A couple of guys are here. I want to stand in front of you and talk about the PCI Express. Joe and Miles, give them a round of applause. ( Applause )

>> Hey, how's it going? Okay, who here went to Mike Ossmann's RF Retroreflectors NSA Playset talk? Okay, who went to Josh Datko and Teddy Reed's I2C implant talk? Who went to Dean and Loki's GSM talk? Okay. Who here bought any NSA Playset kit from Vendor Village? You don't have to say if your employer sent you to buy one for research purposes, you know. So this is Stupid PCIe Tricks featuring NSA Playset PCIe. It didn't really start out as an NSA Playset talk, but it fits right in because this is a capability that they've got to have. It's got to be on one of the pages rejected or missing. I'm Joe FitzPatrick. I have an electrical engineering education with focus on CS and infosec. I spent eight years doing security research, silicon debug and tool development for CPUs, including hardware pen testing of CPUs and security training for functional validators worldwide. I also teach a really cool class, software exploitation via hardware hacking, aka SEx via HEx, so if any of you are interested, you should Google for that. It's somewhat safe. It's work safe. And our mandatory meeting, "if Joe Fitz, he sitz". If you missed the hot tub at Toorcamp, you should go next time. It runs in two years.
>> I'm Miles Crabill, I'm a current student and hardware newbie, but interested in computer science, and I met up with Joe last year and have been working with him the last couple months on this NSA Playset PCIe stuff. I didn't come in with much hardware experience and I've pretty much been learning as I went. It's been a great time. So I couldn't show this, of course.

>> Miles has been great because he makes it all look presentable. I'm a hardware guy and not a coder. So a slight disclaimer, I didn't do really good research, I didn't cite a lot of people, but there are tons of people who have done PCIe work and other stuff, so the difference is, in line with the NSA Playset goals, we try to make it accessible and inexpensive. We want any 10 year olds to start doing DMA attacks and memory dumps and lock screen bypasses. Miles will give us the run-down of what the heck is PCIe, because even though you might know it, you may not know the next layer in detail.

>> Okay. So what is PCIe? Well, the answer is that PCIe is PCI Express, extending on this old specification. It's been around forever. It's for fast IO, right? If you have a video card or something like that, network card, sound card, anything really that goes in an extension slot, it'll probably be on your motherboard. Whether you're on a laptop or desktop, most modern computers use PCI, and so this is how you get fast stuff going on at the hardware level. So there are also things that don't match up. As you see here, they don't look exactly the same. However, PCIe is backwards compatible with PCI and PCI-X. On the lower level you have packets that are being transmitted across lanes, and so a lane is four wires. When you see on a PCI card something like x4 or x16, that's the number of lanes, and it corresponds to throughput, so the amount of data you're able to transfer. Most video cards use x16, because they're transferring a lot of data. PCI enables DMA access. So, PCI hierarchy. The root complex is the highest node in the hierarchy and pretty much everything else descends from there. You see the switch connected to the root complex, and PCI devices will connect to the switch, and other PCI devices can be connected to other PCI devices, so you get a whole mess when you try enumerating this stuff. So, switching. This is the inside of the switch. From the upstream you have the bus, and then you have these virtual PCI-to-PCI bridges, and then these actually interface with the real devices that you have connected, the real PCI devices. So the layers of PCI, building up from the bottom: you have RX/TX on the physical layer of things, the logical side and electrical side, data link, and then up to the transaction layer where you're actually working with packets. I don't know how well you can see this, but this is the actual PCI spec stuff; at the top, like device ID and vendor ID, is how you would identify a device. So diving into that we have lspci output, just checking out a specific device. You can see this highlighted area is the vendor ID of the device, and so this is how you would check the manufacturer. They all have codes associated, and then this would be the device ID, so this is like per a specific product or family of products. Then the revision, so you can see that all of this is just right in these bytes that you can access through lspci. And this is your class. Device class. Yes. So you can see that this is a PCI bridge, that's 0604. It's just the code that's assigned to this type of device. And so enumeration, as I said before, it gets pretty messy because it's depth-first traversal of the tree hierarchy, and everything like switches and PCI-to-PCI bridges show up multiple times. And so any kind of lspci -v output is just a headache to look at. It's huge. So ‑ ‑

