SLIDE 1
Firmware Biopsy
tweek <tweek@google.com>
Enterprise Infrastructure Protection
Agenda
- Context
- Read Primitives
- More Read Primitives
- Collection at Scale
- Findings
- Q & A
Firmware Biopsy tweek <tweek@google.com> Enterprise - - PowerPoint PPT Presentation
Firmware Biopsy tweek <tweek@google.com> Enterprise - - PowerPoint PPT Presentation
Firmware Biopsy tweek <tweek@google.com> Enterprise Infrastructure Protection Agenda Context Read Primitives More Read Primitives Collection at Scale Findings Q & A Context x86 in 2016 (Skylake) DDR SDRAM PEG
SLIDE 2
SLIDE 3
Context
SLIDE 4
x86 in 2016 (Skylake)
CPU PCH
DDR SDRAM
SMBus DMI
GPU
PEG
DDR SDRAM
SLIDE 5
x86 in 2016 (Skylake)
CPU PCH
System Flash DDR SDRAM
SMBus DMI
GPU
SPI PEG
DDR SDRAM
SLIDE 6
x86 in 2016 (Skylake)
CPU PCH
System Flash
Embedded Controller
DDR SDRAM
SMBus DMI
GPU
SPI SMBUS SPI PEG
DDR SDRAM
SLIDE 7
x86 in 2016 (Skylake)
CPU PCH
System Flash
Embedded Controller
DDR SDRAM
SMBus DMI
EC Flash GPU
SPI SMBUS SPI SPI PEG
DDR SDRAM
SLIDE 8
x86 in 2016 (Skylake)
CPU PCH
System Flash
Embedded Controller
DDR SDRAM
SMBus DMI
EC Flash GPU
SPI SMBUS SPI SPI PEG SSD
SSD Flash
SPI
DDR SDRAM
SATA/PCIe
SLIDE 9
x86 in 2016 (Skylake)
CPU PCH
System Flash
Embedded Controller
DDR SDRAM
SMBus DMI
EC Flash GPU
SPI SMBUS SPI SPI PEG Thunderbolt Controller (w EEPROM) USB-C Switch Controller USB-C Controller Flash SSD
SSD Flash
SPI
DDR SDRAM
SATA/PCIe
SLIDE 10
Firmware on Pixel 2
SLIDE 11
Firmware on Pixel 2
CPU MC BIOS/ME TPM SILEGO EC PD SSD BATTERY FUEL GAUGE AUDIO CODEC AUDIO DSP GPU EC SD CARD WIFI/BT
SLIDE 12
Research
Firmware / Topic Published Research PCI Option ROM Heasman (2007) Snare (2013) Kovah & LegbaCore (2015) Hard Drive Goodspeed et al. (2013) Network Controller Triulzi (2008) x86 Modes and Design flaws Rutkowska (2009-2015) Cr4sh SMM research (2015-2016)
SLIDE 13
What is happening in the wild?
- State-sponsored attackers exploiting firmware implants
○ Equation Group, IRATEMONK, DEITYBOUNCE
- Non-state-sponsored attackers picking up
○ Hacking Team
SLIDE 14
Why is this attractive to attackers?
- High initial investment, but lasts for a long time
- Very low chance of detection
- Remote deployment or hardware interception is still easy
SLIDE 15
What do defenders want? Increase costs of performing firmware attacks
- Removing trivial to find security flaws
- Increasing chance of detection in the wild
- Reduce length of time you can expect capability will last
before being disclosed
Ultimately, protecting our users and their data.
SLIDE 16
Improving the state of detection
SLIDE 17
Increase knowledge & visibility
- Where is firmware running?
- What firmware is running?
- Is that the firmware intended to be run by the vendor?
- Does this firmware contains known vulnerability?
SLIDE 18
How to verify that a fleet of devices is running the original vendor firmware?
SLIDE 19
Read Primitives
SLIDE 20
Read Primitive
- Method to extract a copy of the running firmware
○ Reliable ○ Generic ○ Complete
- Physical vs Software
○ Trade-off between integrity and scalability of measurement ○ Physical: hook onto pins = easiest, not practical for internal flash
- Limited read primitive
○ Hash of firmware ○ Partial copy
SLIDE 21
Read Primitive (cont’d)
- Detection method more than prevention
- PCR of TPM
○ Similar objective ○ Partial measure of boot environment ○ Limited to boot path ○ Preventative method
SLIDE 22
Software Read Primitive Flaw
Kernel Userspace Firmware
Measuring this
Hardware
SLIDE 23
Software Read Primitive Flaw
Kernel Userspace Firmware
Measuring this From here
Hardware
SLIDE 24
One solution
- Similar flaw in today live forensic
○ Investigate the OS from the running kernel
- Increase the number and type of measures
○ For a specific firmware => have two or more read primitives ○ Increase the cost of hiding for an attacker
SLIDE 25
BIOS/UEFI Read Primitives
SLIDE 26
- The most well-known firmware
- Stored on the SPI flash
- Descriptor defines access control between regions
- All latest chipset generation follow a specific Intel standard
for their format
BIOS/UEFI
Descriptor BIOS Image Management Engine (ME) Image Ethernet Controller Firmware
SLIDE 27
SPI Flash
8-PIN WSON Debug Header 8-PIN SOP
SLIDE 28
Hardware Acquisition
SLIDE 29
BIOS/UEFI Read Primitive (SPIBAR)
- PCI device exposed by the PCH
- Interact with the flash using memory access
- Used by Flashrom and Chipsec
- Multiple modes
○ Software sequencing: Deprecated, forward white-listed operations to the flash ○ Hardware sequencing: PCH offers standard “API” to interact with flash
SLIDE 30
BIOS/UEFI Read Primitive (SPIBAR)
[1]
SLIDE 31
Memory-mapped I/O
[2]
SLIDE 32
/dev/mem
- CONFIG_STRICT_DEVMEM ?
