Thursday, July 30, 2009

Black Hat 2009 Slides

The wait is over. The slides are here. The press release is here. Unless you're a chipset/BIOS engineer kind of person, I strongly recommend reading the press release first, before opening the slides.

So, the "Ring -3 Rootkit" presentation is about vPro/AMT chipset compromises. The "Attacking Intel BIOS" presentation is about exploiting a heap overflow in BIOS environment in order to bypass reflashing protection, that otherwise allows only Intel-signed updates to be flashed.

We will publish the code some time after get back from Vegas.


ps. Let me remind my dear readers that all the files hosted on the ITL website are not digitally signed and are served over a plaintext connection (HTTP). In addition, the ITL's website is hosted on a 3rd party provider's server, on which we have totally no control (which is the reason why we don't buy an SSL certificate for the website). Never trust unsigned files that you download from the Internet. ITL cannot be liable for any damages caused by the files downloaded from our website, unless they are digitally signed.


joanna said...

I know, the links were swapped. Should be fixed now. Thanks to all the dozen of people for telling me ;) [How come Alex didn't notice that...?;)]

Othman Esoul said...

Never trust unsigned files that you download from the Internet" probably you should add, unless they contain images lol....

Thank you very much, I would call this work as The art of X-ware hacking ( software, firmware, and hardware). It is very informative and pointed out to other security issues on the fly.

But, how did you know that the boot splash logo was not part of the signature in the BIOS update? That wasn't mentioned anywhere... lol

Is there any other DMA-capable devices emulated by AMT other than the "Virtual CD-ROM"?.

Now, How close are we from loading unsigned microcode update and hopefully concurring the behavior of main CPU?

Others are calling for "no more free bugs" what do you think of this?


joanna said...


1) We knew the logo picture is not signed, because, if you think about it, it couldn't be otherwise, as it is something OEM can customize and you don't expect Intel to sign logos of all possible OEMs/organizations.

2) There are also other AMT devices, be we didn't find a way (yet) to use DMA engines on them.

3) I'm not sure why people think that microcode hacking would be better then AMT hacking. A rootkit inside AMT seems to offer more, then a potential ucode compromise. Keep in mind it has a dedicated link to the NIC, executes on a independent processor, that is active even in sleep mode, and has access to some 16MB of dedicated, protected DRAM that nobody else can even read. What else you could ask for?

I think people confuse potential microcode rootkits, with a hypothetical ucode exploitation (ring 3 -> ring 0 escalations). But that would not be rootkits, that would be an escalation attack. The Holly Grail of all attacks, but still not a rootkit.

4) "No More Free Bugs" initiative, as recently advocated by several researchers, seems to me like a very naive, childish attempt to make money on something that is totally useless for business, i.e. on selling bugs and exploits. I have expressed my thoughts on a Daily Dave list some months ago (DD is really touching the bottom these days BTW, wonder if it recover sometime).

Martin T said...

Thanks for uploading the slides so fast! As others have pointed out, these are really ingenious and original attacks, each involving quite a few innovative steps to reach the desired outcome.

BTW, in case you or others didn't know the Intel iTPM (integrated TPM in the chipset) found in eg. Q45, is actually implemented in firmware running on this special processor in the northbridge. So a compromise of this special environment on the Q45 might cause yet other headaches. Maybe it would even be possible to extract the endorsement key of the TPM, making it possible to create a TPM emulator in software that could attest to any desired set of (faked) PCR values.

Not that it really matters, since as you point out, the current attack can already be used to inject malicious code into a trusted environment after it has been measured by the TPM, thereby fooling eg. remote attestation schemes.

Certainly intersting times with these special CPU's popping up everywhere ;)

Othman Esoul said...

Nope, I do not expect Intel to sign logos of all OEMs, but I do expect the BIOS re-flash locks will be set before loading any unsigned logo in the future ... lol...

Yes, it is really incredible how they included a tiny little router in there lol, I agree that AMT technology offers what attackers need and more (encryption etc.), in fact, what makes it very powerful to defeat (once the attacker takes over) is the dedicated separate processor and memory, nevertheless, we should not forget what makes our code executes and behaves the way we want (on any processor) is ultimately the processor instructions, compromise it and the whole system is burned! (firmware and software). We may not able to craft a whole rootkit out of that, however, it is still strong, as it is the lowest level of all system compromises.

Also, access to physical memory has probably become as difficult as compromising certain technologies in the processor itself, so it is worth looking at these technologies integrated inside the CPU for abuse - i.e., what happens if the memory controller is integrated inside the processor also? As you mentioned, AMT on the Q45 chipset is more protected against such attacks... so!

It is good to know that ITL team do not advocate such slogans (no more free bugs lol) because it is really contributing the great deal to the research community, and to pushing chip makers to take a serious look at every technology they include in commodities these days.


joanna said...

@Martin: yes, we're aware of the iTPM device implemented in ME firmware, however the info we have suggests that SPI-flash compromise is not enough to compromise the iTPM's security, so we decided not to mention this in the slides. Similarly it seems like the SPI reflashing is not enough to compromise the AMT code on Q45.

pyromanus²-chacalus² said...

thanks joanna !