>> Okay. I'm back on.
Routing PCIe. So we talked a little bit about what PCIe is from a conceptual level. The fundamental difference is PCI was 32 bits in parallel, a big flat parallel bus with multiple devices sitting on it. PCI Express is this high-speed serial with differential signaling. When you route high-speed signaling and high-speed differential signals you have some rules to follow, okay? If you wanted to make your own PCI Express device, you have to follow the step-by-step, complicated, mandatory and inflexible rules to routing PCIe. For every single one of these. Number one, route your pairs at roughly equal length. That's pretty much it. They made this spec to make it easier for designing boards, because routing 32 lines in parallel along with the clock, they have to be equal lengths. That's a pain in the ass. They said okay, we'll do each pair on its own, TX pair and RX pair, and as long as each pair is the same length, the next line over can be a different length, the next line over can be a different length, which works well when you have a long card. It doesn't matter. All of that is taken care of by the physical layer of PCIe. There's some specs, right? You have to have board traces at 12 inches or less, cards are supposed to be 13 1/2 total, 2 chips on one board supposed to be 15 inches. And if you follow the rules, your board might work. If you don't follow these rules, it might still work. So PCI Express 1x, the lowest common denominator, is 2.5GHz TX, 2.5GHz RX and 100MHz clock. That is a common clock and that's actually optional. The device can actually generate its own clock. It depends on the system and device. You can do it with the clock. But we'll throw it in there, just for, you know, because we have room. If we wanted to make a cable to connect this, what do we need? We need something that can do high-speed, and PCI Express actually specifies external cabling, and it's really expensive. I don't like expensive things, because I'm cheap. This is a cross-section of the USB 3 cable. If you look inside, you've got the red and the black are ground and VCC, and the green and white are your old school USB, USB 2.0 wires, right? Those are designed to go up to 240 megabytes, right? That's what USB megabyte was and that's plenty to carry our clock. You have the two level pockets, the red, blue, and the purple and orange, and those hold the high speed lanes and those go at 5 gigahertz. Right? So we have this cable, we can get them for a couple of bucks at pretty much any store and they carry exactly what we need, they carry 5 gigahertz, 5GHz and 500MHz. That's actually more than we need. I threw together this little PCB. It looks like a PCIe card. There's a dotted line in the middle. That's because I'm cheap again. And you can get a 5x5 cm board for one price and I wanted two boards, but I didn't want to have to pay for two boards, so I put them on the same board. Cut them in half if you want or use as is. You can see those red and blue lines, those are the top and bottom layers where I just connect the wires together, and I actually did a really bad job of this. You can do your own production stuff, do your own. You can actually buy these premade from several manufacturers on eBay and AliExpress and other places in China, but that's no fun. So I made my own. This is what the board looks like, and I have the cool silkscreen, solder mask, silver lettering, because that's really important when you make a PCB, to have your logo on there. I call it PEXternalizer. There's the board cut in half at the other end and assembled on the populated board. There's a 1x PCI Express socket up there and the end looks kind of munged up and molten, that's because I just got my soldering iron and ran through that to open it up so I could put an x16 card in. Here's a quick screenshot basically. This PCI Express wireless adapter in, and it's connected and running, and I can connect to wireless networks. That's all well and good, but that's old news. What else can we do? What devices can we add PCI Express to that don't generally have it? Have you seen this? Intel Galileo. It's an Arduino board, but it actually has a mini PCIe slot on the back. What can you do with that? It's supposed to only work with WiFi adapters, but that's no fun. Anybody can put a WiFi adapter in an Arduino. Yeah, make lights flash. Oh, I'm not wearing that shirt. Oops. Makers make lights flash. Hackers make other people's lights flash. I made another version of the board, a mini-PCIe version. I'll show you pictures. We'll look over. I'll actually show you. Oh, whoa. So we've got here a nice ‑ ‑ oh, there. It's upside down, graphics card backwards. We've got our Intel Galileo and flip on the other side we have the mini PCIe card with the USB header. Again it's a USB header, it's just a USB header and cable because they're cheap. On the other end I have the populated thingy-do which has a little power regulator on the end. We don't have the power supply and cables and extra VGA to hook it up and show you, but basically we plug ‑ ‑ stay still. I'm looking at the screen. Whoo! Anybody sick yet? Pop it in the slot.

