< Return to Video

35C3 - Modchips of the State

  • 0:00 - 0:20
    35c3 prerol music
  • 0:20 - 0:27
    Herald: So Trammell Hudson, who is
    standing here, he's taking things apart.
  • 0:27 - 0:34
    Don't worry not life on stage, but he will
    give us a proof of concept and some
  • 0:34 - 0:40
    details and functionalities about hardware
    implants. So the same things that we heard
  • 0:40 - 0:45
    from Bloomberg article talking about Apple
    and super microcomputers with implants
  • 0:45 - 0:53
    that, yeah, were implanted into those,
    into those computers. And I'm really
  • 0:53 - 0:58
    excited to see this in action. Please give
    a warm round of applause to Trammel
  • 0:58 - 1:03
    Hudson!
  • 1:03 - 1:08
    applause
  • 1:08 - 1:12
    Trammell: Before we begin talking about
    hardware implants just two quick
  • 1:12 - 1:16
    disclaimers. The first from my employer
    Two Sigma investments as it says are
  • 1:16 - 1:22
    chocolate bars. This is not investment
    advice. And secondly I don't actually know
  • 1:22 - 1:27
    what the story is behind the super micro
    story. No one outside of Bloomberg and
  • 1:27 - 1:32
    their sources do. But I have spent a lot
    of time thinking about hardware implants
  • 1:32 - 1:38
    starting with the thunderstrike firmware
    attack against mac books as well as the
  • 1:38 - 1:45
    thunderstrike 2 where we were able to get
    software to write into the firmware on the
  • 1:45 - 1:51
    mac books. I've also been thinking a lot
    about how to defend against hardware
  • 1:51 - 1:54
    implants with things like the heads
    firmware for slightly more secure laptops
  • 1:54 - 1:59
    and also as part of my co-lead on the
    Linux boot project. We're thinking about
  • 1:59 - 2:10
    how to protect servers from physical and
    software attacks. So with all of this
  • 2:10 - 2:15
    concentrated thinking about firmware and
    hardware attacks, I was really excited
  • 2:15 - 2:21
    when I saw the Bloomberg story back in
    October. But what really intrigued me was
  • 2:21 - 2:26
    the animated image that they had at the
    header that highlighted one small part of
  • 2:26 - 2:33
    the board as where the implant was, but
    what I found really interesting is that is
  • 2:33 - 2:40
    exactly where I would install a hardware
    implant as they described on the SPI bus.
  • 2:40 - 2:45
    A lot of other people in the hardware and
    from our security community thought it
  • 2:45 - 2:50
    sounded plausible. Other people pointed
    out that supply chain attacks come up
  • 2:50 - 2:56
    periodically and they are definitely a
    concern. Some people thought the attack as
  • 2:56 - 3:03
    described was entirely implausible and in
    general we sort of had a Whiskey Tango
  • 3:03 - 3:08
    Foxtrot moment as everybody scrambled to
    figure out what's going on inside their
  • 3:08 - 3:15
    machines. So, let's step back very quickly
    and review what the key claims that
  • 3:15 - 3:22
    Bloomberg alleged happened. First they
    said that Amazon's testers found a tiny
  • 3:22 - 3:27
    microchip that wasn't part of the board's
    original design that had been disguised to
  • 3:27 - 3:33
    look like a signaling condition signal
    condition coupler and that these illicit
  • 3:33 - 3:40
    chips were connected to the baseboard
    management controller or the BMC which
  • 3:40 - 3:44
    gave them access to machines that were
    turned off. That might sound kind of
  • 3:44 - 3:50
    extreme, but that's actually what the role
    of the BMC is, that in most servers the
  • 3:50 - 3:55
    BMC is running any time the machine is
    hooked up to power and it's connected to
  • 3:55 - 4:02
    the power supplies so that it can turn the
    machine on and turn it off. Frequently you
  • 4:02 - 4:07
    want to be able to do this over a network
    so it has its own dedicated LAN port but
  • 4:07 - 4:14
    it can also share the LAN port with the
    with the main system. Serial over LAN is a
  • 4:14 - 4:19
    really useful way to debug the systems so
    it provides that functionality. It can
  • 4:19 - 4:27
    also provide fake USB volumes to allow to
    to do unintended OS installation. A lot of
  • 4:27 - 4:33
    sites also won't remote KVM so it has VGA
    but that VGA support means that it's on
  • 4:33 - 4:40
    the PCIe BUS and because some PCIe it can
    do DMA into main memory. It also is
