tpm genie
play

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 - PowerPoint PPT Presentation

Mar 10, 2024 •855 likes •1.41k views

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone @uffeux Principal Consultant @ NCC Group Focus on hardware and embedded systems security Previously: 10 years product security @

  1. TPM Genie Attacking the Hardware Root of Trust For Less Than $50

  2. Introduction Jeremy Boone @uffeux • Principal Consultant @ NCC Group • Focus on hardware and embedded systems security • Previously: 10 years product security @ BlackBerry & Motorola Mobility

  3. Agenda 1. Overview of Trusted Platform Module 2. Threat Model & Attack Surface 3. Bug Hunting 4. Interposer Design & Build 5. Demo 6. Conclusions 3

  4. The Trusted Platform Module

  5. What is a TPM? • A crypto-processor • Trusted Computing Group (TCG) consortium • Multiple versions: TPM v1.2 and v2.0 • Used practically everywhere • Servers, laptops, desktops, IoT devices, … • Over 2 billion computers use a TPM (allegedly) • The U.S. Army and DoD require that every new PC has one

  6. Functions of a TPM • Command-Response protocol w/ 100+ ordinals • Hardware random number generation • Secure (aka on-chip) generation of cryptographic keys • … plus many other crypto primitives • Primary use in “Trusted Computing” applications: • Measured Boot • Remote Attestation • Sealed Storage

  7. TPM Functions – Measured Boot • Each boot stage is hashed (measured) by previous stage • BIOS, MBR, UEFI, kernel command line … • Hashes extended into 160-bit Platform Configuration Registers (PCRs) • PCR is a shielded memory space within TPM chip. • PCR[i].new := HASH( PCR[i].old || new_data ) • Chain of trust: Code shouldn’t be executed until it’s been measured. • PCR set can be audited at any point to inspect measurements. • Intel Trusted eXecution Technology (TXT)

  8. TPM Functions – Remote Attestation • Prove to authorized remote party that platform is in a specific state. • The basic idea: • Remote party sends nonce to TPM • TPM generates a Quote: • Quote = sign( PCR[n..m] + nonce ) • TPM returns Quote to remote party • Remote party verifies Quote and decides if it can trust host • Next steps are application specific • Ex: Hand over some kind of secret, such as DRM key

  9. TPM Functions – Sealed Storage • Protects a secret stored in the TPM’s non -volatile memory • Ex: Bitlocker or dm-crypt keys • Binds the secret to a specific PCR set • cipher_txt = tpm_seal( plain_text, PCRs, [password, locality] ) • plain_txt = tpm_unseal( cipher_text, PCRs, [password, locality] ) • The secret can only be released when the system is in the correct state

  10. Attack Surface / Threat Model

  11. Discrete TPM • Manufacturers claim secure type of TPM • Tamper “resistant” against invasive silicon, fault injection and side channel attacks • Enter Chris Tarnovsky to prove everyone wrong • But… invasive attacks cost $$$ • I wanted an attack that works in 5 mins for < $50 • Threat Model – Those with physical access • Rogue data center employee • Supply chain interdiction attacks (NSA ANT-style implant) • Evil Maid scenario

  12. Discrete TPM Risks • Often on a daughter card • Connected to main board via a header • Communicate with host via serial bus: I2C, SPI, LPC • Exposes serial bus to tampering • A MITM on the bus can sniff/modify traffic • Non- invasive attacks via an “interposer” device • No need to cut traces or desolder TPM

  13. TPM Headers

  14. Uhhh …

  15. Serial Bus Interposer

  16. Hunting For Bugs

  17. Target Enumeration & Selection • Operating Systems: • Linux kernel: Hardware RNG, integrity subsystem • Plus other kernels that implement TPM drivers • Pre-kernel environments (Bootloader, Legacy BIOS, UEFI): • tboot, coreboot, GRUB, Tianocore EDK2, +more • Userspace stuff: • TrouSerS, OpenSSL TPM Engine, +more

