exploring your system deeper
play

Exploring Your System Deeper [with CHIPSEC] is Not Naughty - PowerPoint PPT Presentation

Oct 11, 2022 •25 likes •755 views

Exploring Your System Deeper [with CHIPSEC] is Not Naughty Presenting: Oleksandr Bazhaniuk (@ABazhaniuk), Andrew Furtak Mikhail Gorobets (@mikhailgorobets), Yuriy Bulygin (@c7zero) Advanced Threat Research Agenda Intro to firmware security

  1. Exploring Your System Deeper [with CHIPSEC] is Not Naughty Presenting: Oleksandr Bazhaniuk (@ABazhaniuk), Andrew Furtak Mikhail Gorobets (@mikhailgorobets), Yuriy Bulygin (@c7zero) Advanced Threat Research

  2. Agenda Intro to firmware security Finding vulnerabilities in firmware Checking hardware protections Finding “problems” in firmware Finding vulnerabilities in hypervisors Conclusions

  3. Intro to firmware security

  4. Firmware Everywhere FW FW FW FW FW FW FW FW FW Image source FW 4

  5. Firmware Everywhere  GBe NIC, WiFi, Bluetooth, WiGig  Baseband (3G, LTE) Modems  Sensor Hubs  NFC, GPS Controllers  HDD/SSD  Keyboard and Embedded Controllers  Battery Gauge  Baseboard Management Controllers (BMC)  Graphics/Video  USB Thumb Drives, keyboards/mice  Chargers, adapters  TPM, security coprocessors  Routers, network appliances  Main system firmware (BIOS, UEFI firmware, Coreboot) 5

  6. Why Attack Firmware?  Getting extreme persistence  Getting stealth  Bypassing OS or VMM based security  Having unobstructed access to hardware  OS independent  Making the system unbootable 6

  7. Some In-the-wild Firmware Attacks  Mebromi BIOS rootkit  EQUATION Group HDD firmware malware  ] Hacking Team [ UEFI rootkit  Vault 7 Mac EFI implants (DerStarke/DarkMatter, Sonic Screwdriver)

  8. CHIPSEC Framework  Open Source Platform Security Assessment Framework https://github.com/chipsec/chipsec  OS support: Windows, Linux, UEFI Shell. Added alpha version for Mac OS  Architecture support: x86, ARM (WIP experimental)

  9. Finding Vulnerabilities in System Firmware (BIOS, UEFI, Mac EFI, Coreboot)

  10. Example: S3 Boot Script Vuln in PC UEFI and Mac EFI [*] running module : chipsec . modules . common . uefi . s3bootscript [ x ][ ======================================================================= [ x ][ Module : S3 Resume Boot - Script Protections [ x ][ ======================================================================= [!] Found 1 S3 boot - script ( s ) in EFI variables [*] Checking S3 boot - script at 0x00000000DA88A018 [!] S3 boot-script is in unprotected memory (not in SMRAM) [*] Reading S3 boot-script from memory .. [*] Decoding S3 boot - script opcodes .. [*] Checking entry - points of Dispatch opcodes .. ... [-] FAILED : S3 Boot Script and entry - points of Dispatch opcodes do not appear to be protected Technical Details of the S3 Resume Boot Script Vulnerabilities

  11. Example: exploiting flash protections via S3 boot script vuln on Mac EFI Technical Details of the S3 Resume Boot Script Vulnerabilities

  12. Example: Mac EFI leaving SMM unlocked after S3 Issue. Loosing SMRAM protections after S3 sleep Step 1. chipsec_main – m common.smrr PASSED Step 2. Go to sleep. Resume from sleep Step 3. chipsec_main – m common.smrr FAILED

  13. Testing S3 Vulnerabilities  Validate your system for S3 boot script vulnerabilities chipsec_main – m common.uefi.s3bootscript  Also run before and after resuming from sleep! chipsec_main – m common.smrr chipsec_main – m common.spi_lock [or just run all modules] chipsec_main  Manually test S3 boot script protections: chipsec_main – m tools.uefi.s3script_modify

