<i>35c3 prerol music</i>

Herald: So Trammell Hudson, who is
standing here, he's taking things apart.

Don't worry not life on stage, but he will
give us a proof of concept and some

details and functionalities about hardware
implants. So the same things that we heard

from Bloomberg article talking about Apple
and super microcomputers with implants

that, yeah, were implanted into those,
into those computers. And I'm really

excited to see this in action. Please give
a warm round of applause to Trammel

Hudson!

<i>applause</i>

Trammell: Before we begin talking about
hardware implants just two quick

disclaimers. The first from my employer
Two Sigma investments as it says are

chocolate bars. This is not investment
advice. And secondly I don't actually know

what the story is behind the super micro
story. No one outside of Bloomberg and

their sources do. But I have spent a lot
of time thinking about hardware implants

starting with the thunderstrike firmware
attack against mac books as well as the

thunderstrike 2 where we were able to get
software to write into the firmware on the

mac books. I've also been thinking a lot
about how to defend against hardware

implants with things like the heads
firmware for slightly more secure laptops

and also as part of my co-lead on the
Linux boot project. We're thinking about

how to protect servers from physical and
software attacks. So with all of this

concentrated thinking about firmware and
hardware attacks, I was really excited

when I saw the Bloomberg story back in
October. But what really intrigued me was

the animated image that they had at the
header that highlighted one small part of

the board as where the implant was, but
what I found really interesting is that is

exactly where I would install a hardware
implant as they described on the SPI bus.

A lot of other people in the hardware and
from our security community thought it

sounded plausible. Other people pointed
out that supply chain attacks come up

periodically and they are definitely a
concern. Some people thought the attack as

described was entirely implausible and in
general we sort of had a Whiskey Tango

Foxtrot moment as everybody scrambled to
figure out what's going on inside their

machines. So, let's step back very quickly
and review what the key claims that

Bloomberg alleged happened. First they
said that Amazon's testers found a tiny

microchip that wasn't part of the board's
original design that had been disguised to

look like a signaling condition signal
condition coupler and that these illicit

chips were connected to the baseboard
management controller or the BMC which

gave them access to machines that were
turned off. That might sound kind of

extreme, but that's actually what the role
of the BMC is, that in most servers the

BMC is running any time the machine is
hooked up to power and it's connected to

the power supplies so that it can turn the
machine on and turn it off. Frequently you

want to be able to do this over a network
so it has its own dedicated LAN port but

it can also share the LAN port with the
with the main system. Serial over LAN is a

really useful way to debug the systems so
it provides that functionality. It can

also provide fake USB volumes to allow to
to do unintended OS installation. A lot of

sites also won't remote KVM so it has VGA
but that VGA support means that it's on

the PCIe BUS and because some PCIe it can
do DMA into main memory. It also is

typically muxed into the SPI flash for
the host firmware, which allows it to

modify it and on some systems it's even
connected to the TPM which allows it to

circumvent the corporate of trust. So with
all of this capability inside this chip

it's really unfortunate that they are
really not well put together. The head of

Azure security says they have no
protection against attacks. There's no

ability to detect if an attack has
happened and there's no ability to recover

from an attack. So having a hardware
implant on the BMC is a really big

concern. The other claim in the article is
that it affected 30 different companies

including Apple and Bloomberg alleges that
Apple found malicious chips independently

on their super micro boards. Went to the
FBI about it and that they then severed

ties with Super Micro. This particular
claim was interesting because it

corroborated a story that had shown up
back in early 2017 that Apple had removed

Super Micro from their data centers. Apple
denied that there was a firmware issue.

But it's interesting that perhaps these
two were related. The third set of claims

is that on some of these implants they
were actually put between the layers on

the PCB and then the most explosive claim
is that this was done by operatives from

China, the Chinese People's Liberation
Army. With a story with this you know this

many claims and this significant of
allegations we'd hoped that it would be

really well sourced and for a normal story
17 independent sources that Bloomberg

editors agreed to grant anonymity to,
including six national security, two

people inside of AWS and three senior
insiders at Apple seems like pretty solid

sourcing, except as soon as this article
is published everyone denied it. The

Director of National Intelligence said
they'd seen no evidence of this. Amazon

said that they've never found any issues
of modified hardware nor have they been

engaged with the government over it. Apple
was even more blunt. CEO Tim Cook said

this did not happen. There is no truth to
this. And Super Micro wrote a fairly

lengthy letter about what they do to
protect their supply chain and why they

think this attack did not happen. And it
is worth going through to look at some of

the things that they say that they do to
protect their supply chain. They point out

that if there's any unauthorized physical
alterations during the manufacturing

process other design elements would not
match and those things would be detected.