>> Oh, gosh.

>> There we go. So you got that, right? You got it. There we go. You have more than 12 inches. Yeah. Do you think it still works? Yeah, it still works. And so here's a screenshot. Whoa, here we go. Actually when we tried it out, we used a bigger graphics card because bigger is better, right? So we wired them up, PCIe, that tiny Arduino and that nice big burly graphics card hovering over it, and if we hook it up and we look, I had to do a little bit of custom building of that, which is annoying because of the software, and I hate software. If you do all this PCIe, same tools as before. It's on the Galileo board already. You see a whole bunch of 8086, 8086, 8086. Anybody know whose vendor ID that is? All the way down at the bottom is the 10de. Who do you think that might be? Nvidia. So, ya know. Sneak it in there and put Nvidia in bed with Intel a little longer. Here we go. I hooked it up to my full HD display, to say, hey, I have X running. There's no keyboard input or anything like that, but at this point it's a software problem and I'm a hardware guy. It's someone else's problem, right? So let's move on. The other device I played around with, and I don't have it here to show off, is not fully working yet. This is a Pogoplug. It's a network storage device. It has an Ethernet port and USB port and you plug it in. It shares it with the whole world. It doesn't tell you about that part. If we look at two versions of the Pogoplug, the cheap and expensive one, the big difference in the upper left corner is an extra chip that's a USB 3 chip. You want USB 3 on your very slow network storage device. The way it's connected is PCI Express. If you see on this one, the purple wires on the left hand side, those are my PCI Express lanes. I have TX and RX pairs and then I've got a clock line. I took it with my phone through my magnifying glass, but you see on the left we have a couple tiny little resistors that have it over it. Can you see it? You can't? Oh, no. You can. So you see right there, there's a couple resistors because the resistance loaders, you have to put on the clock lines, and over here they're still very small, but you see that little brown spot right there and there? Those are capacitors that are soldered to the tip of the USB connector and then the wire is soldered to the other edge side. It looks pretty fancy. But a year and a half ago I sucked at soldering and still do. You find a friend who can do it. Thanks, Kenny. He's not here, but you know. Those of you who know Kenny, he does good work. Again, that goes out to a USB connector, which is the same pinout as this chain again. So my plan there is to get it working and see if I can compile those drivers for ARM instead. So introducing SLOTSCREAMER. This is where we get into the NSA Playset side of things. It reset our timer. Oh, it's 2:16. We're good.
Introducing SLOTSCREAMER, it's in all caps because it's cool to have things in all caps. I've had some critiquing because the name sounds too good, it's not random and silly enough for NSA Playset because it actually is a device that goes in a slot. I apologize. Again, I mentioned before I didn't do a lot of research or citation, but I was at Black Hat and I saw this awesome slide which was from Stephen Weis talking about protecting data in-use from firmware and physical attacks, which is kind of what we're about to do. I figured I'd throw his slide in here. Thank you to all of these people for all the work they have done, because I wouldn't have done this if it wasn't done before me, including all the citations. So it's also really cool to go into someone else's talk and see my name on it. Whoo. This is my first time talking at DEF CON. ( Applause )

>> It's Miles' first time, too. I'm glad we could have our first time together, Miles. ( Applause )

>> A lot of people are playing with this, doing these PCI Express attacks, but a lot of them are using FPGAs. FPGAs are expensive and they're difficult and they're hard and you have to download like 28 bytes of software to get them working. Which, who cares about that software stuff. So I looked around and found this cool little ASIC. It's a PLX Technology USB3380, it's a PCI-to-USB bridge that works. It's a USB device port. You can plug it into your system and load drivers and make it look like a mass storage controller. You can use this configured differently and make a PCI Express device work over the USB. You can have an attached graphics adapter, right? Right? This is a block diagram, one side you have PCI Express, the other side you have USB. That's all there is to it. You know, every chip that is configurable is configurable in ways they didn't intend, so that's what I did. They have this PCI OUT endpoint. An endpoint is something that shows up from USB, so from USB ‑ ‑ I'm going really fast, aren't I? Am I going too fast? I apologize.

>> We have a lot of slides.

>> We're on 49 of 92.
Okay. We're actually going a little fast. Let's slow down. PCI OUT. Okay. It's actually good, because I thought we wouldn't have enough time, and I was going to tell them to go away. Since he came at the right time. How is it going?

