WEBVTT 00:00:00.000 --> 00:00:19.759 35c3 prerol music 00:00:19.759 --> 00:00:26.630 Herald: So Trammell Hudson, who is standing here, he's taking things apart. 00:00:26.630 --> 00:00:34.370 Don't worry not life on stage, but he will give us a proof of concept and some 00:00:34.370 --> 00:00:39.559 details and functionalities about hardware implants. So the same things that we heard 00:00:39.559 --> 00:00:45.480 from Bloomberg article talking about Apple and super microcomputers with implants 00:00:45.480 --> 00:00:52.879 that, yeah, were implanted into those, into those computers. And I'm really 00:00:52.879 --> 00:00:57.680 excited to see this in action. Please give a warm round of applause to Trammel 00:00:57.680 --> 00:01:02.590 Hudson! 00:01:02.590 --> 00:01:07.510 applause 00:01:07.510 --> 00:01:11.600 Trammell: Before we begin talking about hardware implants just two quick 00:01:11.600 --> 00:01:16.310 disclaimers. The first from my employer Two Sigma investments as it says are 00:01:16.310 --> 00:01:21.910 chocolate bars. This is not investment advice. And secondly I don't actually know 00:01:21.910 --> 00:01:26.920 what the story is behind the super micro story. No one outside of Bloomberg and 00:01:26.920 --> 00:01:32.450 their sources do. But I have spent a lot of time thinking about hardware implants 00:01:32.450 --> 00:01:38.200 starting with the thunderstrike firmware attack against mac books as well as the 00:01:38.200 --> 00:01:45.420 thunderstrike 2 where we were able to get software to write into the firmware on the 00:01:45.420 --> 00:01:50.560 mac books. I've also been thinking a lot about how to defend against hardware 00:01:50.560 --> 00:01:54.420 implants with things like the heads firmware for slightly more secure laptops 00:01:54.420 --> 00:01:59.420 and also as part of my co-lead on the Linux boot project. We're thinking about 00:01:59.420 --> 00:02:10.080 how to protect servers from physical and software attacks. So with all of this 00:02:10.080 --> 00:02:14.910 concentrated thinking about firmware and hardware attacks, I was really excited 00:02:14.910 --> 00:02:20.720 when I saw the Bloomberg story back in October. But what really intrigued me was 00:02:20.720 --> 00:02:26.440 the animated image that they had at the header that highlighted one small part of 00:02:26.440 --> 00:02:32.920 the board as where the implant was, but what I found really interesting is that is 00:02:32.920 --> 00:02:40.250 exactly where I would install a hardware implant as they described on the SPI bus. 00:02:40.250 --> 00:02:44.610 A lot of other people in the hardware and from our security community thought it 00:02:44.610 --> 00:02:50.140 sounded plausible. Other people pointed out that supply chain attacks come up 00:02:50.140 --> 00:02:56.070 periodically and they are definitely a concern. Some people thought the attack as 00:02:56.070 --> 00:03:03.320 described was entirely implausible and in general we sort of had a Whiskey Tango 00:03:03.320 --> 00:03:08.160 Foxtrot moment as everybody scrambled to figure out what's going on inside their 00:03:08.160 --> 00:03:14.540 machines. So, let's step back very quickly and review what the key claims that 00:03:14.540 --> 00:03:22.340 Bloomberg alleged happened. First they said that Amazon's testers found a tiny 00:03:22.340 --> 00:03:27.250 microchip that wasn't part of the board's original design that had been disguised to 00:03:27.250 --> 00:03:33.350 look like a signaling condition signal condition coupler and that these illicit 00:03:33.350 --> 00:03:39.790 chips were connected to the baseboard management controller or the BMC which 00:03:39.790 --> 00:03:44.210 gave them access to machines that were turned off. That might sound kind of 00:03:44.210 --> 00:03:49.870 extreme, but that's actually what the role of the BMC is, that in most servers the 00:03:49.870 --> 00:03:55.280 BMC is running any time the machine is hooked up to power and it's connected to 00:03:55.280 --> 00:04:01.910 the power supplies so that it can turn the machine on and turn it off. Frequently you 00:04:01.910 --> 00:04:06.780 want to be able to do this over a network so it has its own dedicated LAN port but 00:04:06.780 --> 00:04:14.180 it can also share the LAN port with the with the main system. Serial over LAN is a 00:04:14.180 --> 00:04:19.180 really useful way to debug the systems so it provides that functionality. It can 00:04:19.180 --> 00:04:27.350 also provide fake USB volumes to allow to to do unintended OS installation. A lot of 00:04:27.350 --> 00:04:33.430 sites also won't remote KVM so it has VGA but that VGA support means that it's on 00:04:33.430 --> 00:04:40.370 the PCIe BUS and because some PCIe it can do DMA into main memory. It also is 00:04:40.370 --> 00:04:47.000 typically muxed into