stupid pcie tricks
play

Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014 whoami - PowerPoint PPT Presentation

Aug 21, 2022 •96 likes •1.06k views

Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014 whoami Electrical Engineering education with focus on CS and Infosec 8 years doing security research, speed debug, and tool development for CPUs Hardware Pen Testing of CPUs

  1. Stupid PCIe Tricks Joe FitzPatrick Breakpoint 2014

  2. whoami ● Electrical Engineering education with focus on CS and Infosec ● 8 years doing security research, speed debug, and tool development for CPUs ● Hardware Pen Testing of CPUs ● Security training for functional validators worldwide ● Software Exploitation via Hardware Joe FitzPatrick Exploits, AKA SExViaHEx @securelyfitz joefitz@securinghardware.com

  3. If Joe Fitz... Joe Sitz

  4. Disclaimer This is not academic-caliber research. Lots of this stuff has been done before. The difference is that I aim to show that PCIe attacks can be easier and cheaper than previously thought

  5. What is PCIe?

  6. PCIe is PCI!

  7. PCIe is NOT PCI! Photo by snikerdo http://en.wikipedia.org Foto tomada por Jorge González http://es.wikipedia.org

  8. Links and Lanes Diagram: PCIe 2.1 specification

  9. Hierarchy Diagram: PCIe 2.1 specification

  10. Switching and Routing Diagram: PCIe 2.1 specification

  11. Layers Diagram: PCIe 2.1 specification

  12. Configuration Space Diagram: PCIe 2.1 specification

  13. Configuration Space Diagram: PCIe 2.1 specification

  14. Configuration Space Diagram: PCIe 2.1 specification

  15. Configuration Space Diagram: PCIe 2.1 specification

  16. Configuration Space Diagram: PCIe 2.1 specification

  17. Enumeration Diagram: PCIe 2.1 specification

  18. Routing PCIe

  19. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe:

  20. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length

  21. The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length … that’s mostly it

  22. Routing PCIe System Board Traces 12 Inches Add-in Card Traces 3.5 inches Chip-to-Chip Routes 15 inches Follow these rules and your board might work. Break them and it might not.

  23. Routing PCIe Minimum PCIe: ● 2.5GHz TX ● 2.5GHz RX ● 100MHz Clock (optional)

  25. $ $ $ $ $

  26. Routing PCIe Cross-section of a USB 3.0 cable. Image courtesy of USB Implementers Forum

  27. PEXternalizer on github

  28. PEXternalizer on github

  29. PEXternalizer on github

  30. PEXternalizer on github

  32. mPEXternalizer on github

  33. POC || GTFO 0x05

  34. POC || GTFO 0x05

  35. POC || GTFO 0x05

  36. A brief history of DMA attacks

  37. Tribble

  38. Firewire Attacks

  40. Video Demo Slides SysCan ‘14

  41. PLX Technologies Buy one

  42. Thunderbolt

  43. Thunderbolt

  44. USB3380 Firmware

  45. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........

  46. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........

  47. USB3380 Firmware > xxd SLOTSCREAMER.bin 0000000: 5a00 0c00 2310 4970 0000 0000 e414 bc16 Z...#.Ip........ That’s all!

  49. Hardware http://www.hwtools.net/PLX.html

  50. Software tools used in preparing this presentation: ● plx’s flashing software ● pyusb + scripts ● inception_pci ● volatility for memory analysis

  51. Attack-side Software Quick ‘n’ dirty PCIe memory read/write with PyUSB

  52. More attack-side Software

  53. More attack-side Software # EQUALS: # # |-- Offset 0x00 # / # /\ |-patchoffset--------------->[b0 01] # 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f .. (byte offset) # ----------------------------------------------- # c6 0f 85 a0 b8 00 00 b8 ab 05 03 ff ef 01 00 00 .. (chunk of memory data) # ----------------------------------------------- # \______/ \___/ \______/ # \ \ \ # \ \ |-- Chunk 2 at internaloffset 0x05 # \ |-- Some data (ignore, don't match this) # |-- Chunk 1 at internaloffset 0x00 # \_____________________/ # \ # |-- Entire signature #

  54. More attack-side Software {'OS': 'Mac OS X 10.9', 'versions': ['10.9'], 'architectures': ['x64'], 'name': 'DirectoryService/OpenDirectory unlock/privilege escalation', 'notes': 'Overwrites the DoShadowHashAuth/ODRecordVerifyPassword return value. 'signatures': [{'offsets': [0x1e5], # 10.9 'chunks': [{'chunk': 0x4488e84883c4685b415c415d415e415f5d, 'internaloffset': 0x00, 'patch': 0x90b001, # nop; mov al,1; 'patchoffset': 0x00}]}]}]

  55. Attacking via PCIe

  57. MRd Find important values at known locations Take memory dumps for later analysis Example: Dump memory and use Volatility to analyze it

  58. Dump Analysis with Volatility dmesg log of the attack recovered from the memory dump of the victim

  59. Dump Analysis with Volatility names, pids, and uids for dumped processes

  60. Dump Analysis with Volatility extracted machine info the perfect amount of memory to dump!

  61. MWr Modify values at known locations Manipulate code!!! Example: Use Inception to modify lock screen checking, or drop a metasploit payload!