To sort of understand how circuit boards
are made, I recently visited a PCB factory

in Guangzhou. This is not a super micro
factory. This is just a holiday photos. So

in order to add new vias they would have
to modify the drill files which would then

get electroplated. If they had to add new
traces, they would have to be able to

subvert the masking and etching process
and any changes to either the drills or

the etching on individual layers would be
caught by the optical inspection that's

done on these bare circuit boards.
Additionally the allegation that things

were inserted between circuit boards would
require that the lamination process be

subverted and that the implant somehow
aligned into the system. If that implant

changes any of the connectivity the flying
protesters would pick it up or the bed of

nails testers which checks all of the
connectivity of all the traces to make

sure that there are no shorts and to make
sure that everything that is supposed to

be connected is electrically conductive.
So it would be very difficult to

circumvent the production process at this
stage. And it also would be very difficult

to contain because the PCB factory doesn't
know which customers are going to receive

those circuit boards. Super Micro also
points out that during the assembly

process when the parts are installed they
have their employees on site the whole

time. On my same holiday trip I also
visited some PCB assembly companies and

spoke with companies that are using doing
contract manufacturing and they said that

they also send their employees to the
production line to observe the pick and

place machines and the reflow and the rest
of the surface mount assembly. Their big

concern is that if they don't have someone
there the parts that are fed in the pick

in place will be replaced with either
counterfeits or with salvaged parts. I

visited the electronics market in ???????
bay where there are people desoldering

e-waste and then sorting the parts into
bins and selling these salvaged components

by the kilo and for a few extra renminbi
they'll put them on rails for you so that

you can save a few pennies on your
production process. The other concern that

these companies have, is not just salvaged
parts but straight up counterfeits.

Especially for things that cost more than
a few dollars each. The Arduino community

was hit a few years ago with a bunch of
counterfeit FTDI chips where the internal

construction was entirely different. In
this case it caused reliability issues but

you can imagine from a security
perspective this is really worrisome that

parts that look identical might have
completely different functionality inside

of them. Super Micro also mentions that
they X-ray their main boards to look for

anomalies and I wasn't able to take any
photos inside the factory there was doing

x-rays. But in this Wikipedia photo we can
clearly see active components like this

SOIC chip are different from things like
the SMD resistors and capacitors. So if an

attacker were trying to subvert the supply
chain by putting a disguise component it

could be detected at this step. Another
interesting thing in this photo are these

inductors that are encased in dip
packages. This is really common in a lot

of Ethernet boards and occasionally people
have thought they had some sort of

hardware implant when they found inductors
in their ethernet jacks but it's pretty

it's fairly common and it shows it pretty
clearly on the x-ray. Some other security

researchers like Sophia D'Antoine did an
extensive teardown of Super Micro boards

including X-ray analysis and her group
found a few oddities but nothing.. they

didn't find anything malicious. There were
no smoking guns. They just appeared to be

sort of supply chain type things. You can
read her blog post for more details about

where they found things that shouldn't
have been there. But turned out to be just

actual signal condition components. So
super micro in their ???? letter, they

keep reenforcing that the manufacturing
process that is the assembly process, it's

during the manufacturing process and I
agree with them. It would be very

difficult to circumvent security in a
reasonable way in that part of the

process. But that's not the only place
this could happen. We know that national

security agencies intercept shipments of
computer hardware and then have their

tailored access operations open the
computers, install hardware implants,

reseal them and then have them continue on
their way in shipment. The NSA even has a

catalog of hardware implants like this
JTAG implant Ethernet jacks with embedded

computers in them as well as firmware
specific ones that target servers SNM(?)

and then some that can do data
exfiltration via RF. So that's sort of

tailored access operations is really ideal
for this supply chain attack because it

allows them to contain the exploit to a
single customer. It allows them fairly

good concealment as well as good cover
that if it's discovered it's really hard

to attribute where things went wrong. Now
unlike if you find something inside your

motherboard between the layers you know
that had to have happened at the factory.

So Super Micro also claim that this was
technically implausible, that it was

highly unlikely that unauthorized hardware
would function properly because a third

party with lack of complete knowledge of
the design. I think that's inaccurate,

both because we know the NSA does it and
also because I have done it.

