[34c3 preroll music]
Herald: Last year he presented how to get JTAG over USB at 33C3. Today he will tell us how to interrogate the Intel Management Engine in a similarly ingenious and devious way. Please join me in welcoming Maxim Goryachy to 34C3.
[Applause]
Maxim Goryachy: Hello guys. I'm speaking about Intel debug capabilities at the CCC conference for the second year in a row. Last time I talked about how new Intel CPUs allow a debug technology called Intel Direct Connect Interface, or DCI, and now I'm going to talk about how to activate DCI for the Intel Management Engine. DCI is a private implementation of widely known industry standards for debugging hardware and low-level software from Intel. In addition I will talk about how it can be used for research and how to use it in practice. Unfortunately my colleague Mark couldn't come, and I will present our research alone. And I think that some of you are hungry, so I will be quick. Our Management Engine research team at Positive Technologies includes the following researchers: my colleagues Dmitry Sklyarov and Mark Ermolov, and myself. Mark Ermolov is my colleague with whom we found the vulnerability in the Intel Management Engine. He is a system programmer and a reverse engineer, and Dmitry Sklyarov is a well-known reverse engineer who did research of the ME filesystem. He recovered the Huffman codes for version 11 of ME, and you can find his tools for unpacking the ME image and for parsing the ME file system on our GitHub pages. Here you can see our previous talks related to ME and our contacts, so feel free to communicate with us about any question you're interested in about our research. As I have just said, I will talk about what Intel ME is, how it's implemented, and how we activated JTAG for the ME core via a vulnerability which Mark and I found. Then I will disclose in detail how our technique works and show proof of our achievements. How many people in this hall know what ME is? Oh, cool! But anyway, a review.
As a topic, the Management Engine is very popular now. First, it's almost fully undocumented and very powerful at the same time. For example, it has full access to your platform's hardware, including the CPU complex, and it has capabilities to intercept everything you are doing on your PC. For example, it has access to the keyboard, to USB and of course to PCI buses. It is also a root of trust for many Intel security features like TPM, like DRM and APT. Intel has chosen the following design for ME version 11: an independent microcontroller, its own operating system based on Minix, a built-in Java machine. It gets started before the main CPU. Its firmware has parts in the PCH, in memory and in SPI flash. Many Intel technologies are implemented with the help of the Management Engine, for example Active Management Technology or PVT, and we think SGX too. Another question: how many people in this hall know what JTAG is? Cool! But some review of JTAG. JTAG stands for Joint Test Action Group, and you can find its description in the IEEE standard; the details are available in the standard itself. There is also the paper available on our blog where the design is described in close detail. Often manufacturers extend standard JTAG by adding their own functions. JTAG in Intel processors is described rather poorly, and some information can be found in documents and patents. You can see our paper on the slide. Starting with Skylake, Intel introduced the Direct Connect Interface technology, and you can find the description of it in the documents and in our works. The diagrams show two types of connection: using a specific device, a so-called Intel SVT Closed Chassis Adapter, or a commonly used USB3 debug cable. I would like to note that the target system in this case doesn't require the use of a hardware agent. The drawback of this technology is that it works out of the box.
The Intel SVT (Silicon View Technology) Closed Chassis Adapter [unintelligible] provides access to DFx features like JTAG and RAM control through the USB3 ports on platforms. It works through USB3 links but implements a private protocol and makes it possible to manipulate the target system in deep sleep mode. It means that in this mode you have independent links between the JTAG adapter and the PCH. The USB3 host on DCI is a common USB3 debug cable which works as an OTG device. That means that a special device appears on the host system, and activation and commands are sent to the device through the common USB interface. The device itself is integrated into the PCH and it transforms the commands into JTAG. If you have JTAG for ME, it means you have almost full control of ME. Two main questions: Does anybody provide any technique for debugging ME on public platforms? And the second: what software and hardware are needed for ME debugging? Okay. The answer to the first question: yes. We found a special partition called UTOK which is allocated on the SPI flash where ME is stored. This partition has the same structure as FPT and the other partitions of ME. The partition holds entries of available debug capabilities. One of these records means the type of unlock: red or orange. Please pay attention, it will be important later. And what does DFx mean? DFx is a collective term for two abbreviations: DFT, design for testability, and DFD, design for debugging. DFT is a set of techniques used for finding manufacturing defects in integrated chips; standard DFT is generally based on ordinary boundary scan and can detect [unintelligible], but Intel extends its DFT in its branded Silicon View Technology. DFD joins all internal chip-level logic used to organize hardware-level debugging of sequences executed by chips. DFx is connected to the external world by a special thing called the embedded DFx interface.