the SPI flash for the host firmware, which allows it to 00:04:47.000 --> 00:04:51.820 modify it and on some systems it's even connected to the TPM which allows it to 00:04:51.820 --> 00:04:59.930 circumvent the corporate of trust. So with all of this capability inside this chip 00:04:59.930 --> 00:05:06.919 it's really unfortunate that they are really not well put together. The head of 00:05:06.919 --> 00:05:11.150 Azure security says they have no protection against attacks. There's no 00:05:11.150 --> 00:05:15.530 ability to detect if an attack has happened and there's no ability to recover 00:05:15.530 --> 00:05:22.449 from an attack. So having a hardware implant on the BMC is a really big 00:05:22.449 --> 00:05:32.030 concern. The other claim in the article is that it affected 30 different companies 00:05:32.030 --> 00:05:39.930 including Apple and Bloomberg alleges that Apple found malicious chips independently 00:05:39.930 --> 00:05:44.980 on their super micro boards. Went to the FBI about it and that they then severed 00:05:44.980 --> 00:05:52.100 ties with Super Micro. This particular claim was interesting because it 00:05:52.100 --> 00:05:57.570 corroborated a story that had shown up back in early 2017 that Apple had removed 00:05:57.570 --> 00:06:03.050 Super Micro from their data centers. Apple denied that there was a firmware issue. 00:06:03.050 --> 00:06:10.190 But it's interesting that perhaps these two were related. The third set of claims 00:06:10.190 --> 00:06:16.090 is that on some of these implants they were actually put between the layers on 00:06:16.090 --> 00:06:23.210 the PCB and then the most explosive claim is that this was done by operatives from 00:06:23.210 --> 00:06:33.580 China, the Chinese People's Liberation Army. With a story with this you know this 00:06:33.580 --> 00:06:39.389 many claims and this significant of allegations we'd hoped that it would be 00:06:39.389 --> 00:06:45.430 really well sourced and for a normal story 17 independent sources that Bloomberg 00:06:45.430 --> 00:06:52.490 editors agreed to grant anonymity to, including six national security, two 00:06:52.490 --> 00:06:57.340 people inside of AWS and three senior insiders at Apple seems like pretty solid 00:06:57.340 --> 00:07:03.110 sourcing, except as soon as this article is published everyone denied it. The 00:07:03.110 --> 00:07:09.080 Director of National Intelligence said they'd seen no evidence of this. Amazon 00:07:09.080 --> 00:07:13.990 said that they've never found any issues of modified hardware nor have they been 00:07:13.990 --> 00:07:21.000 engaged with the government over it. Apple was even more blunt. CEO Tim Cook said 00:07:21.000 --> 00:07:27.590 this did not happen. There is no truth to this. And Super Micro wrote a fairly 00:07:27.590 --> 00:07:32.150 lengthy letter about what they do to protect their supply chain and why they 00:07:32.150 --> 00:07:38.990 think this attack did not happen. And it is worth going through to look at some of 00:07:38.990 --> 00:07:44.880 the things that they say that they do to protect their supply chain. They point out 00:07:44.880 --> 00:07:50.700 that if there's any unauthorized physical alterations during the manufacturing 00:07:50.700 --> 00:07:56.949 process other design elements would not match and those things would be detected. 00:07:56.949 --> 00:08:03.300 To sort of understand how circuit boards are made, I recently visited a PCB factory 00:08:03.300 --> 00:08:11.080 in Guangzhou. This is not a super micro factory. This is just a holiday photos. So 00:08:11.080 --> 00:08:16.760 in order to add new vias they would have to modify the drill files which would then 00:08:16.760 --> 00:08:22.050 get electroplated. If they had to add new traces, they would have to be able to 00:08:22.050 --> 00:08:29.400 subvert the masking and etching process and any changes to either the drills or 00:08:29.400 --> 00:08:34.909 the etching on individual layers would be caught by the optical inspection that's 00:08:34.909 --> 00:08:41.479 done on these bare circuit boards. Additionally the allegation that things 00:08:41.479 --> 00:08:47.110 were inserted between circuit boards would require that the lamination process be 00:08:47.110 --> 00:08:55.329 subverted and that the implant somehow aligned into the system. If that implant 00:08:55.329 --> 00:09:00.410 changes any of the connectivity the flying protesters would pick it up or the bed of 00:09:00.410 --> 00:09:05.980 nails testers which checks all of the connectivity of all the traces to make 00:09:05.980 --> 00:09:09.300 sure that there are no shorts and to make sure that everything that is supposed to 00:09:09.300 --> 00:09:16.679 be connected is electrically conductive. So it would be very difficult to 00:09:16.679 --> 00:09:22.110 circumvent