<i>laughter</i>

Really, all that you need to know is that
these are common components. These flash

chips show up on all the boards. You can
search the internet for the data sheet and

find exactly how it's wired into the rest
of the system. And the only thing that we

need to know to communicate to the BMC is
the serial output pin from this component,

so the BMC flash is connected over to the
BMC CPU via the serial output and it goes

through a small series resistor and that
is where my implant goes in. Mine's a

little bit larger than that resistor. It
clicks onto the board and it has a small

FPGA that hangs offside but it's
completely plausible to fit it into

something that small in fact a modern ARM
M0 fits in the space of two transistors

from a 65 002 from a few years ago. The
Moore's Law means we can pack an amazing

amount of CPU into a very very small
amount of space. So on that 0 6 0 3

resistor could fit around 100 cortex M0 it
would be plenty powerful for this system.

The problem is we only have those two pins
so ordinarily on the spy flashing you need

at least six pens but we don't have power
and ground so we have to passively power

this through the data signal that's
passing through it. We don't have the chip

select pin so we have to guess when this
chip has been talked to. We don't have the

data input pin so we don't know what
addresses are being read or what commands

are being sent. We have to reconstruct it
from the data output pin and we also don't

have a clock pin so we have to figure out
how to synchronize to that clock. Lastly

we don't have the ability to make
arbitrary data changes. All we can do is

disconnect the pin from the BMC so we can
only turn 1 bits into 0 bits. We can't go

the other way around. So with these
limitations we can still do some pretty

interesting things. Recovering the clock
is actually pretty easy. We can look at

the data stream and find the shortest bit
transitions from 0 1 0 or 1 0 1 to

estimate what the clock is which allows us
to then reconstruct that data stream being

sent to the BMC and if we look at the
flash contents we can see that a lot of it

is being fairly random noise but a lot of
it is all white which in this case would

mean that it's all one bits. So if we look
at the way the flash is organized we can

see there's the u-boot bootloader and
that's executable. That's kind of

difficult to make useful changes in, the
kernel and the root file system are both

compressed so that they look effectively
like random noise but the nvram region is

a jffs2 file system and this file system
??? 3 Megs, it's mostly empty and all that

empty space is F F which is all ones. So
this is plenty of ones for us to work on.

Additionally it has fairly nice headers
that we can we can match on. So when we

see these magic bit masks we know when
we've entered different parts of the file

system. So given that we can now
reconstruct the clock we can figure out

where we are in the file system. This
hardware implant can start to inject new

data into what was the empty space. So
this short file that we put in here is a

small shell script and it is one of the
network configuration scripts, so this is

where I'm going to try a live demo and I
hope this works. We're running in qemu

since I didn't bring a Super Micro board
and what we have on the left is the flash

console excuse me the hardware implant
console. And then on the right we have the

serial console from the BMC so we can see
it has loaded the kernel and in a second

it's going to we should see a bunch of
traffic, okay, so the implant is active.

It has replaced the data when that nvram
file system was mounted the BMC is now

continuing on doing its set up. It's going
to load a bunch of device drivers for that

video. It pauses here for some reason that
I haven't diagnosed because that's that's

not my job.

<i>laughter</i>

And eventually it's going to configure the
networks and it does that by running that

shell script off of the nvram partition
here it starts KVM stuff brings up some

things. Allright.
<i>applause</i>

OK. So luckily we got to that point
without having to fake the demo. In the

hardware it's really flaky. My version
works about one in eight times. But it

doesn't typically cause a crash. So that's
actually good for concealment because it

becomes now much harder to determine which
machines are affected. In qemu because

it's emulating, it's a little more
reliable but it's still it's only two out

of three. If we let the BMC boot a little
bit further it actually prints out this

message. And if you hit enter it drops you
to a shell with no password and you can

then just run commands as root on the BMC
and that's a lot easier than all this

stuff with the SPI bus if you wanted to
build a hardware implant against it. I

don't know where the serial port is on the
on the Super Micro but on a different tier

1 server mainboard I was able to probe
around the oscilloscope and locate the

serial console for the BMC. Figure out
it's 115 kbaud and it has the same code

that you hit enter and you can run
commands there. So that's a much easier

way to do it. A big question a lot of
people have is how do we actually detect

this sort of flash implant. A lot of high
assurance sites replace all of their roms

with ones that they flash themselves but
that doesn't get rid of the implant

because it's outside of the ROM chip.
Likewise reading the ROM chip doesn't show

anything because it's not in the ROM
itself it's it's outside of it. Even

hooking up a logic analyzer to the bus and
watching as the machine boots and seeing

the data stream coming out of the flash
won't actually reveal the implant because

you'd have to put the logic probes on the
PGA pads on the flat on the BMC itself.