  • 4:40 - 4:47
    typically muxed into the SPI flash for
    the host firmware, which allows it to
  • 4:47 - 4:52
    modify it and on some systems it's even
    connected to the TPM which allows it to
  • 4:52 - 5:00
    circumvent the corporate of trust. So with
    all of this capability inside this chip
  • 5:00 - 5:07
    it's really unfortunate that they are
    really not well put together. The head of
  • 5:07 - 5:11
    Azure security says they have no
    protection against attacks. There's no
  • 5:11 - 5:16
    ability to detect if an attack has
    happened and there's no ability to recover
  • 5:16 - 5:22
    from an attack. So having a hardware
    implant on the BMC is a really big
  • 5:22 - 5:32
    concern. The other claim in the article is
    that it affected 30 different companies
  • 5:32 - 5:40
    including Apple and Bloomberg alleges that
    Apple found malicious chips independently
  • 5:40 - 5:45
    on their super micro boards. Went to the
    FBI about it and that they then severed
  • 5:45 - 5:52
    ties with Super Micro. This particular
    claim was interesting because it
  • 5:52 - 5:58
    corroborated a story that had shown up
    back in early 2017 that Apple had removed
  • 5:58 - 6:03
    Super Micro from their data centers. Apple
    denied that there was a firmware issue.
  • 6:03 - 6:10
    But it's interesting that perhaps these
    two were related. The third set of claims
  • 6:10 - 6:16
    is that on some of these implants they
    were actually put between the layers on
  • 6:16 - 6:23
    the PCB and then the most explosive claim
    is that this was done by operatives from
  • 6:23 - 6:34
    China, the Chinese People's Liberation
    Army. With a story with this you know this
  • 6:34 - 6:39
    many claims and this significant of
    allegations we'd hoped that it would be
  • 6:39 - 6:45
    really well sourced and for a normal story
    17 independent sources that Bloomberg
  • 6:45 - 6:52
    editors agreed to grant anonymity to,
    including six national security, two
  • 6:52 - 6:57
    people inside of AWS and three senior
    insiders at Apple seems like pretty solid
  • 6:57 - 7:03
    sourcing, except as soon as this article
    is published everyone denied it. The
  • 7:03 - 7:09
    Director of National Intelligence said
    they'd seen no evidence of this. Amazon
  • 7:09 - 7:14
    said that they've never found any issues
    of modified hardware nor have they been
  • 7:14 - 7:21
    engaged with the government over it. Apple
    was even more blunt. CEO Tim Cook said
  • 7:21 - 7:28
    this did not happen. There is no truth to
    this. And Super Micro wrote a fairly
  • 7:28 - 7:32
    lengthy letter about what they do to
    protect their supply chain and why they
  • 7:32 - 7:39
    think this attack did not happen. And it
    is worth going through to look at some of
  • 7:39 - 7:45
    the things that they say that they do to
    protect their supply chain. They point out
  • 7:45 - 7:51
    that if there's any unauthorized physical
    alterations during the manufacturing
  • 7:51 - 7:57
    process other design elements would not
    match and those things would be detected.
  • 7:57 - 8:03
    To sort of understand how circuit boards
    are made, I recently visited a PCB factory
  • 8:03 - 8:11
    in Guangzhou. This is not a super micro
    factory. This is just a holiday photos. So
  • 8:11 - 8:17
    in order to add new vias they would have
    to modify the drill files which would then
  • 8:17 - 8:22
    get electroplated. If they had to add new
    traces, they would have to be able to
  • 8:22 - 8:29
    subvert the masking and etching process
    and any changes to either the drills or
  • 8:29 - 8:35
    the etching on individual layers would be
    caught by the optical inspection that's
  • 8:35 - 8:41
    done on these bare circuit boards.
    Additionally the allegation that things
  • 8:41 - 8:47
    were inserted between circuit boards would
    require that the lamination process be
  • 8:47 - 8:55
    subverted and that the implant somehow
    aligned into the system. If that implant
  • 8:55 - 9:00
    changes any of the connectivity the flying
    protesters would pick it up or the bed of
  • 9:00 - 9:06
    nails testers which checks all of the
    connectivity of all the traces to make
  • 9:06 - 9:09
    sure that there are no shorts and to make
    sure that everything that is supposed to
  • 9:09 - 9:17
    be connected is electrically conductive.
