Security Analysis of the Computer Architecture *OR* What a so9ware researcher can teach you about *YOUR* computer

Similar documents
Intel Software Guard Extensions(Intel SGX) Carlos Rozas Intel Labs November 6, 2013

Lecture Embedded System Security Dynamic Root of Trust and Trusted Execution

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Attacking Hypervisors via Firmware and Hardware

Windows Server Virtualization & The Windows Hypervisor

Attacking Hypervisors via Firmware and Hardware

Hardware Based Virtualization Technologies. Elsie Wahlig Platform Software Architect

COS 318: Operating Systems

85MIV2 / 85MIV2-L -- Components Locations

AES Flow Interception : Key Snooping Method on Virtual Machine. - Exception Handling Attack for AES-NI -

Virtual Machines. COMP 3361: Operating Systems I Winter

Compromise-as-a-Service

FRONT FLYLEAF PAGE. This page has been intentionally left blank

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Intel Trusted Platforms Overview

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones May 2011

Intel Trusted Execution Technology (Intel TXT)

Technologies to Improve. Ernie Brickell

Security Policy for FIPS Validation

A Unified View of Virtual Machines

I/O. Input/Output. Types of devices. Interface. Computer hardware

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Basics of Virtualisation

Virtual machines and operating systems

Fastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems

Example of Standard API

Virtualization. Jia Rao Assistant Professor in CS

Intel Virtualization Technology Overview Yu Ke

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

Intel Trusted Execution Technology (Intel TXT)

H ARDWARE C ONSIDERATIONS

Virtualization. Clothing the Wolf in Wool. Wednesday, April 17, 13

COS 318: Operating Systems. Virtual Machine Monitors

Virtualization. Pradipta De

Software Token Security & Provisioning: Innovation Galore!

UNCLASSIFIED Version 1.0 May 2012

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Operating System Overview. Otto J. Anshus

Introduction to Virtual Machines

x86 Virtualization Hardware Support Pla$orm Virtualiza.on

MODULE 3 VIRTUALIZED DATA CENTER COMPUTE

Introduction to Virtual Machines

A Tour Beyond BIOS Supporting an SMM Resource Monitor using the EFI Developer Kit II

Haven. Shielding applications from an untrusted cloud. Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research

Attacking Intel Trusted Execution Technology

Frontiers in Cyber Security: Beyond the OS

Index. BIOS rootkit, 119 Broad network access, 107

Sierraware Overview. Simply Secure

Enabling Intel Virtualization Technology Features and Benefits

Intel Virtualization Technology FlexMigration Application Note

Intel Virtualization Technology Processor Virtualization Extensions and Intel Trusted execution Technology

SecureDoc Disk Encryption Cryptographic Engine

Distributed Systems. Virtualization. Paul Krzyzanowski

Virtualization Technology. Zhiming Shen

System Area Manager. Remote Management

BHyVe. BSD Hypervisor. Neel Natu Peter Grehan

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Computer Setup (F10) Utility Guide HP Compaq dx2200 Microtower Business PC

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

matasano Hardware Virtualization Rootkits Dino A. Dai Zovi

Windows Server Virtualization & The Windows Hypervisor. Background and Architecture Reference

Distributed System Monitoring and Failure Diagnosis using Cooperative Virtual Backdoors

OpenSGX: An Open Platform for SGX Research

Full and Para Virtualization

The Reduced Address Space (RAS) for Application Memory Authentication

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

Virtualization and the U2 Databases

Cloud Computing. Up until now

The Bus (PCI and PCI-Express)

Von der Hardware zur Software in FPGAs mit Embedded Prozessoren. Alexander Hahn Senior Field Application Engineer Lattice Semiconductor

Outline. Outline. Why virtualization? Why not virtualize? Today s data center. Cloud computing. Virtual resource pool

CPU Organization and Assembly Language

USB Portable Storage Device: Security Problem Definition Summary

Certifying Program Execution with Secure Processors

Virtualization in Linux KVM + QEMU

AwardBIOS Setup Utility

Mark Bennett. Search and the Virtual Machine

Putting it all together: Intel Nehalem.

