SlideShare una empresa de Scribd logo

Tapping into the core

Positive Hack Days
Positive Hack Days

The document discusses how modern Intel CPUs contain debugging features like JTAG that could enable hardware trojans if activated. It describes how the Intel Direct Connect Interface allows activating JTAG-like debugging over USB, potentially allowing full system control. It demonstrates activating DCI on a laptop through the UEFI and explains how to detect if DCI is enabled. The document warns that DCI could lead to a "new age of BadUSB" if used maliciously.

Tecnología
1 de 27
Descargar para leer sin conexión
Tapping into the C ore Maxim Goryachy Mark Ermolov Chaos Computer Club (33C 3), Hamburg, 2016
Intel® Direct C onnect Interface as a bas is for hardware Trojans Maxim Goryachy Mark Ermolov Positive Research Center mgoryachiy@ptsecurity.com mermolov@ptsecurity.com
mgoryachy@ptsecurity.com mermolov@ptsecurity.com Agenda 3 • Definition of a Hardware Trojan • Debugging features as a basis of a Hardware Trojan • An overview of the debugging features in modern Intel CPUs • Activating debugging • Detecting enabled debugging
Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system. Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.  Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia Hardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009  Xiaoxiao Wang and Mohammad Tehranipoor Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008 http://spywareremovers.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan 4
mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan (E xample) 5
What If You Are a White Hat Use the JTAG, Luke! mgoryachy@ptsecurity.com mermolov@ptsecurity.com 6
What Is JTAG? Joint Test Action Group IEEE 1149.1 • https://en.wikipedia.org/wiki/JTAG • IEEE Standard 1149.1 https://standards.ieee.org/findstds/standard/1149.1-2013.html • Blackbox JTAG Reverse Engineering [26C3] https://www.youtube.com/watch?v=Up0697E5DGc https://www.xjtag.com mgoryachy@ptsecurity.com mermolov@ptsecurity.com 7
Uses of JTAG • Forensics (Dump Flash, rootkit detection) • Research (Cache as RAM, Secure Boot, Boot Guard, SMM) • Low-level debugging (UEFI DXE/PEI, drivers, hypervisor) • Performance analysis mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://partsolutions.com/ 8
JTAG in Intel C PUs • JTAG 101 IEEE 1149.x and Software Debug http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101- ieee-1149x-paper.pdf • Debug Port Design Guide for UP/DP Systems http://download.intel.com/support/processors/pentium4/sb/31337301.pdf https://upload.wikimedia.org mgoryachy@ptsecurity.com mermolov@ptsecurity.com 9
C onnection Types • Intel In-Target Probe eXtended Debug Port (ITP-XDP) • Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon. There are two types of DCI hosting interfaces in the platform:  USB3 Hosting DCI (USB Debug cable)  BSSB Hosting DCI (Intel SVT Closed Chassis Adapter) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 10
Intel ITP-XDP https://designintools.intel.com  Direct connection to CPU debugging interface  Price $3,000  Special board socket is required  Supported by Intel System Studio trial version  Protocol covered by NDA mgoryachy@ptsecurity.com mermolov@ptsecurity.com 11
Intel® Direct C onnect Interface (DC I) Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH) Works with U series out-of-box chipsets only mgoryachy@ptsecurity.com mermolov@ptsecurity.com 12
BSSB Hos ting DC I https://designintools.intel.com Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA or BSSB) provides access to DFx features, like JTAG and run control, through USB3 ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.  Supported by Intel System Studio trial version  Price $390  Private protocol using physical USB links mgoryachy@ptsecurity.com mermolov@ptsecurity.com 13
USB3 Hos ting DC I http://www.datapro.net/  No extra hardware required (standard USB 3.0 cable)  OTG device, “magic” port needs to be found  Deep Sleep mode not supported  Supported by Intel System Studio trial version  Run through the device integrated to the target platform  Standard USB protocol used mgoryachy@ptsecurity.com mermolov@ptsecurity.com 14
USB3 Hos ting DC I Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 15
What Is Simple USB-cable Able to Do… mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://www.datapro.net/ 16
DEMO ptsecurity.com 17 17
How to Activate DC I? • UEFI Human Interface Infrastructure (UEFI HII) • PCH Strap (Intel Flash Image Tool) • P2SB device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 18
Activation via UEFI HII • UEFI Human Interface Infrastructure http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF • AMI BIOS Configuration Program 5.0 https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/ • It is possible to reprogram BIOS by programmer or through SPI controller (if privileges allow), but the target platform could shut down with an error if Boot Guard is running. http://www.dediprog.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com 19
Activation via UEFI HII mgoryachy@ptsecurity.com mermolov@ptsecurity.com 20
Activation via PC H Strap • Intel® Flash Image Tool http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp- System-Tools.html • Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 21
Manually via P2SB Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 22
How to Fight Back? • BootGuard • Direct Connect Interface Enable bit check • MSR IA32_DEBUG_INTERFACE mgoryachy@ptsecurity.com mermolov@ptsecurity.com 23
IA32_DE BUG_INTE RFAC E mgoryachy@ptsecurity.com mermolov@ptsecurity.com 24
New Age of BadUSB? http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg mgoryachy@ptsecurity.com mermolov@ptsecurity.com 25
Summary • Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system; • Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers; • Big vendor of motherboard vendor (we aren’t disclose); • Ensure that your Skylake laptop has DCI disabled. mgoryachy@ptsecurity.com mermolov@ptsecurity.com 26
Thank you! Questions? mgoryachiy@ptsecurity.com mermolov@ptsecurity.com github.com/ptresearch 27

