stupid pcie tricks
play

Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014 whoami - PowerPoint PPT Presentation

Aug 21, 2022 •96 likes •1.06k views

Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014 whoami Electrical Engineering education with focus on CS and Infosec 8 years doing security research, speed debug, and tool development for CPUs Hardware Pen Testing of CPUs

  1. Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014

  2. whoami ● Electrical Engineering education with focus on CS and Infosec ● 8 years doing security research, speed debug, and tool development for CPUs ● Hardware Pen Testing of CPUs ● Security training for functional validators worldwide ● Software Exploitation via Hardware Joe FitzPatrick Exploits, AKA SExViaHEx @securelyfitz joefitz@securinghardware.com

  3. If Joe Fitz... Joe Sitz

  4. Disclaimer This is not academic-caliber research. Lots of this stuff has been done before. The difference is that I aim to show that PCIe attacks can be easier and cheaper than previously thought

  5. What is PCIe?

  6. PCIe is PCI!

  7. PCIe is NOT PCI! Photo by snikerdo http://en.wikipedia.org Foto tomada por Jorge González http://es.wikipedia.org

  8. Links and Lanes Diagram: PCIe 2.1 specification

  9. Hierarchy Diagram: PCIe 2.1 specification

  10. Switching and Routing Diagram: PCIe 2.1 specification

  11. Layers Diagram: PCIe 2.1 specification

  12. Configuration Space Diagram: PCIe 2.1 specification

  13. Configuration Space Diagram: PCIe 2.1 specification

  14. Configuration Space Diagram: PCIe 2.1 specification

  15. Configuration Space Diagram: PCIe 2.1 specification

  16. Configuration Space Diagram: PCIe 2.1 specification

  17. Enumeration Diagram: PCIe 2.1 specification

  18. Routing PCIe

  19. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe:

  20. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length

  21. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length … that’s mostly it

  22. Routing PCIe System Board Traces 12 Inches Add-in Card Traces 3.5 inches Chip-to-Chip Routes 15 inches Follow these rules and your board might work. Break them and it might not.

  23. Routing PCIe Minimum PCIe: ● 2.5GHz TX ● 2.5GHz RX ● 100MHz Clock (optional)

  25. $ $ $ $ $

  26. Routing PCIe Cross-section of a USB 3.0 cable. Image courtesy of USB Implementers Forum

  27. PEXternalizer on github

  28. PEXternalizer on github

  29. PEXternalizer on github

  30. PEXternalizer on github

  32. mPEXternalizer on github

  33. POC || GTFO 0x05

  34. POC || GTFO 0x05

  35. POC || GTFO 0x05

  36. A brief history of DMA attacks

  37. Tribble

  38. Firewire Attacks

  40. Video Demo Slides SysCan ‘14

  41. PLX Technologies Buy one

  42. Thunderbolt

  43. Thunderbolt

  44. USB3380 Firmware

  45. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........

  46. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........

  47. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........ That’s all!

  49. Hardware http://www.hwtools.net/PLX.html

  50. Software tools used in preparing this presentation: ● plx’s flashing software ● pyusb + scripts ● inception_pci ● volatility for memory analysis

  51. Attack-side Software Quick ‘n’ dirty PCIe memory read/write with PyUSB

  52. More attack-side Software

  53. More attack-side Software # EQUALS: # # |-- Offset 0x00 # / # /\ |-patchoffset--------------->[b0 01] # 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f .. (byte offset) # ----------------------------------------------- # c6 0f 85 a0 b8 00 00 b8 ab 05 03 ff ef 01 00 00 .. (chunk of memory data) # ----------------------------------------------- # \______/ \___/ \______/ # \ \ \ # \ \ |-- Chunk 2 at internaloffset 0x05 # \ |-- Some data (ignore, don't match this) # |-- Chunk 1 at internaloffset 0x00 # \_____________________/ # \ # |-- Entire signature #

  54. More attack-side Software {'OS': 'Mac OS X 10.9', 'versions': ['10.9'], 'architectures': ['x64'], 'name': 'DirectoryService/OpenDirectory unlock/privilege escalation', 'notes': 'Overwrites the DoShadowHashAuth/ODRecordVerifyPassword return value. 'signatures': [{'offsets': [0x1e5], # 10.9 'chunks': [{'chunk': 0x4488e84883c4685b415c415d415e415f5d, 'internaloffset': 0x00, 'patch': 0x90b001, # nop; mov al,1; 'patchoffset': 0x00}]}]}]

  55. Attacking via PCIe

  57. MRd Find important values at known locations Take memory dumps for later analysis Example: Dump memory and use Volatility to analyze it

  58. Dump Analysis with Volatility dmesg log of the attack recovered from the memory dump of the victim

  59. Dump Analysis with Volatility names, pids, and uids for dumped processes

  60. Dump Analysis with Volatility extracted machine info the perfect amount of memory to dump!

  61. MWr Modify values at known locations Manipulate code!!! Example: Use Inception to modify lock screen checking, or drop a metasploit payload!