>> Good.

>> What's all this?

>> We heard this track was going a little bit fast, so we thought we would mellow it out a bit. That's why we're here. How are they doing? ( Cheers and applause )

>> I guess they really want you to slow down. The slides are a bit of an eye chart, although when you had the picture of the device up, the board, I got the detail on that.

>> All right. New speakers to DEF CON.

>> Cheers. ( Applause )

>> I did that for all of you. Hold on. Thank you. Can I continue now? PCI OUT endpoint. This shows up on the USB side of things, right? This is a packet format. We need to write a bunch of bytes for USB, so this guy actually fills out what's called a PCI master control register and the PCI master address register. What happens is when these registers get filled up, the chip, this guy, receives the data from the USB side. He takes it into his little hardware stuff. Don't worry about it, it's hardware. You guys wouldn't understand. And he generates a PCI Express packet, which goes out over PCI Express to the root complex, the root complex processes it, does whatever you want or whatever you told it to, and sends back a response. Once we enabled it, so this comes out of the spec, sorry for the eye chart, if we look down here we have this little endpoint enable bit. So you'd think something silly like this would be off by default. But look, actually, oh, Others = 1, it's on by default. How convenient. This makes sense because if you look at the drivers for this device, the standard Linux drivers for USB gadget devices, which lets you use it as a device port so you can turn your computer into a mass storage controller, they have this little section where they explicitly disable these dedicated endpoints. And I think in another kernel version they have like, for security reasons, we need to disable these endpoints, which is great. I like when I see things like that in documentation. I talked to PLX service engineers asking about this. We don't do that. That's not what it's for. We can try it and see if it works. Didn't really say what would happen if I turned it on in this mode, but I heart undefined behavior. Is that sticker still on there? At least it's not on my shirt. Thank you, Mike, for the shirt. Anyway. So let's enable it. We're still not going too fast. I showed you the three registers here. If we look inside, this is the PCI master control register. Basically what we do is we need to write bits that will end up in here and do these things that it says, and these bits 5 to 4, two bits, we can basically say, do a memory read and memory write, or an IO read, an IO write, or config read or config write, or PCI Express message. Let me explain for a second what each of these are. Memory read/memory write is exactly that. PCI Express devices need to have the memory mapped so they can read and write to buffers in the main memory. So if you want to read some memory, we can do that. If we want to write to memory, we can do that. IO read and write, really nobody uses this anymore, it's all legacy stuff, but we might as well try it because all of the legacy stuff wasn't tested as well as all of the new stuff. Configuration read and write, those are when we are actually directly accessing PCI Express devices. So when you enable things on the graphics card you do a configuration write to a bunch of registers on the card. That's what maps to the table of class codes and stuff Miles talked about briefly before. Another eye chart. This is all well and good, but we need to have this device just work. We want to plug it in a socket and have it do stuff. We don't want it to deal with loading drivers, because who is going to load drivers to a fax machine? No one clicks on silly things, right? So we can modify the firmware. Basically there's a little chip on the PLX board. Where is my board? That will hold configuration data, and when the chip turns on and powers up, it will read this data and set the registers right. You think, okay, a lot of work put into this custom firmware that I made, I've been talking all about it, you think I did a lot of work? I'm lazy. It's these. How many bytes is that? That's it. That's the content of the EEPROM. To decode it for you, for those that speak xxd: basically I have two registers I wrote to. The first register, that 497000049, right, that's the content of what ports to a register, and I slap the bit to enable USB. When the device turns on, first thing it does is enable USB. Second thing I do is this E414BC16. That's the vendor ID and device ID of the Broadcom Secure Digital card reader. Because it's a Secure Digital card reader, everyone trusts them. If I tell them I'm one of them, they'll turn everything on. They'll turn on bus master even if they don't need to. That's pretty much all that I did to configure this chip to make it do my bidding. So let's attack the PCIe.