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

CS 695 Topics in Virtualization and Cloud Computing. More Introduction + Processor Virtualization

Virtualization. Dr. Yingwu Zhu

CS 3530 Operating Systems. L02 OS Intro Part 1 Dr. Ken Hoganson

Kingston KC300 Security Toolbox

A Survey on ARM Cortex A Processors. Wei Wang Tanima Dey

BIOS Update Release Notes

Chapter 16: Virtual Machines. Operating System Concepts 9 th Edition

Virtualization. Types of Interfaces

Cautions When Using BitLocker Drive Encryption on PRIMERGY

Fachbereich Informatik und Elektrotechnik SunSPOT. Ubiquitous Computing. Ubiquitous Computing, Helmut Dispert

evm Virtualization Platform for Windows

Cloud security CS642: Computer Security Professor Ristenpart h9p:// rist at cs dot wisc dot edu University of Wisconsin CS 642

Performance monitoring with Intel Architecture

Intel Server Board S5000PALR Intel Server System SR1500ALR

Chapter 5 Cloud Resource Virtualization

Transcription:

Security Analysis of the Computer Architecture *OR* What a so9ware researcher can teach you about *YOUR* computer Rodrigo Rubira Branco (BSDaemon) rodrigo *nospam* kernelhacking.com hhps://twiher.com/bsdaemon BSDaemon

Disclaimers I don t speak for my employer. All the opinions and informamon here are of my responsibility (actually no one ever saw this talk before); The talk focus mostly in Intel Skylake Architecture (Wikipedia says it will be released 2015-2016). I ll try to generalize as much as I can though in that, probably many mistakes might happen, so Interrupt me if you have quesmons or important comments at any point. IMPORTANT: No, I m not part of the Intel Security Group (Mcafee)

Start answering quesmons I already anmcipate a few quesmons: RNG - > I have no idea how strong it is, I believe it is not as strong as a specialized hardware but probably stronger than usual random generamon mechanisms existent in the pla`orm AMT - > I ll talk a bit about the ME, but I ll let the AMT research by Insinuator [0] to conmnue ;) [0] hhp://www.insinuator.net/2014/03/how- to- use- intel- amt- and- have- some- fun- with- mainboards/

Arch x uarch Architecture The collecmon of features of a processor (or a system) as they are seen by the user User: a binary executable running on that processor, or assembly level programmer μarchitecture The collecmon of features or way of implementamon of a processor (or a system) that do not affect the user. Features which change Timing/performance are considered microarchitecture.

Arch and uarch elements Architecture Registers data width (8/16/32/64) InstrucMon set Addressing modes Addressing methods (SegmentaMon, Paging, etc...) ProtecMon etc µarchitecture Bus width Physical memory size Caches & Cache size Number of execumon units ExecuMon Pipelines, Number & type execumon units Branch predicmon TLB etc... Timing is considered µarchitecture (though it is user visible!)

Your computer External Graphics Card DDRIII Channel 1 DDRIII Channel 2 2133-1066 MHz Mem BUS Memory controller Cache Core Core GFX PCI express 16 System Agent Line out Line in S/PDIF out S/PDIF in Audio Codec Display link South Bridge (PCH) 4 DMI D-sub, HDMI, DVI, Display port exp slots BIOS PCI express 1 Parallel Port Serial Port Super I/O Floppy Drive PS/2 keybrd/ mouse LPC mouse USB SATA SATA DVD Drive Hard Disk Lan Adap LAN

Computer Complexity IOMMU (Intel VT- d) What is it? How does it work - > Is it a chip or a so9ware? Where is it located?

Easy, another one How many processors your machine runs? (4? 8? 2 x 4 threads?) Well Your cpu s (and threads) Your ME (Manageability Engine) INTERRUPT RECEIVED!!