  62. Inception with Metasploit (W7sp1 POC only)

  63. IORd/IOWr Only for legacy devices (legacy means not thoroughly tested recently)

  64. CfgRd/CfgWr Interact with other PCI devices’ config spaces Yet another separate address space/different means of accessing hardware

  65. Msg/MsgD Messages send things like interrupts and vendor- defined configuration Many message types are very rarely used Example: Invisible Things Labs SNB VT-D

  66. Mitigations

  67. Bus Master Enable joefitz@linUX31a:~/Documents/pcie/SLOTSCREAMER/inception_pci$ lspci -vv | grep BusMaster Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+

  68. Access Control Services

  69. IOMMU

  70. Mitigating the Mitigations

  71. VID:PID ● Identifies device to the OS ● OS chooses which driver to load ● OS configures ACS, BME, etc… ● OS loads driver

  72. Default Drivers ● Some drivers are ‘class’ drivers (think USB MSC, etc...) ● Some device specific drivers might be installed by default (OSX) ● Drivers contain bugs ● Think facedancer for PCIE or Thunderbolt

  73. Early Boot ● IOMMU is not configured yet ● Neither is much else ● Wishlist: Volatility support for EFI shell

  74. Option ROM/EFI drivers ● Some devices have firmware that gets run at early boot ● Some systems block this (but usually for anti-competitive reasons, not security) ●

  75. Breaking the rules ● Spoof requesterID for posted transactions ● Well-timed spoofed requesterID for non- posted transactions ● Setting the ‘translated request’ bit

  76. Misconfigurations ● Everything is MMIO now - memory protections are essential ● Memory protections are not enough - need Cfg and IO protections as well - don’t forget about them ● Does installing a hypervisor change how your OS uses its IOMMU?

  77. Putting it all together

  78. Thunderbolt Diagram: Apple Thunderbolt Device Driver Programming Guide

  79. HALIBUTDUGOUT

  80. Sorry, Previous Speakers ALLOYVIPER

  81. Building ALLOYVIPER

  82. Building ALLOYVIPER

  83. Building ALLOYVIPER

  84. Building ALLOYVIPER

  85. Building ALLOYVIPER

  86. Building ALLOYVIPER

  87. Building ALLOYVIPER

  88. Building ALLOYVIPER

  89. MITMing

  90. ⇐ Thanks for the slides, snare & rzn

  91. ⇐ Thanks for the slides, snare & rzn

  92. Bypassing VT-d on Macbooks? ● VT-d is off at boot/reboot ● Broadcom Ethernet drivers crash the system ● System reboots - all the doors are open for a few moments No POC yet (I’ll GTFO soon…)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stupid Pluto Tricks with the ADALM-PLUTO FOSDEM 2018 ROBIN GETZ MICHAEL HENNERICH 02/04/2018

Stupid Pluto Tricks with the ADALM-PLUTO FOSDEM 2018 ROBIN GETZ MICHAEL HENNERICH 02/04/2018

Stupid Pluto Tricks with the ADALM-PLUTO FOSDEM 2018 ROBIN GETZ MICHAEL HENNERICH 02/04/2018 Agenda Analog Devices and Education Introduction to the ADALM-PLUTO Software support Libiio Supported applications Building

783 views • 35 slides
Better to LOOK stupid, than to BE stupid Fred Henry Williams Agile Prague, 2018 Never

Better to LOOK stupid, than to BE stupid Fred Henry Williams Agile Prague, 2018 Never

Better to LOOK stupid, than to BE stupid Fred Henry Williams Agile Prague, 2018 Never underestimate the power of human stupidity. Robert A. Heinlein (P.s. Many highly intelligent people are actually stupid) Epistemology the

343 views • 16 slides
PCI Express Rx-Tx-Protocol Solutions Customer Presentation December 13, 2013 Agenda PCIe