the production process at this stage. And it also would be very difficult 00:09:22.110 --> 00:09:27.709 to contain because the PCB factory doesn't know which customers are going to receive 00:09:27.709 --> 00:09:34.470 those circuit boards. Super Micro also points out that during the assembly 00:09:34.470 --> 00:09:40.480 process when the parts are installed they have their employees on site the whole 00:09:40.480 --> 00:09:47.559 time. On my same holiday trip I also visited some PCB assembly companies and 00:09:47.559 --> 00:09:53.589 spoke with companies that are using doing contract manufacturing and they said that 00:09:53.589 --> 00:09:59.089 they also send their employees to the production line to observe the pick and 00:09:59.089 --> 00:10:05.600 place machines and the reflow and the rest of the surface mount assembly. Their big 00:10:05.600 --> 00:10:10.089 concern is that if they don't have someone there the parts that are fed in the pick 00:10:10.089 --> 00:10:17.660 in place will be replaced with either counterfeits or with salvaged parts. I 00:10:17.660 --> 00:10:23.459 visited the electronics market in ??????? bay where there are people desoldering 00:10:23.459 --> 00:10:29.190 e-waste and then sorting the parts into bins and selling these salvaged components 00:10:29.190 --> 00:10:34.589 by the kilo and for a few extra renminbi they'll put them on rails for you so that 00:10:34.589 --> 00:10:41.660 you can save a few pennies on your production process. The other concern that 00:10:41.660 --> 00:10:46.489 these companies have, is not just salvaged parts but straight up counterfeits. 00:10:46.489 --> 00:10:52.439 Especially for things that cost more than a few dollars each. The Arduino community 00:10:52.439 --> 00:10:59.139 was hit a few years ago with a bunch of counterfeit FTDI chips where the internal 00:10:59.139 --> 00:11:07.600 construction was entirely different. In this case it caused reliability issues but 00:11:07.600 --> 00:11:11.550 you can imagine from a security perspective this is really worrisome that 00:11:11.550 --> 00:11:15.709 parts that look identical might have completely different functionality inside 00:11:15.709 --> 00:11:25.379 of them. Super Micro also mentions that they X-ray their main boards to look for 00:11:25.379 --> 00:11:32.000 anomalies and I wasn't able to take any photos inside the factory there was doing 00:11:32.000 --> 00:11:38.230 x-rays. But in this Wikipedia photo we can clearly see active components like this 00:11:38.230 --> 00:11:45.670 SOIC chip are different from things like the SMD resistors and capacitors. So if an 00:11:45.670 --> 00:11:51.220 attacker were trying to subvert the supply chain by putting a disguise component it 00:11:51.220 --> 00:11:56.670 could be detected at this step. Another interesting thing in this photo are these 00:11:56.670 --> 00:12:02.680 inductors that are encased in dip packages. This is really common in a lot 00:12:02.680 --> 00:12:07.439 of Ethernet boards and occasionally people have thought they had some sort of 00:12:07.439 --> 00:12:13.589 hardware implant when they found inductors in their ethernet jacks but it's pretty 00:12:13.589 --> 00:12:19.799 it's fairly common and it shows it pretty clearly on the x-ray. Some other security 00:12:19.799 --> 00:12:26.069 researchers like Sophia D'Antoine did an extensive teardown of Super Micro boards 00:12:26.069 --> 00:12:33.439 including X-ray analysis and her group found a few oddities but nothing.. they 00:12:33.439 --> 00:12:37.529 didn't find anything malicious. There were no smoking guns. They just appeared to be 00:12:37.529 --> 00:12:43.190 sort of supply chain type things. You can read her blog post for more details about 00:12:43.190 --> 00:12:49.319 where they found things that shouldn't have been there. But turned out to be just 00:12:49.319 --> 00:13:00.879 actual signal condition components. So super micro in their ???? letter, they 00:13:00.879 --> 00:13:07.239 keep reenforcing that the manufacturing process that is the assembly process, it's 00:13:07.239 --> 00:13:11.179 during the manufacturing process and I agree with them. It would be very 00:13:11.179 --> 00:13:17.939 difficult to circumvent security in a reasonable way in that part of the 00:13:17.939 --> 00:13:23.189 process. But that's not the only place this could happen. We know that national 00:13:23.189 --> 00:13:30.309 security agencies intercept shipments of computer hardware and then have their 00:13:30.309 --> 00:13:37.249 tailored access operations open the computers, install hardware implants, 00:13:37.249 --> 00:13:43.670 reseal them and then have them continue on their way in shipment. The NSA even has a 00:13:43.670 --> 00:13:51.199 catalog of hardware implants like this JTAG implant Ethernet jacks with embedded 00:13:51.199 --> 00:13:57.009 computers in them as well as firmware specific ones that target servers SNM(?) 