  62. Inception with Metasploit (W7sp1 POC only)

  63. IORd/IOWr Only for legacy devices (legacy means not thoroughly tested recently)

  64. CfgRd/CfgWr Interact with other PCI devices’ config spaces Yet another separate address space/different means of accessing hardware

  65. Msg/MsgD Messages send things like interrupts and vendor- defined configuration Many message types are very rarely used Example: Invisible Things Labs SNB VT-D

  66. Mitigations

  67. Bus Master Enable joefitz@linUX31a:~/Documents/pcie/SLOTSCREAMER/inception_pci$ lspci -vv | grep BusMaster Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+ Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+

  68. Access Control Services

  69. IOMMU

  70. Mitigating the Mitigations

  71. VID:PID ● Identifies device to the OS ● OS chooses which driver to load ● OS configures ACS, BME, etc… ● OS loads driver

  72. Default Drivers ● Some drivers are ‘class’ drivers (think USB MSC, etc...) ● Some device specific drivers might be installed by default (OSX) ● Drivers contain bugs ● Think facedancer for PCIE or Thunderbolt

  73. Early Boot ● IOMMU is not configured yet ● Neither is much else ● Wishlist: Volatility support for EFI shell

  74. Option ROM/EFI drivers ● Some devices have firmware that gets run at early boot ● Some systems block this (but usually for anti-competitive reasons, not security) ●

  75. Breaking the rules ● Spoof requesterID for posted transactions ● Well-timed spoofed requesterID for non- posted transactions ● Setting the ‘translated request’ bit

  76. Misconfigurations ● Everything is MMIO now - memory protections are essential ● Memory protections are not enough - need Cfg and IO protections as well - don’t forget about them ● Does installing a hypervisor change how your OS uses its IOMMU?

  77. Putting it all together

  78. Thunderbolt Diagram: Apple Thunderbolt Device Driver Programming Guide

  79. HALIBUTDUGOUT

  80. Sorry, Previous Speakers ALLOYVIPER

  81. Building ALLOYVIPER

  82. Building ALLOYVIPER

  83. Building ALLOYVIPER

  84. Building ALLOYVIPER

  85. Building ALLOYVIPER

  86. Building ALLOYVIPER

  87. Building ALLOYVIPER

  88. Building ALLOYVIPER

  89. MITMing

  90. ⇐ Thanks for the slides, snare & rzn

  91. ⇐ Thanks for the slides, snare & rzn

  92. Bypassing VT-d on Macbooks? ● VT-d is off at boot/reboot ● Broadcom Ethernet drivers crash the system ● System reboots - all the doors are open for a few moments No POC yet (I’ll GTFO soon…)

Recommend

Stupid Pluto Tricks with the ADALM-PLUTO FOSDEM 2018 ROBIN GETZ MICHAEL HENNERICH 02/04/2018

Stupid Pluto Tricks with the ADALM-PLUTO FOSDEM 2018 ROBIN GETZ MICHAEL HENNERICH 02/04/2018

Stupid Pluto Tricks with the ADALM-PLUTO FOSDEM 2018 ROBIN GETZ MICHAEL HENNERICH 02/04/2018 Agenda Analog Devices and Education Introduction to the ADALM-PLUTO Software support Libiio Supported applications Building

783 views • 35 slides
Better to LOOK stupid, than to BE stupid Fred Henry Williams Agile Prague, 2018 Never

Better to LOOK stupid, than to BE stupid Fred Henry Williams Agile Prague, 2018 Never

Better to LOOK stupid, than to BE stupid Fred Henry Williams Agile Prague, 2018 Never underestimate the power of human stupidity. Robert A. Heinlein (P.s. Many highly intelligent people are actually stupid) Epistemology the

343 views • 16 slides
PCI Express Rx-Tx-Protocol Solutions Customer Presentation December 13, 2013 Agenda PCIe

PCI Express Rx-Tx-Protocol Solutions Customer Presentation December 13, 2013 Agenda PCIe