  14. Decoding S3 Boot Script Opcodes… [ 000 ] Entry at offset 0x0000 ( length = 0x21 ): Data : 02 00 0f 01 00 00 00 00 00 00 c0 fe 00 00 00 00 01 00 00 00 00 00 00 00 00 Decoded : chipsec_util uefi s3bootscript Opcode : S3_BOOTSCRIPT_MEM_WRITE ( 0x02 ) Width : 0x00 ( 1 bytes ) Address : 0xFEC00000 Count : 0x1 Values : 0x00 .. [ 359 ] Entry at offset 0x2F2C ( length = 0x20 ): Data : 01 02 30 04 00 00 00 00 21 00 00 00 00 00 00 00 de ff ff ff 00 00 00 00 Decoded : Opcode : S3_BOOTSCRIPT_IO_READ_WRITE ( 0x01 ) Width : 0x02 ( 4 bytes ) Address : 0x00000430 Value : 0x00000021 Mask : 0xFFFFFFDE

  15. Vulnerabilities in SMM of UEFI Firmware Via ACPI table Phys Memory “UEFI” ACPI SMI SMI Handlers in EDKII SMRAM Comm Buffer Fake SMM comm buffer Directly in registers OS Memory RAX (code) RBX (pointer) EDKI Exploit tricks SMI handler to write to an address in SMRAM (Attacking and Defending BIOS in 2015)

  16. Example: Attacking hypervisors via SMM pointers… Via ACPI table Phys Memory “UEFI” ACPI SMI SMI Handlers in EDKII SMRAM Comm Buffer Directly in registers OS Memory RAX (code) Fake SMM comm buffer RBX (pointer) EDKI VMM protected page Even though SMI handler check pointers for overlap with SMRAM, exploit can trick it to write to VMM protected page (Attacking Hypervisors via Firmware and Hardware)

  17. Finding SMM “Pointer” vulnerabilities [ x ][ ======================================================================= [ x ][ Module : Testing SMI handlers for pointer validation vulnerabilities [ x ][ ======================================================================= ... [*] Allocated memory buffer ( to pass to SMI handlers ) : 0x00000000DAAC3000 [*] >>> Testing SMI handlers defined in 'smm_config.ini' .. ... [*] testing SMI# 0x1F (data: 0x00) SW SMI 0x1F [*] writing 0x500 bytes at 0x00000000DAAC3000 > SMI 1F ( data : 00 ) RAX : 0x5A5A5A5A5A5A5A5A RBX : 0x00000000DAAC3000 RCX : 0x0000000000000000 RDX : 0x5A5A5A5A5A5A5A5A RSI : 0x5A5A5A5A5A5A5A5A RDI : 0x5A5A5A5A5A5A5A5A < checking buffers contents changed at 0x00000000DAAC3000 +[ 29 , 32 , 33 , 34 , 35 ] [!] DETECTED : SMI# 1F data 0 (rax=5A5A5A5A5A5A5A5A rbx=DAAC3000 rcx=0 rdx=...) [-] <<< Done : found 2 potential occurrences of unchecked input pointers https://www.youtube.com/watch?v=z2Qf45nUeaA

  19. MMIO BAR Issues in Coreboot and UEFI Phys Memory Firmware configures chipset and devices MMIO range through MMIO (registers) SMI handlers communicate SMI Handlers in SMRAM with devices via MMIO registers OS Memory Device PCI CFG Base Address (BAR)

  20. Example: MMIO BAR Issues in Coreboot and UEFI Phys Memory Exploit with PCI access can modify BAR register and relocate MMIO range MMIO range (registers) On SMI interrupt, SMI handler firmware attempts to communicate with device(s) SMI Handlers in SMRAM SMI It may read or write “registers” within relocated MMIO OS Memory Device PCI CFG Base Address (BAR)

  21. SPI Controller MMIO BAR (Access to SPI Flash) chipsec_util uefi var-write B 55555555-4444-3333-2211-000000000000 B.bin chipsec_util mmio dump SPIBAR SPI Status and Control SPI Flash Address (address variable is written to in flash) SPI Flash Data (Variable contents)

  22. Monitoring changes in USB MMIO BAR

  23. Testing for MMIO BAR issues chipsec_main -i -m tools.smm.rogue_mmio_bar Reallocating MMIO BAR to new location Trigger SMIs and check new memory location

