34c3 preroll music
Herald: Last year he presented how to get
JTAG over USB at the 33C3. Today he will
tell us how to interrogate the Intel
Management Engine in a similarly ingenious
and devious way. Please join me in
welcoming Maxim Goryachy to 34C3.
Applause
Maxim Goryachy: Hello guys. I'm speaking
about Intel debug capabilities at the CCC
conference for the second year in a row.
Last time I talked about how new Intel
CPUs allow a debug technology called Intel
Direct Connect Interface, or DCI, and now
I'm going to talk about how to activate DCI
for the Intel Management Engine. (Sorry.) DCI
is Intel's private implementation of widely
known industry standards for debugging
hardware and low-level software. In
addition I will talk about how it can be
used for research and how to use it in
practice. Unfortunately my colleague Mark
couldn't come, so I will present our
research alone. And I think that you are
somewhat hungry, so I will be quick. Our
Management Engine research team at
Positive Technologies includes the following
researchers: my colleagues Dmitry Sklyarov
and Mark Ermolov, and myself. Mark Ermolov
is my colleague with whom I found the
vulnerability in Intel Management Engine.
He is a system programmer and a reverse
engineer, and Dmitry Sklyarov is a well-known
reverse engineer who did the research of the
ME filesystem. He recovered the Huffman codes
for version 11 of ME, and you can find his
tool for unpacking ME images and for parsing
the ME file system on our GitHub pages. Here
you can see our previous talks related to ME
and our contacts, so feel free to contact
us with any question you are interested in
about our research. As I have just said, I
will talk about what Intel ME is, how it is
implemented, and how we activated JTAG for
the ME core via the vulnerability which Mark
and I found. Then I will disclose in detail
how our technique works and show proof of
our achievements. How many people in this
hall know what ME is? Oh cool! But here is
a short review. As a topic, the
Management Engine is very popular now.
First, it's almost fully undocumented and
very powerful at the same time. For
example, it has full access to your
platform's hardware including the CPU
complex; it has capabilities to intercept
all that you are doing on your PC. For
example, it has access to the keyboard, to
USB and of course to PCI buses. It is also a
root of trust for many Intel security
features like TPM, like DRM and APT. Intel
has chosen the following design for ME
version 11: an independent microcontroller,
its own operating system based on Minix, a
built-in Java machine. It gets started before
the main CPU. Its firmware has parts in the
PCH, in memory and in SPI flash. Many
Intel technologies are implemented with the
help of the Management Engine, for example
Active Management Technology or PVT, and we
think SGX too. Another question: how
many people in this hall know what JTAG is?
Cool! But a short review of JTAG. JTAG
stands for Joint Test Action Group, and you
can find its description in the IEEE
standard; the details are available in the
standard itself. There is also a paper
available on our blog where the design is
described in close detail. Often
manufacturers extend standard JTAG by
adding their own functions. JTAG in Intel
processors is described rather poorly, and
some information can be found in documents
and patents. You can see our paper on the
slide. Starting with Skylake, Intel
introduced the Direct Connect Interface
technology, and you can find its description
in the documents and in our works. The
diagrams show two types of connection:
using a specific device, the so-called Intel
SVT Closed Chassis Adapter, or a commonly
used USB3 debug cable. I would like to
note that the target system in this case
doesn't require the use of a hardware
agent. The drawback of this technology is
that it works out of the box. Intel SVT,
Silicon View Technology, Closed Chassis
Adapter provides access to DFx features like
JTAG and run control through USB3 ports on
platforms. It works through USB3 links but
implements a private protocol and makes it
possible to manipulate the target system
in deep sleep mode. It means that in this
mode you have an independent link between the
JTAG adapter and the PCH. The USB3 host on DCI
with a common USB3 debug cable works as an OTG
device; that means that a special device
appears on the host system, and activation
and commands are sent to the device through
the common USB interface. The device
itself is integrated into the PCH, and it
transforms the commands into JTAG. If you
have JTAG for ME devices, it means you have
almost full control of ME. Two main
questions. First: does Intel provide any
technique for debugging ME on public
platforms? And the second: what
software and hardware are needed for ME
debugging? OK. The answer to the first
question: yes. We found a special
partition called UTOK which is allocated on
the SPI flash where ME is stored. This
partition has the same structure as FPT and
the other partitions of ME. The partition
holds entries of available debug
capabilities. One of these records means
the type of unlock: red or orange.