- Access to MMIO for uid 0 is allowed
- OSX and Windows requires extra driver for such access
SLIDE 33
SPIBAR example
SLIDE 34
SPIBAR example
SPIBAR is at: 0xfed1c000 + 0x3800 (constant) = 0xfed1f800
SLIDE 35
SPIBAR example
SLIDE 36
SPIBAR example
SLIDE 37
SPIBAR example
Where? (0x00533e63)
SLIDE 38
SPIBAR example
Where? (0x00533e63) How much? [1-64]
SLIDE 39
SPIBAR example
Where? (0x00533e63) How much? [1-64] What? (r/w) + Go!
SLIDE 40
SPIBAR example
Where? (0x00533e63) How much? [1-64] What? (r/w) + Go! Content of the Flash
SLIDE 41
BIOS/UEFI Read Primitive (0xFF000000)
- 16MB forwarded to the PCH
- “For security reasons, the processor will positively decode
this range to DMI. This positive decode ensures any
- verlapping ranges will be ignored. This ensures that the
boot vector and BIOS execute off the PCH.” - Intel Skylake datasheet
SLIDE 42
PCH caching?
SLIDE 43
More Read Primitives
SLIDE 44
PCI Option ROM
- Stored on the PCI device
- Executed by CPU when the device is initialised
- By design, execution of unknown code
- Leveraged by Thunderstrike
SLIDE 45
GPU Read Primitives
- Multiple memory areas
○ VRAM ○ PCI Option ROM ○ GPU firmware
- Documentation from Nouveau project
○ Describes low-level interface of cards ○ Highly dependent on card generation
SLIDE 46
Embedded Controller
- Manage battery, fans, sensors
- No standard interface
○ ACPI define two IO port ○ Index I/O for extra reads
- Moving proprietary tech from BIOS to EC
○ Lenovo’s ThinkEngine ○ Apple’s SMC
- Chrome OS
○ Open Source EC ○ Read primitive available using flashrom (in dev mode)
SLIDE 47
Collection at Scale
SLIDE 48
Chipsec
- From Intel Advanced Threat research, published in 2014
- https://github.com/chipsec/chipsec
- Allow inspection of hardware/firmware
- By default, requires kernel driver
- /dev/mem is enough for PCI memory access
- Port to OSX for similar functionalities
SLIDE 49
GRR
- Google’s IR tool
- Open Source, https://github.com/google/grr
- Highly customizable
○ Integrate Sleuthkit for live disk forensic ○ Integrate Rekall for memory forensic
- Stable
- Design for low-impact (memory footprint) on client
SLIDE 50
GRR Chipsec
- Integrate Chipsec to GRR
- Open Source since April
- Implemented as a GRR component
- Able to dump the SPI flash image
- Able to inspect hardware/firmware status
○ Quickly extend the functionality in case of incident or public release
SLIDE 51
GRR Chipsec - BIOS collection
SLIDE 52
GRR Chipsec - BIOS collection
Execution Time (s) # clients
SLIDE 53
What can go wrong?
- Unsupported platform
○ Older generation only supports software sequencing ○ Unsupported hardware by Chipsec ○ Execution on a VM
- Lack of space to ...
○ Load Chipsec ○ Dump the flash image
SLIDE 54
Analysis
SLIDE 55
Comparison
- With what?
○ Previous versions from the same host ○ Official version ○ Other machine with the same BIOS version ○ Different read primitives
SLIDE 56
Granularity
- Considering one blob and hash
○ Lots of noise ○ E.g., BIOS contains variable areas, all flash images will be different
- Deconstructing the blob
○ Vendor specific format ○ Extra care to consider “in-between” regions ○ Some regions will still be out of analysis ○ May need to run control flow analysis to uncover similar code
SLIDE 57
Implementation
- Leverage existing parsing code
○ UEFI: UEFITools, uefi-firmware-parser ○ ME: me-tools, unhuffme
- Separate server to receive collected images and compare
with official versions
- Using manually rules to match / ignore false positives, per
vendor/BIOS version
SLIDE 58
Findings
SLIDE 59
Unexpected Flash Descriptor content
- Descriptor has access control info for each regions
- When running in OS, CPU should only be able to read certain
regions
- Found some flashes with full access to other regions
Descriptor BIOS Image Management Engine (ME) Image Ethernet Controller Firmware
SLIDE 60
Unexpected Management Engine images
- While collecting and analysing BIOS:
○ Able to dump the ME part of the flash image ○ While the flash descriptor explicitly forbid such operation ??
- ME is usually not readable (Mac excepted)
- Similar machines (manufacturer, BIOS version) did not
expose such behaviour
SLIDE 61
SPI FDOPSS
- Pin strap on the PCH
- If (de)asserted, override flash protection
- Some vendors allow overwrite of this bit using a jumper
- Some vendors connect this pin to the Embedded Controller
SLIDE 62
SPI FDOPSS
[1]
SLIDE 63
SPI FDOPSS
- Use Chipsec module of GRR to verify if that bit is set
- 4 lines of Python (hack) to read a specific hardware register
- Can also be implemented as a Chipsec module:
○ chipsec/modules/common/spi_fdopss.py
SLIDE 64
SPI FDOPSS
SLIDE 65
Conclusion
- Context shows firmware attacks are to be considered
- Bring some visibility to the x86 platform
- First tooling for enterprise-wide hunting
Huge thanks to the team: Ben, Darren, Jan, Parth and Mario.
SLIDE 66
Thank you!
SLIDE 67
References
- 1. Intel 9 Series Chipset Family Platform Controller Hub (PCH)
datasheet
- 2. Diagram by Michael Cohen