And that's a much harder task. Some people
think "oh well we can see the weird

network traffic when the BMC tries to
exfiltrate the data" but that would be

that's only one way for the BMC to affect
things. There is a great talk a few years

ago at DefCon from Intel ATR where they
showed how something that can control the

system firmware can backdoor hypervisors.
And then they gave a use case where a

unprivileged guest on a cloud system could
read all of the rest of physical memory so

it could see all of the other guests
memory. So what do we do? The big problems

is the BMC has way too many privileges.
It's connected to pretty much everything

in the system but the BMC is not our only
concern. As @whitequark said, our PCs are

just a bunch of embedded devices in a
trench coat and they all have firmware. In

fact pretty much everything on your system
more complex than a resistor probably has

firmware and if you have one of those
Super Micro implants maybe even your

resistors have firmware as well. I've
found that the firmware and things like

the power supplies can be used to gain
code execution on the BMC. It's really

interesting how tightly connected all of
our systems are. And as Joe Fit's pointed

out in his blackhat ???? talk, these are
not multimillion dollar attacks these are

five euro bits of hardware that we now
have to really be worried about. I really

like the guidelines that NIST has
published that suggests that we think

about our systems more in this holistic
manner. Although the interpreting pretty

much everything into the TPM is the
trusted platform module for doing this

attestation and I think we as a community
need to do more to use the TPM. There

actually a really good tool for securing
our systems but they are also potentially

subject to their own hardware implants.
The NCC Group TPM genie is able to subvert

the core root of trust by interposing on
the TPM. So a lot of folks are proposing

we should move to other trusted execution
environments like SGX or Trustzone. And I

think these have a lot of promise
especially for trusted cloud computing.

There also is a lot of innovation in the
hardware roots of trust going on right now

between the Google Titan, which initially
was for their servers and is now showing

up on all of their chrome books. The
Microsoft Cerberus chip which again is the

Azure system. They're actually publishing
their firmware and the ASIC design so that

people can have a little more faith in it
and they hope it will become an open

standard. And companies like Apple have
also gone their own way. With the T2 and

the T2's are really amazing chip for
securing systems. But it does so at the

expense of user freedom and that gets in
the way of what I think the real way that

we need to.. we need to solve this
problem. We need to get rid of a lot of

these secrets. Counter to what the Super
Micro CEO said, having a secret

motherboard design does not make you more
secure. Things like the Open Compute

hardware I think is a good vision for how
we can move forward that when you buy an

Open Compute server it comes with full
schematics and gerber files. So that

motivated customers can verify that the
systems that they're buying are the ones

that they think they that they're buying
that all of the components are what they

think they should be. I think the firmware
also needs more openness. Ronald Minnich,

Google is my co-lead on Linux boot project
and we think that Linux in the firmware is

a way forward to get a more secure more
flexible and more resilient system. We're

working with a spin off project called
micro BMC that is using the Linux boot

tools to build BMC firmware and this is
opensource. It's reproducibly built it can

work with roots of trust attestation. It's
written in a memory safe language since

it's a Google collaboration and go. And
more importantly we've thrown away all of

the legacy features that have been a
source of a lot of security

vulnerabilities in these systems. So did
it happen? I don't know. Is it technically

possible? I think so. I hope I've
convinced all of you that this is

definitely a technical possibility that we
need to be concerned about and I hope that

the way forward through hardware roots of
trust with attestation and more

importantly with open hardware so that we
know that what the machines were running

are running code that we know.. the code
that we've built that we understand and

that we can actually have a good chance of
being able to take control back of them.

If you're interested in more discussion on
this and also on open firmware, there's an

assembly here in this hall that has a
bunch folks working on a core boot and

Linux boot and a lot of these projects
where you can help contribute and you can

help also pressure vendors to make these
this standard and a way forward for a more

secure computing. So thank you all for
coming. And I really enjoyed the chance to

show off my modship of the state.

<i>applause</i>

Herald: Geat talk, thank you very much
Trammel. We have 10 minutes for questions

so please line up at the microphones if
you have questions. And we also have a

signal angel probably with questions from
the internet. So any questions? Microphone

number three?
Mic 3: Yes, I was going to ask, what's

your opinion on the Talos systems? The
openPOWER based ones?