This bridge connects DFx with external industry interfaces like USB. There is a special device in the Platform Controller Hub called the DFx aggregator; its function is to control access to DFx. There are 2 types of unlock. Orange unlock means that vendors may use JTAG debugging for ICH, for example, and the UTOK partition for orange unlock must be signed by the vendor's key. This key is stored in FPF fuses. More interesting is red unlock, because this unlock provides full access to [unintelligible]. The internal devices unlock JTAG for the ME core and provide unlimited access to ME memory. Intel Management Engine uses two devices to support hardware debugging: the DFx aggregator manages DFx functionality, and the CSE zeroing register from the device called GEN, and only BUP and ROM use this device. In the CSE zeroing register we know about only 1 bit. We called it the Intel unlock request, and this register means that you ask the platform to do a red unlock. More interesting are the DFx aggregator registers: the consent register and the personality register. The personality register specifies the type of unlock, red or orange, and the consent register is used to allow writes to the personality register. It means that the consent register, or this bit, allows writing data into the DFx personality register. Red unlock works in 2 steps. In the first, the BUP function is finding the UTOK partition. If the partition is found, BUP checks the partition signature and platform ID. BUP also checks the time, because the token has a time limitation. After that, if all is okay, BUP parses an entry in the UTOK partition called knobs. If the Intel unlock knob is found and the platform is not already unlocked, BUP sets this register and does a reset. After the reset, ROM checks this register and if it's set, clears this register and switches on consent and personality; it means red unlock. After that ROM cleans the ME keys and continues working. But if DCI is active, [unintelligible] doesn't latch the DFx consent register.
It means that if you want to switch on JTAG you don't need to reboot ME. [unintelligible] And how to activate red unlock without Intel keys: at Black Hat Europe we disclosed a bug in the BUP module. This function, as you can see, has a vulnerability: when it calls another function reading the BUP CT file, it gives an incorrect size of data to read. Instead of the local buffer size, the DFS file read function gets the size of the whole file. How we exploited this vulnerability you can find in our presentation from Black Hat. Using the vulnerability we also activated JTAG for the Management Engine to research ME internals. ME JTAG activation without Intel keys may be done in 4 simple steps. First, activate manufacturing mode for the target, it means for DCI, and set the [unintelligible] in the flash descriptor. Then use the vulnerability to allow writes to the DFx personality register, and after that you will have [unintelligible] and you can do research in ME internals. But unfortunately you will have one problem, because you don't have software for debugging [unintelligible]. But it is a small problem. Next, let's talk about the software part of the technology; it's presented by DAL.