>> So as Joe said, who wants to load a driver? We have this whole category of target side software where we have to make sure the target has all the stuff we need to get the attack rolling, but no, no, nothing. So on the attacker side, we actually do have some stuff. So what we do is use PyUSB, which is a nice Python library for interacting with devices over USB, to interact with the PCI endpoints on the SLOTSCREAMER, the USB3380. So this is just a little snippet of code showing a dirty PCI memory read and write via PyUSB. At the top you see read, where we're actually making a packet to send, and you can see this 0xCF, and the F denotes the read, and down at the bottom here you see the 4F means that it's a write, and so now we have a demo.

>> Well you ‑ ‑

>> So you do the whole switches of screens here. Basically we have this little device here. It's a NUC. Intel makes them, they're tiny and they compute. We hook up this device to a little board. It's upside-down.

>> Oh, no. It's still on my screen.

>> I stepped on the power strip. You flaky power strip. I saw the light. There we go. I have to reboot my NUC. Luckily it boots fast. Oh. I'm sorry. Please. I won't step on it again. I promise. What time is it? 2:27. Are you ready? No. We need to unplug and play it. That's not it. That is it. You just need to mirror your screens. I didn't recognize the picture. It's not my desktop. I never got around to changing the default desktop anyway. That's my fault. There you go. There we go. Patience, patience. So I'm using Python, and I'll stay away from the power strip. I'll step back from here. Can you see that? It's backwards, isn't it?

>> Yeah.

>> I'm sorry. It's a crypto challenge. So what I'm going to do is basically I wrote this little sampler in init PCI and I'm going to hit enter and it actually worked. Whoohoo! So it initialized the link from this PC to the hacker's hack device over PCI. It found two endpoints, 0x0e and 0x0e out. Those actually line up to what I showed you on the chart before. I'm sure you all wrote those down. Then I'm going to read PCI, and so I give it an address and how many bytes to read, and right there I just get a whole bunch of, it's Python software you see, Fs and 0s and Bs and some strings and stuff. So yeah, I just read memory. This is off of this guy on PCI. Whoo. It's not the greatest demo, but you know, we're getting there. All right.

>> Okay. And so how many of you have heard of Inception, not the movie? That's a few. There's a cool utility that Carsten wrote that exploits the DMA features of FireWire to basically patch some ‑ ‑ you might see here there's some selections that you can choose to target with signatures. So it can identify, based on the signatures, certain operating systems and inject code into it, bringing it up. For example the OS X one makes all passwords nothing. So what we have instead of Inception, we have into PCIe, which is an extension that we're ‑ ‑

>> It's an anagram.

>> I didn't know that. Yeah, so, we extended Inception to PCIe and we're still working on it. Ironing out bugs and that kind of thing, but that's the goal.

>> This is right from Carsten's documentation. What we're doing is hopping through memory and looking for the page that contains whatever authentication or password. You did a whole process up in the password. Yes, you got it right, and no, you didn't at the very end. It has a signature, which is listed as a chunk of memory data. It looks for that signature at a certain offset in every 4k page. So it doesn't matter if you have ASLR or anything, within a 4k page it always ends up the same spot. Then you go and patch it, and the patch goes to offset. Basically just change the jump to a nop or something like that. You bypass, so when you type in blah, blah, blah, enter, no matter what blah, blah, blah is, it lets you bypass the locked screen. ( Applause )

>> We didn't do the work there. Other people have been doing the spyware stuff for a long time. Don't clap. We just imported it into this PCI Express interface, which is great because you don't require drivers. FireWire requires that the host OS installs drivers, and you're supposed to talk about this later on.

>> So you see here the chunk, which is actually the signature that you're trying to look for, to identify in this case OS X 2.9. So earlier this week Joe and I were in a hotel room taking dumps together. As you can see from this little highlighted into PCIe business and all of the SLOTSCREAMERs on the desk. I decided after taking all those dumps, Jason stool analysis, you've heard of Volatility, it's a cool analysis framework, so this is the dmesg log of the attack straight off of the victim. You can see my Solarized color scheme there. So at the top you can see the Thunderbolt first being recognized when plugged in, and then some PCI configuration going on. And I decided, hey SHTHS, why not do more analysis, because the utility has all these nice scripts? This is just another dump. This is a Mac that we're dumping, apple dot something, something, something. And various other ‑ ‑

>> I was looking around for the files, and I find some of Miles' cookies in his dumps.