Interrupt Handler DAL [1] (Dynamic ApplicaMon Loader) Runs Java (permits 3 rd part applicamons) ARC Processor Complete real- Mme OS IRET [1] hhp://developers.txe.iil.intel.com/discover

Processors PCU (Power Control Unit) Pure assembly OS (similar, but not fully compamble x86 ISA) Mainly comprises watchdogs for voltage failures (trying to recover or reset) Harvard Architecture (separate RAM/ROM) PMC (Power Management Controller) Your PCH PCU GPCU (Graphics PCU)

Processors Your gigabit card Uops, research already done in that [2] [2] hhp://www.alchemistowl.org/arrigo/papers/arrigo- Triulzi- PACSEC08- Project- Maux- II.pdf VCU (ValidaMon Control Unit) BMC (servers) [3] [3] hhps://community.rapid7.com/community/metasploit/blog/ 2013/07/02/a- penetramon- testers- guide- to- ipmi

Tricky? Lets make it easier then How many execumon modes your processor has? Real- mode? Virtual- 8086 mode? Protected mode? SMM Mode? [4] POC GTFO 0x03 Net Watch: System Management Mode is not just for Governments [4] My troopers talk and Phrack armcle on the subject

Modes Where are the x64 folks? 32e mode? 64- bit mode? Those are more like ISA- related modes, similar to ARM Thumb I and/or II modes More?? VT- x anyone? SGX (So9ware Guard Extensions) anyone? More on this later

Modes So, I m bul*********? One is new (SGX is not even available yet) and the other is not exactly a mode What about cram mode then?? Anyone? Note: CRAM!= CAR (Yeap, I love Intel acronyms)

Modes What about TXT? (GETSEC[SENTER]) to execute SINIT ACM - > AMD PRESIDIO? I ll discuss this later as well ;) ACM (AuthenMcated Code Modules) run in CRAM mode Memory Areas protected by VT- d PMR or DPR (DMA Protected Region) Any code can be called and execute a MLE (Measured Launch Environment) BTW: InteresMng ACM to have a look at: SCLEAN (clean system memory) Probe mode anyone? For debugging with hardware debugger (ITP In- Target Probe) Supports JTAG standard/protocol No regular instrucmon fetch (IP register not in use) PIR (Probe Mode InstrucMon Register) PDR (Probe Mode Data Register) Probe- mode special instrucmons» PROBEMODE (to specify each core in PM or NOT)» WRSUBPIR (to send instrucmon to CPU)» READPDRT (read PDR) MSRs exclusive to probe mode (not real hardware register, only ucode funcmons)» prob_lt_sp_cyc Access LT private space» prob_change_pg_bit Disable/enable paging in 64 bit mode SMM special relamon (Enter Probe mode thru RedirecMon)» ICECTLPMR (redirecmon configuramon bits) MSR available in probe mode» SMM_ENTER, SMM_EXIT, MC_ENTER, INIT, IR (interrupt)

Yeap, life was easy ;) Reset or PE=0 Real-Address Mode PE = 1 Reset or RSM SMI# Reset Protected Mode SMI# RSM System Management Mode VM = 0 VM = 1 Virtual-8086 Mode SMI# RSM

SMll missing a few we discussed

Now it is very clear

So9ware, so9ware, so9ware That gets even beher : How much of your hardware is actually so9ware? The exported ISA is not exactly the same behind the wheels What about ucode patches? (who here don t love cpu erratas?) Your ISA is translated to ucode, which has uinstrucmons that depend on the uarch (and parts of the process are bare metal)

So, there are any backdoors? Fair response (which I once heard but don t remember the author to give the proper credits): None that I m aware of (in my case I actually read the enmre mov implementamon) but if you ask me again next Troopers (I m sure you will not want to miss the next one a9er coming to this one, do you?) and I say I prefer to not comment, you might take your own conclusions ;)

The feeling about security?

