SlideShare ist ein Scribd-Unternehmen logo

Tapping into the core

Positive Hack Days
Positive Hack Days

The document discusses how modern Intel CPUs contain debugging features like JTAG that could enable hardware trojans if activated. It describes how the Intel Direct Connect Interface allows activating JTAG-like debugging over USB, potentially allowing full system control. It demonstrates activating DCI on a laptop through the UEFI and explains how to detect if DCI is enabled. The document warns that DCI could lead to a "new age of BadUSB" if used maliciously.

Technologie
1 von 27
Downloaden Sie, um offline zu lesen
Tapping into the C ore Maxim Goryachy Mark Ermolov Chaos Computer Club (33C 3), Hamburg, 2016
Intel® Direct C onnect Interface as a bas is for hardware Trojans Maxim Goryachy Mark Ermolov Positive Research Center mgoryachiy@ptsecurity.com mermolov@ptsecurity.com
mgoryachy@ptsecurity.com mermolov@ptsecurity.com Agenda 3 • Definition of a Hardware Trojan • Debugging features as a basis of a Hardware Trojan • An overview of the debugging features in modern Intel CPUs • Activating debugging • Detecting enabled debugging
Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system. Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.  Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia Hardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009  Xiaoxiao Wang and Mohammad Tehranipoor Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008 http://spywareremovers.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan 4
mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan (E xample) 5
What If You Are a White Hat Use the JTAG, Luke! mgoryachy@ptsecurity.com mermolov@ptsecurity.com 6
What Is JTAG? Joint Test Action Group IEEE 1149.1 • https://en.wikipedia.org/wiki/JTAG • IEEE Standard 1149.1 https://standards.ieee.org/findstds/standard/1149.1-2013.html • Blackbox JTAG Reverse Engineering [26C3] https://www.youtube.com/watch?v=Up0697E5DGc https://www.xjtag.com mgoryachy@ptsecurity.com mermolov@ptsecurity.com 7
Uses of JTAG • Forensics (Dump Flash, rootkit detection) • Research (Cache as RAM, Secure Boot, Boot Guard, SMM) • Low-level debugging (UEFI DXE/PEI, drivers, hypervisor) • Performance analysis mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://partsolutions.com/ 8
JTAG in Intel C PUs • JTAG 101 IEEE 1149.x and Software Debug http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101- ieee-1149x-paper.pdf • Debug Port Design Guide for UP/DP Systems http://download.intel.com/support/processors/pentium4/sb/31337301.pdf https://upload.wikimedia.org mgoryachy@ptsecurity.com mermolov@ptsecurity.com 9
C onnection Types • Intel In-Target Probe eXtended Debug Port (ITP-XDP) • Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon. There are two types of DCI hosting interfaces in the platform:  USB3 Hosting DCI (USB Debug cable)  BSSB Hosting DCI (Intel SVT Closed Chassis Adapter) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 10
Intel ITP-XDP https://designintools.intel.com  Direct connection to CPU debugging interface  Price $3,000  Special board socket is required  Supported by Intel System Studio trial version  Protocol covered by NDA mgoryachy@ptsecurity.com mermolov@ptsecurity.com 11
Intel® Direct C onnect Interface (DC I) Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH) Works with U series out-of-box chipsets only mgoryachy@ptsecurity.com mermolov@ptsecurity.com 12
BSSB Hos ting DC I https://designintools.intel.com Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA or BSSB) provides access to DFx features, like JTAG and run control, through USB3 ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.  Supported by Intel System Studio trial version  Price $390  Private protocol using physical USB links mgoryachy@ptsecurity.com mermolov@ptsecurity.com 13
USB3 Hos ting DC I http://www.datapro.net/  No extra hardware required (standard USB 3.0 cable)  OTG device, “magic” port needs to be found  Deep Sleep mode not supported  Supported by Intel System Studio trial version  Run through the device integrated to the target platform  Standard USB protocol used mgoryachy@ptsecurity.com mermolov@ptsecurity.com 14
USB3 Hos ting DC I Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 15
What Is Simple USB-cable Able to Do… mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://www.datapro.net/ 16
DEMO ptsecurity.com 17 17
How to Activate DC I? • UEFI Human Interface Infrastructure (UEFI HII) • PCH Strap (Intel Flash Image Tool) • P2SB device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 18
Activation via UEFI HII • UEFI Human Interface Infrastructure http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF • AMI BIOS Configuration Program 5.0 https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/ • It is possible to reprogram BIOS by programmer or through SPI controller (if privileges allow), but the target platform could shut down with an error if Boot Guard is running. http://www.dediprog.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com 19
Activation via UEFI HII mgoryachy@ptsecurity.com mermolov@ptsecurity.com 20
Activation via PC H Strap • Intel® Flash Image Tool http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp- System-Tools.html • Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 21
Manually via P2SB Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 22
How to Fight Back? • BootGuard • Direct Connect Interface Enable bit check • MSR IA32_DEBUG_INTERFACE mgoryachy@ptsecurity.com mermolov@ptsecurity.com 23
IA32_DE BUG_INTE RFAC E mgoryachy@ptsecurity.com mermolov@ptsecurity.com 24
New Age of BadUSB? http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg mgoryachy@ptsecurity.com mermolov@ptsecurity.com 25
Summary • Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system; • Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers; • Big vendor of motherboard vendor (we aren’t disclose); • Ensure that your Skylake laptop has DCI disabled. mgoryachy@ptsecurity.com mermolov@ptsecurity.com 26
Thank you! Questions? mgoryachiy@ptsecurity.com mermolov@ptsecurity.com github.com/ptresearch 27