Intel DFx Abstraction Layer is a package and library that exposes all the power of the DFx software model. As we found, DAL has a long history, supports various platforms and CPU architectures, and is designed to work with different debug ports and hardware. We know that DAL is the core of all instruments that Intel uses for testing and debugging its hardware and firmware components, so it's provided with Intel System Studio, for example, and can be downloaded without an ID. DAL is almost entirely written in C# and has the following structure: on top, DAL has a console interface and a GUI interface, then a library layer, then the driver transport, and then DFx on the target. We found a patent from Intel with a public description of the DFx [unintelligible] internal interfaces; you can see our previous work for details about the internal structure of DAL. DAL's architecture is based on the notion of nodes; there are two types of nodes, physical and logical. Physical nodes represent a tree of hardware components organized from the probe unit and including the following levels: [unintelligible], bus and others. Logical nodes represent certain functionalities that can be used to perform debugging stuff. The problem is that the public version of DAL doesn't include a configuration for the ME core. However, that didn't stop us and we found a solution. As I said, DAL has some configuration, and as we investigated during reverse engineering of the DAL library, each configuration is included in encrypted XML files. DAL uses the AES cipher and the key derivation function PBKDF2 with a fixed key and salt; [unintelligible] is the salt and [unintelligible] is the key. This simple program allows decrypting the device configuration of DAL.
[Applause]
Thank you.
[Applause continues]
Maybe other [unintelligible] to decrypt, for example microcode of CPU, I don't know. Now there are configurations of many devices; we found that the ME core is an LMT2 device, and the configuration of this device can be found in the decrypted XML files, therefore anybody can write a configuration for ME.
I don't know. For example, on the slide you can see the internal structure of the LP series of PCH. It is the U series of CPU, and at the top it is divided into four parts, and at the top connected parts, and in the end the ME core. And how to do a custom configuration in four steps: first, decrypt the XML files; second, add the following clients to the top SPT XML; and use the DAL environment for ME debugging, and it will make your computer personal again. Some demo. One moment. Okay. It is a version of System Studio, and we decrypt the files with the configuration of DAL and edit them to add some lines. The top is for the H series of PCH and the bottom for the LP series. It is the ME core, it is the link between the ME core and [unintelligible]. We halt the execution, we load some library, reloading our library, we set up a reset break, which is needed to stop on the reset vector in ME. As you can see, the GDT table and the current instruction and the register values, the LDT value, and we are doing a reset of ME and stepping an instruction in ME. Then initialization of segments and a new GDT value, okay. And the demo from Black Hat: it is our stand, it is the host platform, already halted, init settings for the ME core. Oh sorry. It is not ME. The reset vector; as you can see in the catcher interface, it is a special device which the manufacturer [unintelligible] for links between the host CPU and ME, and now we read some read-only register of the CPU from [unintelligible] and set the value of this register from ME. The magic.
[Applause]
And then my demo is more interesting than my English, sorry. And I have a live demo if the internet is good. One moment. It's my machine at work and the internet is not good, sorry. Maybe later. Okay. And our achievements: JTAG activation, well, the achievement in respect to the vulnerability, in addition we activated JTAG for ME. Also we dumped the ME startup code and found a way to extract the platform's key used by the flash file system. It means that you can decrypt and integrate your files into ME and ME doesn't detect it.
And our links: on our GitHub page you can find our tools for ME reversing and researching, and our blogs, where our articles are, and our references. Thank you for your attention. Questions please.
[Applause]
Herald: So anyone that has a question for Maxim, please line up by one of the microphones. They are 1, 2, 3, 4 on this side of the room and 5, 6, 7, 8 on that side of the room. If you are watching online, we have a signal angel, who is monitoring the internet for all of your interesting questions, and they will be asked. So already here at microphone number one.
Mic 1: Okay, so you mention that you dumped the ROM. And previously, as there were some rumors with ROM bypass available, did you compare the dumped...
Maxim: Yeah.
Mic 1: ...ROM against ROM bypass...
Maxim: Yeah.
Mic 1: ...and is it the same?
Maxim: No.
Mic 1: No?
Maxim: We found there is some difference, but it relates to the fact that the ME bypass code starts in protected mode but the real ROM starts in real mode.
Mic 1: Okay, so otherwise it's functioning almost the same.
Maxim: Hmm, we found some difference in cryptography, but I think it is not important.
Herald: So, if you are leaving, please be quiet, the talk is still going on, we're still having questions and answers, and please be considerate of the people asking questions. Thank you. The next one, from microphone number five.