00:13:57.009 --> 00:14:05.490 and then some that can do data exfiltration via RF. So that's sort of 00:14:05.490 --> 00:14:09.481 tailored access operations is really ideal for this supply chain attack because it 00:14:09.481 --> 00:14:16.699 allows them to contain the exploit to a single customer. It allows them fairly 00:14:16.699 --> 00:14:21.180 good concealment as well as good cover that if it's discovered it's really hard 00:14:21.180 --> 00:14:25.769 to attribute where things went wrong. Now unlike if you find something inside your 00:14:25.769 --> 00:14:34.230 motherboard between the layers you know that had to have happened at the factory. 00:14:34.230 --> 00:14:47.040 So Super Micro also claim that this was technically implausible, that it was 00:14:47.040 --> 00:14:52.559 highly unlikely that unauthorized hardware would function properly because a third 00:14:52.559 --> 00:15:02.470 party with lack of complete knowledge of the design. I think that's inaccurate, 00:15:02.470 --> 00:15:07.639 both because we know the NSA does it and also because I have done it. 00:15:07.639 --> 00:15:10.319 laughter 00:15:10.319 --> 00:15:16.059 Really, all that you need to know is that these are common components. These flash 00:15:16.059 --> 00:15:20.310 chips show up on all the boards. You can search the internet for the data sheet and 00:15:20.310 --> 00:15:25.989 find exactly how it's wired into the rest of the system. And the only thing that we 00:15:25.989 --> 00:15:33.499 need to know to communicate to the BMC is the serial output pin from this component, 00:15:33.499 --> 00:15:43.429 so the BMC flash is connected over to the BMC CPU via the serial output and it goes 00:15:43.429 --> 00:15:51.589 through a small series resistor and that is where my implant goes in. Mine's a 00:15:51.589 --> 00:15:56.670 little bit larger than that resistor. It clicks onto the board and it has a small 00:15:56.670 --> 00:16:03.009 FPGA that hangs offside but it's completely plausible to fit it into 00:16:03.009 --> 00:16:12.139 something that small in fact a modern ARM M0 fits in the space of two transistors 00:16:12.139 --> 00:16:18.350 from a 65 002 from a few years ago. The Moore's Law means we can pack an amazing 00:16:18.350 --> 00:16:28.329 amount of CPU into a very very small amount of space. So on that 0 6 0 3 00:16:28.329 --> 00:16:36.100 resistor could fit around 100 cortex M0 it would be plenty powerful for this system. 00:16:36.100 --> 00:16:42.379 The problem is we only have those two pins so ordinarily on the spy flashing you need 00:16:42.379 --> 00:16:47.720 at least six pens but we don't have power and ground so we have to passively power 00:16:47.720 --> 00:16:53.059 this through the data signal that's passing through it. We don't have the chip 00:16:53.059 --> 00:16:59.959 select pin so we have to guess when this chip has been talked to. We don't have the 00:16:59.959 --> 00:17:04.980 data input pin so we don't know what addresses are being read or what commands 00:17:04.980 --> 00:17:11.190 are being sent. We have to reconstruct it from the data output pin and we also don't 00:17:11.190 --> 00:17:18.900 have a clock pin so we have to figure out how to synchronize to that clock. Lastly 00:17:18.900 --> 00:17:22.890 we don't have the ability to make arbitrary data changes. All we can do is 00:17:22.890 --> 00:17:29.060 disconnect the pin from the BMC so we can only turn 1 bits into 0 bits. We can't go 00:17:29.060 --> 00:17:35.300 the other way around. So with these limitations we can still do some pretty 00:17:35.300 --> 00:17:40.920 interesting things. Recovering the clock is actually pretty easy. We can look at 00:17:40.920 --> 00:17:49.670 the data stream and find the shortest bit transitions from 0 1 0 or 1 0 1 to 00:17:49.670 --> 00:17:55.060 estimate what the clock is which allows us to then reconstruct that data stream being 00:17:55.060 --> 00:18:00.870 sent to the BMC and if we look at the flash contents we can see that a lot of it 00:18:00.870 --> 00:18:07.570 is being fairly random noise but a lot of it is all white which in this case would 00:18:07.570 --> 00:18:15.110 mean that it's all one bits. So if we look at the way the flash is organized we can 00:18:15.110 --> 00:18:19.380 see there's the u-boot bootloader and that's executable. That's kind of 00:18:19.380 --> 00:18:25.230 difficult to make useful changes in, the kernel and the root file system are both 00:18:25.230 --> 00:18:33.040 compressed so that they look effectively like random noise but the nvram region is 00:18:33.040 --> 00:18:41.660 a jffs2 file system and this file system ??? 