  18. Linux Kernel TPM Driver Architecture

  19. Kernel Code Review int tpm_get_random( u32 chip_num, u8 *out, size_t max) { struct tpm_chip *chip; struct tpm_cmd_t tpm_cmd; u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA); ... tpm_cmd.header.in = tpm_getrandom_header; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); err = tpm_transmit_cmd( chip, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes ); ... recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len); memcpy(out, tpm_cmd.params.getrandom_out.rng_data, recd); ... }

  20. Kernel Code Review int tpm_get_random( u32 chip_num, u8 *out, size_t max ) { struct tpm_chip *chip; struct tpm_cmd_t tpm_cmd; u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA) ; ... tpm_cmd.header.in = tpm_getrandom_header; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); err = tpm_transmit_cmd( chip, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes ); ... recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len); memcpy(out, tpm_cmd.params.getrandom_out.rng_data, recd); ... }

  21. Kernel Code Review int tpm_get_random( u32 chip_num, u8 *out, size_t max) { struct tpm_chip *chip; struct tpm_cmd_t tpm_cmd; u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA); ... tpm_cmd.header.in = tpm_getrandom_header; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); err = tpm_transmit_cmd( chip, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes ); ... recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len); memcpy(out, tpm_cmd.params.getrandom_out.rng_data, recd); ... }

  22. Kernel Code Review int tpm_get_random( u32 chip_num, u8 *out, size_t max) { struct tpm_chip *chip; struct tpm_cmd_t tpm_cmd; u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA); ... tpm_cmd.header.in = tpm_getrandom_header; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); err = tpm_transmit_cmd( chip, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes ); ... recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len); memcpy(out, tpm_cmd.params.getrandom_out.rng_data, recd); ... }

  23. Kernel Code Review int tpm_get_random( u32 chip_num, u8 *out, size_t max) { struct tpm_chip *chip; struct tpm_cmd_t tpm_cmd; u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA); ... tpm_cmd.header.in = tpm_getrandom_header; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); err = tpm_transmit_cmd( chip, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes ); ... recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len); memcpy(out, tpm_cmd.params.getrandom_out.rng_data, recd); ... }

  24. Kernel Code Review int tpm_get_random( u32 chip_num, u8 *out, size_t max) { struct tpm_chip *chip; struct tpm_cmd_t tpm_cmd; u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA); ... tpm_cmd.header.in = tpm_getrandom_header; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes); err = tpm_transmit_cmd( chip, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes ); ... recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len); memcpy(out, tpm_cmd.params.getrandom_out.rng_data, recd); ... }

  25. The Results • Many memory corruption issues: • Linux Kernel: 6 • U-Boot: 2 • Coreboot: 1 • tboot: 13 • Tianocore EDK2: 10 • Root cause: Fragile response payload parsing • Some bugs are specific to a TPM chipset vendor (lowest driver layer) • Other bugs affect the generic TPM command/response interface • Both TPM v1.2 and v2.0 • PCR Read, Get Random, Seal, Unseal, NV Read, Get Capability

  26. At the Packet Level: Request 00 C1 00 00 00 0E 00 00 00 46 00 00 00 10 +---+ +---------+ +---------+ +---------+ tag length ordinal size_req +---------------------------+ +---------+ header body tpm_cmd.header.in = tpm_getrandom_header ; tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes) ; tpm_transmit_cmd( chip, &tpm_cmd, TPM_GETRANDOM_RESULT_SIZE + num_bytes );

  27. At the Packet Level: Response 00 C4 00 00 00 1E 00 00 00 00 00 00 00 10 EF F8 2C 6A ... +---+ +---------+ +---------+ +---------+ +-----------...+ tag length ret code data_len rng_data +---------------------------+ +-----------------------...+ header body tpm_transmit_cmd(chip, &tpm_cmd, 0x1A); recd = be32_to_cpu( tpm_cmd.params.getrandom_out.rng_data_len ); memcpy(dest, tpm_cmd.params.getrandom_out.rng_data , recd);