    So it would be very difficult to
  • 9:17 - 9:22
    circumvent the production process at this
    stage. And it also would be very difficult
  • 9:22 - 9:28
    to contain because the PCB factory doesn't
    know which customers are going to receive
  • 9:28 - 9:34
    those circuit boards. Super Micro also
    points out that during the assembly
  • 9:34 - 9:40
    process when the parts are installed they
    have their employees on site the whole
  • 9:40 - 9:48
    time. On my same holiday trip I also
    visited some PCB assembly companies and
  • 9:48 - 9:54
    spoke with companies that are using doing
    contract manufacturing and they said that
  • 9:54 - 9:59
    they also send their employees to the
    production line to observe the pick and
  • 9:59 - 10:06
    place machines and the reflow and the rest
    of the surface mount assembly. Their big
  • 10:06 - 10:10
    concern is that if they don't have someone
    there the parts that are fed in the pick
  • 10:10 - 10:18
    in place will be replaced with either
    counterfeits or with salvaged parts. I
  • 10:18 - 10:23
    visited the electronics market in ???????
    bay where there are people desoldering
  • 10:23 - 10:29
    e-waste and then sorting the parts into
    bins and selling these salvaged components
  • 10:29 - 10:35
    by the kilo and for a few extra renminbi
    they'll put them on rails for you so that
  • 10:35 - 10:42
    you can save a few pennies on your
    production process. The other concern that
  • 10:42 - 10:46
    these companies have, is not just salvaged
    parts but straight up counterfeits.
  • 10:46 - 10:52
    Especially for things that cost more than
    a few dollars each. The Arduino community
  • 10:52 - 10:59
    was hit a few years ago with a bunch of
    counterfeit FTDI chips where the internal
  • 10:59 - 11:08
    construction was entirely different. In
    this case it caused reliability issues but
  • 11:08 - 11:12
    you can imagine from a security
    perspective this is really worrisome that
  • 11:12 - 11:16
    parts that look identical might have
    completely different functionality inside
  • 11:16 - 11:25
    of them. Super Micro also mentions that
    they X-ray their main boards to look for
  • 11:25 - 11:32
    anomalies and I wasn't able to take any
    photos inside the factory there was doing
  • 11:32 - 11:38
    x-rays. But in this Wikipedia photo we can
    clearly see active components like this
  • 11:38 - 11:46
    SOIC chip are different from things like
    the SMD resistors and capacitors. So if an
  • 11:46 - 11:51
    attacker were trying to subvert the supply
    chain by putting a disguise component it
  • 11:51 - 11:57
    could be detected at this step. Another
    interesting thing in this photo are these
  • 11:57 - 12:03
    inductors that are encased in dip
    packages. This is really common in a lot
  • 12:03 - 12:07
    of Ethernet boards and occasionally people
    have thought they had some sort of
  • 12:07 - 12:14
    hardware implant when they found inductors
    in their ethernet jacks but it's pretty
  • 12:14 - 12:20
    it's fairly common and it shows it pretty
    clearly on the x-ray. Some other security
  • 12:20 - 12:26
    researchers like Sophia D'Antoine did an
    extensive teardown of Super Micro boards
  • 12:26 - 12:33
    including X-ray analysis and her group
    found a few oddities but nothing.. they
  • 12:33 - 12:38
    didn't find anything malicious. There were
    no smoking guns. They just appeared to be
  • 12:38 - 12:43
    sort of supply chain type things. You can
    read her blog post for more details about
  • 12:43 - 12:49
    where they found things that shouldn't
    have been there. But turned out to be just
  • 12:49 - 13:01
    actual signal condition components. So
    super micro in their ???? letter, they
  • 13:01 - 13:07
    keep reenforcing that the manufacturing
    process that is the assembly process, it's
  • 13:07 - 13:11
    during the manufacturing process and I
    agree with them. It would be very
  • 13:11 - 13:18
    difficult to circumvent security in a
    reasonable way in that part of the
  • 13:18 - 13:23
    process. But that's not the only place
    this could happen. We know that national
  • 13:23 - 13:30
    security agencies intercept shipments of
    computer hardware and then have their
  • 13:30 - 13:37
    tailored access operations open the
    computers, install hardware implants,
  • 13:37 - 13:44
    reseal them and then have them continue on
    their way in shipment. The NSA even has a
  • 13:44 - 13:51
    catalog of hardware implants like this
    JTAG implant Ethernet jacks with embedded
  • 13:51 - 13:57
    computers in them as well as firmware
    specific ones that target servers SNM(?)
