People keep talking about Thunderbolt DMA attacks as though they're a foregone conclusion. Thus far, we haven't seen one that doesn't involve using a Thunderbolt to FireWire adapter. This kind of attack, when performed against current hardware, is subject to the same limitations and mitigations as the FireWire DMA attacks we've seen since Kiwicon's very own Metlstorm winlockpwned his way to fame in 2006.
In this talk, rzn and snare will discuss their approach to attacking systems with a Thunderbolt port. Will our heroes triumph over evil, or will they get hit by a bus?
This document discusses software defined radio (SDR) hacking and provides steps to solve real-world problems using SDR. It begins with an introduction to SDR hardware and software. It then outlines seven steps to SDR hacking, including tuning a receiver to the right frequency, finding the correct modulation, demodulating the signal, finding the clock speed, decoding using tools like Universal Radio Hacker, and implementing a solution. The goal is to use SDR to solve problems without illegal activity.
Functional MCU programming #0: Development environment
Kiwamu Okabe
This document provides an overview of using functional programming languages for microcontroller (MCU) development. It discusses common MCU architectures like ARM Cortex-M, MSP430, and AVR. It recommends the Ajhc Haskell compiler, Rust, and ATS as functional languages suitable for MCUs. It also discusses debuggers like OpenOCD, pyOCD, STLINK, and AVaRICE. Real-time operating systems like FreeRTOS, ChibiOS/RT, and mbed RTOS are presented. Setup instructions are provided for Ajhc, GCC toolchain, pyOCD, and STLINK. Example code links are included.
- The document discusses techniques for man-in-the-middle (MiTM) attacks in various conditions and networks.
- MiTM attacks are fundamental to communications and can be implemented in different data channels like Ethernet, WiFi, and mobile networks.
- The author has experience with historical MiTM techniques from the 1990s as well as more modern approaches like ARP cache poisoning to intercept traffic on local networks.
More Mad Science for the Commodore 64 (ECCC 2015)
Leif Bloomquist
This document provides updates on multiple projects including a gaming glove Kickstarter, a Wi-Fi modem for the Commodore 64, and a virtual input device. It discusses progress made on prototypes, issues encountered like high component costs, and plans to launch the Kickstarter and sell completed products. Details are given on the Wi-Fi modem design which uses an Arduino, RN-XV module, and OLED display to provide Wi-Fi connectivity and TCP/IP networking to the C64 via its user port. Potential configurations and pricing around $160 are mentioned.
Vulnerabilities in the software of Yota telecommunications equipment
HeadLightSecurity
Multiple high-risk vulnerabilities in Yota software were discovered by HeadLight Security experts in August 2015. One of the vulnerabilities allows code execution on a remote computer without any access rights. In September Yota was repeatedly informed of the security problems in the modems produced by the company, but no software updates followed.
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
This document discusses asynchronous vulnerabilities and callback-oriented hacking techniques. It describes how asynchronous issues are often invisible and outlines solutions using callbacks, such as through DNS requests. It provides examples of payload techniques for issues like SQL injection, command injection, and XSS that call out to an external domain to confirm exploitation. Finally, it notes hazards like friendly fire and ways adversaries may detect the callbacks.
This document summarizes how to exploit vulnerabilities in fixed wireless terminals to remotely root the devices. It describes examining the hardware components and boot process to find entry points. Exploits discussed include using removable media to gain root access, cracking weak passwords, and exploiting unpickle serialization and remote code execution via eval. A demonstration shows using these techniques to remotely root a terminal via its management interface and UDP vulnerabilities. Potential further attacks discussed include installing backdoors, intercepting data and calls, and creating botnets.
This document discusses techniques for finding and stealing source code from unprotected Git repositories, including cloning exposed repositories, exploiting path and file disclosures, recovering deleted files and credentials from commit logs, and using tools to conduct aggressive cloning attacks. It warns developers to secure access to Git configurations and repositories and not check in sensitive data, and cautions attackers to carefully inspect exposed repositories for hostnames, paths, files and credentials that could be abused.
The document discusses running OSv virtual machines on the BitVisor hypervisor. It describes implementing virtio network device support for OSv on BitVisor by para-virtualizing the physical network interface and emulating virtio rings and operations. This avoids expensive VM exits by using a dedicated core to handle virtio operations in host mode while the guest runs on another core. Performance tests show the exitless virtio approach achieves network throughput and latency comparable to running on bare metal. Future work includes further optimizing exitless virtio and adding support for other virtio devices like block and random number generators.
The document discusses running OSv (a lightweight hypervisor) on BitVisor (a virtualization platform). It summarizes steps taken to implement a virtual Virtio NIC on BitVisor by faking the PCI configuration space, memory mapped I/O, and interrupts of the physical NIC (PRO/1000) to appear as a Virtio NIC to the OSv hypervisor. This allows OSv network drivers to function without modification by redirecting requests to the real NIC through hooks installed by BitVisor.
This document provides an introduction to the VeriFast program verifier. It describes how to set up VeriFast, including downloading required files. It explains that VeriFast can verify single-threaded and multi-threaded C/Java programs annotated with preconditions and postconditions written in separation logic, and that it avoids illegal memory accesses like buffer overflows. The document demonstrates running VeriFast on sample code, showing how it finds errors, and provides references for more information.
The document discusses the evolution of OSv from running on BitVisor (OSb) to running directly on hardware (OSp). It provides details on implementing a 10GbE network driver for the Intel X540 NIC in OSp. The driver implementation covers initialization, TX and RX operations using descriptor rings, and the interface with OSv. Performance is improved over OSb but there is still work needed on interrupts and advanced features. Additional scripts are discussed that allow OSv to directly access PCI devices when running on KVM/Linux for further optimization.
Linux on RISC-V with Open Hardware (ELC-E 2020)
Drew Fustini
Want to run Linux on open hardware? This talk will explore how RISC-V, an open instruction set architecture (ISA), and open source FPGA tools can be leveraged to achieve that goal. I will explain how others and I at Hackaday Supercon teamed up to get Linux running on a RISC-V soft-core in the ECP5 FPGA on the conference badge. I will introduce Migen, LiteX and VexRiscv, and explain how they enabled us to quickly implement an SoC in the FPGA capable of running Linux. I will also explore other Linux-capable open source RISC-V implementations, and how some are being used in industry. I will highlight that OpenHW Group has adopted the PULP Ariane from ETH Zurich for its Core-V CVA64 implementation. Finally, I will look at what Linux-capable "hard" RISC-V SoCs currently exist, and what is on the horizon for 2020 and 2021. This talk should be relevant to people who are interested in building open hardware systems capable of running Linux. It should also be useful to people who are curious about RISC-V. Software engineers may find it exciting to learn how Python can be used for chip-level design with Migen and LiteX, and simplify building a System-on-Chip (SoC) for an FPGA.
May 2013 HUG: Building common denominator of Hadoop distributions with Bigtop
Yahoo Developer Network
Bigtop is stepping up in its role as the foundation of a standard Hadoop-based data analytics stack, essentially bringing most of the commercial offerings onto a standard footing. 6 out of 7 commercial vendors use the Bigtop framework to power their distributions based on ASF Hadoop.
Bigtop is also the must-have stabilization tool for the Hadoop platform, where any downstream application or system developer can make sure that their software will work with the next version of Hadoop.
Presenter(s):
Dr. Konstantin Boudnik, ASF Hadoop committer, Bigtop PMC; Director of Engineering, WANdisco
Roman Shaposhnik, VP, Apache Bigtop, IPMC member at ASF; Software engineer, Cloudera inc.
This document discusses IPv6 Secure Neighbor Discovery (SeND) and Cryptographically Generated Addresses (CGA). It begins by explaining the need for SeND due to vulnerabilities in the IPv6 neighbor discovery process. It then provides an overview of SeND, including how it uses a PKI system with CGA to secure neighbor discovery packets. The document discusses support for SeND on routers and hosts, and demonstrates SeND in action between a CA router, segment router, and host. It concludes by addressing current issues with SeND deployment and stating that SeND can be deployed in enterprises when following guidance.
This document provides instructions on how to install the tools and software needed to develop applications for the STM32F429I-Discovery board, including installing the toolchain, ST-Link utilities, and OpenOCD. It also describes updating the board's firmware, provides an example of using USART communication, and lists traffic simulation and ball platform examples.
Home Automation with Asterisk - Astricon 2015 - Alberto Sagredo Castro
Alberto Sagredo Castro
This document discusses using Asterisk to integrate with a home automation system using OpenHab. It provides instructions on installing OpenHab on a Raspberry Pi or Banana Pi, connecting Z-Wave devices, and configuring Asterisk dialplan to interact with OpenHab items via REST calls and trigger automations. Demo dialplan examples are given to control lights, alarms, sprinklers by phone and using speech recognition to control devices by voice.
"Unless you've been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines?
The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information.
What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line -- thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts.
Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line.
This talk is intended to be the canary in the coal mine. The technology community cannot sit idly by while this ongoing madness is allowed to continue. The world must stop using FAX!"
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT to redirect misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
Keeping your rack cool with one "/IP route rule"
Faelix Ltd
This document discusses how Faelix, an ISP, uses MikroTik hardware and RouterOS at their provider edge to route over 600k IPv4 routes and 30k IPv6 routes. They initially migrated from Quagga and BIRD on Linux servers to MikroTik due to its energy efficiency and affordable hardware. While there were some bugs experienced, MikroTik has proven reliable overall. The document then explains how Faelix is able to firewall traffic with zero filter rules using a single "/ip route rule" to mark and route traffic to a separate routing table based on address lists from fail2ban and AMQP. This allows blocking of attacking traffic at the provider edge across multiple data centers in a
Hands-on VeriFast with STM32 microcontroller
Kiwamu Okabe
The document discusses setting up the development environment for hands-on verification of STM32 microcontroller applications using VeriFast. It describes installing ChibiOS/RT real-time operating system, the STM32 toolchain, VeriFast verification tool, and connecting an STM32 board. The document provides instructions for setting up the environment on Windows and MacOS.
This document provides an overview of CPU hardware, including:
- A CPU contains many transistors and acts as the miniature calculator of a computer using a very fast clock.
- There are two main CPU architectures: RISC and CISC. RISC includes ARM and MIPS, while CISC includes x86 and VAX.
- CPUs use caches, have either little-endian or big-endian instruction ordering, can support multiple threads, and come in 32-bit or 64-bit varieties.
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
Felipe Prado
The document provides an introduction to hardware hacking using a case study of exploiting a decade-old bug in widely deployed Avaya 9600 deskphones. It outlines the speaker's background and experience. It then discusses prior work in hardware hacking and walks through the process of analyzing the phone firmware, including performing reconnaissance, identifying components, accessing debug interfaces, analyzing the firmware, reversing the bootloader, and patching the EEPROM to achieve a shell on the device. The goal is to demonstrate that with the right skills and tools, hardware exploits are accessible to motivated individuals.
Insecure Obsolete and Trivial - The Real IOT
Price McDonald
This document summarizes a presentation about insecure and obsolete Internet of Things (IoT) devices. It discusses how to obtain old IoT devices, disassemble them to identify components, reverse engineer interfaces like UART and JTAG, extract file systems, and use tools like OpenOCD to hack the firmware. It also covers software-defined radios and how emergency sirens can potentially be hacked by spoofing radio signals. The presentation aims to show how trivially many IoT devices can be hacked and encourages securing obsolete technology before it becomes a bigger problem.
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
AdaCore
The document discusses computing systems and the technologies that enable them. It notes that computing today involves many cooperating technologies, including digital electronics, software, memory, optics, analog electronics, sensors, mechanics, displays and more. It emphasizes that these diverse technologies must work seamlessly together to enhance human capabilities. The document also highlights how reuse of technologies and components is necessary for businesses to be competitive and deliver products to consumers affordably. While commercial systems rely on reuse of potentially undependable components, the document argues that probabilistically, today's systems are functional and dependable enough to satisfy billions of customers per year.
Experiences building a distributed shared log on RADOS - Noah WatkinsCeph Community
This document summarizes Noah Watkins' presentation on building a distributed shared log using Ceph. The key points are:
1) Noah discusses how shared logs are challenging to scale due to the need to funnel all writes through a total ordering engine. This bottlenecks performance.
2) CORFU is introduced as a shared log design that decouples I/O from ordering by striping the log across flash devices and using a sequencer to assign positions.
3) Noah then explains how the components of CORFU can be mapped onto Ceph, using RADOS object classes, librados, and striping policies to implement the shared log without requiring custom hardware interfaces.
4) ZLog is presented
HIS'15 website tells us "Our lives increasingly depend on the correct functioning of software". But whilst true in itself, software is just one of the links in a system-chain; each needing to be as strong as the others for a satisfactory outcome. History may have branded software as the weakest link, but can that be said today? A system is an entity complete in its context; and judged subjectively by its black-box behaviour. And when faced with its failure it isn't acceptable to claim that "my bit worked"! All technologies we utilise are fallible, as are the processes we use to create them: Hardware, Software, Optics, Acoustics, RF, Mechanics, Test, Reproduction, Maintenance ... Perfection is still reserved for the gods. Technologies must work together in the system, and historic silos do nothing to encourage this. So how good do systems need to be; how close to achieving it are we; and does one size fit all? And perhaps most challengingly, can the disciplines complement one another so the whole is stronger than the weakest links?
Hands-on VeriFast with STM32 microcontroller @ OsakaKiwamu Okabe
The document discusses setting up a development environment for the ChibiOS/RT real-time operating system and VeriFast model checker on Windows and macOS systems. It provides instructions for installing necessary tools like GCC ARM, make, CMake, libUSB, ST-Link, ChibiOS/RT, and VeriFast from sources. It also explains downloading a custom ChibiOS/RT source code that is compatible with VeriFast verification.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
Joe FitzPatrick gave a presentation on exploiting PCIe (Peripheral Component Interconnect Express) buses for hardware attacks. He discussed using DMA (direct memory access) over PCIe to read and write system memory, modify firmware, and potentially bypass mitigations like IOMMU (input-output memory management unit). FitzPatrick demonstrated proof-of-concept attacks on Macs and Windows PCs using custom PCIe devices and software. However, he noted that fully bypassing protections like VT-d on Macbooks had not yet been achieved and more work is needed to build attacks without imitating a genuine device.
Our presentation to UKNOF in September 2020
In two very long nights of maintenance we acheived:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
The document discusses several open hardware and software platforms for hobbyist programmers, including Arduino, MSP430, Pinguino, mbed, FreeRTOS, ChibiOS/RT, and chopstx. Each platform is summarized, including the microcontroller or CPU used, compilers, support for networking, available development boards, and costs. Overall, the document provides an overview of popular open-source hardware and software options for hobbyist IoT development.
When DevOps and Networking Intersect by Brent Salisbury of socketplane.ioDevOps4Networks
The document discusses the intersection of networks and DevOps. It covers challenges with traditional network operations including lack of programmability. It proposes distributed and software-defined networking approaches but notes hard problems remain. It emphasizes lessons learned around prototyping, understanding user needs, reliability, testing changes, and building a collaborative team culture.
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
This document discusses identifying and exploiting vulnerabilities in consumer routers. It provides examples of analyzing firmware from various router models, including the (--E)-LINK DIR-120 and DIR-300, to gain unauthorized access. Methods discussed include reverse engineering firmware, exploiting services like telnet that are exposed without authentication, and modifying the read-only filesystem. The document also talks about using these compromised routers as bots for botnets performing activities like DDoS attacks, cryptocurrency mining, and spam/phishing campaigns. It provides examples of real botnets like Psyb0t that have exploited routers.
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
Analysis of virtualized rootkit detection methods. Introduces "Samsara", our framework for detecting virtualization and an implementation of data/instruction TLB sizing, HPET timer, and VT errata tests. We predict the future will be cat-and-mouse, where each side analyzes and responds to the behavior of their opponent, ad infinitum. Joint talk given with Thomas Ptacek and Peter Ferrie.
Similar to Thunderbolts and Lightning: Very Very Frightening (20)
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Monitoring Java Application Security with JDK Tools and JFR Events
Thunderbolts and Lightning: Very Very Frightening
1. SNARE & RZN
@ SYSCAN
APRIL 2014
THUNDERBOLTS AND LIGHTNING
VERY, VERY FRIGHTENING
2. Thunderbolts and Lightning ⚡⚡⚡ Very, Very Frightening
WHO ARE THESE IDIOTS?
OBLIGATORY INTRO SLIDE
‣ rzn aka Sam
  ‣ PhD student at UoA
  ‣ research into ray-tracing on FPGAs
  ‣ extensive collection of name tags and hair nets
‣ snare aka Loukas
  ‣ computer guy at Azimuth Security
  ‣ did some OS X kernel and UEFI firmware stuff one time
  ‣ world’s strongest millionaire
  ‣ internet-famous feet
3. WHAT IS THIS TALK ABOUT?
‣ Apparently Thunderbolt DMA attacks are totally a thing
‣ But we haven’t seen a PoC yet
‣ And it sounded like fun
‣ It’s not actually about Lightning (the iDevice connector)
  ‣ Sorry Stefan
4. THINGS WHAT WE IS GOING TO TALK ABOUT
AGENDA
‣ FireWire DMA attacks
‣ Thunderbolt
‣ How is PCIe formed?
‣ What the fuck is an FPGA?
‣ Our approach to attacking Thunderbolt
‣ Sweet stunt hack demo and stuff
‣ Defence
5. FIREWIRE DMA ATTACKS
HIT BY THE SHORT BUS
‣ See Metlstorm’s “Hit By A Bus” circa 2006 (Ruxcon)
‣ First done by Quinn the Eskimo (Apple awesome dude)
  ‣ Won MacHack 2002 by drawing a screensaver over FireWire!
‣ See also Inception - a FireWire DMA tool
‣ How does it work?
  ‣ Using SBP-2 (the FireWire storage protocol: the attacker node presents itself as an SBP-2 disk, and the target’s SBP-2 driver enables physical DMA for that node)
  ‣ FireWire chipset does DMA R/W on the PCI/PCIe bus
  ‣ Stream data out the FW interface
6–11. FIREWIRE DMA ATTACKS
HIT BY THE SHORT BUS
(Diagram: TARGET HOST with MEMORY, MCH, PCI EXPRESS and FIREWIRE; ANALYSIS HOST with FIREWIRE, PCI EXPRESS and STORAGE; the two hosts are connected over FireWire.)
Sequence built up across the slides:
‣ Analysis host → target FireWire controller: “bro, read data at 0xDEADBEA7”
‣ Target FireWire controller → MCH → memory: DMA read 0xDEADBEA7
‣ Target → analysis host: “here ya go pal”
LIMITATIONS
HIT BY THE SHORT BUS
‣ Obviously requires that there be a FireWire interface
‣ 32-bit addressing = only lower 4GB of RAM
‣ On OS X FireWire DMA is disabled when the screen
is locked & FileVault is enabled
‣ Kernel tells FW chipset not to do DMA any more
‣ #sadface
13–14. EH?
WHAT’S A THUNDERBOLT?
‣ Thunderbolt == PCIe + DisplayPort + pixie dust
(Diagram, labelled PIXIE DUST)
‣ Send DMA requests directly over PCIe?
15. PICS OR GTFO
WHAT’S A THUNDERBOLT?
(Slightly more useful diagram)
16. CHEATING WITH FIREWIRE
THUNDERBOLT DMA THUS FAR
‣ “Thunderbolt DMA”
  ‣ Connect Thunderbolt to FireWire adapter
  ‣ ???
  ‣ Profit
‣ Subject to the same limitations as regular FireWire
17–21. WHEN PCI AND PCI-X LOVE EACH OTHER VERY MUCH
HOW IS PCIE FORMED?
‣ Serial point-to-point interconnect
‣ A lane consists of a tx and rx differential pair (4 wires per lane)
‣ Scalable number of lanes, negotiated at link setup
‣ Layered, packet based, transaction protocol
  ‣ Physical layer
  ‣ Data link layer
  ‣ Transaction layer
‣ Interrupts: legacy INTx (level-sensitive lines emulated with Assert/Deassert messages) or message signaled interrupts (MSI/MSI-X)
22. DMA
HOW IS PCIE FORMED?
‣ Four transaction types
  ‣ I/O read/write
  ‣ Configuration read/write
  ‣ Memory read/write
  ‣ Messaging
‣ DMA:
  ‣ Configuration write to grant device “bus master” (sets Bus Master Enable in the device’s Command register; the device’s own logic honours this bit, the host does not enforce it)
  ‣ Write target address and command to the device’s registers
  ‣ Device interrupts when finished
23–28. WTF IS AN FPGA?
‣ Field Programmable Gatorade Gate Array [1]
‣ Matrix of configurable logic blocks, each containing ‘slices’
‣ Slice contents are the core of FPGA functionality
  ‣ Look up tables (LUTs)
  ‣ Flip-flops
  ‣ Carry chain
  ‣ Muxes
‣ Additional general features: blockRAMs, FIFOs, DSP blocks, clocking resources (PLLs, DCMs)
‣ Device specific features: PCIe, Ethernet, DDR2/3
‣ Reprogrammable
[1] Wikipedia
29. LUTS LUTS LUTS
WTF IS AN FPGA?
‣ logic ➤ truth table ➤ LUT

  S1 S0 D C B A | F
  0  0  0 0 0 0 | 0
  0  0  0 0 0 1 | 0
  0  0  0 0 1 0 | 0
  0  0  0 0 1 1 | 1
  ⚡  ⚡  ⚡ ⚡ ⚡ ⚡ | ⚡
  1  1  1 1 0 0 | 1
  1  1  1 1 0 1 | 0
  1  1  1 1 1 0 | 1
  1  1  1 1 1 1 | 0

(Diagram: the same function drawn as logic with inputs A, B, C, D, selects S0, S1 and output F, and as a LUT with inputs I0–I4, output O, INIT=11110F0F0303)

‣ A LUT is essentially a 6-input memory, containing the desired output for each set of inputs (addresses)
‣ It doesn’t matter how simple or complex the function, it is only limited by the inputs
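The logic ➤ truth table ➤ LUT step above, carried through in working code. This is an added example for this page, not code from the talk: a function is written as ordinary Python, its truth table is enumerated, and the outputs are packed into the INIT constant a LUT would be loaded with, then read back the way the silicon does it (inputs are just an address). The input-to-address ordering (I0 least significant, I5 most significant, matching the Xilinx LUT6 primitive) and the assignment of the slide’s signal names A, B, C, D, S0, S1 to I0..I5 are this example’s assumptions, so the INIT it produces is not the one printed on the slide.

```python
"""Logic -> truth table -> LUT. Added example for this page, not from the
talk. Bit ordering assumed here matches the Xilinx LUT6 primitive: the
INIT bit index is the input word with I5 as MSB and I0 as LSB."""


def truth_table(fn, n_inputs=6):
    """Enumerate fn over every input word; rows are (i0, i1, ..., F)."""
    rows = []
    for k in range(1 << n_inputs):
        bits = tuple((k >> i) & 1 for i in range(n_inputs))  # bits[i] is I{i}
        rows.append(bits + (int(bool(fn(*bits))),))
    return rows


def lut_init(fn, n_inputs=6):
    """Pack the truth table into the INIT constant: bit k of INIT is the
    output for input word k, so the LUT is a 2**n x 1-bit memory."""
    init = 0
    for row in truth_table(fn, n_inputs):
        k = sum(b << i for i, b in enumerate(row[:-1]))
        init |= row[-1] << k
    return init


def lut_init_hex(fn, n_inputs=6):
    """INIT as the hex string you would write in HDL (16 digits for LUT6)."""
    return f"{lut_init(fn, n_inputs):0{(1 << n_inputs) // 4}X}"


def lut_eval(init, *inputs):
    """What the silicon does: the inputs address one bit of INIT."""
    addr = sum(b << i for i, b in enumerate(inputs))
    return (init >> addr) & 1


def mux4(a, b, c, d, s0, s1):
    """Example function: a 4:1 mux, F = (A, B, C, D)[S1 S0]. The signal
    names are the slide's; mapping them to I0..I5 is this example's choice."""
    return (a, b, c, d)[(s1 << 1) | s0]


def and6(*bits):
    """A much simpler 6-input function; it fills exactly the same 64 bits."""
    return all(bits)
```

Whatever the function, a 6-input LUT always stores 64 bits: `lut_init_hex(mux4)` and `lut_init_hex(and6)` are both 16 hex digits, which is the slide’s point that complexity is bounded only by the number of inputs.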
30–33. IT’S ALL ABOUT THE LOLS
WTF IS AN FPGA?
‣ Application logic is described in an HDL; Verilog or VHDL
‣ You can leave it all to the synthesis tool to infer logic, but it is important to understand how a LUT works
‣ Maximum frequency determined by “levels of logic”
  ‣ A level of logic is the combination of LUT delay and routing delay between two flip-flops
  ‣ LUT delay = static, constant property of the device
  ‣ Routing delay = dynamic, influenced by LUT placement
‣ Reduce levels of logic, place LUTs closer together = higher clock frequency
35–39. ‣ MicroBlaze is a soft-core 32-bit microcontroller implemented in FPGA logic
‣ Interfaces with the AXI bus
  ‣ Standard interface to easily memory map other custom or off-the-shelf IP blocks
‣ Code is written in C or C++, compiled with XSDK
‣ Really useful for writing control logic
  ‣ Previously you’d write large state machines in HDL
  ‣ Also means noobs (snare) can write code for it
‣ Connect it via serial and you can printf debug your logic!
40-42. BUTT, HOW DO WE DO PCIE?
WTF IS AN FPGA?
‣ AXI PCIE core uses FPGA device specific features to implement PCIE
‣ Memory mapped to MicroBlaze
‣ Read/write to memory mapped AXI core translates to PCIE read/write TLPs
‣ Read/write TLPs from PCIe translate to memory mapped AXI core read/write
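To make the "translates to PCIe read/write TLPs" step concrete, here is an added example (not code from the talk, and not Xilinx's AXI PCIe core) that decodes the header of a PCIe memory read/write request TLP: the requester ID and target address it carries are exactly the fields a DMA remapping unit later judges. The field layout follows the PCIe Base Specification's 3DW/4DW memory request header; the two sample TLPs are constructed by hand, and reading the slide's "0:20:0" as bus:device:function is my assumption.

```python
"""Decode PCIe memory request TLPs (MRd/MWr) from raw bytes.

Added example, not code from the talk or from Xilinx.  Header layout per the
PCIe Base Specification; the sample TLPs below are constructed by hand."""
import struct


def decode_mem_tlp(tlp: bytes) -> dict:
    """Decode an MRd/MWr TLP (3DW or 4DW header) from its raw big-endian bytes."""
    if len(tlp) < 12:
        raise ValueError("TLP shorter than a 3DW header")
    dw0, dw1 = struct.unpack_from(">II", tlp, 0)
    fmt = (dw0 >> 29) & 0x7           # Fmt: bit0 = 4DW header, bit1 = carries data
    tlp_type = (dw0 >> 24) & 0x1F     # Type 0b00000 = memory request
    if tlp_type != 0:
        raise ValueError("not a memory request TLP (type=%#x)" % tlp_type)
    has_data = bool(fmt & 0b010)
    four_dw = bool(fmt & 0b001)
    length_dw = (dw0 & 0x3FF) or 1024  # Length: number of DWs, 0 encodes 1024
    req_id = dw1 >> 16                 # Requester ID = bus[15:8] dev[7:3] func[2:0]
    requester = "%d:%d:%d" % (req_id >> 8, (req_id >> 3) & 0x1F, req_id & 0x7)
    tag = (dw1 >> 8) & 0xFF
    last_be, first_be = (dw1 >> 4) & 0xF, dw1 & 0xF
    if four_dw:
        hi, lo = struct.unpack_from(">II", tlp, 8)
        addr, hdr_len = (hi << 32) | (lo & ~0x3), 16
    else:
        (lo,) = struct.unpack_from(">I", tlp, 8)
        addr, hdr_len = lo & ~0x3, 12
    payload = tlp[hdr_len:hdr_len + 4 * length_dw] if has_data else b""
    return {"kind": "MWr" if has_data else "MRd", "addr": addr,
            "length_dw": length_dw, "requester": requester, "tag": tag,
            "first_be": first_be, "last_be": last_be, "payload": payload}


# Constructed samples.  MWR32: a 32-bit-address write of one DW from the device
# at bus 0, device 20, function 0 to 0x64c000 (the address on the slide's fault
# line).  MRD64: a 64-bit-address read of four DWs from bus 1, device 0, tag 7.
MWR32 = bytes.fromhex("40000001" "00a0000f" "0064c000" "deadbeef")
MRD64 = bytes.fromhex("20000004" "010007ff" "00000001" "00000000")


def describe(tlp: bytes) -> str:
    """One-line summary in the same device/address shape as the console fault line."""
    d = decode_mem_tlp(tlp)
    return "%s device %s %s:%#x (%d DW)" % (
        d["kind"], d["requester"], "W" if d["kind"] == "MWr" else "R",
        d["addr"], d["length_dw"])


if __name__ == "__main__":
    for sample in (MWR32, MRD64):
        print(describe(sample))
```

Running it prints one line per sample; the MWr line reads `MWr device 0:20:0 W:0x64c000 (1 DW)`, which is the same device and address the VT-d fault line on a later slide reports, so the decoder doubles as a way to correlate link-level requests with kernel fault logs.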
43. FAKE IT TILL YOU BREAK IT
OUR APPROACH
‣ Become bus master
‣ ???
‣ Profit
47. FAKE IT TILL YOU BREAK IT
OUR APPROACH
[Diagram: TARGET HOST, THUNDERBOLT (BPLUS TH05, DSL2210), PCIE, XILINX SP605 (AXI PCIE CORE, AXI, MICROBLAZE), SERIAL, ANALYSIS HOST]
‣ Board circuitry handles PCIE physical layer
‣ AXI PCIE core handles data link layer
‣ We write code for the MicroBlaze that reads and writes to the AXI core
48. OK, SO FPGA TALKS PCIe
ATTACKING A MAC
‣ Phase 1 - write our own driver
‣ Make FPGA bus master
‣ Tell it what to do
‣ Phase 2 - imitate another device
‣ Change device id, vendor id in configuration space
‣ Trick the OS into loading an existing driver that will make us bus master
49. STUNT HACK?!
ATTACKING A MAC
‣ PoC - patch auth handler to bypass login screen
‣ Return success? Nah return 1 bro
‣ Log in with any password
59-60. STUNT HACK?!
ATTACKING A MAC
‣ PRE-DEMO VIDEO THINGY
61. JUST IN CASE OUR STUPID DEMO DIDN’T WORK
OTTERSTORM
62-63. IT’S OK, WE MADE A VIDEO
64. YEP
WAIT, THE DEMO WORKED?
65-68. Y’KNOW, IF YOU LIKE SECURITY AND STUFF
THIS SEEMS BAD
‣ Intel realised this was not a good “feature”
‣ What to do about it?
  ‣ Glue all the ports shut?
  ‣ Voodoo curse?
  ‣ Access controls on device I/O? 👍
69. INTEL, YOU BASTARDS
VT-D
‣ Virtualised I/O
‣ Hypervisor can now assign devices directly to guests
  ‣ This is how VMDirectPath works
‣ DMA requests are remapped w/access controls
‣ Interrupts are remapped w/access controls
70. INTEL, YOU BASTARDS
VT-D
‣ VT-d unit has “domains”
‣ There is at least one domain (the host’s domain)
‣ In order to assign a device to a guest, the VMM creates a domain for that guest
  ‣ Assigns a device to it
71. A SECURITY FEATURE?
VT-D
‣ OS X kernel configures VT-d
  ‣ Actually it’s the IOPCIFamily driver
  ‣ All the devices are configured in a single VT-d “domain”
‣ Drivers allocate DMA buffers
  ‣ New kernel memory allocator tells VT-d unit about regions
  ‣ Now when DMA requests come in on the PCIe bus, VT-d says yea or nay
‣ If you are denied access, the kernel’s VT-d handler is called and you see this in your console:
  ‣ vtd[0] fault: device 0:20:0 reason 0x5 W:0x64c000
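The domain/region "yea or nay" described on the two slides above, and the console line that results from a "nay", as an added example (not the talk's code and not Apple's IOPCIFamily): a toy remapping unit that assigns devices to domains and only admits DMA that lands inside a buffer a driver registered, plus a parser for the fault line format so the faults can be counted per device from a console log. Domain names, buffer addresses and all console lines other than the one on the slide are constructed.

```python
"""Toy VT-d style DMA access control plus a parser for the kernel's fault lines.

Added example, not code from the talk or from Apple.  Domains, buffers and the
extra console lines are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Region:
    base: int       # physical address of a DMA buffer a driver allocated
    size: int
    writable: bool  # whether the device may write into it


@dataclass
class Domain:
    name: str
    regions: list = field(default_factory=list)


class Remapper:
    """Stand-in for a VT-d unit: each device ('bus:dev:func') belongs to one
    domain, and a DMA request is allowed only if it lies entirely inside a
    region registered for that domain."""

    def __init__(self):
        self.domains = {}      # name -> Domain
        self.assignment = {}   # device -> domain name
        self.faults = []       # (device, addr, write) tuples that were denied

    def create_domain(self, name):
        self.domains[name] = Domain(name)

    def assign(self, device, domain):
        self.assignment[device] = domain

    def register_buffer(self, domain, base, size, writable=True):
        # What the DMA-aware allocator does when a driver allocates a buffer.
        self.domains[domain].regions.append(Region(base, size, writable))

    def check(self, device, addr, length, write):
        """Yea or nay for one DMA request; a nay is recorded as a fault."""
        dom = self.assignment.get(device)
        if dom is not None:
            for r in self.domains[dom].regions:
                if r.base <= addr and addr + length <= r.base + r.size:
                    if r.writable or not write:
                        return True
                    break
        self.faults.append((device, addr, write))
        return False


# Console line shape from the slide: vtd[0] fault: device 0:20:0 reason 0x5 W:0x64c000
FAULT_RE = re.compile(
    r"vtd\[(?P<unit>\d+)\] fault: device (?P<device>\d+:\d+:\d+) "
    r"reason (?P<reason>0x[0-9a-fA-F]+) (?P<access>[RW]):(?P<addr>0x[0-9a-fA-F]+)")


def parse_fault(line):
    """Return the fields of one vtd fault line, or None if the line is something else."""
    m = FAULT_RE.search(line)
    if not m:
        return None
    return {"unit": int(m["unit"]), "device": m["device"],
            "reason": int(m["reason"], 16), "access": m["access"],
            "addr": int(m["addr"], 16)}


def faulting_devices(lines, threshold=1):
    """Count denied DMA requests per device; a device at or above the threshold
    is worth a look, since a device with no driver-registered buffers lands here."""
    counts = Counter(f["device"] for f in map(parse_fault, lines) if f)
    return {dev: n for dev, n in counts.items() if n >= threshold}


# Constructed console excerpt; only the first line is the one shown on the slide.
SAMPLE_CONSOLE = [
    "vtd[0] fault: device 0:20:0 reason 0x5 W:0x64c000",
    "kernel: some unrelated message",
    "vtd[0] fault: device 0:20:0 reason 0x5 W:0x64d000",
    "vtd[0] fault: device 3:0:0 reason 0x5 R:0x10000000",
]


def demo():
    """Host domain with one constructed buffer: a write inside it passes, a
    write to an unregistered address is denied and logged."""
    vtd = Remapper()
    vtd.create_domain("host")
    vtd.assign("0:20:0", "host")
    vtd.register_buffer("host", 0x7F000000, 0x1000)
    allowed = vtd.check("0:20:0", 0x7F000100, 64, write=True)
    denied = vtd.check("0:20:0", 0x64C000, 8, write=True)
    return allowed, denied, len(vtd.faults)


if __name__ == "__main__":
    print(demo())
    print(faulting_devices(SAMPLE_CONSOLE))
```

The model deliberately keeps every device in one domain, as the slide says OS X does, so the protection comes entirely from which buffers drivers registered; a device that no driver has set up has no regions at all and every request from it faults. `faulting_devices` over the constructed excerpt reports two faults for 0:20:0 and one for 3:0:0, which is the kind of per-device count a console log watcher would alert on.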
72. INTEL, YOU BASTARDS
VT-D
[Diagram: PCIe DEVICE on the PCI EXPRESS BUS, PCH, CPU/MCH with VT-D, MEMORY]
73. INTEL, YOU BASTARDS
VT-D
‣ On all >=2012 Macs (Ivy Bridge)
  ‣ Requires OS config - supported in OS X since 10.8.2
‣ Restricts PCIe device DMA access
  ‣ This is balls
  ‣ Means our trix don’t work on >=2012 machine running >10.8.2
‣ Windows pre-8 (AFAIK) doesn’t configure VT-d
  ‣ Pretty sure I remember reading that somewhere
‣ Linux does a much better job of configuring VT-d
74. PROBABLY NOT
AM I OWNED?
                        <10.8.2     >=10.8.2
Pre-Ivy Bridge          OWNED       OWNED
Ivy Bridge and later    OWNED       NOT OWNED :(
DUDE, WHAT THE HELL? UPGRADE YOUR SHIT
75. NEW TRIX
WHAT’S NEXT?
‣ Maybe make the kit a little bit smaller
‣ Bypass VT-d?
‣ See if we can do it without imitating a device?
‣ Full memory capture
76. REFERENCES
‣ Metlstorm - Hit by a Bus (Ruxcon 2006)
‣ http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf
‣ Quinn the Eskimo - FireStarter (MacHack 2002)
‣ http://www.anarchistturtle.com/Quinn/WWW/Hacks.html
‣ Inception (FireWire DMA tool)
‣ http://www.breaknenter.org/projects/inception/
‣ PCIe Base Specification (507 pages, great night time reading)
‣ http://read.pudn.com/downloads161/doc/729268/PCI_Express_Base_11.pdf
‣ Xilinx PCIe DMA Reference Design
‣ http://www.xilinx.com/support/documentation/application_notes/xapp1052.pdf
77.
greetz:
vt, pipes, antic0de, quine, metlstorm, h1kar1, y011, radian
special thanks to:
thomas motherfuckin’ lim
statler and waldorf (nagy and grugq)
mad props to:
barns. now let’s get grimy.
KTHXBAI
@snare
snare@ho.ax
http://ho.ax
http://blog.azimuthsecurity.com
@scollinsonz
smc@affinity.net.nz
http://affinity.net.nz