funderbolt
play

Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A - PowerPoint PPT Presentation

Sep 08, 2022 •650 likes •1.23k views

Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A Trip Down Memory Lanes A Trip Down Memory Lanes Background Thunderbolt Apple and Intel External Port PCI Express (PCIe) and DisplayPort using the same port

  1. Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky

  2. A Trip Down Memory Lanes

  3. A Trip Down Memory Lanes • Background • Thunderbolt • Apple and Intel • External Port • PCI Express (PCIe) and DisplayPort using the same port • DMA • Direct Memory Access • Processor becomes bottleneck for high-speed transfers • Lets devices read and write directly to RAM

  4. A Trip Down Memory Lanes • Why external buses matter for security experts? • Digital Forensics • Getting data to solve a mystery • User protection • So RAM contents can be safe • Sneaky DRM • Bus encryption

  5. A Trip Down Memory Lanes • PCI Express (PCIe) • High-speed serial bus • Data sent via “lanes” • A Lane is made up of differential wire pairs • One + and one – wire offset a small amount • Helps reducing noise • One lane (x1) is made up of two differential pairs • Transmit pair (PET) • Receive pair (PER)

  6. A Trip Down Memory Lanes • PCIe (cont) • Four lanes (x4) has eight pairs, x8 has 16 pairs, etc… • All lanes use another differential pair for clock • REFCLK • So… x1 uses 6 wires for data communication • PET, PER and REFCLK • Data sent via “packets” • Point-to-point topology using Root Complex • Requests for devices and memory go to “root complex”

  7. A Trip Down Memory Lanes

  8. A Trip Down Memory Lanes • Mitigations • Epoxy (really?) • Input/Output Memory Management Units (IOMMUs) • Maps physical memory addresses to logical addresses • Think “VM for DMA” • Prevents devices from requesting physical addresses directly • Secure Configurations • Current attacks? • Daisy chaining Thunderbolt and Firewire • Inception

  9. How My Adventures Went

  10. How My Adventures Went • Improvised Tools for Analysis • Multimeter • Soldering station • Heat gun • Desoldering tools • Ethernet cable • Epoxy (really?) • Logic Analyzer • Image Editor

  11. How My Adventures Went • Reversing Thunderbolt – The Process • Research a product • Take it apart • Trace all interesting chips • Look for datasheets • Sniff buses • Develop a map

  12. How My Adventures Went • Looking at consumer products • Buffalo MiniStation Thunderbolt/USB3 Hard Drive • 500GB and 1TB model • USB3 and Thunderbolt • Decent form factor for reversing • Apple Thunderbolt to Gigabit Ethernet Adapter • Tiny • Small • Little

  13. How My Adventures Went • External Hard Drive • Researching the product • Taking it apart • Tracing all interesting chips • Looking for datasheets • Sniffing buses • Developing a map

  14. How My Adventures Went • Excellent Anandtech review: • http://www.anandtech.com/show/6127/buffalo- ministation-thunderbolt-review-an-external-with-usb-30- and-thunderbolt • Identified ICs for us!

  15. How My Adventures Went • Main ICs • MLDU03 • Medial Logic USB3.0 to SATA 6G Bridge • ASM1061 • ASMedia PCIe to SATA Controller • DSL2210 (Peak Ridge) • Intel Thunderbolt Controller • Supports PCIe x1 • LPC1114 • NXP ARM Cortex M0

  16. How My Adventures Went

  17. How My Adventures Went

  18. How My Adventures Went

  19. How My Adventures Went

  20. How My Adventures Went

  21. How My Adventures Went

  22. How My Adventures Went • ASMedia ASM1061 • PCIe/SATA Controller • Datasheets? • ROMs/Flashes?

  23. How My Adventures Went

  24. How My Adventures Went

  25. How My Adventures Went • Patch PCIe Controllers’ SPI ROM to send DMA read requests?

  26. How My Adventures Went • NXP LPC1114 • ARM Cortex M0 • Used for… ?? • No ROMs or Flashes • TONS of info • Connects into DSL2201 • How do I know?

  27. How My Adventures Went

  28. How My Adventures Went

  29. How My Adventures Went

  30. How My Adventures Went

  31. How My Adventures Went • Intel DSL2210 • Thunderbolt Controller • No Datasheets • Promo info only • ROMs/Flashes?

  32. How My Adventures Went

  33. How My Adventures Went

  34. How My Adventures Went

  35. How My Adventures Went • Thunderbolt Connector • 1 pair of High Speed lanes • TX and RX • All others pulled to ground • “ LowSpeed ” lines go into ARM’s UART?