>> Here you can see, I don't know if it's major version or minor version what it means, but I'm running 10.9.4.6 OS X. I had the perfect amount of memory, 4 gigs, on this machine, not for not actually using things, because these kind of attacks are a little limited because PCIe is at 32 bit addresses and so we can't actually go over the 4 gig threshold. However, if you know what you're doing, 4 gigs is for our assessment.
You know what Thunderbolt is. It's fun stuff. It's basically PCI Express out of your system. Kind of that whole USB crap, but without the sketchy boards and stuff. When you have Thunderbolt, you have two chips, and it's straight from the Thunderbolt device programming guide, and you have a chip inside your Macintosh and you have a chip on your device. The chip takes PCI Express in, DisplayPort in, and they crunch it together into some other physical layer, really fast, to transport mechanism, and the other side extracts what it needs to, right? You can also even pass the stuff through. You can connect a DisplayPort to something else, daisy chained along the end, or fun stuff like that. Of course, we try to plug our device into the PCI Express Thunderbolt enclosure, and in line with the NSA Playset, we decided to give that a new name. So HALIBUTDUGOUT is the SLOTSCREAMER when inserted into a Thunderbolt enclosure. And you'll see the little logo for Great Scott Gadgets, he's awesome, he sent me a bunch of hardware when he heard what I was working on and that kind of motivated me to keep working on this. Thank you, Mike. So I'm forgetting what's next. In my mind there's a gap here. Again, we talk about DMA. People have showed off the DMA for a long time and they're inaccessible, they didn't give full disclosure on exactly how to do it all or the code for the FPGA or anything like that. So in line with the NSA Playset, there's a little page, click on there. We have all of the utilities and firmware available for you to download and do this yourself. The hardware itself is this ‑ ‑ right now I'm using a reference board, and you don't even have to solder to make it work, right? You buy the reference board from a sketchy company in China, hwtools.net. I sent thousands of dollars and they sent me cards and they're pretty reliable. And I've talked to their tech support a few times. They're pretty good with that. That's a device on there. It's got the chip on there. Instead of that, there's a little bit of hardware hacking. You have to find a jumper. Do you remember what jumpers are? You have to put it over the first set of pins to connect the EEPROM with that chip right there. And then you have to go and flash it yourself. We sold a bunch of these in the vendor area yesterday all preflashed and ready to go for all of you who want to go back to the undisclosed employers to show off what you learned at DEF CON. All the software is on the NSA Playset GitHub. We put it all up there, did you make it all private? It will be up there very soon, but now that we've got all of you basically enabled to dump people's memories and check out their dumps and modify and do all that stuff, what could be done to fix this, right? Part of the NSA Playset mission is like, okay, state actor has had this capability for a long time. Forensics has had this ability. Now that all of you have this ability, maybe they'll actually fix it. I started with an anti-Apple, anti-Thunderbolt slant to this, but it actually came out pretty good. In Linux, if you look for this Bus Master enable bit, any device plugged in the system gets Bus Master enable turned on. Welcome to the show. What memory would you like? There really isn't a software remediation for this, right? You can't just not load the FireWire drivers like you could with the regular Inception attack. You can use an IOMMU. Are you familiar with virtualization? How about virtualization of hardware? Virtualization on the left, you just have software VMs that run code and interface with an abstraction layer. On the other side you've got ‑ ‑ whether you use VT-d or an IOMMU of some sort, where you can actually assign a device to a specific software VM, you can actually have two graphics cards plugged into your system, each running native drivers in a separate VM, and no one knows the difference. All that memory DMA access is remapped. If you configure VT-d right like Apple does, 10.8.2 on Ivy Bridge, they actually configure VT-d later, unless you change the argument and turn VT-d off, which is good for a demonstration. You can go and modify memory. Why those limitations? Why haven't they rolled them back to Ivy Bridge? Any system with Thunderbolt should have VT-d on to protect you against certain things. Any system that has an ExpressCard. Any system you leave anywhere you don't see that someone can open it up and pop a card in. You should be careful. Your operating system vendor should be writing and providing this stuff by default. It's just important. Until then what solution do we have? Abstinence, right. Miles, would you ever plug something sketchy into your DisplayPort/Thunderbolt port?

>> Of course not.

>> What's plugged in there right now?

>> It's just a VGA cable.

>> Where does it go? What's this? Oh, oh.

>> Whoops.