Please pay attention, it will be important
later. And what does DFx mean? DFx is a
collective term for two abbreviations: DFT,
design for testability, and DFD, design
for debugging. DFT is a set of techniques
used for finding manufacturing defects in
integrated chips; standard DFT is
generally based on ordinary boundary scan
and can detect (unintelligible), but Intel
extends its DFT in its branded Silicon View
Technology. DFD joins all internal
chip-level logic used to organize
hardware-level debugging of code sequences
executed by chips. DFx is connected to the
external world by a special thing called
Embedded DFx Interface. This bridge
connects DFx with external industry
interfaces like USB. There is a special
device in the Platform Controller Hub
called DFx Aggregator; its function is
to control access to DFx. Two types: orange
type means that vendors may use
JTAG debugging, for ICH for example, and
the UTOK partition for orange unlock must be
signed by the vendor's key. This key is stored
in FPF fuses. More interesting is red
unlock, because this unlock provides full
access to the PCH. The internal devices
unlock JTAG for the ME core and provide
unlimited access to ME memory. Intel
Management Engine uses two devices to
support hardware debugging: the DFx
Aggregator manages DFx
functionality, and the CSE zeroing register
from a device called GEN; only
BUP and ROM use this device.
It is the CSE zeroing register,
of which we know only
about one bit.
We called it Intel Unlock
Request, and this register means that you
asked the platform to do red unlock. More
interesting are the DFx Aggregator registers,
the personality register and the consent
register. The personality register
specifies the type of unlock, red or orange,
and consent is used to allow writes to the
personality register. It means that the
consent register, or rather this bit, allows
writing data into the DFx personality
register. And red unlock works in two
steps. On the first, the BUP function is
finding the UTOK partition. If the partition
is found, BUP is checking the partition
signature and platform ID. Also BUP checks
the time, because the token has a time
limitation, and after that, if all is okay,
BUP parses an entry in the UTOK partition
called knobs. If the Intel unlock knob is
found and the platform is not already
unlocked, BUP sets the zeroing register and
does a reset of ME. After reset, ROM is
checking the CSE zeroing register, and if it's
set, it cleans this register and switches on
consent and personality; it means red unlock.
After that ROM is cleaning the ME keys and
working. But if DCI is active, ME doesn't
latch the DFx consent register. It means
that if you want to switch on JTAG you
don't need to reboot ME. In the second part
let's talk in detail about how to activate,
how to get red unlock without Intel keys.
At Black Hat Europe we disclosed a bug in
the BUP module. This function, as you can
see, has a vulnerability: when it calls
another function reading a BUP file, it
gives an incorrect size of data to read;
instead of the local buffer size, the file
read function gets the size of the whole
file. How we exploited this vulnerability
you can find in our presentation from Black
Hat, and using the vulnerability we also
have activated JTAG for Management Engine
to research ME internals. JTAG activation
without Intel keys may be done in four
simple steps: on the first, activate
manufacturing mode for the target; then
enable DCI and set the soft strap in the
flash descriptor; then use the vulnerability
to write 3 to the DFx personality register,
and after that you will have ME
(unintelligible) and you can do research in
ME internals. But unfortunately you will
have one problem, because you don't have
software for debugging ME. But it is a small
problem, and next let's talk about the
software part of the technology. It is
represented by DAL:
Intel DFx Abstraction Layer package. It is a
large library that exposes all the power of
the DFx software model. As we found, DAL
has a long history, supports various
platforms and CPU architectures, and is
designed to work with different debug ports
and hardware. We know that DAL is the core
of all the instruments that Intel uses for
testing and debugging of its hardware and
firmware components, so it's provided with
Intel System Studio, for example, and can be
downloaded without an NDA. DAL is almost
entirely written in C# and has the following
structure: on the top DAL has a console
interface and a GUI interface, then a library
layer, then driver transport and DFx on
target. We found a patent from Intel with a
public description of the correlation of DFx
and its internal interfaces; you can see our
previous work for details about the
internal structure of DAL. DAL's
architecture is based on the notion of nodes.