TCB (Trusted CompuMng Base) I don t think considering vendor backdoors in Hardware by the big players should be in any TCB since: There are other (easier) ways to get access without involving a complex and difficult to hide and change hardware component LogisMcs intercepmon ExploiMng vulnerabilimes (at this point I believe everyone agree that giving the complexity, the number of issues published is *SUPER* small yeap, the teams at the companies are doing a good job, but smll)

What you can do to improve? Work on validamng your systems using FREE and WIDELY available technologies: TXT to get an image of what you have and compare with other companies that use different supply chains and are in different countries (this protects you against supply chain hijacks) Intel has a so9ware called MtWilson that helps you do that (it also integrates with VM- based environments to collect data on kernel components of it) - > Honestly, I don t even know what (if any) is the cost of it, but there are an open- source version (also made by Intel) [5] [5] hhps://github.com/openahestamon/

SuggesMon for a Project Maybe a nice project to have is to share integrity values around the world, like nowadays people starmng to share IOCs? Different BIOSes integrity values Different VMMs This helps everyone finding already compromised systems, force the manufactures to publish such informamon and avoids supply chains hijacks ;)

And what about the future? Pointer Lookout SDE (So9ware Development Emulator) [6] Patch already available on GCC [6] hhp://so9ware.intel.com/en- us/armcles/intel- so9ware- development- emulator SGX (So9ware Guard Extensions) [7] [8] Secure Enclaves [7] hhp://so9ware.intel.com/en- us/blogs/2013/09/26/protecmng- applicamon- secrets- with- intel- sgx [8] hhps://sites.google.com/site/haspworkshop2013/workshop- program

SGX and what it tries to solve App X OK X X Malicious App App Bad Code OS Attack Attack and apps from each other UNTIL a malicious attacker gains full privileges and then tampers with the OS or other apps Apps not protected from privileged code attacks

SGX details Very different architecture (compared to ARM s TrustZone): A Memory EncrypMon Engine (MEE) exists to encrypt memory data This protects a given memory region from hardware- based access Even with Intel privileged access, the keys are not exposed (they are erased if an unlock happens) OS is part of the TCB and thus seem as a malicious element

SGX Protected execumon environment embedded in a process. OS Enclave Enclave Blob (dll) App Data App Code SECS Enclave Code Enclave Data TCS (*n) With its own code and data Provide ConfidenMality Provide Integrity Controlled Entrypoints Supports mulm- threading With full access to app memory

SGX AHack Surface X Proxy App Proxy App Proxy App OS X VMM Hardware X Attack Surface today Attack Surface with SE

How SE Works: Protec5on vs. So9ware A;ack Application Untrusted Part of App Create Enclave CallTrusted Func. Call Gate Trusted Part of App Execute SSN: 999-84-2611 1. App is built with trusted and untrusted parts 2. App runs & creates enclave which is placed in trusted memory 3. Trusted function is called; code running inside enclave sees data in clear; external access to data is denied Other SW

How SE Works: Protec5on vs. So9ware A;ack Application Untrusted Part of App Create Enclave CallTrusted Func. (etc.) Call Gate Trusted Part of App Execute Return m8u3bcv#zp49q 1. App is built with trusted and untrusted parts 2. App runs & creates enclave which is placed in trusted memory 3. Trusted function is called; code running inside enclave sees data in clear; external access to data is denied 4. Function returns; enclave data remains in trusted memory Other SW

SGX - MEE CPU Package Cores Cache AMEX: 3234-134584- 26864 System Memory Jco3lks937weu0cwejpoi9987v80we Snoop Snoop 1. Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 3. Data and code outside CPU package is encrypted and integrity checked with replay protection 4. External memory reads and bus snoops see only encrypted data 5. Attempts to modify memory will be detected

Life Cycle of An Enclave Build Enclave Virtual Address Space Before Entering Enclave Code/Data Code/Data Code/Data ECREATE (Range) EADD (Copy Page) EEXTEND EINIT EENTER EEXIT EREMOVE 1. Application is launched by OS 2. Application calls SE driver to allocate enclave 3. Driver calls ECREATE to allocate SECS 4. Application calls SE driver to add enclave pages to EPC 5. Driver calls EADD to add pages to EPC 6. Driver calls EEXTEND to extend measurement with initial contents of pages 7. Application calls SE driver to initialize enclave, providing SIGSTRUCT and LICTOKEN 8. Driver calls EINIT with SIGSTRUCT and LICTOKEN 9. Application enters enclave with EENTER 10. Enclave returns control to the application with EEXIT 11. Upon application exit, driver reclaims EPC pages with EREMOVE