PCI Express Rx-Tx-Protocol Solutions Customer Presentation December 13, 2013 Agenda PCIe

PCI Express Rx-Tx-Protocol Solutions Customer Presentation December 13, 2013 Agenda PCIe Gen4 Update PCIe Gen3 Overview PCIe Gen3 Tx Solutions Tx Demo PCIe Gen3 Rx Solutions Rx Demo PCIe Gen3 Protocol

587 views • 48 slides
RESILIENCE lo Deli v er the bits, stupid. David Isenberg Rise of the Stupid

RESILIENCE lo Deli v er the bits, stupid. David Isenberg Rise of the Stupid

RESILIENCE lo Deli v er the bits, stupid. David Isenberg Rise of the Stupid Network HTTP email ftp telnet gopher TCP/IP HTTP URLs HTML WWW Ti e trick... is to make sure that each limited mechanical part of the web,

1k views • 66 slides
Its People, Stupid (People are stupid?) Andy Walker Success in software engineering is

Its People, Stupid (People are stupid?) Andy Walker Success in software engineering is

Its People, Stupid (People are stupid?) Andy Walker Success in software engineering is limited by your ability to influence, understand and work with other people. Three laws of humanity 1. People believe what they want to believe

922 views • 16 slides
Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid

Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid

The heart of the matter, part 2: Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid is a Bible word Stupid is a Bible word It occurs 17 times in the NLT. It occurs 17 times in the NLT.

815 views • 53 slides
S9709 Dynamic Sharing of f GPUs and IO IO in in a PCIe Network Hkon Kvale Stensland Senior

S9709 Dynamic Sharing of f GPUs and IO IO in in a PCIe Network Hkon Kvale Stensland Senior

S9709 Dynamic Sharing of f GPUs and IO IO in in a PCIe Network Hkon Kvale Stensland Senior Research Scientist / Associate Professor Simula Research Laboratory / University of Oslo Outline Motivation PCIe Overview

645 views • 36 slides
S7281: Device Lending: Dynamic Sharing of GPUs in a PCIe Cluster Jonas Markussen PhD student

S7281: Device Lending: Dynamic Sharing of GPUs in a PCIe Cluster Jonas Markussen PhD student

S7281: Device Lending: Dynamic Sharing of GPUs in a PCIe Cluster Jonas Markussen PhD student Simula Research Laboratory Outline Motivation PCIe Overview Non-Transparent Bridges Device Lending Distributed applications may need

571 views • 25 slides
Dual T1E1 Express (PCIe) Analysis & Emulation Boards 818 West Diamond Avenue - Third Floor,

Dual T1E1 Express (PCIe) Analysis & Emulation Boards 818 West Diamond Avenue - Third Floor,

Dual T1E1 Express (PCIe) Analysis & Emulation Boards 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com PCIe based Dual Express T1 E1

672 views • 22 slides
TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11 Tony Wasserka Meeting C ++ @ fail _ cluez 17 November 2018 WHO AM I ? WHO AM I ? Berlin - based consultant : Workflow optimization , Code

973 views • 24 slides
TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a proposed name for a co-operative can be reserved for 90 days before incorporation if you dont incorporate within 90 days, you cannot reserve

604 views • 38 slides
The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

W8 Concurrent Session Wednesday 11/12/2008 12:45 PM 2:15 PM The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks Presented by: Mike Cottmeyer VersionOne Presented at: Agile Development Practices

646 views • 60 slides
Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas

Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas

Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas AG The KISS principle. Herbstcampus 2010 Keep Persistence Simple, Stupid 2 Complexity Cost Functions (Lower) Cost (Higher) Complexity

211 views • 17 slides
AMBER 16 on V100s October 2017 PME-Cellulose_NPT on V100s PCIe 50 47.67 40 24.6X (Untuned on

AMBER 16 on V100s October 2017 PME-Cellulose_NPT on V100s PCIe 50 47.67 40 24.6X (Untuned on

AMBER 16 on V100s October 2017 PME-Cellulose_NPT on V100s PCIe 50 47.67 40 24.6X (Untuned on Volta) Running AMBER version 16.8 30 ns/day The blue node contains Dual Intel Xeon E5-2690 v4@2.6GHz [3.5GHz Turbo] (Broadwell) CPUs 20 The

590 views • 26 slides
AMBER 16 on P100s February 2017 PME-Cellulose_NPT on P100s PCIe 40 PME-Cellulose_NPT 35