Recomendados

[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures Aj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
How Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar LeibovichHow Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar LeibovichDevOpsDays Tel Aviv
 
Process' Virtual Address Space in GNU/Linux
Process' Virtual Address Space in GNU/LinuxProcess' Virtual Address Space in GNU/Linux
Process' Virtual Address Space in GNU/LinuxVarun Mahajan
 
Nios2 and ip core
Nios2 and ip coreNios2 and ip core
Nios2 and ip coreanishgoel
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Poolguest215c4e
 
OPEN STA
OPEN STAOPEN STA
OPEN STAShourya Puri
 

Recomendados

[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures Aj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
How Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar LeibovichHow Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar LeibovichDevOpsDays Tel Aviv
 
Process' Virtual Address Space in GNU/Linux
Process' Virtual Address Space in GNU/LinuxProcess' Virtual Address Space in GNU/Linux
Process' Virtual Address Space in GNU/LinuxVarun Mahajan
 
Nios2 and ip core
Nios2 and ip coreNios2 and ip core
Nios2 and ip coreanishgoel
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Poolguest215c4e
 
OPEN STA
OPEN STAOPEN STA
OPEN STAShourya Puri
 
Linux Memory Management
Linux Memory ManagementLinux Memory Management
Linux Memory ManagementSuvendu Kumar Dash
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
why we need ext4
why we need ext4why we need ext4
why we need ext4Hao(Robin) Dong
 
Introduction to UBI
Introduction to UBIIntroduction to UBI
Introduction to UBIRoy Lee
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
XPDS16: Keeping coherency on ARM - Julien Grall, ARM
XPDS16: Keeping coherency on ARM - Julien Grall, ARMXPDS16: Keeping coherency on ARM - Julien Grall, ARM
XPDS16: Keeping coherency on ARM - Julien Grall, ARMThe Linux Foundation
 
UVM Update: Register Package
UVM Update: Register PackageUVM Update: Register Package
UVM Update: Register PackageDVClub
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiKuniyasu Suzaki
 
VLSI based final year project topics and ideas
VLSI based final year project topics and ideas VLSI based final year project topics and ideas
VLSI based final year project topics and ideas Nxtlogic Software Solutions
 
Mapping functions
Mapping functionsMapping functions
Mapping functionsLahore Garrison University
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Klee and angr
Klee and angrKlee and angr
Klee and angrWei-Bo Chen
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicJoseph Lu
 
Computer architecture
Computer architecture Computer architecture
Computer architecture Ashish Kumar
 