Example: Secure TransacMon Client Application Remote Pla`orm Enclave Intel 1 Authenticated Channel ü 2 1. Enclave built & measured against ISV s signed manifest 2. Enclave requests REPORT from HW 3. REPORT & ephemeral key sent to server & verified 4. A trusted channel is established with remote server 4 3

6 Example: Secure TransacMon ID Client Application Remote Pla`orm Secure Input Pla`orm SW Enclave 5 Enclave 1 Authenticated Channel 2 7 1. Enclave built & measured against ISV s signed manifest 2. Enclave requests REPORT from HW 3. REPORT & ephemeral key sent to server & verified 4. A trusted channel is established with remote server 5. A trusted channel is similarly established with secure input via the PSW enclave 6. User info sent securely to server 7. Application Key provisioned to enclave 4 3

6 Secure Input Pla`orm SW Enclave Example: Secure TransacMon 9 Client Application 8 5 Enclave 7 1 Authenticated Channel Remote Pla`orm 2 1. Enclave built & measured against ISV s signed manifest 2. Enclave requests REPORT from HW 3. REPORT & ephemeral key sent to server & verified 4. A trusted channel is established with remote server 5. A trusted channel is similarly established with secure input via the PSW enclave 6. User info sent securely to server 7. Application Key provisioned to enclave 8. Enclave requests the HW Enclave-platform Sealing Key 9. Application Key encrypted using Sealing Key & stored for successive sessions 4 3

SGX EPC: Decrypted code and data space with SE access control Located in system memory space ImplementaMon as stolen main memory (protected by MEE) Protected from SW by range registers Protected from HW by encrypmon and integrity protecmon EPCM: Provide meta data for each EPC page SE1 InstrucMons: 12 new operamons ECREATE, EADD, EEXTEND, EINIT, EENTER, EIRET, EEXIT, EREMOVE, EDBGRD, EDBGWR, EREPORT, EGETKEY 2 Opcodes: 1 privileged; 1 unprivileged

SGX Ring 0 InstrucMons EAX Leaf Func5on Descrip5on 0x0 ECREATE Sets up the inimal state environment, sets up the measurement, adds SECS page to EPC, measures ahributes and xsave mask 0x1 EADD Adds a page to the enclave. Page can be used as enclave control, applicamon data, code, stack, or heap 0x2 EINIT Verifies permit and marks the enclave ready to run 0x3 EREMOVE Removes pages from an enclave 0x4 EDBGRD Reads 8 bytes from a debug enclave 0x5 EDBGWR Writes 8 bytes to a debug enclave 0x6 EEXTEND Extends the measurement of the enclave with a measurement of an addimonal chunk of memory

SGX Ring 3 InstrucMons EAX Leaf Func5on Descrip5on 0x0 EREPORT Demonstrates cryptographically what was placed inside the enclave 0x1 EGETKEY Provides access to system secrets & user level keys 0x2 Transfers control to a predefined entry point EENTER within the enclave 0x3 EIRET Resume execumon from its interrupt / excepmon point 0x4 EEXIT Returns from the enclave to the applicamon

BIOS, ACPI, others Yes, huge code base! Lots of OEM capabilimes Already been exploited by three leher agencies Chipsec: hhps://github.com/chipsec/chipsec Recently announced in CanSecWest (past week?)

ISA Extensions? AES- NI AVX (SIMD) Nice to discover huge NOPs in older systems: 66 66 0F 1F 84 00 00 00 00 00

Conclusions Folks, I could just keep going but I believe I made my points clear, but just to reinforce them: Your computer is actually a network of computers, running lots of so9ware (Sergey Bratus and Langsec here at Troopers!) Modern architecture provides a way for you to generate a hardware ahestamon (TXT) and this is your way to protect against supply chain based ahacks (sorry NSA, but I m Brazilian) We need efforts on the community to use features that are already present and that solve many pla`orm- related problems: Central base for sharing known good ahestamons? So9ware to manage and gather ahestamon informamon in networks, comparing to known good states and previously saved ones (OpenAHestaMon?)

Thank You Rodrigo Rubira Branco (BSDaemon) rodrigo *nospam* kernelhacking.com hhps://twiher.com/bsdaemon BSDaemon

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information