  36. How My Adventures Went

  37. How My Adventures Went

  38. How My Adventures Went

  39. How My Adventures Went • ARM UART Traffic • String “EM “

  40. How My Adventures Went • Thunderbolt Firmware Update • Display contents of Application Package • Decompress “Payload” file

  41. How My Adventures Went • Two Firmwares for Thunderbolt? • One is probably ARM • Let’s look for string “EM “

  42. How My Adventures Went Jackpot!

  43. How My Adventures Went • Round 2… • String “ \x27\x0a\x00\ x00“

  44. How My Adventures Went Successaroo!

  45. How My Adventures Went • Gigabit Ethernet Adapter • Researching the product • Taking it apart • Attack vectors

  46. How My Adventures Went

  47. How My Adventures Went

  48. How My Adventures Went

  49. How My Adventures Went

  50. How My Adventures Went

  51. How My Adventures Went

  52. How My Adventures Went

  53. How My Adventures Went • Altera Cyclone IV GX Transceiver Starter Kit • Hard IP for PCIe • PCIe x1 • ~$450

  54. How My Adventures Went

  55. How My Adventures Went • Tips and Tricks • Get A LOT of devices! • Heat up everything SLOWLY! • Continuity testing WINS • Sniff EVERYTHING • Read all ROMs/Flashes

  56. Thank You • Russ Sevinsky • Security Consultant at iSEC Partners • rsevinsky@isecpartners.com • Special thanks to: • Jesse Burns • Everyone @ iSEC Partners

  57. UK Offices North American Offices Australian Offices Manchester - Head Office San Francisco Sydney Cheltenham Atlanta Edinburgh New York Leatherhead Seattle London Thame European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Approaches to Specimen Preparation for Molecular TEM Clint Potter National Resource for

New Approaches to Specimen Preparation for Molecular TEM Clint Potter National Resource for

New Approaches to Specimen Preparation for Molecular TEM Clint Potter National Resource for Automated Molecular Microscopy The Scripps Research Institute NRAMM Workshop 10 November 2014 T he overall mission of NRAMM is to develop, test and

497 views • 27 slides
Welcome to Insite Breese Printing & Publishings prepress portal for uploading,

Welcome to Insite Breese Printing & Publishings prepress portal for uploading,

Welcome to Insite Breese Printing & Publishings prepress portal for uploading, reviewing and approving files. Once you have received an email notifjcation from Insite with your user name and password, using your web browser you can

365 views • 4 slides
Week 13: Audacity Roger B. Dannenberg Professor of Computer Science and Art Carnegie Mellon

Week 13: Audacity Roger B. Dannenberg Professor of Computer Science and Art Carnegie Mellon

Week 13: Audacity Roger B. Dannenberg Professor of Computer Science and Art Carnegie Mellon University Introduction n Audacity n Audacity Implementation n The Nyquist Plug-in Architecture 2 Carnegie Mellon University 2019 by Roger B.

520 views • 9 slides
Building a Search Engine for the Cuban Web Jorge Luis Betancourt Search/Crawl Engineer N O V E

Building a Search Engine for the Cuban Web Jorge Luis Betancourt Search/Crawl Engineer N O V E

Building a Search Engine for the Cuban Web Jorge Luis Betancourt Search/Crawl Engineer N O V E M B E R 1 6 - 1 8 , 2 0 1 6 S E V I L L E , S PA I N Who am I 01 Jorge Luis Betancourt Gonzlez Search/Crawl Engineer Apache Nutch

681 views • 28 slides
Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014 whoami Electrical Engineering education

Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014 whoami Electrical Engineering education

Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014 whoami Electrical Engineering education with focus on CS and Infosec 8 years doing security research, speed debug, and tool development for CPUs Hardware Pen Testing of CPUs

1.06k views • 95 slides
Best of Both Worlds: Remote Pairing in Action Joel Friedman Alex Rutkowski Overview what is

Best of Both Worlds: Remote Pairing in Action Joel Friedman Alex Rutkowski Overview what is