  24. Windows 10 Virtualization Based Security (VBS)

  25. Example: Bypassing Windows 10 Virtual Secure Mode

  26. Checking Hardware Protections

  27. Example: Unprotected UEFI Firmware in Flash

  28. Example: SMM Protections – Memory Sinkhole Vulnerability chipsec_main -m tools.cpu.sinkhole Attempting to overlap Local APIC page with SMRR region The Memory Sinkhole by Christopher Domas

  29. Checking Memory Protections sudo chipsec_main -m memconfig Checking LOCK bits in PCIe config registers

  30. Integrated Graphics Aperture Access to GFx Aperture 4GB (MMIO) is redirected to Low MMIO Range DRAM per GTT PTEs GTT MMIO Access to Graphics Aperture GFx Aperture GTT PTEs TOLUD GFx Memory DRAM

  31. Software DMA Access via IGD with CHIPSEC chipsec_util igd chipsec_util igd chipsec_util igd dmaread <address> [width] [file_name] chipsec_util igd dmawrite <address> <width> <value|file_name>  Cannot access certain memory ranges such as SMRAM  A way for Graphics kernel driver to access Graphics Stolen data memory  Separate graphics IOMMU/VT-d engine (controlled by GFXVTBAR ) References: Intel Graphics for Linux – Hardware Specification – PRMs

  32. Finding “Problems” With the Firmware

  33. Vault7 EFI DerStarke/DarkMatter Implant  DerStarke includes DarkMatter Mac EFI firmware persistence implant with multiple DXE and PEI executables  Doesn't just rely on unlocked flash like HackingTeam's UEFI rootkit  Re-infects EFI firmware updates with implants already in the firmware  Contains DarkDream exploit which appears to bypass firmware protections on resume from S3 sleep to permanently unlock SPI flash  Using S3 resume in the exploit suggests exploitation of one of S3 boot script vulns • Technical Details of the S3 Resume Boot Script Vulnerabilities • Attacks On UEFI Security by Rafal Wojtczuk and Corey Kallenberg • Reversing Prince Harming’s kiss of death by Pedro Vilaca • Exploiting UEFI boot script vulnerability by Dmytro Oleksiuk

  34. ]HackingTeam[ UEFI Rootkit

  35. ]HackingTeam[ UEFI Rootkit • rkloader is a DXE driver that is automatically executed during boot • The module simply registers a callback on READY_TO_BOOT event to execute the malicious payload Analysis of the HackingTeam's UEFI Rootkit

  36. ]HackingTeam[ UEFI Rootkit  The callback then loads a UEFI application, which checks for infection by looking for UEFI variable “ fTA ”  Use NTFS module to drop a backdoor (scoute.exe) and RCS agent (soldier.exe) onto the filesystem Analysis of the HackingTeam's UEFI Rootkit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How Policy Makers Can Support Formative Assessment for Formative Assessment for Deeper Learning

How Policy Makers Can Support Formative Assessment for Formative Assessment for Deeper Learning

How Policy Makers Can Support Formative Assessment for Formative Assessment for Deeper Learning Robert Linquanti WestEd Formative Assessment for Deeper Learning of College and Career Readiness Standards: Exploring Educator Practices and

483 views • 20 slides
CONNECT Deeper Friendships! Deeper Faith! Where Is God In All This? Why F y Frien iendship

CONNECT Deeper Friendships! Deeper Faith! Where Is God In All This? Why F y Frien iendship

CONNECT Deeper Friendships! Deeper Faith! Where Is God In All This? Why F y Frien iendship is hip is Challen Challenging ing A suffering Job longed for his day in court. Transience Job 13:3 &amp; 22, NIV But I desire to speak to the

316 views • 4 slides
A Deeper Deeper Look Look at at Ba Bay Ar Area ea Opportunity Opportunity Zo Zones August 13,

A Deeper Deeper Look Look at at Ba Bay Ar Area ea Opportunity Opportunity Zo Zones August 13,

A Deeper Deeper Look Look at at Ba Bay Ar Area ea Opportunity Opportunity Zo Zones August 13, 2018 MISSION STATEMENT To transform public health practice for the purpose of eliminating health inequities using a broad spectrum of approaches that

375 views • 22 slides
Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization

Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization

Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization with R Introduction Introduction Presented by Di Cook Department of Econometrics and Business Statistics 12 Nov 2020 @ Statistical Society of