There are two types of nodes, physical and
logical. Physical nodes represent a tree of
hardware components organized from the probe
unit and including the following levels:
JTAG, I2C bus and others. Logical nodes
represent certain functionalities that
can be used to perform debugging stuff. The
main problem is that the public version of
DAL doesn't include a configuration for the
ME core. However, that didn't stop us
and we found a solution. As I said, DAL
has some configurations, and as
we investigated during reverse engineering
of the DAL library, each configuration is
included in encrypted XML files. DAL uses the
AES cipher and the key derivation function
PBKDF2 with a fixed key and salt: the first
lines of a poem are the salt and
(unintelligible) is the key. The simple
program on the slide allows decrypting the
device configuration of DAL.
applause
Thank you.
applause continues
Maybe there are other poems to decrypt,
for example
the microcode of the CPU, I don't know.
As there is no configuration for any ME
devices, we found that the ME core is an LMT2
device, and the configuration of this
device can be found in the decrypted XML
files, so anybody can write a
configuration for ME, I don't know. For
example, on the slide you can see the
internal structure of the LP series of PCH.
It is the U series of CPU, and at the top it
is divided into four parts, and at the top
connected parts, and in the end the ME core.
And how to do a custom configuration, a few
simple steps: on the first, decrypt the XML
files; the second, add the following lines
to the top SPT XML; and use the DAL
environment for ME debugging, and it will
make your computer personal again. Some
demo. One moment.
Okay. It is a version of System Studio,
and we decrypt the files with the
configuration of DAL, and edit them to add
some lines. The top is for the H series of
PCH and the bottom for the LP series. It is
the ME core, it is the link between the ME
core and (unintelligible).
We halt the execution, we load some,
reloading some library, our library; we
set up reset breaks, they are needed to stop
on the reset vector in ME. As you can see,
the GDT table and the current instruction and
the register values, the LDT value, and we
are doing a reset of ME and stepping
instructions in ME. Then initialization
of segments and a new GDT value, okay. And
a demo from Black Hat. It is our stand,
it is the host platform, already halted; init
settings for the ME core. Oh sorry, it is not
ME. The reset vector, as you can see in the
HECI interface; it is a
special device which the manufacturer uses
for links between the host CPU and ME, and
now we read some read-only register of the
CPU from (???????) and set the value of
this register from ME. The magic.
applause
And my demo
is more interesting than my English,
sorry. And I have a live demo if the internet
will be good. One moment. It's my machine
at work and the internet is not good,
sorry. Maybe, maybe later. Okay. And our
achievements: JTAG activation. We did
JTAG activation with respect to the
vulnerability; in addition we activated
JTAG for ME. Also we dumped the ME startup
code and found the way to extract the
platform's key used by the flash file
system. It means that you can decrypt and
integrate your files into ME, and ME
doesn't detect it. And our links: on our
GitHub page you can find our tools for ME
reversing and research, and our blogs, where
our articles and our references are. Thank
you for your attention. Questions please.
applause
Herald: So anyone that has a question for
Maxim please line up by one of the
microphones. They are 1, 2, 3, 4 on this
side of the room and 5, 6, 7, 8 on that
side of the room. If you are watching
online we have a signal angel, who is
monitoring the internet for all of your
interesting questions and they will be
asked. So, we already have someone here
at microphone number one.
Mic 1: Okay, so you mention
that you dumped the ROM. And previously,
as there were some rumors with ROM bypass
available, did you compare the dumped
Maxim: Yeah.
Mic 1: ROM against ROM bypass
Maxim: Yeah.
Mic 1: and is it the same?
Maxim: No.
Mic 1: No?
Maxim: We found there are some differences,
but it relates to the fact that the ME bypass
code starts in protected mode but the
real ROM starts in real mode.
Mic 1: Okay, so otherwise it's
functioning almost the same.
Maxim: Hmm, we found some differences in
cryptography but I think it is not
important.
