads driver
  • 70. Default Drivers ● Some drivers are ‘class’ drivers (think USB MSC, etc...) ● Some device specific drivers might be installed by default (OSX) ● Drivers contain bugs ● Think facedancer for PCIE or Thunderbolt
  • 71. Early Boot ● IOMMU is not configured yet ● Neither is much else ● Wishlist: Volatility support for EFI shell
  • 72. Option ROM/EFI drivers ● Some devices have firmware that gets run at early boot ● Some systems block this (but usually for anti-competitive reasons, not security) ●
  • 73. Breaking the rules ● Spoof requesterID for posted transactions ● Well-timed spoofed requesterID for non-posted transactions ● Setting the ‘translated request’ bit
  • 74. Misconfigurations ● Everything is MMIO now - memory protections are essential ● Memory protections are not enough - need Cfg and IO protections as well - don’t forget about them ● Does installing a hypervisor change how your OS uses its IOMMU?
  • 75. Putting it all together because 0.01% is too much
  • 76. Thunderbolt Diagram: Apple Thunderbolt Device Driver Programming Guide
  • 78. Sorry, Previous Track 2 Speakers ALLOYVIPER
  • 88. ⇐ Thanks for the slides, snare & rzn
  • 89. ⇐ Thanks for the slides, snare & rzn
  • 90. Bypassing VT-d on Macbooks? ● VT-d is off at boot/reboot ● Broadcom Ethernet drivers crash the system ● System reboots - all the doors are open for a few moments No POC yet (I’ll GTFO soon…)
  • 91. Can we do it without imitating a device? ● Some PCIe switches have ‘transparent’ mode ● Some PCIe switches have TLP injection debug features ● Can we build one into a genuine device? ● Can we build one into a cable? No POC yet here either
  • 92. Potential enhancements ● 64-bit DMA (>4gb access!) ● Full control over TLP Header ○ spoofing requester ID ○ testing ‘reserved’ bits Enough unproven concepts… time to GTFO...
  • 93. Joe FitzPatrick @securelyfitz Questions? joefitz@securinghardware.com http://www.securinghardware.com