Trammell: So the question is about the
Talos power 9 based systems power 9 is a

really interesting architecture. The.. it
is using a open firmware very similar to

Linux boot called Petitboot that
moves Linux into the bootloader. I'm a big

fan. There's a lot of folks in the
opensource community who are very excited

about it. I'm hoping that there would be
more power nine systems coming out. I'm

also very excited about the RISC-V
systems. I think having open source CPUs

use is a real way that we can have more
assurance that our systems are what we

think they are.
Herald: Thank you, microphone number two

please.
Mic 2: Yes, thanks for the talk. I was

wondering if you have just a scope probe
over this serial, cause it's just a serial

resistor which we're replacing. If you put
just two scope probes on there and measure

the voltage over it, in your situation
would the voltage change there once in a

while?
Trammell: Yes, yes, yes.

Mic 2: Well okay, in the normal case would
it actually be quite consistent current.

Or if you lowered the input impedance of
the BMC chip who might already have fixed

a part of the attack because the output
sourcing current of your exploit is

probably limited due to the limited supply
you only can..

Herald: Your question please?
Mic 2: Yes.. but.. do you see a way to get

more power into your setup? Maybe using,
well other power sources, other than the

two pins, or maybe somewhere of..
Trammell: Well, so the question is about,

would there be a way to do more arbitrary
changes through redesigning the implant.

One of the goals was to fit with only
those two pins so that a single piece on

the motherboard could be replaced. With a
dual probe soldering iron and you can pop

it out and stick a new one down in a
matter of seconds. So, yes, if you have

more pins where you can get more power
from you can do much more interesting

things. But that's.. would require a
different set of changes to the

motherboard.
Herald: Thank you. Microphone 1 please.

Mic 1: So, a lot of the -like- arguments
that these implants were not feasible by a

Super Micro where you also show the
picture from the fab that you had to

change the etching and the optical
inspection and so on and so on. But how

probable would you rate the fact that some
acto just intercepted the manufacturing

files and added that component already in
the file because then all the optical

inspection and that would all say well
that matches what was sent to us. But that

was not necessarily what Super Micro sent
to the fab.

Trammell: So the question is, could
someone have modified all of the

manufacturing files that went to the
factory, and that's absolutely a

possibility. But that's also very likely
that that would be detected by Super Micro

itself that in a lot of cases you don't
necessarily want to trust the company that

is making the product to also test it. And
you probably want to have a separate

company that does random spot checks to
verify that the boards are actually being

produced to the specification that you..
that you desire. So it's certainly

possible and I really don't want to
speculate as to the accuracy of that part

of the story but yeah it would require
quite a bit more changes. And also would

be much more likely to be detected in the
spot check.

Herald: Great. Microphone number two
please.

Mic 2: Yes, for a lot of motherboards
there are also quite a few components not

populated some of which are on which you
could consider sensitive myths. Wouldn't

that make it. Yeah exactly. Wouldn't that
make it very easy to do just pop something

on there in parallel with one of the
components and not have it be detected

because it's like the board is modified.
There is a component or you have no way of

telling whether it had to be populated or
not?

Trammell: Super Micro puts a lot of extra
pads on the board in this one particular

one they have both 8 pin and 16 pin flash
chip pads that are just in parallel

together. So depending on which chip is
cheaper that day of the week or who knows

what, they will populate one or the other.
So that's why in this particular photo

having the position of that circle on the
data output pin is very very interesting.

Herald: Question answered? Okay. So one
more question on microphone number two

please?
Mic 2: How far can signing of firmware be

a solution to this problem?
Trammell: Signing firmware solves a lot of

the issues. It does however not all
typically not all of the firmware are

signed specifically is probably to be
signed in in a modern BMC. The kernel and

maybe the root file system might be
signed. But the envy of RAM file system in

this BMC is designed to be user modifiable
so it can't be signed by the manufacturer,

so this sort of attack would work against
a signed BMC just as well. Also the "Hit

enter to get a serial console" attack
circumvents any signing. There are things

on the host firmware on the x86 like boot
card that do a really good job of making

it harder to get code execution during the
boot process. But there have been several

CVEs where it has been implemented poorly.
So even though signature's the firmware is

signed, people have still managed to get
code execution during that process.

Herald: Great. Thank you Trammell Hudson
again, a warm round of applause, thank you

very much!

<i>applause</i>

<i>35c3 postrol music</i>

Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!