AMBER 16 on P100s February 2017 PME-Cellulose_NPT on P100s PCIe 40 PME-Cellulose_NPT 35

AMBER 16 on P100s February 2017 PME-Cellulose_NPT on P100s PCIe 40 PME-Cellulose_NPT 35 Running AMBER version 16.3 30.00 30 The blue node contains Dual Intel Xeon E5-2699 v4@2.2GHz [3.6GHz Turbo] 25 12.8X ns/day 21.85 (Broadwell) CPUs

426 views • 20 slides
Understanding PCIe performance for end host networking Rolf Neugebauer , Gianni Antichi, Jos

Understanding PCIe performance for end host networking Rolf Neugebauer , Gianni Antichi, Jos

Understanding PCIe performance for end host networking Rolf Neugebauer , Gianni Antichi, Jos Fernando Zazo, Yury Audzevich, Sergio Lpez-Buedo, Andrew W. Moore 1 The idea of end hosts participating in the implementation of network

451 views • 26 slides
Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A Trip Down Memory Lanes A Trip

Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A Trip Down Memory Lanes A Trip

Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A Trip Down Memory Lanes A Trip Down Memory Lanes Background Thunderbolt Apple and Intel External Port PCI Express (PCIe) and DisplayPort using the same port

1.23k views • 57 slides
New Approaches to Specimen Preparation for Molecular TEM Clint Potter National Resource for

New Approaches to Specimen Preparation for Molecular TEM Clint Potter National Resource for

New Approaches to Specimen Preparation for Molecular TEM Clint Potter National Resource for Automated Molecular Microscopy The Scripps Research Institute NRAMM Workshop 10 November 2014 T he overall mission of NRAMM is to develop, test and

497 views • 27 slides
Welcome to Insite Breese Printing & Publishings prepress portal for uploading,

Welcome to Insite Breese Printing & Publishings prepress portal for uploading,

Welcome to Insite Breese Printing & Publishings prepress portal for uploading, reviewing and approving files. Once you have received an email notifjcation from Insite with your user name and password, using your web browser you can

365 views • 4 slides
Week 13: Audacity Roger B. Dannenberg Professor of Computer Science and Art Carnegie Mellon

Week 13: Audacity Roger B. Dannenberg Professor of Computer Science and Art Carnegie Mellon

Week 13: Audacity Roger B. Dannenberg Professor of Computer Science and Art Carnegie Mellon University Introduction n Audacity n Audacity Implementation n The Nyquist Plug-in Architecture 2 Carnegie Mellon University 2019 by Roger B.

520 views • 9 slides
Best of Both Worlds: Remote Pairing in Action Joel Friedman Alex Rutkowski Overview what is

Best of Both Worlds: Remote Pairing in Action Joel Friedman Alex Rutkowski Overview what is

Best of Both Worlds: Remote Pairing in Action Joel Friedman Alex Rutkowski Overview what is Outpace? pros and cons of traditional work settings benefits of remote pairing developer setup and tools process with videos q

415 views • 25 slides
Fedora 28 Release Party (Beijing) Whats new in Fedora 28 & introduction to Fedora and

Fedora 28 Release Party (Beijing) Whats new in Fedora 28 & introduction to Fedora and

Fedora 28 Release Party (Beijing) Whats new in Fedora 28 & introduction to Fedora and FZUG Pany About me Fedora L10n Fedora Zhongwen(Chinese) User Group FAS pany pany@FedoraProject.org Today's topic Whats new in

548 views • 35 slides
St Vincent's Institute Melbourne Hashtag : #xw15 Please leave comments on this talk

St Vincent's Institute Melbourne Hashtag : #xw15 Please leave comments on this talk

Modern Open Source Mac Management Jon Rhoades St Vincent's Institute Melbourne Hashtag : #xw15 Please leave comments on this talk at auc.edu.au/xworld/sessions Why Open Source? Proprietary software

721 views • 70 slides
Performance Enhancement in OpenStack for Elastic Hadoop Cluster CMSoft Cloud Computing Products

Performance Enhancement in OpenStack for Elastic Hadoop Cluster CMSoft Cloud Computing Products

OpenStack Performance Enhancement in OpenStack for Elastic Hadoop Cluster CMSoft Cloud Computing Products Department Lei Xu, Lina Hu, Weizhong Yu The Open Infrastructure Summit P A R T o n e Problems in High Performance Computing The

710 views • 31 slides

More recommend