PCI Express Rx-Tx-Protocol Solutions Customer Presentation December 13, 2013 Agenda PCIe Gen4 Update PCIe Gen3 Overview PCIe Gen3 Tx Solutions Tx Demo PCIe Gen3 Rx Solutions Rx Demo PCIe Gen3 Protocol

587 views • 48 slides
RESILIENCE lo Deli v er the bits, stupid. David Isenberg Rise of the Stupid

RESILIENCE lo Deli v er the bits, stupid. David Isenberg Rise of the Stupid

RESILIENCE lo Deli v er the bits, stupid. David Isenberg Rise of the Stupid Network HTTP email ftp telnet gopher TCP/IP HTTP URLs HTML WWW Ti e trick... is to make sure that each limited mechanical part of the web,

1k views • 66 slides
Its People, Stupid (People are stupid?) Andy Walker Success in software engineering is

Its People, Stupid (People are stupid?) Andy Walker Success in software engineering is

Its People, Stupid (People are stupid?) Andy Walker Success in software engineering is limited by your ability to influence, understand and work with other people. Three laws of humanity 1. People believe what they want to believe

922 views • 16 slides
Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid

Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid

The heart of the matter, part 2: Jesuss Stupid Disciples Mike Taylor Forest Community Church Sunday 5 May 2019 Stupid is a Bible word Stupid is a Bible word It occurs 17 times in the NLT. It occurs 17 times in the NLT.

815 views • 53 slides
S9709 Dynamic Sharing of f GPUs and IO IO in in a PCIe Network Hkon Kvale Stensland Senior

S9709 Dynamic Sharing of f GPUs and IO IO in in a PCIe Network Hkon Kvale Stensland Senior

S9709 Dynamic Sharing of f GPUs and IO IO in in a PCIe Network Hkon Kvale Stensland Senior Research Scientist / Associate Professor Simula Research Laboratory / University of Oslo Outline Motivation PCIe Overview

645 views • 36 slides
S7281: Device Lending: Dynamic Sharing of GPUs in a PCIe Cluster Jonas Markussen PhD student

S7281: Device Lending: Dynamic Sharing of GPUs in a PCIe Cluster Jonas Markussen PhD student

S7281: Device Lending: Dynamic Sharing of GPUs in a PCIe Cluster Jonas Markussen PhD student Simula Research Laboratory Outline Motivation PCIe Overview Non-Transparent Bridges Device Lending Distributed applications may need

571 views • 25 slides
Dual T1E1 Express (PCIe) Analysis & Emulation Boards 818 West Diamond Avenue - Third Floor,

Dual T1E1 Express (PCIe) Analysis & Emulation Boards 818 West Diamond Avenue - Third Floor,

Dual T1E1 Express (PCIe) Analysis & Emulation Boards 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com PCIe based Dual Express T1 E1

672 views • 22 slides
TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11 Tony Wasserka Meeting C ++ @ fail _ cluez 17 November 2018 WHO AM I ? WHO AM I ? Berlin - based consultant : Workflow optimization , Code

973 views • 24 slides
TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a proposed name for a co-operative can be reserved for 90 days before incorporation if you dont incorporate within 90 days, you cannot reserve

604 views • 38 slides
The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

W8 Concurrent Session Wednesday 11/12/2008 12:45 PM 2:15 PM The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks Presented by: Mike Cottmeyer VersionOne Presented at: Agile Development Practices

646 views • 60 slides
Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas

Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas

Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas AG The KISS principle. Herbstcampus 2010 Keep Persistence Simple, Stupid 2 Complexity Cost Functions (Lower) Cost (Higher) Complexity

211 views • 17 slides
AMBER 16 on V100s October 2017 PME-Cellulose_NPT on V100s PCIe 50 47.67 40 24.6X (Untuned on

AMBER 16 on V100s October 2017 PME-Cellulose_NPT on V100s PCIe 50 47.67 40 24.6X (Untuned on

AMBER 16 on V100s October 2017 PME-Cellulose_NPT on V100s PCIe 50 47.67 40 24.6X (Untuned on Volta) Running AMBER version 16.8 30 ns/day The blue node contains Dual Intel Xeon E5-2690 v4@2.6GHz [3.5GHz Turbo] (Broadwell) CPUs 20 The

590 views • 26 slides
AMBER 16 on P100s February 2017 PME-Cellulose_NPT on P100s PCIe 40 PME-Cellulose_NPT 35

AMBER 16 on P100s February 2017 PME-Cellulose_NPT on P100s PCIe 40 PME-Cellulose_NPT 35