>> I have the power cord out, too. We have five minutes. Okay.
So yeah, yeah. Miles plugged in this little cable that looks pretty simple. It's like one of those stupid $30 Apple adapters. But actually we look at the other end and it's really just a Thunderbolt cable going to the Thunderbolt enclosure attached to an adapter. So this is how you could basically make one of these yourself. We call this ALLOYVIPER. We need a new name, because it's a cosmetic change to commercial products. So ‑ ‑ actually this one has a list price of 300,000, maybe a little less if you buy them in bulk. It's actually pretty pricey because one cable alone is 50 bucks. So you take one of these Thunderbolt cables and you go to Radio Shack and get one of these modular telephone jacks and use these little metal thingies. Thank you. I can push buttons now. You can get heat shrink tubing, open everything up and thread your Thunderbolt cable through that. Close it up, get your heat shrink tubing, thread the Thunderbolt cable through that. Put the metal enclosure on the end, and that's pretty much it. You basically say, here, I already got an adapter for you. Thanks for presenting. My apology to Joe Grand. You were here last. My apology to Miles, that dump I did was actually not your NUC. I didn't find any cookies in your dump, though. And basically on the other end, you put a standard adapter, look, I'm using the laser pointer on the screen. I apologize. Right here I can point at this one. Is this better? This is a screen that was used on the corner and draws it on the projector. It's the disclosure. Pay no attention to the man behind the curtain. When you plug this in, it defines the DisplayPort to the adapter on the other end and it just passes it through. That's what we've been presenting the whole time. That's why it stopped when I stepped on the power cable. Sorry. I thought I almost blew the cover. So some acknowledgements, this is an incomplete list. Thanks to all the NSA Playset crew for working together on some awesome talks and working together getting things up there and running. Carsten for his work on Inception, again he built Inception based on many, many prior works before his. Again Great Scott Gadgets, thank you for motivating me to get it started. Thanks to Dean for telling me, you haven't submitted that to DEF CON yet? I'm like, oh, I haven't done any work on it yet. Just submit it. You'll get it done. Don't worry. Snare and Sam did a talk just last year using an FPGA board, which is basically the exact same thing as this, but you know. It's expensive. And everyone else who I forgot to. And Miles for fixing my ugly software code. So any questions? ( Applause ) What's your question? ( Inaudible question )

>> Did you have a question? Yes? ( Inaudible question )

>> I don't know anything about the mitigation in Windows 8.1. So the question is what mitigations are built into Windows 8.1. I don't know. I haven't tried it yet. I haven't tried it with 8.1 before. You want an NSA Playset pin. I'm sorry.

>> Anybody that has questions can come to the microphone right here so everybody can hear the question as well. Thank you.

>> It doesn't matter what operating system they're running or anything because you don't need any drivers? You just go ahead and plug and play?

>> Yeah. No drivers needed unless you've got to figure something out in those Mac versions that we mentioned.

>> Is it 4 gigs? Because why isn't it 2 gigs?

>> Why 4 gigs? PCIe has 32 bit DMA natively. That's just...

>> Can you offset?

>> You can offset it. You need to change the DMA offset register, which requires some device side drivers or software. Again, you have access to the 40 bits of memory. You can do it with memory and a lot of stuff there and inject whatever code you want and do fun stuff.

>> Thanks for doing this.

>> We have time for two more questions.

>> Did you look into USB DMA 3?

>> It will require drivers, though.

>> I don't know. Most likely. I don't know.

>> I'm more interested in the ‑ ‑ running the VMs with certain PCIe. Is the information you presented going to be up on your website?

>> I'm sorry. I can't really hear everything.

>> I'm looking for the information on building external PCIe connected to virtual machines. Have you discussed that a little bit?

>> Using the ‑ ‑

>> Yes.

>> Let me just make an announcement. Somebody dropped their iPhone in this section. Everybody please check and make sure you have your iPhone on you if you have such a device.

>> I work in building a virtual machine connecting external PCIe. The information you presented, will they be up on the website?

>> I'm sorry. I thought ‑ ‑ I can't hear what you are saying. I'm sorry. Yeah. ( Inaudible question )

>> We'll talk offline. He wanted to know how to connect external devices to a virtual machine with PCIe. I think we have one more moment. I guess not. No more questions? Okay. ( Applause )