Mic 5: Yeah, so you set the personality register to red and then you reset the ME and it will break at the reset. Is that register persistent over reboots, or do you have to do the exploit and set it every time?
Maxim: Yeah, you need to do it every time. This only persists between resets.
Herald: Signal angel, is there a question from the internet?
Signal Angel: Yes, they'd like to know where to find the internal USB port on the main board.
Maxim: Sorry, please repeat.
Signal Angel: The question is where to find the internal USB port on the main board for the JTAG access.
Maxim: As far as I know, all USB ports now have access to this functionality. You don't need to find these ports on your system. If you have a platform with Skylake, you always have this functionality on your USB ports. Oh, of course, if these ports are linked directly to the PCH; if a port is connected through some other controller, you probably don't have it on those ports.
Herald: Microphone number two.
Mic 2: Does it work, meaning can you extract any key from ME, for example the key for SGX remote attestation?
Maxim: I don't know. We are starting this research on how ME relates with SGX, and I don't know how the key in ME is extracted, derived and loaded and related with SGX. I don't know, sorry.
Herald: Microphone number one.
Mic 1: Did you receive any messages, any recognition about this from Intel?
Maxim: You mean, did we share this information with Intel?
Mic 1: No, did they react in any way to that?
Maxim: After our vulnerabilities they said "okay".
[Audience laughs]
Mic 1: Okay, so nothing much except for patches?
Maxim: Yeah.
Mic 1: Okay, thank you.
Herald: Signal angel, is there another question from the internet?
Signal Angel: Yeah, how can you disable the JTAG access? Is just disabling the ME enough, or what do you have to do?
Maxim: Sorry, you mean how Intel disables this functionality for ME, and...
Signal Angel: How can you fix it now, how could Intel fix it, or how can you secure your own system?
Maxim: It is not, it is just a feature, it is not a bug, sorry. You don't have a chance to switch on JTAG for ME if you don't have a UTOK or you don't have a vulnerability. And JTAG for ME is switched on only in the BUP module. If we have a vulnerability in another module, for example in AMT, we can't do it. And if you try, it's a feature, it is not a bug. You can switch off HECI in the flash descriptor to fix the DCI problem which we found last year, and it will be okay.
Herald: Microphone number four in the back.
Mic 4: I believe one of your previous slides mentioned that they incorporated a Java Virtual Machine. Why on god's earth did they do that?
Maxim: As far as I know, it is DAL and it has some relation with [unintelligible], as far as I know. I don't have details.
Herald: So, microphone number five.
Mic 5: The last slide mentioned the extraction of platform keys. So a simple question: are they enough to sign a firmware update which you would modify so that ME would accept it?
Maxim: No, sorry. Please repeat.
Mic 5: Okay, so let me rephrase...
Maxim: I understand. Okay, the firmware is signed by the Intel public key. I don't have the private key of Intel, and this key is not built into ME. It is only the platform key; this key is for symmetric encryption of files and signing files on the file system. If you have this key, you can only modify the file system. But unfortunately the execution modules start in other places.
Mic 5: Okay, I get it, so there is no path for castrating the system from ME yet. Thank you.
Herald: Signal angel?
Signal Angel: Can you have only free software running on the ME?
Maxim: Sorry, please repeat the question, slowly.
Signal Angel: Can you have only free software running on the ME by modifying the flash contents?
Maxim: I don't understand, sorry. You mean how we can modify the file systems or not?
Signal Angel: Yeah, replace the ME firmware with free code.
Maxim: No, no, unfortunately, because we can't change the chain between ROM and the BUP module. And we can't change the kernel of ME and the BUP module. I don't know how to use this functionality to change it to an open source solution. But of course you can do a special device with DCI functionality which replaces, after reboot, all of ME from the reset vector and executes it. But it has some quirks, somehow it's impossible, I think.
Herald: Microphone number two.
Mic 2: Are you aware of anywhere the MINIX image has been leaked, somewhere where perhaps it could be downloaded and analyzed?