  • 13:57 - 14:05
    and then some that can do data
    exfiltration via RF. So that's sort of
  • 14:05 - 14:09
    tailored access operations is really ideal
    for this supply chain attack because it
  • 14:09 - 14:17
    allows them to contain the exploit to a
    single customer. It allows them fairly
  • 14:17 - 14:21
    good concealment as well as good cover
    that if it's discovered it's really hard
  • 14:21 - 14:26
    to attribute where things went wrong. Now
    unlike if you find something inside your
  • 14:26 - 14:34
    motherboard between the layers you know
    that had to have happened at the factory.
  • 14:34 - 14:47
    So Super Micro also claim that this was
    technically implausible, that it was
  • 14:47 - 14:53
    highly unlikely that unauthorized hardware
    would function properly because a third
  • 14:53 - 15:02
    party with lack of complete knowledge of
    the design. I think that's inaccurate,
  • 15:02 - 15:08
    both because we know the NSA does it and
    also because I have done it.
  • 15:08 - 15:10
    laughter
  • 15:10 - 15:16
    Really, all that you need to know is that
    these are common components. These flash
  • 15:16 - 15:20
    chips show up on all the boards. You can
    search the internet for the data sheet and
  • 15:20 - 15:26
    find exactly how it's wired into the rest
    of the system. And the only thing that we
  • 15:26 - 15:33
    need to know to communicate to the BMC is
    the serial output pin from this component,
  • 15:33 - 15:43
    so the BMC flash is connected over to the
    BMC CPU via the serial output and it goes
  • 15:43 - 15:52
    through a small series resistor and that
    is where my implant goes in. Mine's a
  • 15:52 - 15:57
    little bit larger than that resistor. It
    clicks onto the board and it has a small
  • 15:57 - 16:03
    FPGA that hangs offside but it's
    completely plausible to fit it into
  • 16:03 - 16:12
    something that small in fact a modern ARM
    M0 fits in the space of two transistors
  • 16:12 - 16:18
    from a 65 002 from a few years ago. The
    Moore's Law means we can pack an amazing
  • 16:18 - 16:28
    amount of CPU into a very very small
    amount of space. So on that 0 6 0 3
  • 16:28 - 16:36
    resistor could fit around 100 cortex M0 it
    would be plenty powerful for this system.
  • 16:36 - 16:42
    The problem is we only have those two pins
    so ordinarily on the spy flashing you need
  • 16:42 - 16:48
    at least six pens but we don't have power
    and ground so we have to passively power
  • 16:48 - 16:53
    this through the data signal that's
    passing through it. We don't have the chip
  • 16:53 - 17:00
    select pin so we have to guess when this
    chip has been talked to. We don't have the
  • 17:00 - 17:05
    data input pin so we don't know what
    addresses are being read or what commands
  • 17:05 - 17:11
    are being sent. We have to reconstruct it
    from the data output pin and we also don't
  • 17:11 - 17:19
    have a clock pin so we have to figure out
    how to synchronize to that clock. Lastly
  • 17:19 - 17:23
    we don't have the ability to make
    arbitrary data changes. All we can do is
  • 17:23 - 17:29
    disconnect the pin from the BMC so we can
    only turn 1 bits into 0 bits. We can't go
  • 17:29 - 17:35
    the other way around. So with these
    limitations we can still do some pretty
  • 17:35 - 17:41
    interesting things. Recovering the clock
    is actually pretty easy. We can look at
  • 17:41 - 17:50
    the data stream and find the shortest bit
    transitions from 0 1 0 or 1 0 1 to
  • 17:50 - 17:55
    estimate what the clock is which allows us
    to then reconstruct that data stream being
  • 17:55 - 18:01
    sent to the BMC and if we look at the
    flash contents we can see that a lot of it
  • 18:01 - 18:08
    is being fairly random noise but a lot of
    it is all white which in this case would
  • 18:08 - 18:15
    mean that it's all one bits. So if we look
    at the way the flash is organized we can
  • 18:15 - 18:19
    see there's the u-boot bootloader and
    that's executable. That's kind of
  • 18:19 - 18:25
    difficult to make useful changes in, the
    kernel and the root file system are both
  • 18:25 - 18:33
    compressed so that they look effectively
    like random noise but the nvram region is
  • 18:33 - 18:42
    a jffs2 file system and this file system
    ??? 3 Megs, it's mostly empty and all that
  • 18:42 - 18:50
    empty space is F F which is all ones. So
    this is plenty of ones for us to work on.