  28. At the Packet Level: Response 00 C4 00 00 00 1E 00 00 00 00 00 00 FF FF AA AA AA AA ... +---+ +---------+ +---------+ +---------+ +-----------...+ tag length ret code data_len rng_data +---------------------------+ +-----------------------...+ header body tpm_transmit_cmd(chip, &tpm_cmd, 0x1A); recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len); memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);

  29. Didn’t The TCG Anticipate This?

  30. Authorization Sessions • HMAC • Appended to command and response packets. • Defense against payload tampering. • Guarantees Integrity : Packet hasn’t been tampered with. • Guarantees Authenticity: By knowledge of shared secret . • Parameter Encryption • Guarantees Confidentiality: Can transmit secrets on the bus w/o exposure. • Rolling Nonces • Prevent replay attacks.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using GENIE Combating Loneliness Inquiry https://genie.soton.ac.uk Anne Kennedy and Anne

Using GENIE Combating Loneliness Inquiry https://genie.soton.ac.uk Anne Kennedy and Anne

Using GENIE Combating Loneliness Inquiry https://genie.soton.ac.uk Anne Kennedy and Anne Rogers The team behind GENIE at Southampton University NIHR CLAHRC Wessex GENIE Online Intervention Steps Map personal community of support in

873 views • 27 slides
GENIE Systematic Errors GENIE Systematic Errors GENIE Systematic Errors Hugh Gallagher, Tufts

GENIE Systematic Errors GENIE Systematic Errors GENIE Systematic Errors Hugh Gallagher, Tufts

GENIE Systematic Errors GENIE Systematic Errors GENIE Systematic Errors Hugh Gallagher, Tufts University July 11, 2016 - NUTUNE 16, U. Liverpool OUTLINE 1) History/Context 2) Neutrino-Nucleon Interaction Modeling Free nucleon cross

905 views • 43 slides
Directions Most interaction is between Dorky Computer Scientist, the Genie and the crowd. Dialogue

Directions Most interaction is between Dorky Computer Scientist, the Genie and the crowd. Dialogue

Characters : 1. Computer Science GeniusMark 2. Computer Science Genie (or just Genie)GWA Overview : After the Dorky Computer Scientist summons the Power Agile Genie (with the help of the crowd) he is granted three wishes. As a first wish,

195 views • 8 slides
GENIE Status Gabriel N. Perdue Simulations for Neutrinos 30 January 2017 Overview Recent

GENIE Status Gabriel N. Perdue Simulations for Neutrinos 30 January 2017 Overview Recent

GENIE Status Gabriel N. Perdue Simulations for Neutrinos 30 January 2017 Overview Recent release: GENIE 2.12.2 Planned releases: - GENIE 3.0 - GENIE 4.0 2 Gabriel Perdue | GENIE news | Simulations for Neutrinos 30 January 2017 GENIE

397 views • 13 slides
Introducing 2) Develop skills to utilize the online GENIE GENIE checklist and become familiar

Introducing 2) Develop skills to utilize the online GENIE GENIE checklist and become familiar

3/18/2014 The Guide for Effective Nutrition Interventions and Education Learning Objectives 1) Explain the process used in developing and validating the Guide for Effective Nutrition Interventions and Education (GENIE). Introducing 2) Develop

500 views • 10 slides
First look at new GENIE syst CAFs LBL meeting 30 Jul 2018 Chris Backhouse University

First look at new GENIE syst CAFs LBL meeting 30 Jul 2018 Chris Backhouse University

First look at new GENIE syst CAFs LBL meeting 30 Jul 2018 Chris Backhouse University College London Introduction Using example file /dune/data/users/marshalc/CAF FHC.root Weights now readable in CAFAna as dune.genie wgt[][]

442 views • 11 slides
GENIE update a personal view Steve Dytman, Univ. of Pittsburgh NusTec 11 December, 2018

GENIE update a personal view Steve Dytman, Univ. of Pittsburgh NusTec 11 December, 2018