3 Megs, it's mostly empty and all that 00:18:41.660 --> 00:18:50.040 empty space is F F which is all ones. So this is plenty of ones for us to work on. 00:18:50.040 --> 00:18:55.380 Additionally it has fairly nice headers that we can we can match on. So when we 00:18:55.380 --> 00:19:00.570 see these magic bit masks we know when we've entered different parts of the file 00:19:00.570 --> 00:19:06.990 system. So given that we can now reconstruct the clock we can figure out 00:19:06.990 --> 00:19:13.310 where we are in the file system. This hardware implant can start to inject new 00:19:13.310 --> 00:19:20.320 data into what was the empty space. So this short file that we put in here is a 00:19:20.320 --> 00:19:28.020 small shell script and it is one of the network configuration scripts, so this is 00:19:28.020 --> 00:19:37.350 where I'm going to try a live demo and I hope this works. We're running in qemu 00:19:37.350 --> 00:19:45.660 since I didn't bring a Super Micro board and what we have on the left is the flash 00:19:45.660 --> 00:19:50.530 console excuse me the hardware implant console. And then on the right we have the 00:19:50.530 --> 00:19:57.353 serial console from the BMC so we can see it has loaded the kernel and in a second 00:19:57.353 --> 00:20:03.430 it's going to we should see a bunch of traffic, okay, so the implant is active. 00:20:03.430 --> 00:20:10.450 It has replaced the data when that nvram file system was mounted the BMC is now 00:20:10.450 --> 00:20:18.780 continuing on doing its set up. It's going to load a bunch of device drivers for that 00:20:18.780 --> 00:20:24.250 video. It pauses here for some reason that I haven't diagnosed because that's that's 00:20:24.250 --> 00:20:27.040 not my job. 00:20:27.040 --> 00:20:29.140 laughter 00:20:29.140 --> 00:20:33.020 And eventually it's going to configure the networks and it does that by running that 00:20:33.020 --> 00:20:43.010 shell script off of the nvram partition here it starts KVM stuff brings up some 00:20:43.010 --> 00:20:53.390 things. Allright. applause 00:20:53.390 --> 00:21:01.920 OK. So luckily we got to that point without having to fake the demo. In the 00:21:01.920 --> 00:21:07.820 hardware it's really flaky. My version works about one in eight times. But it 00:21:07.820 --> 00:21:12.041 doesn't typically cause a crash. So that's actually good for concealment because it 00:21:12.041 --> 00:21:17.850 becomes now much harder to determine which machines are affected. In qemu because 00:21:17.850 --> 00:21:21.640 it's emulating, it's a little more reliable but it's still it's only two out 00:21:21.640 --> 00:21:26.760 of three. If we let the BMC boot a little bit further it actually prints out this 00:21:26.760 --> 00:21:32.120 message. And if you hit enter it drops you to a shell with no password and you can 00:21:32.120 --> 00:21:38.170 then just run commands as root on the BMC and that's a lot easier than all this 00:21:38.170 --> 00:21:43.440 stuff with the SPI bus if you wanted to build a hardware implant against it. I 00:21:43.440 --> 00:21:48.540 don't know where the serial port is on the on the Super Micro but on a different tier 00:21:48.540 --> 00:21:54.030 1 server mainboard I was able to probe around the oscilloscope and locate the 00:21:54.030 --> 00:22:00.830 serial console for the BMC. Figure out it's 115 kbaud and it has the same code 00:22:00.830 --> 00:22:06.050 that you hit enter and you can run commands there. So that's a much easier 00:22:06.050 --> 00:22:11.990 way to do it. A big question a lot of people have is how do we actually detect 00:22:11.990 --> 00:22:18.100 this sort of flash implant. A lot of high assurance sites replace all of their roms 00:22:18.100 --> 00:22:22.760 with ones that they flash themselves but that doesn't get rid of the implant 00:22:22.760 --> 00:22:28.960 because it's outside of the ROM chip. Likewise reading the ROM chip doesn't show 00:22:28.960 --> 00:22:35.321 anything because it's not in the ROM itself it's it's outside of it. Even 00:22:35.321 --> 00:22:40.650 hooking up a logic analyzer to the bus and watching as the machine boots and seeing 00:22:40.650 --> 00:22:45.780 the data stream coming out of the flash won't actually reveal the implant because 00:22:45.780 --> 00:22:51.770 you'd have to put the logic probes on the PGA pads on the flat on the BMC itself. 