250 views • 8 slides
Exploring Sculpt a component-based operating system Josef Sntgen &lt;

Exploring Sculpt a component-based operating system Josef Sntgen &lt;

Exploring Sculpt a component-based operating system Josef Sntgen &lt; josef.soentgen@genode-labs.com &gt; Outline 1. Background 2. Sculpt OS overview 3. Extending the system 4. Sculpt Road Map Exploring Sculpt a component-based operating

568 views • 36 slides
Exploring Fulton as a Charter System Results of Community Input Board Worksession January 20,

Exploring Fulton as a Charter System Results of Community Input Board Worksession January 20,

Exploring Fulton as a Charter System Results of Community Input Board Worksession January 20, 2011 System Charter Description A five year contract between the school system and the state Describes specific operational and instructional

946 views • 50 slides
GoogLeNet Deeper than deeper Some slides are from Christian Szegedy GoogLeNet Convolution

GoogLeNet Deeper than deeper Some slides are from Christian Szegedy GoogLeNet Convolution

GoogLeNet Deeper than deeper Some slides are from Christian Szegedy GoogLeNet Convolution Pooling Softmax Other GoogLeNet vs Previous GoogLeN Convolution et Pooling Softmax Other Zeiler-Fergus Architecture (1 tower) Why is the deep

473 views • 35 slides
Nonprofit Financial Basics (a deeper dive) Nonprofit Financial Basics-(a deeper dive) Today

Nonprofit Financial Basics (a deeper dive) Nonprofit Financial Basics-(a deeper dive) Today

Nonprofit Financial Basics (a deeper dive) Nonprofit Financial Basics-(a deeper dive) Today Welcome and Introduction About todays class Reserves-How much is enough? Audits, whats to know about the statements and those notes

1.16k views • 42 slides
Keeping old computers alive for deeper understanding of computer architecture Hisanobu Tomari and

Keeping old computers alive for deeper understanding of computer architecture Hisanobu Tomari and

Keeping old computers alive for deeper understanding of computer architecture Hisanobu Tomari and Kei Hiraki The University of Tokyo Background There are a number of options and trade-offs for designing a computer system Instruction set

607 views • 31 slides
Deeper Learning Presentation shared with Wellsprings GB and visiting teachers from TLP Cohort

Deeper Learning Presentation shared with Wellsprings GB and visiting teachers from TLP Cohort

Deeper Learning Presentation shared with Wellsprings GB and visiting teachers from TLP Cohort schools Deeper Learning needs to be: - enjoyable - context-based - assessed thoroughly to identify gaps - accessible to all levels of ability Whole

288 views • 13 slides
Exploring components of the innate immune system in a combined SAXS, NMR and crystallography

Exploring components of the innate immune system in a combined SAXS, NMR and crystallography

05/05/2011 Exploring components of the innate immune system in a combined SAXS, NMR and crystallography approach. Haydyn Mertens PhD The SAXS experiment Elastic &amp; coherent scattering only considered here. Wave vector k Detector Sample:

779 views • 58 slides
A Deeper Look at Induction Induction and recursion are key ideas in computer science. I think it is

A Deeper Look at Induction Induction and recursion are key ideas in computer science. I think it is

A Deeper Look at Induction Induction and recursion are key ideas in computer science. I think it is worth taking a deeper look at the role of induction in mathematics. The material today will be more abstract, but stick with me. Today: Finish up

415 views • 25 slides
A Visual Analytics System for Exploring, Monitoring, and Forecasting Road Traffic Congestion

A Visual Analytics System for Exploring, Monitoring, and Forecasting Road Traffic Congestion

A Visual Analytics System for Exploring, Monitoring, and Forecasting Road Traffic Congestion Presentation by Junfeng Xu Who? Chunggi Lee, Yeonjun Kim, Seungmin Jin, Dongmin Kim, Ross Maciejewski, Senior Member, IEEE, DavidEbert, Fellow,

914 views • 24 slides
Retwork: Exploring Reader Network with a COTS RFID System Jia Liu, Xingyu Chen, Shigang Chen, Wei

Retwork: Exploring Reader Network with a COTS RFID System Jia Liu, Xingyu Chen, Shigang Chen, Wei