GENIE update a personal view Steve Dytman, Univ. of Pittsburgh NusTec 11 December, 2018 group changes v3 + reweighting model advances, plans electron scattering v4 GENIE group changes FNAL After contributing many

616 views • 24 slides
rSMILE, an interface to the Bayesian Network package GeNIe/SMILE Roman Klinger, Christoph M.

rSMILE, an interface to the Bayesian Network package GeNIe/SMILE Roman Klinger, Christoph M.

rSMILE, an interface to the Bayesian Network package GeNIe/SMILE Roman Klinger, Christoph M. Friedrich { klinger,friedrich } @scai.fraunhofer.de July 9, 2009 Outline Bayesian Networks Existing Implementations GeNIe/SMILE rSMILE Applications

642 views • 17 slides
The Genie in the Bottle Implementing and Sustaining Lean Pg 1 What Well Cover Introduction

The Genie in the Bottle Implementing and Sustaining Lean Pg 1 What Well Cover Introduction

The Genie in the Bottle Implementing and Sustaining Lean Pg 1 What Well Cover Introduction 1. The Definition of True North 2. Key Philosophies Successful Lean Organizations 3. Quick review of the Toyota House 4. Discussion

1.37k views • 92 slides
The Genie is out of the bottle: DNA testing and the end of donor anonymity DNA testing is on the

The Genie is out of the bottle: DNA testing and the end of donor anonymity DNA testing is on the

The Genie is out of the bottle: DNA testing and the end of donor anonymity DNA testing is on the rise www.varta.org.au N=312 Ancestry DNA tests how do they work? 3 main types 1. Y-DNA 2. mtDNA 3. Autosomal www.varta.org.au Autosomal

811 views • 18 slides
Genie Distributed Systems Synthesis and Verification Marc Rosen EN.600.667: Advanced Distributed

Genie Distributed Systems Synthesis and Verification Marc Rosen EN.600.667: Advanced Distributed

Genie Distributed Systems Synthesis and Verification Marc Rosen EN.600.667: Advanced Distributed Systems and Networks May 1, 2017 1 / 35 Outline Introduction Problem Statement Prior Art Demo How does it work? Code Generation How does it

504 views • 35 slides
GENIE: Valida,on and Tuning status report Julia Yarba,

GENIE: Valida,on and Tuning status report Julia Yarba,

GENIE: Valida,on and Tuning status report Julia Yarba, FNAL Simula,on for Neutrinos mee,ng Jan.30, 2016 GENE Valida,on and Tuning

369 views • 16 slides
FFPSA Implementation Efforts in LA County LA County DCFS Kym Renner &amp; Genie Chough FFPSA

FFPSA Implementation Efforts in LA County LA County DCFS Kym Renner &amp; Genie Chough FFPSA

FFPSA Implementation Efforts in LA County LA County DCFS Kym Renner &amp; Genie Chough FFPSA Convening CWDS Training Center Riverside, CA November 20, 2019 Highlights Introductions LA County Governance Structure &amp;

574 views • 10 slides
Learning Genie Staff Training 1 Welcome! Loved by thousands of teachers and directors, 40+ lab

Learning Genie Staff Training 1 Welcome! Loved by thousands of teachers and directors, 40+ lab

Learning Genie Staff Training 1 Welcome! Loved by thousands of teachers and directors, 40+ lab school partners, 200+ school districts /agencies 2 8:00-8:10am Introduction 8:10am-9:30am Training Session I (Mobile Devices) Portfolios Daily

694 views • 23 slides
The Genie Is Out of the Bottle Richard E. Ya Deau, MD FACS, FACHCE (HON) 23andme Your genetic

The Genie Is Out of the Bottle Richard E. Ya Deau, MD FACS, FACHCE (HON) 23andme Your genetic

The Genie Is Out of the Bottle Richard E. Ya Deau, MD FACS, FACHCE (HON) 23andme Your genetic data Participatory Research Richard YaDeau Richard YaDeau Genes vs. Environment 60-80 % Attributable to Genetics The heritability of AD