00:22:51.770 --> 00:22:58.140 And that's a much harder task. Some people think "oh well we can see the weird 00:22:58.140 --> 00:23:03.150 network traffic when the BMC tries to exfiltrate the data" but that would be 00:23:03.150 --> 00:23:08.030 that's only one way for the BMC to affect things. There is a great talk a few years 00:23:08.030 --> 00:23:13.410 ago at DefCon from Intel ATR where they showed how something that can control the 00:23:13.410 --> 00:23:19.020 system firmware can backdoor hypervisors. And then they gave a use case where a 00:23:19.020 --> 00:23:26.180 unprivileged guest on a cloud system could read all of the rest of physical memory so 00:23:26.180 --> 00:23:34.760 it could see all of the other guests memory. So what do we do? The big problems 00:23:34.760 --> 00:23:39.560 is the BMC has way too many privileges. It's connected to pretty much everything 00:23:39.560 --> 00:23:46.650 in the system but the BMC is not our only concern. As @whitequark said, our PCs are 00:23:46.650 --> 00:23:52.300 just a bunch of embedded devices in a trench coat and they all have firmware. In 00:23:52.300 --> 00:23:56.680 fact pretty much everything on your system more complex than a resistor probably has 00:23:56.680 --> 00:24:01.270 firmware and if you have one of those Super Micro implants maybe even your 00:24:01.270 --> 00:24:08.500 resistors have firmware as well. I've found that the firmware and things like 00:24:08.500 --> 00:24:15.150 the power supplies can be used to gain code execution on the BMC. It's really 00:24:15.150 --> 00:24:20.750 interesting how tightly connected all of our systems are. And as Joe Fit's pointed 00:24:20.750 --> 00:24:26.700 out in his blackhat ???? talk, these are not multimillion dollar attacks these are 00:24:26.700 --> 00:24:33.500 five euro bits of hardware that we now have to really be worried about. I really 00:24:33.500 --> 00:24:38.480 like the guidelines that NIST has published that suggests that we think 00:24:38.480 --> 00:24:43.650 about our systems more in this holistic manner. Although the interpreting pretty 00:24:43.650 --> 00:24:50.290 much everything into the TPM is the trusted platform module for doing this 00:24:50.290 --> 00:24:55.580 attestation and I think we as a community need to do more to use the TPM. There 00:24:55.580 --> 00:25:01.060 actually a really good tool for securing our systems but they are also potentially 00:25:01.060 --> 00:25:08.030 subject to their own hardware implants. The NCC Group TPM genie is able to subvert 00:25:08.030 --> 00:25:14.600 the core root of trust by interposing on the TPM. So a lot of folks are proposing 00:25:14.600 --> 00:25:19.160 we should move to other trusted execution environments like SGX or Trustzone. And I 00:25:19.160 --> 00:25:24.960 think these have a lot of promise especially for trusted cloud computing. 00:25:24.960 --> 00:25:30.970 There also is a lot of innovation in the hardware roots of trust going on right now 00:25:30.970 --> 00:25:34.860 between the Google Titan, which initially was for their servers and is now showing 00:25:34.860 --> 00:25:39.740 up on all of their chrome books. The Microsoft Cerberus chip which again is the 00:25:39.740 --> 00:25:46.710 Azure system. They're actually publishing their firmware and the ASIC design so that 00:25:46.710 --> 00:25:49.880 people can have a little more faith in it and they hope it will become an open 00:25:49.880 --> 00:25:56.780 standard. And companies like Apple have also gone their own way. With the T2 and 00:25:56.780 --> 00:26:00.620 the T2's are really amazing chip for securing systems. But it does so at the 00:26:00.620 --> 00:26:06.790 expense of user freedom and that gets in the way of what I think the real way that 00:26:06.790 --> 00:26:11.130 we need to.. we need to solve this problem. We need to get rid of a lot of 00:26:11.130 --> 00:26:18.830 these secrets. Counter to what the Super Micro CEO said, having a secret 00:26:18.830 --> 00:26:22.770 motherboard design does not make you more secure. Things like the Open Compute 00:26:22.770 --> 00:26:27.140 hardware I think is a good vision for how we can move forward that when you buy an 00:26:27.140 --> 00:26:33.030 Open Compute server it comes with full schematics and gerber files. So that 00:26:33.030 --> 00:26:37.910 motivated customers can verify that the systems that they're buying are the ones 00:26:37.910 --> 00:26:42.140 that they think they that they're buying that all of the components are what they 00:26:42.140 --> 00:26:49.250 think they should be. I think the firmware also needs more openness. Ronald Minnich, 00:26:49.250 --> 00:26:56.150 Google is my co-lead on Linux boot project and we think that Linux in the firmware is 00:26:56.150 --> 00:27:03.821 a way forward to get a more secure more flexible and more resilient system. We're 00:27:03.821 --> 00:27:09.981 working with a spin off project called micro BMC that is using the Linux boot 00:27:09.981 --> 00:27:16.580 tools to build BMC firmware and this is opensource. It's reproducibly built it can 00:27:16.580 --> 00:27:22.740 work with roots of trust attestation. It's written in a memory safe language since 00:27:22.740 --> 00:27:27.740 it's a Google collaboration and go. And more importantly we've thrown away all of 00:27:27.740 --> 