Upload
positive-hack-days
View
25.769
Download
1
Embed Size (px)
Citation preview
Tapping into the C ore
Maxim Goryac hy
Mark E rmolov
C haos C omputer C lub (33C 3), Hamburg , 2016
Intel® Direc t C onnec t Interfac e as a bas is for hardware Trojans
Maxim Goryac hy
Mark E rmolov
P os itive R esearch C entermgoryachiy@ ptsecurity.com
mermolov@ ptsecurity.com
[email protected]@ptsecurity.com
Ag enda 3
• Definition of a Hardware Trojan• Debugging features as a basis of a Hardware Trojan• An overview of the debugging features in modern Intel CPUs• Activating debugging • Detecting enabled debugging
Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system.Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.
Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup BhuniaHardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009
Xiaoxiao Wang and Mohammad TehranipoorDetecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008
http://spywareremovers.com/
[email protected]@ptsecurity.com
Hardware Trojan 4
[email protected]@ptsecurity.com
Hardware Trojan (E xample) 5
What Is JTAG ?
Joint Test Action Group IEEE 1149.1• https://en.wikipedia.org/wiki/JTAG• IEEE Standard 1149.1
https://standards.ieee.org/findstds/standard/1149.1-2013.html• Blackbox JTAG Reverse Engineering [26C3]
https://www.youtube.com/watch?v=Up0697E5DGc
https://www.xjtag.com
[email protected]@ptsecurity.com
7
Us es of JTA G
• Forensics (Dump Flash, rootkit detection)• Research (Cache as RAM, Secure Boot, Boot Guard, SMM)• Low-level debugging (UEFI DXE/PEI, drivers, hypervisor)• Performance analysis
[email protected]@ptsecurity.com
http://partsolutions.com/
8
JTAG in Intel C PUs
• JTAG 101 IEEE 1149.x and Software Debughttp://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101-ieee-1149x-paper.pdf
• Debug Port Design Guide for UP/DP Systemshttp://download.intel.com/support/processors/pentium4/sb/31337301.pdf
https://upload.wikimedia.org
[email protected]@ptsecurity.com
9
C onnec tion Types
• Intel In-Target Probe eXtended Debug Port (ITP-XDP)
• Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon.There are two types of DCI hosting interfaces in the platform:
USB3 Hosting DCI (USB Debug cable)
BSSB Hosting DCI (Intel SVT Closed Chassis Adapter)
[email protected]@ptsecurity.com
10
Intel ITP-XDP
https://designintools.intel.com
Direct connection to CPU debugging interface
Price $3,000
Special board socket is required
Supported by Intel System Studio trial version
Protocol covered by NDA
[email protected]@ptsecurity.com
11
Intel® Direc t C onnec t Interfac e (DC I)
Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH)
Works with U series out-of-box chipsets only
[email protected]@ptsecurity.com
12
BSSB Hos ting DC I
https://designintools.intel.com
Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA orBSSB) provides access to DFx features, like JTAG and run control, through USB3ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.
Supported by Intel System Studio trial version
Price $390
Private protocol using physical USB links
[email protected]@ptsecurity.com
13
USB3 Hos ting DC I
http://www.datapro.net/
No extra hardware required (standard USB 3.0 cable)
OTG device, “magic” port needs to be found
Deep Sleep mode not supported
Supported by Intel System Studio trial version
Run through the device integrated to the target platform
Standard USB protocol used
[email protected]@ptsecurity.com
14
DEMO
ptsecurity.com
17
17
How to Ac tivate DC I?
• UEFI Human Interface Infrastructure (UEFI HII)
• PCH Strap (Intel Flash Image Tool)
• P2SB device
[email protected]@ptsecurity.com
18
Ac tivation via UE FI HII
• UEFI Human Interface Infrastructurehttp://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF
• AMI BIOS Configuration Program 5.0https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/
• It is possible to reprogram BIOS by programmer or through SPI controller (ifprivileges allow), but the target platform could shut down with an errorif Boot Guard is running.
http://www.dediprog.com/
[email protected]@ptsecurity.com
19
Ac tivation via PC H Strap
• Intel® Flash Image Toolhttp://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html
• Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow)
[email protected]@ptsecurity.com
21
How to Fig ht Bac k?
• BootGuard
• Direct Connect Interface Enable bit check
• MSR IA32_DEBUG_INTERFACE
[email protected]@ptsecurity.com
23
New Ag e of BadUSB?
http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg
[email protected]@ptsecurity.com
25
Summary
• Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system;
• Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers;
• Big vendor of motherboard vendor (we aren’t disclose);
• Ensure that your Skylake laptop has DCI disabled.
[email protected]@ptsecurity.com
26