300 views • 7 slides
The Genie Is Out of the Bottle Richard E. Ya Deau MD, FACS, ACHCE (HON) 23andme Your genetic

The Genie Is Out of the Bottle Richard E. Ya Deau MD, FACS, ACHCE (HON) 23andme Your genetic

The Genie Is Out of the Bottle Richard E. Ya Deau MD, FACS, ACHCE (HON) 23andme Your genetic data Participatory Research Richard YaDeau Richard YaDeau Genes vs. Environment 60-80 % Attributable to Genetics The heritability of AD

252 views • 7 slides
TLA + specification of PCR parallel programming pattern Work in Progress e E. Solsona 1 Sergio

TLA + specification of PCR parallel programming pattern Work in Progress e E. Solsona 1 Sergio

TLA + specification of PCR parallel programming pattern Work in Progress e E. Solsona 1 Sergio Yovine 2 Jos Universidad ORT Uruguay September 2020 1 solsona@fi365.ort.edu.uy 2 yovine@fi365.ort.edu.uy TLA + specification of PCR Jos e E.

775 views • 35 slides
Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci 1 Emulab Public network testbed Create complex experiments quickly 500+ nodes at Utah Emulab 2 Emulab Nodes Physical nodes

566 views • 35 slides
HOME Investment Partnerships Program Administrative Draws and Project Completion Reporting

HOME Investment Partnerships Program Administrative Draws and Project Completion Reporting

HOME Investment Partnerships Program Administrative Draws and Project Completion Reporting Administered by Because theres no place like HOME. What are Administrative Costs? Because theres no place like HOME. Administrative costs

687 views • 47 slides
TCG TPM2 Software Stack &amp; Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda

TCG TPM2 Software Stack &amp; Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda

TCG TPM2 Software Stack &amp; Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda Background Security basics Terms TPM basics What it is / what it does Why this matters / specific features TPM Software Stack

480 views • 26 slides
STK-IN4300 Methods using Derived Input Directions Statistical Learning Methods in Data Science

STK-IN4300 Methods using Derived Input Directions Statistical Learning Methods in Data Science

STK-IN4300 - Statistical Learning Methods in Data Science Outline of the lecture Model Assessment and Selection Cross-Validation Bootstrap Methods STK-IN4300 Methods using Derived Input Directions Statistical Learning Methods in Data Science

445 views • 11 slides
COVID-19 Press Briefing June 12, 2020 CCBH Jurisdiction Cases Overview Lab-confirmed cases

COVID-19 Press Briefing June 12, 2020 CCBH Jurisdiction Cases Overview Lab-confirmed cases

COVID-19 Press Briefing June 12, 2020 CCBH Jurisdiction Cases Overview Lab-confirmed cases 3,082 Probable cases 612 Total cases 3,694 Date of illness onset February 28 June 9 Recovered cases 1441 Number

670 views • 29 slides
The Resource-as-a-Service (RaaS) Cloud Orna Agmon Ben-Yehuda Muli Ben-Yehuda Assaf Schuster Dan

The Resource-as-a-Service (RaaS) Cloud Orna Agmon Ben-Yehuda Muli Ben-Yehuda Assaf Schuster Dan

The Resource-as-a-Service (RaaS) Cloud Orna Agmon Ben-Yehuda Muli Ben-Yehuda Assaf Schuster Dan Tsafrir Department of Computer Science Technion Israel Institute of Technology HotCloud 2012 Agmon Ben-Yehuda, Ben-Yehuda, Schuster, Tsafrir

606 views • 21 slides
Segmentation &amp; Custering Disclaimer: Many slides have been borrowed from Devi Parikh and

Segmentation &amp; Custering Disclaimer: Many slides have been borrowed from Devi Parikh and

Segmentation &amp; Custering Disclaimer: Many slides have been borrowed from Devi Parikh and Kristen Grauman, who may have borrowed some of them from others. Any time a slide did not already have a credit on it, I have credited it to Kristen. So

1.17k views • 93 slides

More recommend