00:27:31.240 the legacy features that have been a source of a lot of security 00:27:31.240 --> 00:27:40.960 vulnerabilities in these systems. So did it happen? I don't know. Is it technically 00:27:40.960 --> 00:27:44.520 possible? I think so. I hope I've convinced all of you that this is 00:27:44.520 --> 00:27:50.770 definitely a technical possibility that we need to be concerned about and I hope that 00:27:50.770 --> 00:27:56.260 the way forward through hardware roots of trust with attestation and more 00:27:56.260 --> 00:28:01.400 importantly with open hardware so that we know that what the machines were running 00:28:01.400 --> 00:28:07.130 are running code that we know.. the code that we've built that we understand and 00:28:07.130 --> 00:28:13.080 that we can actually have a good chance of being able to take control back of them. 00:28:13.080 --> 00:28:18.300 If you're interested in more discussion on this and also on open firmware, there's an 00:28:18.300 --> 00:28:23.850 assembly here in this hall that has a bunch folks working on a core boot and 00:28:23.850 --> 00:28:29.110 Linux boot and a lot of these projects where you can help contribute and you can 00:28:29.110 --> 00:28:37.510 help also pressure vendors to make these this standard and a way forward for a more 00:28:37.510 --> 00:28:42.000 secure computing. So thank you all for coming. And I really enjoyed the chance to 00:28:42.000 --> 00:28:50.380 show off my modship of the state. 00:28:50.380 --> 00:28:56.030 applause 00:28:56.030 --> 00:29:02.600 Herald: Geat talk, thank you very much Trammel. We have 10 minutes for questions 00:29:02.600 --> 00:29:11.080 so please line up at the microphones if you have questions. And we also have a 00:29:11.080 --> 00:29:25.390 signal angel probably with questions from the internet. So any questions? Microphone 00:29:25.390 --> 00:29:29.870 number three? Mic 3: Yes, I was going to ask, what's 00:29:29.870 --> 00:29:35.650 your opinion on the Talos systems? The openPOWER based ones? 00:29:35.650 --> 00:29:41.830 Trammell: So the question is about the Talos power 9 based systems power 9 is a 00:29:41.830 --> 00:29:48.490 really interesting architecture. The.. it is using a open firmware very similar to 00:29:48.490 --> 00:29:55.250 Linux boot called Petty(??) boot that moves Linux into the bootloader. I'm a big 00:29:55.250 --> 00:29:58.860 fan. There's a lot of folks in the opensource community who are very excited 00:29:58.860 --> 00:30:07.540 about it. I'm hoping that there would be more power nine systems coming out. I'm 00:30:07.540 --> 00:30:13.130 also very excited about the brisque five systems. I think having open source CPUs 00:30:13.130 --> 00:30:19.310 use is a real way that we can have more assurance that our systems are what we 00:30:19.310 --> 00:30:22.800 think they are. Herald: Thank you, microphone number two 00:30:22.800 --> 00:30:27.100 please. Mic 2: Yes, thanks for the talk. I was 00:30:27.100 --> 00:30:32.810 wondering if you have just a scope probe over this serial, cause it's just a serial 00:30:32.810 --> 00:30:37.320 resistor which we're replacing. If you put just two scope probes on there and measure 00:30:37.320 --> 00:30:41.270 the voltage over it, in your situation would the voltage change there once in a 00:30:41.270 --> 00:30:42.400 while? Trammell: Yes, yes, yes. 00:30:42.400 --> 00:30:46.540 Mic 2: Well okay, in the normal case would it actually be quite consistent current. 00:30:46.540 --> 00:30:56.890 Or if you lowered the input impedance of the BMC chip who might already have fixed 00:30:56.890 --> 00:31:01.760 a part of the attack because the output sourcing current of your exploit is 00:31:01.760 --> 00:31:04.900 probably limited due to the limited supply you only can.. 00:31:04.900 --> 00:31:12.390 Herald: Your question please? Mic 2: Yes.. but.. do you see a way to get 00:31:12.390 --> 00:31:17.710 more power into your setup? Maybe using, well other power sources, other than the 00:31:17.710 --> 00:31:22.650 two pins, or maybe somewhere of.. Trammell: Well, so the question is about, 00:31:22.650 --> 00:31:28.420 would there be a way to do more arbitrary changes through redesigning the implant. 00:31:28.420 --> 00:31:34.190 One of the goals was to fit with only those two pins so that a single piece on 00:31:34.190 --> 00:31:38.900 the motherboard could be replaced. With a dual probe soldering iron and you can pop 00:31:38.900 --> 00:31:45.500 it out and stick a new one down in a matter of seconds. So, yes, if you have 00:31:45.500 --> 00:31:51.809 more pins where you can get more power from you can do much more interesting 00:31:51.809 --> 00:31:57.460 things. But that's.. would require a different set of changes to the 00:31:57.460 --> 00:32:02.480 motherboard. Herald: Thank you. Microphone 1 please. 