34C3 - Public FPGA based DMA Attacking

Captions
Host: Hello again, and good evening for the last session on day three of the Congress. I'm really happy to see so many of you so late, interested in such a particular topic that might be really, really relevant for many in assessing our threat levels. So we will hear more about direct memory access attacks and how they're still possible nowadays, and Ulf Frisk is here to show you and to tell you more about what you should know about it. Thank you.

Ulf Frisk: Tonight we're going to talk about public FPGA-based direct memory access, DMA, attacking. My name is Ulf Frisk, and helping me with demos today I have Peter Norén. I will start by briefly going through some background and previous work that's been done in the area, then we'll jump straight into the actual DMA attacking. I will try to do a live demo in which we will transmit and receive PCI Express transaction layer packets; we will dump memory at speeds up to 75 megabytes per second. Then we'll have a look at the actual FPGA design that I created. After that we will go into some more advanced DMA attacking: we will attack a vulnerable vanilla Linux system and a vulnerable UEFI. If you manage to get into UEFI you might also be able to compromise Secure Boot, and then you can also compromise the not yet booted operating system, such as a Windows 10 system running virtualization-based security. And at the end we will have a look at some future hardware that I'm really excited about.

My name is Ulf Frisk. I'm employed in the financial sector in Stockholm, Sweden. I previously presented my work at the SEC-T conference in Stockholm and also at DEF CON in Las Vegas, and I'm the author of the PCILeech direct memory access attack toolkit. It has been a hobby project of mine since the start, and it still is. I also need to point out that I'm giving this talk as an individual; my employer is not involved in any way whatsoever.

I'm here today to present PCILeech FPGA. PCILeech FPGA is the combination of the Xilinx SP605 development board coupled with an FT601 USB 3 add-on board. The PCI Express generation 1, one-lane side goes into the target computer, or if you wish to call it the victim computer; the USB 3 side goes into the controller computer, or if you wish to call it the attacker computer. Once both sides are connected, the controller computer is able to send PCI Express transaction layer packets over USB onto the FPGA, which will then put them on PCI Express of the target system. We can also read PCI Express TLPs this way from the target system, and they will be forwarded on to the controller computer. The whole hardware setup as such is between five and six hundred dollars in total, and with it you will be able to do DMA to both 32-bit memory address space below 4 GB and 64-bit memory address space above 4 GB. You will be able to do DMA at around 75 megabytes per second. Everything that I created is totally open source, but I'm using some vendor proprietary blobs in there, unfortunately, so that's why the title of today's talk is "public" and not "open".

If I compare the SP605 FPGA solution with the earlier hardware I used for DMA attacks, the USB3380 chip: the USB3380 was sold out earlier this year, and the FPGA solution is a little bit more expensive, it's bulkier, it's also slower as is at the moment, but it's much more stable, and you will be able to do 64-bit memory addressing as well. That means that you're able to access memory above 4 GB as well as memory below 4 GB, and this is a huge difference compared to the old hardware, where we were only able to access memory below 4 GB.

DMA attacks have been around since pretty much forever. I think you all heard of Inception, an awesome FireWire DMA attacking tool; if you haven't used it or heard of it, please look it up. As a response to DMA attacks, and also as a response to the growing need for virtualization of devices, CPU vendors introduced the IOMMUs, or VT-d, around 2008 and onwards, and if the IOMMUs are used properly by the firmware and the operating systems, they should be able to protect fully against DMA attacks. As we'll see today, that's not always the case.

There's been lots of research in the DMA attacking space; I can't mention everyone here today. I thought I should mention Fernand Lone Sang's work with his IronHide from the academic area, which he used for his PhD thesis, and also snare and rzn did a really awesome Thunderbolt DMA attacking talk back in 2014, actually using the exact same hardware that I'm using here today, the SP605. And then just a couple of months ago Dmitry Nedospasov released what I know to be the first DMA attack focused FPGA bitstream into the public with his PCI Express do-it-yourself hacking toolkit. Dmitry also supported my work with PCILeech, and he also shared both the first binaries and some source code with me, and it really pushed me to actually get the SP605 from the start and get going here. So really huge thanks to Dmitry; without you I wouldn't be here. Thank you.

PCI Express is packet based. The packets are called transaction layer packets, or TLPs. They are DWORD based, 32-bit based. They usually consist of a header of between three and four DWORDs, and the TLPs come in different types, for example read memory, write memory, I/O, configuration, messages, completions and so on. Let's focus on the DMA TLPs here today, the memory read and write TLPs. The 64-bit write TLP is down on the left. It starts with which type of packet it is in the first DWORD, and then you also have the length of the data that you wish to write, in number of DWORDs. The second DWORD contains the requester ID, which is the bus number and device number of the actual device sending this TLP packet, and then, since we are doing a 64-bit write, which means that we're writing to 64-bit memory address space, we need to represent that address in two DWORDs, and then we have the data thereafter. When we do a write we just post this message onto PCI Express and we trust that it will get written; we won't get an acknowledgement back whether it was successful or not. When we are doing a read, the packet looks pretty much the same, except it's a different type, of course, since we are doing a read. Here we are doing a 32-bit memory read, and once you submit that one you need to wait a short while and you will receive one or more completion TLPs back containing the actual data that you read.

So let's do a demo. Let's transmit and receive PCI Express transaction layer packets, let's enumerate the memory and let's dump the memory. If we switch over to the hardware here: I have the FPGA board and I have a victim system here. So let's insert our ExpressCard to PCI Express adapter in the target computer and power on the FPGA. It's connected to my presenter computer via USB here. If we switch back to my presentation, here we have the hardware from a slightly different angle. Here we are trying to read something: we are going to read one DWORD from 64-bit memory address space, we are going to read from the address 4 GB exactly, this address here. See what happens here: we send the read TLP and we get a completion TLP back, and in the completion TLP the first three DWORDs are the header, and then we have the actual data that we read here. So let's do a write as well. Let's do a 64-bit memory write to the same address, let's do a two-DWORD-long write to the very same address with this data, and see if we can overwrite that previous data. So we send that TLP, and since we are doing a write we won't get any answer back, no completions or anything like that, but we can try to read the memory back to see what happened, if the write was successful. Let's try to read 30 DWORDs this time from the very same address. Here we see that we get the completions back in two different completions, and if you check in the beginning you see that the previously read data is now overwritten with our new data here.

We can also enumerate the memory of the target system. Since we don't know how much memory is in this computer we need to check it out, and we can do this by reading a tiny portion of every page that we are able to read and see how much memory there is in this computer. The physical memory address space in a modern-day computer is not one big contiguous chunk of memory: you have the physical memory in there, and you also have holes in memory in which there is nothing, you have memory-mapped PCI Express devices, and you can have unreadable memory such as system management mode memory as well. Here we see that the read seems to be failing after slightly more than 8 GB; this is probably an 8 GB system. So let's try to dump the memory. Dumping memory takes a while, so let's go back to the presentation.

These are all PCI Express form factors. We have the standard PCI Express card, as you all know. To the lower left you have the mini PCI Express that goes pretty much behind the back cover of laptops. You have the ExpressCard that I use here today. Thunderbolt also carries PCI Express; Thunderbolt 3 is most often combined with the USB-C connector nowadays. And then you have the different M.2 key form factors, for example M.2 key M, which is really common for NVMe drives.

Here is the actual FPGA design that I created. It's rather simplistic. You have a block that receives and transmits data over a 32-bit data connection from the USB 3 FT601 hardware, and then you have the Xilinx PCI Express core on the other side that handles the actual PCI Express communication. Everything in yellow here are Xilinx IP blocks, or IP cores, and they are not open source; it's vendor proprietary stuff. Everything in green here is stuff that I created, so it's totally open source and it's found on my GitHub. We receive some data over the USB connector, in the connection from the controller computer, and we actually receive some data and some metadata, because we need to know what kind of data we are receiving. If the data is part of a transaction layer packet, a TLP, we put it on a first-in-first-out queue, a FIFO, for TLPs; if it's some other kind of data, for example internal loopback data, we put it on an internal loopback FIFO, for example. If you put the TLPs, the data of the TLPs, on the TLP FIFO, we transmit it to the Xilinx PCI Express core and that one will take care of everything practical. We receive data, received TLPs, from the Xilinx PCI Express core as well, and since we have different FIFOs here that we wish to read data from, we need some merge logic here to merge it into a stream that we can send back to the controller computer. And actually everything like formatting of the TLPs is done in software on the controller computer, so this is a rather simplistic design, but it works.

So let's jump into some more advanced DMA attacking. Let's do a demo on that vulnerable vanilla Linux system. Let's locate and patch into the Linux kernel. Since Linux kernel version 4.8, I believe, the kernel is fully randomized in physical memory address space, which means that it's very likely that it will end up above the 4 GB limit, and here the FPGA hardware really shines compared to the older attack hardware that I used. So let's try to find the Linux kernel, patch into it, let's mount the file system and unlock the computer. So here we have the Linux computer, and we see that the memory dump was successful here. It's a little bit slower here today since I'm going through a USB hub, unfortunately, but the memory dump seems to have worked. If we switch to the FPGA here... okay, yeah, let's try to log on to this computer. Try to log on with the password of a single "a" here, and it's the wrong password; it cannot get into the Linux computer. So if we switch back to the presentation, we can insert a kernel module into the running Linux kernel. We try to locate the Linux kernel, and as we can see here today it's actually found below 4 GB; it happened to be randomized into that position, but it seems to be working anyway. Let's mount the live file system using the kernel module address here, and once the file system in there is mounted we can just click into it. Actually we have mounted the live memory as well. We can go into the /etc folder, locate the shadow file, which contains the password hashes of the users; you can just edit it in our favorite editor here, and here we have lots of user accounts with no hashes, and we have the user account that we want; this has a very long password hash here. And of course if you know the password hash you can try to crack it or something like that, but that's no fun; it's much easier to just delete it and replace it with something else, and then we hit save. Let's see if we can log on. If you switch back to the FPGA, try this single password of "a"... thank you. And so let's go back to the presentation.

If we go to the other computer here... we need to... if we can switch the camera to the other computer that is already set up for filming. You can also attack UEFI. Some UEFIs may protect themselves against DMA attacks; most UEFIs don't. If you are able to get into UEFI you might even compromise Secure Boot. Let's try to get into UEFI here today. Let's backdoor the ExitBootServices function that is called by the operating system loader once it wishes to take control of the system. Let's retrieve the memory map, the EFI memory map, and let's also patch the not yet booted Windows kernel that is loaded at this stage. And actually, what I'm doing here today, Dmitry has done some really awesome work in this area as well, so if you haven't checked out this stuff I really would like you to do that.

So if you switch to the camera, you can see this here. So here we have another system; we need to switch around the FPGA here, I think, cabling. So what we're doing: we are inserting the FPGA here in the not yet booted computer, and if we start it, we switch back to the presentation to connect to the device. Let's try to do it again... yeah, it works better this time; probably a bad connection. The computer is starting, and now the operating system loader called into the ExitBootServices function, which we hooked with our code; we dropped it there. We retrieve the UEFI memory map, or the EFI memory map, here, and once we are in this stage the Windows kernel is already in the memory, the normal NTOS kernel, the hypervisor is already in the memory and the secure kernel is already in the memory, but the Windows operating system is not yet booted, so it cannot protect itself against DMA attacks yet. So here we can actually patch into the Windows kernel. If you look at Windows virtualization-based security, it has something that we can enable that protects kernel code integrity with the help of the hypervisor and the secure kernel. With regard to evil devices that are trying to do DMA access to the memory: the hypervisor and the secure kernel memory, we have no access to that memory at all; normal executable pages in the normal Windows space, normal user space, normal kernel space, are marked as read-only with regard to DMA from evil devices, so we cannot touch that memory directly there; and normal non-executable pages are pretty much, as you would expect, read-write. And as I said, the kernel mode code integrity features are not yet enabled at this stage, where we are now, since the Windows operating system is not yet booted. So let's try to insert some code there and spawn a system shell. Here we located... we communicated with our UEFI module, we located the Windows kernel, and we located some code caves in there to put our code in. And now Windows is booting, enabling virtualization-based security; we cannot edit the kernel anymore, but our evil code is already in there, so we should be able to... let's try to log on to this computer. If you switch to the FPGA, here we have the Windows computer. I try to log on to that one using no password at all, and as you can see we couldn't log on. If you switch back to the presentation, let's change that. Let's spawn a system shell, as SYSTEM, and of course as SYSTEM we can remove the password of the user account, and then, if we switch back to the FPGA, we can try to log on, and we're in.

If you switch back to the presentation, we can also dump the memory of the Windows system. Here we see that we get lots of failed pages when we are dumping the memory; it's pages that are marked as not readable via the IOMMU, via VT-d. Windows protects primarily the hypervisor and secure kernel pages in memory; we cannot read those, but everything else, pretty much, we can.

PCILeech FPGA is open source, pretty much, at least the part I coded. It's found on GitHub, and I try to make it as easy to use as possible. You don't need any prior FPGA knowledge at all; you should just be able to flash it on this hardware and start DMA attacking. Unfortunately it's Windows only at the moment on the attacker PC; I have some Linux driver problems with the hardware I'm using here. I hope to resolve that quite soon. And what's even more exciting is that there seem to be lots of devices coming quite soon that will be able to do DMA attacks. For example there will be lots of... yeah, some devices will be really inexpensive, while some others will be a little bit more pricey, but still less pricey than the SP605 solution. One such example is a new hardware, the PCIeScreamer. It's a new hardware by Ramtin Amin. It's going to be easier to use, it's going to have a lower price tag than the SP605 solution, it's going to be more capable, PCI Express generation 2, and I plan to add support for this one sometime early 2018 here, so it's going to be really, really early next year, hopefully in the coming month.

To sum everything up: affordable FPGA DMA attacking is the reality of today. Physical access is still an issue. IOMMUs have been there in the hardware since forever, but might not always be used, and I hope I've shown you today that I believe there is more research to be done in this area, and hopefully my tools will be useful to everyone that is interested. Thank you.

Host: Thank you so much, Ulf. So everybody just saw that you should keep your devices always on your person. And we have questions. Microphone one, please.

Audience (microphone 1): Right now you're dumping memory and doing edits in memory and patching the kernel. Did you have the idea of, say, taking the reading and writing and driving it across a virtual machine which maps the other machine's memory into that virtual machine, so that you can, say, stop the processor, and the attack machine uses a virtual processor to do operations on the memory of the victim machine, where you can see what the program is doing in the emulator?

Ulf Frisk: I haven't gone into attacking with a virtual machine, some nasty stuff as well, but it's an interesting idea to be able to go into. I do have kernel access at the moment, so it should be possible, but this is a hobby project of mine; my time is a little bit limited here. The source is out there, so it would be awesome if someone could actually look into this. I think it might be quite useful.

Host: So we have a lot of questions here, also from the signal angel. It's actually not that many, just two: what prevents you from implementing the PCIe device without any proprietary stuff, and is the controller limited to Windows because of that proprietary stuff?

Ulf Frisk: On the Windows question: I believe I'll have it working on Linux quite soon, it's just a driver issue. I just haven't had the time to actually code it for Linux yet. I had a little bit of a problem with that driver, but it shouldn't be a problem really; I just need to find the time to actually do it. And the other question, with regard to... I'm quite new to FPGAs actually, so I just use the default tools that the Xilinx toolkit provides, and it should be possible to replace some elements with more open elements in this design as well, but I'm really an FPGA newbie; this was my first attempt at an FPGA, so it should be possible to do this as well.

Host: So you should talk to each other further. Microphone two, please.

Audience (microphone 2): I wonder if you can access the memory used by the Intel ME, the UMA, which is not accessible by the main CPU.

Ulf Frisk: No, this is off limits. It's going to be mapped away in the PCH, the platform controller hub, so I shouldn't be able to access it, and I cannot access system management mode memory either.

Host: Thank you. And the last question, microphone three.

Audience (microphone 3): You're using ThinkPads, as I've seen. Do any BIOS settings of those ThinkPads interfere with your DMA attack? For example, does disabling the ExpressCard slot really help, or disabling trusted power lines or something?

Ulf Frisk: Disabling the ExpressCard slot will help; then I can't get into the ExpressCard slot. But usually on laptops, if you unscrew the back cover, there is something like a Wi-Fi card or something like that in there, and that's probably going to be PCI Express as well, and maybe it's harder to disable that one.

Audience: If I may, the question before the last one, I can answer that: you can't replace some of the Xilinx cores, for example the PCI Express one, because that's so-called hard IP. I mean, that's really on-FPGA, non-changeable stuff.

Ulf Frisk: Yeah, yeah, hardware.

Audience: It's hardware, yeah, but I suppose the FIFOs shouldn't be a real problem.

Ulf Frisk: Thank you.

Host: Thank you. On microphone two, did you want to say something still? Okay, no. So thanks again, thank you Ulf, and somebody showed up at microphone one.

Audience (microphone 1): Yeah, I'm on, yeah. So regarding the hard IP: what these hard IPs normally implement is the physical interface to PCI Express, which is doing these transaction layer packets, but the actual DMA is usually done using an IP core which you load and which does these things. So usually it's the IP core which is proprietary and running on the hard IP for the PCIe physical layer, so you would probably need an open DMA IP core.

Ulf Frisk: Okay, yeah, thank you.

Host: Okay, so now we're done with all the questions. I guess you will have a lot of people surrounding you after the talk, to not speak into microphones, and, yeah, I wish you a great evening, and thanks again, Ulf Frisk.
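The TLP layout described in the talk (DWORD 0 with format, type and length; DWORD 1 with the requester ID; one or two address DWORDs; a data payload for posted writes; completions carrying the read data) and the page-by-page memory enumeration from the demo, as an added worked example in Python. This is not code from the talk or from PCILeech; it is an editor's model. Assumptions, marked in the code: the attacking device is bus 1, device 0, function 0; the root complex completes as 0:0.0; the target is a constructed stand-in with one 8 KB RAM region at 4 GB that answers every other address with an Unsupported Request completion, as an unreadable hole would; and reads are split at a 64-byte Read Completion Boundary, which is one way the demo's 30-DWORD read would come back as two completions (the talk does not say why it did). The helpers build the demo's three requests (one DWORD read at 4 GB, a two-DWORD write to the same address, a 30-DWORD read back), decode what comes back, and walk pages to find readable ranges.

```python
import struct

# TLP DWORD 0 fields: Fmt[31:29], Type[28:24], Length[9:0] (PCIe base spec)
FMT_3DW, FMT_4DW, FMT_3DW_DATA, FMT_4DW_DATA = 0b000, 0b001, 0b010, 0b011
TYPE_MEM, TYPE_CPL = 0b00000, 0b01010
CPL_SC, CPL_UR = 0, 1          # completion status: Successful / Unsupported Request

# Assumed for this example only: the attacking device is bus 1, device 0, function 0
# and the root complex completes as 0:0.0. Real IDs come from the target's enumeration.
ATTACKER_ID = (1 << 8) | (0 << 3) | 0
COMPLETER_ID = 0

def _dw0(fmt, typ, length_dw):
    if not 1 <= length_dw <= 1024:
        raise ValueError("length must be 1..1024 DWORDs")
    return (fmt << 29) | (typ << 24) | (length_dw & 0x3FF)    # 1024 is encoded as 0

def _dw1(length_dw, tag):
    # requester ID, tag, last/first byte enables; last BE must be 0 for a 1-DWORD request
    last_be = 0xF if length_dw > 1 else 0x0
    return (ATTACKER_ID << 16) | ((tag & 0xFF) << 8) | (last_be << 4) | 0xF

def _mem_header(fmt3, fmt4, addr, length_dw, tag):
    """3-DWORD header for addresses below 4 GB, 4-DWORD header (64-bit address) above."""
    if addr < 1 << 32:
        return struct.pack(">III", _dw0(fmt3, TYPE_MEM, length_dw), _dw1(length_dw, tag), addr & ~3)
    return struct.pack(">IIII", _dw0(fmt4, TYPE_MEM, length_dw), _dw1(length_dw, tag),
                       addr >> 32, addr & 0xFFFF_FFFC)

def mem_read_tlp(addr, length_dw, tag=0):
    """Memory Read request: header only; the data comes back later in completion TLPs."""
    return _mem_header(FMT_3DW, FMT_4DW, addr, length_dw, tag)

def mem_write_tlp(addr, data, tag=0):
    """Posted Memory Write: header plus payload; the target never acknowledges it."""
    if len(data) % 4:
        raise ValueError("payload must be a whole number of DWORDs")
    return _mem_header(FMT_3DW_DATA, FMT_4DW_DATA, addr, len(data) // 4, tag) + data

def parse_tlp(pkt):
    """Decode a memory request or a completion; the payload, if any, lands in 'data'."""
    dw0, dw1, dw2 = struct.unpack_from(">III", pkt)
    fmt, typ = dw0 >> 29, (dw0 >> 24) & 0x1F
    t = {"fmt": fmt, "type": typ, "length_dw": (dw0 & 0x3FF) or 1024,
         "has_data": bool(fmt & 2), "hdr_len": 16 if fmt & 1 else 12}
    if typ == TYPE_MEM:
        t["requester_id"], t["tag"] = dw1 >> 16, (dw1 >> 8) & 0xFF
        t["address"] = (dw2 << 32) | struct.unpack_from(">I", pkt, 12)[0] if fmt & 1 else dw2
    elif typ == TYPE_CPL:
        t["completer_id"], t["status"], t["byte_count"] = dw1 >> 16, (dw1 >> 13) & 7, dw1 & 0xFFF
        t["requester_id"], t["tag"], t["lower_address"] = dw2 >> 16, (dw2 >> 8) & 0xFF, dw2 & 0x7F
    t["data"] = pkt[t["hdr_len"]:t["hdr_len"] + 4 * t["length_dw"]] if t["has_data"] else b""
    return t

class FakeTarget:
    """Constructed stand-in for the victim's root complex (assumption, not real hardware):
    one RAM region answers reads and writes, everything else completes with Unsupported
    Request, like a hole or a DMA-protected page. Reads split at an assumed 64-byte RCB."""
    def __init__(self, base, size, rcb=64):
        self.base, self.ram, self.rcb = base, bytearray(size), rcb

    def _cpl(self, status, byte_count, req, lower_addr, data=b""):
        dw0 = _dw0(FMT_3DW_DATA if data else FMT_3DW, TYPE_CPL, max(1, len(data) // 4))
        dw1 = (COMPLETER_ID << 16) | (status << 13) | (byte_count & 0xFFF)
        dw2 = (req["requester_id"] << 16) | (req["tag"] << 8) | (lower_addr & 0x7F)
        return struct.pack(">III", dw0, dw1, dw2) + data

    def handle(self, pkt):
        """Completion TLPs the target emits for one request (an empty list for writes)."""
        req = parse_tlp(pkt)
        off, nbytes = req["address"] - self.base, 4 * req["length_dw"]
        if off < 0 or off + nbytes > len(self.ram):
            return [] if req["has_data"] else [self._cpl(CPL_UR, nbytes, req, req["address"])]
        if req["has_data"]:
            self.ram[off:off + nbytes] = req["data"]            # posted write, nothing replied
            return []
        cpls, pos = [], 0
        while pos < nbytes:                                     # one CplD per RCB-sized chunk
            addr = req["address"] + pos
            chunk = min(self.rcb - addr % self.rcb, nbytes - pos)
            cpls.append(self._cpl(CPL_SC, nbytes - pos, req, addr,
                                  bytes(self.ram[off + pos:off + pos + chunk])))
            pos += chunk
        return cpls

def dma_read(target, addr, length_dw):
    """Issue one read and stitch its completions together; None if the page is unreadable."""
    data, remaining = b"", 4 * length_dw
    for cpl in target.handle(mem_read_tlp(addr, length_dw)):
        c = parse_tlp(cpl)
        if c["status"] != CPL_SC or c["byte_count"] != remaining:   # byte count = bytes still owed
            return None
        data, remaining = data + c["data"], remaining - len(c["data"])
    return data if remaining == 0 else None

def dma_write(target, addr, data):
    target.handle(mem_write_tlp(addr, data))                     # nothing comes back to check

def enumerate_memory(target, start, end, page=4096):
    """Probe one DWORD per page and return the readable ranges, as in the demo's enumeration."""
    ranges, run_start = [], None
    for a in range(start, end, page):
        readable = dma_read(target, a, 1) is not None
        if readable and run_start is None:
            run_start = a
        elif not readable and run_start is not None:
            ranges.append((run_start, a))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, end))
    return ranges
```

On a real PCILeech setup the bytes from mem_read_tlp and mem_write_tlp are what the controller software ships over USB for the FPGA to put on the bus; the FakeTarget stands in for the target's root complex so the example runs offline. Note the asymmetry the talk points out: the write path returns nothing, so the only way to confirm it landed is the read-back, and an unreadable page shows up as a completion with a non-successful status rather than as missing data.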
Info
Channel: media.ccc.de
Views: 7,988
Rating: 4.884058 out of 5
Keywords: tuwat, leipzig, congress, chaos, 2017, Hardware & Making, Day 3, Saal Clarke, 34c3 ov, 34c3 eng, Ulf Frisk, 34c3
Id: XcEYkcwbRX8
Length: 31min 26sec (1886 seconds)
Published: Sun Dec 31 2017