Tizen Window System
Tizen Window SystemTizen Window System
Tizen Window SystemEun Young Lee
 
What is JTAG?
What is JTAG?What is JTAG?
What is JTAG?killerdolton
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesAnne Nicolas
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 

Más contenido relacionado

La actualidad más candente

Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
Introduction to UBI
Introduction to UBIIntroduction to UBI
Introduction to UBIRoy Lee
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
XPDS16: Keeping coherency on ARM - Julien Grall, ARM
XPDS16: Keeping coherency on ARM - Julien Grall, ARMXPDS16: Keeping coherency on ARM - Julien Grall, ARM
XPDS16: Keeping coherency on ARM - Julien Grall, ARMThe Linux Foundation
 
UVM Update: Register Package
UVM Update: Register PackageUVM Update: Register Package
UVM Update: Register PackageDVClub
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiKuniyasu Suzaki
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicJoseph Lu
 
Computer architecture
Computer architecture Computer architecture
Computer architecture Ashish Kumar
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesAnne Nicolas
 

La actualidad más candente (20)

Linux Memory Management
Linux Memory ManagementLinux Memory Management
Linux Memory Management
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
 
why we need ext4
why we need ext4why we need ext4
why we need ext4
 
Introduction to UBI
Introduction to UBIIntroduction to UBI
Introduction to UBI
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux Kernel
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)
 
XPDS16: Keeping coherency on ARM - Julien Grall, ARM
XPDS16: Keeping coherency on ARM - Julien Grall, ARMXPDS16: Keeping coherency on ARM - Julien Grall, ARM
XPDS16: Keeping coherency on ARM - Julien Grall, ARM
 
UVM Update: Register Package
UVM Update: Register PackageUVM Update: Register Package
UVM Update: Register Package
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzaki
 
VLSI based final year project topics and ideas
VLSI based final year project topics and ideas VLSI based final year project topics and ideas
VLSI based final year project topics and ideas
 
Mapping functions
Mapping functionsMapping functions
Mapping functions
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Klee and angr
Klee and angrKlee and angr
Klee and angr
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panic
 
Computer architecture
Computer architecture Computer architecture
Computer architecture
 
Tizen Window System
Tizen Window SystemTizen Window System
Tizen Window System
 
What is JTAG?
What is JTAG?What is JTAG?
What is JTAG?
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologies
 

Similar a Tapping into the core

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
Design and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerDesign and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerIJERA Editor
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processorsNebyueAwoke
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoTteam-WIBU
 
Breaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsBreaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsSpeck&Tech
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 

Similar a Tapping into the core (20)

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System Software
 
Embedded C workshop
Embedded C workshopEmbedded C workshop
Embedded C workshop
 
Design and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerDesign and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web Server
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processors
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoT
 
SoC: System On Chip
SoC: System On ChipSoC: System On Chip
SoC: System On Chip
 
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal CloudsBMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
 
Breaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsBreaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial Robots
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Resume
ResumeResume
Resume
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 

Más de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Más de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Último