00:32:02.480 --> 00:32:09.350 Mic 1: So, a lot of the -like- arguments that these implants were not feasible by a 00:32:09.350 --> 00:32:13.820 Super Micro where you also show the picture from the fab that you had to 00:32:13.820 --> 00:32:19.390 change the etching and the optical inspection and so on and so on. But how 00:32:19.390 --> 00:32:27.870 probable would you rate the fact that some acto just intercepted the manufacturing 00:32:27.870 --> 00:32:33.570 files and added that component already in the file because then all the optical 00:32:33.570 --> 00:32:38.810 inspection and that would all say well that matches what was sent to us. But that 00:32:38.810 --> 00:32:41.650 was not necessarily what Super Micro sent to the fab. 00:32:41.650 --> 00:32:44.900 Trammell: So the question is, could someone have modified all of the 00:32:44.900 --> 00:32:48.620 manufacturing files that went to the factory, and that's absolutely a 00:32:48.620 --> 00:32:54.520 possibility. But that's also very likely that that would be detected by Super Micro 00:32:54.520 --> 00:33:01.170 itself that in a lot of cases you don't necessarily want to trust the company that 00:33:01.170 --> 00:33:05.930 is making the product to also test it. And you probably want to have a separate 00:33:05.930 --> 00:33:11.059 company that does random spot checks to verify that the boards are actually being 00:33:11.059 --> 00:33:16.460 produced to the specification that you.. that you desire. So it's certainly 00:33:16.460 --> 00:33:24.050 possible and I really don't want to speculate as to the accuracy of that part 00:33:24.050 --> 00:33:31.030 of the story but yeah it would require quite a bit more changes. And also would 00:33:31.030 --> 00:33:34.679 be much more likely to be detected in the spot check. 00:33:34.679 --> 00:33:38.230 Herald: Great. Microphone number two please. 00:33:38.230 --> 00:33:44.510 Mic 2: Yes, for a lot of motherboards there are also quite a few components not 00:33:44.510 --> 00:33:53.750 populated some of which are on which you could consider sensitive myths. Wouldn't 00:33:53.750 --> 00:33:59.430 that make it. Yeah exactly. Wouldn't that make it very easy to do just pop something 00:33:59.430 --> 00:34:04.540 on there in parallel with one of the components and not have it be detected 00:34:04.540 --> 00:34:08.329 because it's like the board is modified. There is a component or you have no way of 00:34:08.329 --> 00:34:11.490 telling whether it had to be populated or not? 00:34:11.490 --> 00:34:18.599 Trammell: Super Micro puts a lot of extra pads on the board in this one particular 00:34:18.599 --> 00:34:28.700 one they have both 8 pin and 16 pin flash chip pads that are just in parallel 00:34:28.700 --> 00:34:32.989 together. So depending on which chip is cheaper that day of the week or who knows 00:34:32.989 --> 00:34:38.419 what, they will populate one or the other. So that's why in this particular photo 00:34:38.419 --> 00:34:47.950 having the position of that circle on the data output pin is very very interesting. 00:34:47.950 --> 00:34:56.659 Herald: Question answered? Okay. So one more question on microphone number two 00:34:56.659 --> 00:35:00.400 please? Mic 2: How far can signing of firmware be 00:35:00.400 --> 00:35:06.470 a solution to this problem? Trammell: Signing firmware solves a lot of 00:35:06.470 --> 00:35:13.401 the issues. It does however not all typically not all of the firmware are 00:35:13.401 --> 00:35:21.020 signed specifically is probably to be signed in in a modern BMC. The kernel and 00:35:21.020 --> 00:35:25.789 maybe the root file system might be signed. But the envy of RAM file system in 00:35:25.789 --> 00:35:32.589 this BMC is designed to be user modifiable so it can't be signed by the manufacturer, 00:35:32.589 --> 00:35:41.340 so this sort of attack would work against a signed BMC just as well. Also the "Hit 00:35:41.340 --> 00:35:49.509 enter to get a serial console" attack circumvents any signing. There are things 00:35:49.509 --> 00:35:56.140 on the host firmware on the x86 like boot card that do a really good job of making 00:35:56.140 --> 00:36:01.520 it harder to get code execution during the boot process. But there have been several 00:36:01.520 --> 00:36:07.720 CVEs where it has been implemented poorly. So even though signature's the firmware is 00:36:07.720 --> 00:36:13.800 signed, people have still managed to get code execution during that process. 00:36:13.800 --> 00:36:18.329 Herald: Great. Thank you Trammell Hudson again, a warm round of applause, thank you 00:36:18.329 --> 00:36:21.009 very much! 00:36:21.009 --> 00:36:24.009 applause 00:36:24.009 --> 00:36:25.529 35c3 postrol music 00:36:25.529 --> 00:36:52.000 Subtitles created by c3subtitles.de in the year 2021. Join, and help us!