Herald: So, if you are leaving,
please be quiet; the talk is still
going on, we're still having questions and
answers, and please be considerate of the
people asking questions. Thank you. The
next one, from microphone number five.
Mic 5: Yeah, so you set the personality
register to red and then you reset the ME
and it will break at the reset. Is that
register persistent over reboots, or do you
have to do the exploit and set it every
time?
Maxim: Yeah, you need to do it every time.
It only persists between resets.
Herald: Signal angel, is there's a
question from the internet.
Signal Angel: Yes, they'd like to know
where to find the internal USB port on the
main board.
Maxim: Sorry, please repeat.
Sig Ang: The question is where to find the
internal USB port on the main board for
the JTAG access.
Maxim: As far as I know, all USB ports now
have access to this functionality. You don't
need to find special ports on your system. If
you have a platform with Skylake you always
have this functionality on your USB ports.
Oh, of course, if these ports link directly
to the PCH; if the port is connected
through some other controller you probably
don't have it on these ports.
Herald: Microphone, microphone number two.
Mic 2: Does it work, meaning can you extract
any key from ME, for example the key for SGX
remote attestation?
Maxim: I don't know. We are starting this
research of how ME relates to SGX and we,
I don't know how keys in ME are extracted,
derived and loaded and relate to SGX. I don't
know, sorry.
Herald: Microphone number one.
Mic 1: Did you receive any messages,
any recognition about this from Intel?
Maxim: You mean that - did we share this
information with Intel?
Mic 1: No, did they
react in any way to that?
Maxim: After our vulnerabilities they said
"okay"
audience laughs
Mic 1: Okay, so nothing much
except for patches?
Maxim: Yeah.
Mic 1: Okay, thank you.
Herald: Signal angel, is there another
question from the internet?
Sig Ang: Yeah, how can you disable the
JTAG access? Is just disabling the ME
enough, or what do you have to do?
Maxim: Sorry, you mean how Intel disabled
this functionality for ME and...
Sig Ang: How can you fix it now, how could
the Intel fix it or how can you secure
your own system?
Maxim: It is not, it is just a feature, it is
not a bug, sorry. You don't have any
chance to switch on JTAG for ME if
you don't have UTOK or you don't have a
vulnerability. And JTAG for ME is switched on
only in the BUP module.
If we have a vulnerability in
another module, for example in AMT, we
can't do it. And if you have to try,
it's a feature, it is not a bug. You can
switch off HECI in the flash descriptor and
fix the DCI problem which we found
last year, and it will be OK.
Herald: Microphone number four
in the back.
Mic 4: I believe one of your previous
slides mentioned that they incorporated a
Java Virtual Machine. Why on God's earth
did they do that?
Maxim: As far as I know, it is DAL and it
has some relation with (unintelligible), as
far as I know. I don't have details.
Herald: So microphone number five.
Mic 5: The last slide mentioned the
extraction of platform keys. So a simple
question - are they enough to sign a
firmware update which you would modify so
that ME would accept it--
Maxim: No, sorry. Please repeat.
Mic 5: Okay so let me rephrase
Maxim: I understand. Okay, the
firmware is signed with Intel's public key. I
don't have the private key of Intel, and this
key is not built into ME. It is only the
platform key; this key is for symmetric
encryption of files and signing of files on
the file system. If you have this key, you
can only modify the file system. But
unfortunately the execution modules start in
other places.
Mic 5: Okay, I get it, so there is no path
for castrating the system from ME yet.
Thank you.
Herald: Signal angel?
Signal Angel: Can you have only free
software running on the ME?
Maxim: Sorry,
please repeat question, slowly.
Signal Angel: Can you have only free
software running on the ME by modifying
the flash contents?
Maxim: I don't understand, sorry. You mean
how we can modify the file
system, or not?
Signal Angel: Yeah replace the ME firmware
with free code
Maxim: No, no, unfortunately, because we
can't change the chain between the
ROM and the BUP module. And we can't
change the kernel of ME and the BUP module. I
don't know how to use this functionality to
change it to an open source solution.
But of course you can do a
special device with DFx functionality
which replaces, after reboot, all of ME from
the reset vector and executes it. But it has
some quirks, somehow, somewhat impossible, I think.