Maxim: Unfortunately the kernel of ME is only based on MINIX. And the Intel guys rewrote almost all of the kernel. And from reverse engineering. And maybe you can get information from Intel after signing an NDA, I don't know.
Herald: Microphone number eight.
Mic 8: Do you think it would ever be possible to add your own public keys, or are the Intel public keys for signing the firmware stored in a ROM only?
Maxim: I'm sorry, you mean...
Mic 8: Could you add your own public keys for signing firmware with, or is it not possible because the ME checks the public key?
Maxim: ME checks only the hash of the public key, and we know that ROM has [unintelligible] in the ME [unintelligible] version which signs with two keys. We saw only one key [unintelligible]. And ROM checks that the SHA of the public key exists in a whitelist. ROM has 8 hard-coded hashes of keys, a whitelist of these hashes. And if your key is in this list, you can run your ME firmware.
Mic 8: Okay, but that list of hashes is in ROM?
Maxim: Yeah, yeah.
Mic 8: Okay, thank you.
Herald: Signal angel.
Signal Angel: What is your general impression of the security of ME? How vulnerable is it to attacks?
Maxim: Sorry, you mean how vulnerable, you mean does it have an ability to help us do it? Sorry.
Signal Angel: You know, how vulnerable is it to other attacks?
Maxim: In other modules, yeah?
Signal Angel: Sorry, on what?
Maxim: In other modules.
Herald: So I think the question is, in general, how good is the security of the Intel ME?
Maxim: So sorry...
Herald: In general, how good is the security of the Intel ME, altogether?
Maxim: I think it is, because an independent researcher can use it for dynamic analysis of any code; it's cool, I think.
Herald: Microphone number seven.
Mic 7: Do you have plans to research some specific parts of the Intel ME in the future?
Maxim: Yeah, of course. Intel will publish an ME 11 version and I know that they changed the Huffman tables, for example. And the next round of this game will start.
Herald: Is there another question at microphone 7?
Mic 7: So if I understood you correctly, just to make sure, this means that if you have a CPU of this Skylake architecture and a USB 3 port, you can always get low-level access to the ME.
Maxim: Exactly.
Mic 7: So, if I were to own such a chip, I would want that patched. What's the usual path? Does the patch come in a Windows patch or a BIOS update, or what is it?
Maxim: You have some ways to use it. If you have an SPI programmer, you can rewrite the flash. You mean how we can exploit it?
Mic 7: No, sorry, how will Intel distribute a patch for this vulnerability?
Maxim: Oh, unfortunately, because downgrade is always possible. Intel patched only the error in the BUP function. But a researcher or attacker can always downgrade the version to an earlier ME and exploit it without any problem. With an SPI controller or an SPI programmer, and maybe another way.
Mic 7: Okay, thank you.
Herald: Microphone number one.
Mic 1: In the demo with the video, we saw the connection between the two machines with this blue box, but I think there's another way to connect them with just a USB cable. Is there anything you can do with the blue box that you can't do without it?
Maxim: Yeah, we checked it; we use only the USB3 debug cable. But it is not possible for us because we need to recover the state of work for loading in ME. I do it, but I don't like that, because I need to stop execution for my research. It is easy for me because we were using a blue box.
Mic 1: Thank you.
Herald: Signal angel.
Signal Angel: Do you plan to publish the mask ROM dump in the future?
Maxim: Yeah, we plan to do it, yeah.
Herald: Signal angel again.
Signal Angel: Just give me a moment.
Maxim: I didn't know, maybe when I come back to Moscow.
Herald: Any other burning questions?
Please come up to one of the numbered microphones. Then, with that, let's give Maxim a great warm applause.
Maxim: Thank you very much for your attention.
Herald: Thank you so much, Maxim.
[Applause]
[34c3 outro]
Subtitles created by c3subtitles.de in the year 2020. Join, and help us!