Empfohlen

Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0GlobalLogic Ukraine
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Web hacking-dvwa-publish-130131073605-phpapp01
Web hacking-dvwa-publish-130131073605-phpapp01Web hacking-dvwa-publish-130131073605-phpapp01
Web hacking-dvwa-publish-130131073605-phpapp01Jalil Mashab-Crew
 
Sistemas operativos ficha formativa nº3 - resolução
Sistemas operativos ficha formativa nº3 - resoluçãoSistemas operativos ficha formativa nº3 - resolução
Sistemas operativos ficha formativa nº3 - resoluçãoteacherpereira
 
Arquitetura de Von Neumann
Arquitetura de Von NeumannArquitetura de Von Neumann
Arquitetura de Von NeumannWanessa Ribeiro
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 

Empfohlen

Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0GlobalLogic Ukraine
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Web hacking-dvwa-publish-130131073605-phpapp01
Web hacking-dvwa-publish-130131073605-phpapp01Web hacking-dvwa-publish-130131073605-phpapp01
Web hacking-dvwa-publish-130131073605-phpapp01Jalil Mashab-Crew
 
Sistemas operativos ficha formativa nº3 - resolução
Sistemas operativos ficha formativa nº3 - resoluçãoSistemas operativos ficha formativa nº3 - resolução
Sistemas operativos ficha formativa nº3 - resoluçãoteacherpereira
 
Arquitetura de Von Neumann
Arquitetura de Von NeumannArquitetura de Von Neumann
Arquitetura de Von NeumannWanessa Ribeiro
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
linux device driver
linux device driverlinux device driver
linux device driverRahul Batra
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
Linux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platformLinux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platformEmertxe Information Technologies Pvt Ltd
 
Linux boot process
Linux boot processLinux boot process
Linux boot processArchana Chandrasekharan
 
Uboot startup sequence
Uboot startup sequenceUboot startup sequence
Uboot startup sequenceHoucheng Lin
 
Ppt conhecendo o windows 7
Ppt conhecendo o windows 7Ppt conhecendo o windows 7
Ppt conhecendo o windows 7Eduardo Sena
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Linux Kernel Image
Linux Kernel ImageLinux Kernel Image
Linux Kernel Image艾鍗科技
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKBshimosawa
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemdYusaku OGAWA
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFIAlea Soluciones, S.L.
 