Herald: Microphone number two.
Mic 2: Are you aware anywhere the MINIX
image has been leaked somewhere where
perhaps it could be
downloaded and analyzed?
Maxim: Unfortunately the kernel of ME is only
based on MINIX. And the Intel guys rewrote
almost all of the kernel. And that is from
reverse engineering. And maybe
indeed you can get information from Intel
after signing an NDA, I don't know.
Herald: Microphone number eight.
Mic 8: Do you think it
would ever be possible to add your own
public keys, or are the Intel public keys
for signing the firmware
stored in a ROM only?
Maxim: I'm sorry, you mean..
Mic 8: Could you add your own public keys
for signing firmware with, or is that not
possible because the ME checks the public
key?
Maxim: ME checks only the hash of the public
key, and we know that ROM in ME major
version 11 (unintelligible), which signs with
two keys. We saw only one key from
(unintelligible). And ROM checks that the SHA
of the public key exists in a whitelist. ROM
has hard-coded 8 hashes of keys, a
whitelist of all these hashes.
And if your key is in this list you can run
your ME firmware.
Mic 8: Okay but that
list of hashes is in ROM?
Maxim: Yeah yeah.
Mic 8: Okay, thank you.
Herald: Signal angel.
Signal Angel: What is your general
impression of this security of ME - how
vulnerable is it to attacks?
Maxim: Sorry, you mean how vulnerable, you
mean having an ability to help us do it?
Sorry.
Signal Angel: You know, how vulnerable is
it to other attacks?
Maxim: In other modules, yeah?
Signal Angel: Sorry, on what?
Maxim: In other modules.
Herald: So I think the question is in
general how good is the security of the
Intel ME?
Maxim: So sorry..
Herald: In general, how good is the
security of the Intel ME, altogether?
Maxim: I think it is, because an
independent researcher can use it for
dynamic analysis of any code; it's
cool, I think.
Herald: Microphone number seven.
Mic 7: Do you have plans to research some
specific parts of the
Intel ME in the future?
Maxim: Yeah, of course. Intel will publish
an ME 11 version and I know that they
changed the Huffman tables, for example. And
the next round of this game will
start.
Herald: Is there another
question at microphone 7?
Mic 7: So if I understood you correctly,
just to make sure, this means that
if you have a CPU of this Skylake
architecture and a USB 3 port, you can
always get low-level access to the ME.
Maxim: Exactly.
Mic 7: So, if I were to own such a chip,
I would want that patched. What's the
usual path? Does the patch come in a
Windows patch or a BIOS update or what is
it?
Maxim: You have some ways to use it.
If you have an SPI programmer, you can
rewrite the flash. You mean how we can
exploit it?
Mic 7: No, how does, sorry, how will Intel
distribute a patch for this vulnerability?
Maxim: Oh, unfortunately, because downgrade
is always possible. Intel patched only the
error in the BUP function.
But a researcher or attacker
can always downgrade the version to an
earlier ME and exploit it without any
problem.
With an SPI controller or an SPI
programmer, and maybe another way.
Mic 7: Okay, thank you.
Herald: Microphone number one.
Mic 1: In the demo with the video, we saw the
connection between the two machines with
this blue box, but I think there's another
way to connect them with just a USB
cable. Is there anything you can do with
the blue box that you can't do without it?
Maxim: Yeah, we checked it; we use only a
USB3 debug cable. But it is not possible
for us because we need to recover the
state of the work for loading in ME. I do it
but I don't like that, because I need to
stop execution for my research. It is easier
for me, and because of that
we were using a blue box.
Mic 1: Thank you.
Herald: Signal angel.
Signal Angel: Do you plan to publish
mask ROM dump in the future?
Maxim: Yeah, we plan to do it, yeah.
Herald: Signal angel again.
Signal Angel: Just give me a moment.
Maxim: I don't know, maybe when I
come back to Moscow.
Herald: Any other burning questions?
Please come up to one of the numbered
microphones. Then with that, let's give
Maxim a great, warm round of applause.
Maxim: Thank you very much for your attention.
Herald: Thank you so much, Maxim.
Applause
34c3 outro
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!