Retwork: Exploring Reader Network with a COTS RFID System Jia Liu, Xingyu Chen, Shigang Chen, Wei Wang, Dong Jiang, Lijun Chen 01 Background 02 System design 03 Evaluation 04 Conclusion What is RFID? 01 Background RFID System Antenna

567 views • 34 slides
Are you experiencing the fullness of Christ? 2020 Vision: Deeper. Closer. Wider. Higher. Deeper

Are you experiencing the fullness of Christ? 2020 Vision: Deeper. Closer. Wider. Higher. Deeper

Are you experiencing the fullness of Christ? 2020 Vision: Deeper. Closer. Wider. Higher. Deeper in Christ, closer with each other, and wider through our influence/impact, and higher than our circumstances. 1. Deep is good. Deep implies

409 views • 28 slides
Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System

Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System

Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System Administrators Christian Tiefenau , Maximilian Hring, Katharina Krombholz, Emanuel von Zezschwitz @chrizzlz @cathykxx Usable Security and Privacy Lab,

596 views • 12 slides
VoIP and SS7 Chapter 7 Introduction Channel Associated Signaling Still widely deployed

VoIP and SS7 Chapter 7 Introduction Channel Associated Signaling Still widely deployed

VoIP and SS7 Chapter 7 Introduction Channel Associated Signaling Still widely deployed today Considered as old telephony Common Channel Signaling Separation of signaling and call paths Signaling System 7 (SS7) To

568 views • 41 slides
The dual life of giant gravitons David Berenstein UCSB Based on: hep-th/0306090, hep-th/0403110

The dual life of giant gravitons David Berenstein UCSB Based on: hep-th/0306090, hep-th/0403110

The dual life of giant gravitons David Berenstein UCSB Based on: hep-th/0306090, hep-th/0403110 hep-th/0411205 V. Balasubramanian, B. Feng, M Huang. Work in progress with S. Vazquez Also, Lin, Lunin, Maldacena, hep-th/0409174 1 Motivation

573 views • 40 slides
Associated Lighting Representatives The Opticom Value GTT builds on a 40 year legacy of

Associated Lighting Representatives The Opticom Value GTT builds on a 40 year legacy of

Associated Lighting Representatives The Opticom Value GTT builds on a 40 year legacy of leadership in the priority control market, providing: Highly reliable, scalable, and proven designs Solid integration and interoperability track

831 views • 39 slides
LACNIC Regional Registry at your services Sergio Rojas. sergio@lacnic.net How the Internet

LACNIC Regional Registry at your services Sergio Rojas. sergio@lacnic.net How the Internet

LACNIC Regional Registry at your services Sergio Rojas. sergio@lacnic.net How the Internet work? Is a network of connected devices The goal, move information from one point to another point 2 What is an IP address. ? They are the

306 views • 17 slides
Truncation and Exponence How small can you get ? jollification joll-o Sabine Arndt-Lappe

Truncation and Exponence How small can you get ? jollification joll-o Sabine Arndt-Lappe

1 2 DFG Network Core Mechanisms of Exponence - o : Jan 11 12, 2008 aggravation aggr-o business bizz-o (Lappe 2007) Truncation and Exponence How small can you get ? jollification joll-o Sabine Arndt-Lappe (Universitt Siegen) 2

375 views • 11 slides
BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S.. Leg egacy acy BI BIOS 1. CPU

1.36k views • 101 slides
Viscosity of glass-forming liquids Yuanzheng Yue Aalborg University, Denmark Wuhan University of

Viscosity of glass-forming liquids Yuanzheng Yue Aalborg University, Denmark Wuhan University of

Viscosity of glass-forming liquids Yuanzheng Yue Aalborg University, Denmark Wuhan University of Technology, China Joint ICTP-IAEA Workshop, Trieste, Italy, Nov. 6-10, 2017 Outline Background and motivation Viscosity models

679 views • 55 slides
TLS in the wild An Internet-wide analysis of TLS-based protocols for electronic communication

TLS in the wild An Internet-wide analysis of TLS-based protocols for electronic communication

TLS in the wild An Internet-wide analysis of TLS-based protocols for electronic communication Ralph Holz School of Information Technologies Faculty of Engineering &amp; Information Technologies Team This is joint work with Johanna

678 views • 28 slides

More recommend