Best of Both Worlds: Remote Pairing in Action Joel Friedman Alex Rutkowski Overview what is Outpace? pros and cons of traditional work settings benefits of remote pairing developer setup and tools process with videos q

415 views • 25 slides
Fedora 28 Release Party (Beijing) Whats new in Fedora 28 & introduction to Fedora and

Fedora 28 Release Party (Beijing) Whats new in Fedora 28 & introduction to Fedora and

Fedora 28 Release Party (Beijing) Whats new in Fedora 28 & introduction to Fedora and FZUG Pany About me Fedora L10n Fedora Zhongwen(Chinese) User Group FAS pany pany@FedoraProject.org Today's topic Whats new in

548 views • 35 slides
St Vincent's Institute Melbourne Hashtag : #xw15 Please leave comments on this talk

St Vincent's Institute Melbourne Hashtag : #xw15 Please leave comments on this talk

Modern Open Source Mac Management Jon Rhoades St Vincent's Institute Melbourne Hashtag : #xw15 Please leave comments on this talk at auc.edu.au/xworld/sessions Why Open Source? Proprietary software

721 views • 70 slides
Performance Enhancement in OpenStack for Elastic Hadoop Cluster CMSoft Cloud Computing Products

Performance Enhancement in OpenStack for Elastic Hadoop Cluster CMSoft Cloud Computing Products

OpenStack Performance Enhancement in OpenStack for Elastic Hadoop Cluster CMSoft Cloud Computing Products Department Lei Xu, Lina Hu, Weizhong Yu The Open Infrastructure Summit P A R T o n e Problems in High Performance Computing The

710 views • 31 slides
K?D+!/"#66+$,5,',/7,+%(/)8('9L+ ,( BF'',/8+#/*'()*+:)3)82.(/9+

K?D+!/"#66+$,5,',/7,+%(/)8('9L+ ,( BF'',/8+#/*'()*+:)3)82.(/9+

!"#$%"&'()* + #+$,-')./0+1'23,-('4+5('++ !/"#66+$,5,',/7,+%(/)8('9++ 5('+#/*'()*+#66:)72.(/9 + !"#$%&'#()%*'+ ;+<,/+=2/*,'9;+#'3,/+>?(*2@,'*)2/;+A2(+B?,/+ C/)@,'9)8D+(5+B2:)5('/)2;+&2@)9+

749 views • 15 slides
Intro to Analysis of Algorithms Preliminaries Chapter 1 Michael Soltys CSU Channel Islands [

Intro to Analysis of Algorithms Preliminaries Chapter 1 Michael Soltys CSU Channel Islands [

Intro to Analysis of Algorithms Preliminaries Chapter 1 Michael Soltys CSU Channel Islands [ Git Date:2019-09-11 Hash:a3f8aea Ed:3rd ] IAA Chp 1 - Michael Soltys c September 11, 2019 (a3f8aea; ed3) Introduction - 1/41 1. Precondition

923 views • 44 slides
EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture) Dept. of

EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture) Dept. of

EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture) Dept. of Computer Science & Engineering Chentao Wu wuct@cs.sjtu.edu.cn Download lectures ftp://public.sjtu.edu.cn User: wuct Password:

806 views • 49 slides
IEEE PES 1 st GENERAL MEETING SIGN IN HERE: tinyurl.com/pesgm1 A worldwide, professional

IEEE PES 1 st GENERAL MEETING SIGN IN HERE: tinyurl.com/pesgm1 A worldwide, professional

IEEE PES 1 st GENERAL MEETING SIGN IN HERE: tinyurl.com/pesgm1 A worldwide, professional technical society for engineers in power & energy. PESenting IEEE Power and Energy Projects Society (PES) Socials Networking

315 views • 20 slides
Common visualization Issues & how to fix them Duen Horng (Polo) Chau Associate Professor,

Common visualization Issues & how to fix them Duen Horng (Polo) Chau Associate Professor,

http://poloclub.gatech.edu/cse6242 CSE6242: Data & Visual Analytics Common visualization Issues & how to fix them Duen Horng (Polo) Chau Associate Professor, College of Computing Associate Director, MS Analytics Georgia Tech Mahdi

815 views • 59 slides
cCOG Guidance on performing successful Site Initiation Visits 05 December 2017 Who is this guidance

cCOG Guidance on performing successful Site Initiation Visits 05 December 2017 Who is this guidance

cCOG Guidance on performing successful Site Initiation Visits 05 December 2017 Who is this guidance for This guidance has been produced based on feedback from: the review of SIVs at the NHS Tayside Board to optimise the current practice