AMBER 16 on P100s February 2017 PME-Cellulose_NPT on P100s PCIe 40 PME-Cellulose_NPT 35 Running AMBER version 16.3 30.00 30 The blue node contains Dual Intel Xeon E5-2699 v4@2.2GHz [3.6GHz Turbo] 25 12.8X ns/day 21.85 (Broadwell) CPUs

426 views • 20 slides
Understanding PCIe performance for end host networking Rolf Neugebauer , Gianni Antichi, Jos

Understanding PCIe performance for end host networking Rolf Neugebauer , Gianni Antichi, Jos

Understanding PCIe performance for end host networking Rolf Neugebauer , Gianni Antichi, Jos Fernando Zazo, Yury Audzevich, Sergio Lpez-Buedo, Andrew W. Moore 1 The idea of end hosts participating in the implementation of network

451 views • 26 slides
Its the economy stupid! (and it doesnt have to be this way!) October 28, 2011 Alameda, CA

Its the economy stupid! (and it doesnt have to be this way!) October 28, 2011 Alameda, CA

Its the economy stupid! (and it doesnt have to be this way!) October 28, 2011 Alameda, CA Sylvia A. Allegretto, PhD Center on Wage & Employment Dynamics University of California, Berkeley The critical role of unions Unions

540 views • 37 slides
Embedded Systems Programming PCIe An Introduction (Module 11) Yann-Hang Lee Arizona State

Embedded Systems Programming PCIe An Introduction (Module 11) Yann-Hang Lee Arizona State

Embedded Systems Programming PCIe An Introduction (Module 11) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU PCI Challenges Limited

804 views • 11 slides
Who am I? @wrussell1999 Who am I? Ive got a track record for making stupid Discord bots that

Who am I? @wrussell1999 Who am I? Ive got a track record for making stupid Discord bots that

Who am I? @wrussell1999 Who am I? Ive got a track record for making stupid Discord bots that give all my friends and peers amusement. However, now apparently I make them for events too! Ive made the announcement bot and selfie bot (which

164 views • 13 slides
VASP 5.4.1 February 2017 Interface on P100s PCIe 0.00500 Interface Running VASP version 5.4.1

VASP 5.4.1 February 2017 Interface on P100s PCIe 0.00500 Interface Running VASP version 5.4.1

VASP 5.4.1 February 2017 Interface on P100s PCIe 0.00500 Interface Running VASP version 5.4.1 0.00450 0.00434 The blue node contains Dual Intel Xeon E5-2699 v4@2.2GHz [3.6GHz Turbo] 0.00400 2.5X (Broadwell) CPUs 0.00359 0.00350 2.1X

451 views • 17 slides
How do we Engage with our Dublin Customers? It is all about Content, Stupid! The 98FM

How do we Engage with our Dublin Customers? It is all about Content, Stupid! The 98FM

How do we Engage with our Dublin Customers? It is all about Content, Stupid! The 98FM Experience. Keith McCormack, CEO of 98FM How do we attract a new generation of Dublin listeners in the social and visual world Changes in Media

598 views • 33 slides
TONE IN MIDDLE SCHOOL Mandy Burton If you are not willing to look stupid, nothing great

TONE IN MIDDLE SCHOOL Mandy Burton If you are not willing to look stupid, nothing great

TONE IN MIDDLE SCHOOL Mandy Burton If you are not willing to look stupid, nothing great will ever happen to you. -Dr. Gregory House BUT FIRST, TONE Intonation Blend Balance BREATHING Start with students, before horns

297 views • 11 slides
I ts the A-box, stupid! (free after Carvill/ Clinton) Frank van Harmelen Vrije Universiteit

I ts the A-box, stupid! (free after Carvill/ Clinton) Frank van Harmelen Vrije Universiteit

I ts the A-box, stupid! (free after Carvill/ Clinton) Frank van Harmelen Vrije Universiteit Amsterdam Creative Commons License: allowed to share & remix, but must attribute & non-commercial Semantic Web News Headlines toxic

794 views • 43 slides
Lets Stop Making People Feel Stupid @ClareSudbery, ThoughtWorks FEEDBACK CLOSE YOUR EYES

Lets Stop Making People Feel Stupid @ClareSudbery, ThoughtWorks FEEDBACK CLOSE YOUR EYES

Lets Stop Making People Feel Stupid @ClareSudbery, ThoughtWorks FEEDBACK CLOSE YOUR EYES Making People Feel Stupid What does this mean? Elitism: What impact does it have? Impact on the industry? US: There will be an estimated 1

323 views • 29 slides

More recommend