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Tapping into the core

  • 1. Tapping into the C ore Maxim Goryachy Mark Ermolov Chaos Computer Club (33C 3), Hamburg, 2016
  • 2. Intel® Direct C onnect Interface as a bas is for hardware Trojans Maxim Goryachy Mark Ermolov Positive Research Center mgoryachiy@ptsecurity.com mermolov@ptsecurity.com
  • 3. mgoryachy@ptsecurity.com mermolov@ptsecurity.com Agenda 3 • Definition of a Hardware Trojan • Debugging features as a basis of a Hardware Trojan • An overview of the debugging features in modern Intel CPUs • Activating debugging • Detecting enabled debugging
  • 4. Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system. Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.  Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia Hardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009  Xiaoxiao Wang and Mohammad Tehranipoor Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008 http://spywareremovers.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan 4
  • 6. What If You Are a White Hat Use the JTAG, Luke! mgoryachy@ptsecurity.com mermolov@ptsecurity.com 6
  • 7. What Is JTAG? Joint Test Action Group IEEE 1149.1 • https://en.wikipedia.org/wiki/JTAG • IEEE Standard 1149.1 https://standards.ieee.org/findstds/standard/1149.1-2013.html • Blackbox JTAG Reverse Engineering [26C3] https://www.youtube.com/watch?v=Up0697E5DGc https://www.xjtag.com mgoryachy@ptsecurity.com mermolov@ptsecurity.com 7
  • 8. Uses of JTAG • Forensics (Dump Flash, rootkit detection) • Research (Cache as RAM, Secure Boot, Boot Guard, SMM) • Low-level debugging (UEFI DXE/PEI, drivers, hypervisor) • Performance analysis mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://partsolutions.com/ 8
  • 9. JTAG in Intel C PUs • JTAG 101 IEEE 1149.x and Software Debug http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101- ieee-1149x-paper.pdf • Debug Port Design Guide for UP/DP Systems http://download.intel.com/support/processors/pentium4/sb/31337301.pdf https://upload.wikimedia.org mgoryachy@ptsecurity.com mermolov@ptsecurity.com 9
  • 10. C onnection Types • Intel In-Target Probe eXtended Debug Port (ITP-XDP) • Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon. There are two types of DCI hosting interfaces in the platform:  USB3 Hosting DCI (USB Debug cable)  BSSB Hosting DCI (Intel SVT Closed Chassis Adapter) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 10
  • 11. Intel ITP-XDP https://designintools.intel.com  Direct connection to CPU debugging interface  Price $3,000  Special board socket is required  Supported by Intel System Studio trial version  Protocol covered by NDA mgoryachy@ptsecurity.com mermolov@ptsecurity.com 11
  • 12. Intel® Direct C onnect Interface (DC I) Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH) Works with U series out-of-box chipsets only mgoryachy@ptsecurity.com mermolov@ptsecurity.com 12
  • 13. BSSB Hos ting DC I https://designintools.intel.com Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA or BSSB) provides access to DFx features, like JTAG and run control, through USB3 ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.  Supported by Intel System Studio trial version  Price $390  Private protocol using physical USB links mgoryachy@ptsecurity.com mermolov@ptsecurity.com 13
  • 14. USB3 Hos ting DC I http://www.datapro.net/  No extra hardware required (standard USB 3.0 cable)  OTG device, “magic” port needs to be found  Deep Sleep mode not supported  Supported by Intel System Studio trial version  Run through the device integrated to the target platform  Standard USB protocol used mgoryachy@ptsecurity.com mermolov@ptsecurity.com 14
  • 15. USB3 Hos ting DC I Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 15
  • 16. What Is Simple USB-cable Able to Do… mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://www.datapro.net/ 16
  • 18. How to Activate DC I? • UEFI Human Interface Infrastructure (UEFI HII) • PCH Strap (Intel Flash Image Tool) • P2SB device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 18
  • 19. Activation via UEFI HII • UEFI Human Interface Infrastructure http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF • AMI BIOS Configuration Program 5.0 https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/ • It is possible to reprogram BIOS by programmer or through SPI controller (if privileges allow), but the target platform could shut down with an error if Boot Guard is running. http://www.dediprog.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com 19
  • 20. Activation via UEFI HII mgoryachy@ptsecurity.com mermolov@ptsecurity.com 20
  • 21. Activation via PC H Strap • Intel® Flash Image Tool http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp- System-Tools.html • Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 21
  • 22. Manually via P2SB Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 22
  • 23. How to Fight Back? • BootGuard • Direct Connect Interface Enable bit check • MSR IA32_DEBUG_INTERFACE mgoryachy@ptsecurity.com mermolov@ptsecurity.com 23
  • 24. IA32_DE BUG_INTE RFAC E mgoryachy@ptsecurity.com mermolov@ptsecurity.com 24
  • 25. New Age of BadUSB? http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg mgoryachy@ptsecurity.com mermolov@ptsecurity.com 25
  • 26. Summary • Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system; • Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers; • Big vendor of motherboard vendor (we aren’t disclose); • Ensure that your Skylake laptop has DCI disabled. mgoryachy@ptsecurity.com mermolov@ptsecurity.com 26