251 views • 8 slides
Reactive flow Building Web Applications in R with Shiny Reactivity, in spreadsheets Building

Reactive flow Building Web Applications in R with Shiny Reactivity, in spreadsheets Building

BUILDING WEB APPLICATIONS IN R WITH SHINY Reactive flow Building Web Applications in R with Shiny Reactivity, in spreadsheets Building Web Applications in R with Shiny Reactivity, in spreadsheets Building Web Applications in R with Shiny

465 views • 45 slides
Th The 6 C e 6 Common C Challen llenges wit es with Calibration Sessions Ca an and h

Th The 6 C e 6 Common C Challen llenges wit es with Calibration Sessions Ca an and h

January 2019 January 2019 Th The 6 C e 6 Common C Challen llenges wit es with Calibration Sessions Ca an and h how t to o o overcom ome t them Reg Dutton, January 2019 www.evaluagent.com 1 About us January 2019 We

480 views • 19 slides
Dr Carol Rivas, Sydney Anstee Dr Daria Tkacz, Dr Don Cruickshank What is CPES? Cancer

Dr Carol Rivas, Sydney Anstee Dr Daria Tkacz, Dr Don Cruickshank What is CPES? Cancer

PRESENT: Pragmatic engineering of themes from large volume text to improve healthcare http://www.present.org.uk/ CPES Cancer Patient Experience Survey - Freetext comments Dr Carol Rivas, Sydney Anstee Dr Daria Tkacz, Dr Don Cruickshank

363 views • 13 slides
Contact Centre Agent Morale Carolyn Blunt FCIPD Nice to meet you Carolyn Blunt FCIPD

Contact Centre Agent Morale Carolyn Blunt FCIPD Nice to meet you Carolyn Blunt FCIPD

Contact Centre Agent Morale Carolyn Blunt FCIPD Nice to meet you Carolyn Blunt FCIPD (LinkedIn, Twitter) 15+ years contact centre operational and L&D experience with household names Leading award-winning performance improvement

300 views • 12 slides
F INAL C HAPTER 1 Web Applications W EB P ROGRAMS The programs in this chapter require the

F INAL C HAPTER 1 Web Applications W EB P ROGRAMS The programs in this chapter require the

F INAL C HAPTER 1 Web Applications W EB P ROGRAMS The programs in this chapter require the use of either Visual Web Developer 2010 (packaged with this textbook) or the complete version of Visual Studio 2010. We assume that you are using

1.75k views • 164 slides
1 A Macho Hello World A Macho Hello World The context class The class methods declares all

1 A Macho Hello World A Macho Hello World The context class The class methods declares all

A Macho Hello World The TOPSTATE has the same role as the top context class operational C++ Mach ine O bjects (MACHO) idle stop disabled H* tick[timer_exp] minute close programmed cooking start minute open Macho A Macho Hello

492 views • 8 slides
Impacts of Migration on Community Resilience and Service Delivery in Hounslow MHCLG, Controlling

Impacts of Migration on Community Resilience and Service Delivery in Hounslow MHCLG, Controlling

Impacts of Migration on Community Resilience and Service Delivery in Hounslow MHCLG, Controlling Migration Fund project Trends emerging 1) Hounslows East-West divide, seems to be widening, with higher scoring areas clustered in the East

108 views • 10 slides
What the GDPR means for HR 1 hour Gary Shipsey | Managing Director May 2017 Choose one of

What the GDPR means for HR 1 hour Gary Shipsey | Managing Director May 2017 Choose one of

Tick this data protection box? What the GDPR means for HR 1 hour Gary Shipsey | Managing Director May 2017 Choose one of the following audio options Your computer audio Your telephone When the webinar begins, you will be connected to

779 views • 38 slides
The New Standard Model (NSM) [pg. 23] Neutrino oscillaFons require that neutrinos must come

The New Standard Model (NSM) [pg. 23] Neutrino oscillaFons require that neutrinos must come

The New Standard Model (NSM) [pg. 23] Neutrino oscillaFons require that neutrinos must come with different masses, implying that at least two of them must have masses that are not zero. This discovery consFtutes the first change in several

198 views • 3 slides

More recommend