Leveraging the Android Open Accessory Protocol
Leveraging the Android Open Accessory ProtocolLeveraging the Android Open Accessory Protocol
Leveraging the Android Open Accessory ProtocolGary Bisson
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
BAD USB 2.0
BAD USB 2.0BAD USB 2.0
BAD USB 2.0Pradhap M
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom BoardPatrick Bellasi
 
/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinityTakuya ASADA
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot) Omkar Rane
 
Cheklist manutenção de computadores
Cheklist manutenção de computadoresCheklist manutenção de computadores
Cheklist manutenção de computadoresgrgerenciaba
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader Emertxe Information Technologies Pvt Ltd
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 

Weitere ähnliche Inhalte

Was ist angesagt?

linux device driver
linux device driverlinux device driver
linux device driverRahul Batra
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
Uboot startup sequence
Uboot startup sequenceUboot startup sequence
Uboot startup sequenceHoucheng Lin
 
Ppt conhecendo o windows 7
Ppt conhecendo o windows 7Ppt conhecendo o windows 7
Ppt conhecendo o windows 7Eduardo Sena
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Linux Kernel Image
Linux Kernel ImageLinux Kernel Image
Linux Kernel Image艾鍗科技
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKBshimosawa
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemdYusaku OGAWA
 
Leveraging the Android Open Accessory Protocol
Leveraging the Android Open Accessory ProtocolLeveraging the Android Open Accessory Protocol
Leveraging the Android Open Accessory ProtocolGary Bisson
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom BoardPatrick Bellasi
 
/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinityTakuya ASADA
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot) Omkar Rane
 
Cheklist manutenção de computadores
Cheklist manutenção de computadoresCheklist manutenção de computadores
Cheklist manutenção de computadoresgrgerenciaba
 

Was ist angesagt? (20)

linux device driver
linux device driverlinux device driver
linux device driver
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)
 
Linux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platformLinux systems - Getting started with setting up and embedded platform
Linux systems - Getting started with setting up and embedded platform
 
Linux boot process
Linux boot processLinux boot process
Linux boot process
 
Uboot startup sequence
Uboot startup sequenceUboot startup sequence
Uboot startup sequence
 
Ppt conhecendo o windows 7
Ppt conhecendo o windows 7Ppt conhecendo o windows 7
Ppt conhecendo o windows 7
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection Attack
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
 
Linux Kernel Image
Linux Kernel ImageLinux Kernel Image
Linux Kernel Image
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKB
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemd
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
 
Leveraging the Android Open Accessory Protocol
Leveraging the Android Open Accessory ProtocolLeveraging the Android Open Accessory Protocol
Leveraging the Android Open Accessory Protocol
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
BAD USB 2.0
BAD USB 2.0BAD USB 2.0
BAD USB 2.0
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom Board
 
/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity/proc/irq/<irq>/smp_affinity
/proc/irq/<irq>/smp_affinity
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot)
 
Cheklist manutenção de computadores
Cheklist manutenção de computadoresCheklist manutenção de computadores
Cheklist manutenção de computadores
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader
 

Ähnlich wie Tapping into the core

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
Design and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerDesign and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerIJERA Editor
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processorsNebyueAwoke
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoTteam-WIBU
 
Breaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsBreaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsSpeck&Tech
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 

Ähnlich wie Tapping into the core (20)

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System Software
 
Embedded C workshop
Embedded C workshopEmbedded C workshop
Embedded C workshop
 
Design and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerDesign and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web Server
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processors
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoT
 
SoC: System On Chip
SoC: System On ChipSoC: System On Chip
SoC: System On Chip
 
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal CloudsBMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
 
Breaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsBreaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial Robots
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Resume
ResumeResume
Resume
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 

Mehr von Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Mehr von Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Kürzlich hochgeladen (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Tapping into the core

  • 1. Tapping into the C ore Maxim Goryachy Mark Ermolov Chaos Computer Club (33C 3), Hamburg, 2016
  • 2. Intel® Direct C onnect Interface as a bas is for hardware Trojans Maxim Goryachy Mark Ermolov Positive Research Center mgoryachiy@ptsecurity.com mermolov@ptsecurity.com
  • 3. mgoryachy@ptsecurity.com mermolov@ptsecurity.com Agenda 3 • Definition of a Hardware Trojan • Debugging features as a basis of a Hardware Trojan • An overview of the debugging features in modern Intel CPUs • Activating debugging • Detecting enabled debugging
  • 4. Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system. Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.  Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia Hardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009  Xiaoxiao Wang and Mohammad Tehranipoor Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008 http://spywareremovers.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan 4
  • 6. What If You Are a White Hat Use the JTAG, Luke! mgoryachy@ptsecurity.com mermolov@ptsecurity.com 6
  • 7. What Is JTAG? Joint Test Action Group IEEE 1149.1 • https://en.wikipedia.org/wiki/JTAG • IEEE Standard 1149.1 https://standards.ieee.org/findstds/standard/1149.1-2013.html • Blackbox JTAG Reverse Engineering [26C3] https://www.youtube.com/watch?v=Up0697E5DGc https://www.xjtag.com mgoryachy@ptsecurity.com mermolov@ptsecurity.com 7
  • 8. Uses of JTAG • Forensics (Dump Flash, rootkit detection) • Research (Cache as RAM, Secure Boot, Boot Guard, SMM) • Low-level debugging (UEFI DXE/PEI, drivers, hypervisor) • Performance analysis mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://partsolutions.com/ 8
  • 9. JTAG in Intel C PUs • JTAG 101 IEEE 1149.x and Software Debug http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101- ieee-1149x-paper.pdf • Debug Port Design Guide for UP/DP Systems http://download.intel.com/support/processors/pentium4/sb/31337301.pdf https://upload.wikimedia.org mgoryachy@ptsecurity.com mermolov@ptsecurity.com 9
  • 10. C onnection Types • Intel In-Target Probe eXtended Debug Port (ITP-XDP) • Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon. There are two types of DCI hosting interfaces in the platform:  USB3 Hosting DCI (USB Debug cable)  BSSB Hosting DCI (Intel SVT Closed Chassis Adapter) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 10
  • 11. Intel ITP-XDP https://designintools.intel.com  Direct connection to CPU debugging interface  Price $3,000  Special board socket is required  Supported by Intel System Studio trial version  Protocol covered by NDA mgoryachy@ptsecurity.com mermolov@ptsecurity.com 11
  • 12. Intel® Direct C onnect Interface (DC I) Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH) Works with U series out-of-box chipsets only mgoryachy@ptsecurity.com mermolov@ptsecurity.com 12
  • 13. BSSB Hos ting DC I https://designintools.intel.com Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA or BSSB) provides access to DFx features, like JTAG and run control, through USB3 ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.  Supported by Intel System Studio trial version  Price $390  Private protocol using physical USB links mgoryachy@ptsecurity.com mermolov@ptsecurity.com 13
  • 14. USB3 Hos ting DC I http://www.datapro.net/  No extra hardware required (standard USB 3.0 cable)  OTG device, “magic” port needs to be found  Deep Sleep mode not supported  Supported by Intel System Studio trial version  Run through the device integrated to the target platform  Standard USB protocol used mgoryachy@ptsecurity.com mermolov@ptsecurity.com 14
  • 15. USB3 Hos ting DC I Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 15
  • 16. What Is Simple USB-cable Able to Do… mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://www.datapro.net/ 16
  • 18. How to Activate DC I? • UEFI Human Interface Infrastructure (UEFI HII) • PCH Strap (Intel Flash Image Tool) • P2SB device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 18
  • 19. Activation via UEFI HII • UEFI Human Interface Infrastructure http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF • AMI BIOS Configuration Program 5.0 https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/ • It is possible to reprogram BIOS by programmer or through SPI controller (if privileges allow), but the target platform could shut down with an error if Boot Guard is running. http://www.dediprog.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com 19
  • 20. Activation via UEFI HII mgoryachy@ptsecurity.com mermolov@ptsecurity.com 20
  • 21. Activation via PC H Strap • Intel® Flash Image Tool http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp- System-Tools.html • Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 21
  • 22. Manually via P2SB Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 22
  • 23. How to Fight Back? • BootGuard • Direct Connect Interface Enable bit check • MSR IA32_DEBUG_INTERFACE mgoryachy@ptsecurity.com mermolov@ptsecurity.com 23
  • 24. IA32_DE BUG_INTE RFAC E mgoryachy@ptsecurity.com mermolov@ptsecurity.com 24
  • 25. New Age of BadUSB? http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg mgoryachy@ptsecurity.com mermolov@ptsecurity.com 25
  • 26. Summary • Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system; • Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers; • Big vendor of motherboard vendor (we aren’t disclose); • Ensure that your Skylake laptop has DCI disabled. mgoryachy@ptsecurity.com mermolov@ptsecurity.com 26