  • 18:50 - 18:55
    Additionally it has fairly nice headers
    that we can we can match on. So when we
  • 18:55 - 19:01
    see these magic bit masks we know when
    we've entered different parts of the file
  • 19:01 - 19:07
    system. So given that we can now
    reconstruct the clock we can figure out
  • 19:07 - 19:13
    where we are in the file system. This
    hardware implant can start to inject new
  • 19:13 - 19:20
    data into what was the empty space. So
    this short file that we put in here is a
  • 19:20 - 19:28
    small shell script and it is one of the
    network configuration scripts, so this is
  • 19:28 - 19:37
    where I'm going to try a live demo and I
    hope this works. We're running in qemu
  • 19:37 - 19:46
    since I didn't bring a Super Micro board
    and what we have on the left is the flash
  • 19:46 - 19:51
    console excuse me the hardware implant
    console. And then on the right we have the
  • 19:51 - 19:57
    serial console from the BMC so we can see
    it has loaded the kernel and in a second
  • 19:57 - 20:03
    it's going to we should see a bunch of
    traffic, okay, so the implant is active.
  • 20:03 - 20:10
    It has replaced the data when that nvram
    file system was mounted the BMC is now
  • 20:10 - 20:19
    continuing on doing its set up. It's going
    to load a bunch of device drivers for that
  • 20:19 - 20:24
    video. It pauses here for some reason that
    I haven't diagnosed because that's that's
  • 20:24 - 20:27
    not my job.
  • 20:27 - 20:29
    laughter
  • 20:29 - 20:33
    And eventually it's going to configure the
    networks and it does that by running that
  • 20:33 - 20:43
    shell script off of the nvram partition
    here it starts KVM stuff brings up some
  • 20:43 - 20:53
    things. Allright.
    applause
  • 20:53 - 21:02
    OK. So luckily we got to that point
    without having to fake the demo. In the
  • 21:02 - 21:08
    hardware it's really flaky. My version
    works about one in eight times. But it
  • 21:08 - 21:12
    doesn't typically cause a crash. So that's
    actually good for concealment because it
  • 21:12 - 21:18
    becomes now much harder to determine which
    machines are affected. In qemu because
  • 21:18 - 21:22
    it's emulating, it's a little more
    reliable but it's still it's only two out
  • 21:22 - 21:27
    of three. If we let the BMC boot a little
    bit further it actually prints out this
  • 21:27 - 21:32
    message. And if you hit enter it drops you
    to a shell with no password and you can
  • 21:32 - 21:38
    then just run commands as root on the BMC
    and that's a lot easier than all this
  • 21:38 - 21:43
    stuff with the SPI bus if you wanted to
    build a hardware implant against it. I
  • 21:43 - 21:49
    don't know where the serial port is on the
    on the Super Micro but on a different tier
  • 21:49 - 21:54
    1 server mainboard I was able to probe
    around the oscilloscope and locate the
  • 21:54 - 22:01
    serial console for the BMC. Figure out
    it's 115 kbaud and it has the same code
  • 22:01 - 22:06
    that you hit enter and you can run
    commands there. So that's a much easier
  • 22:06 - 22:12
    way to do it. A big question a lot of
    people have is how do we actually detect
  • 22:12 - 22:18
    this sort of flash implant. A lot of high
    assurance sites replace all of their roms
  • 22:18 - 22:23
    with ones that they flash themselves but
    that doesn't get rid of the implant
  • 22:23 - 22:29
    because it's outside of the ROM chip.
    Likewise reading the ROM chip doesn't show
  • 22:29 - 22:35
    anything because it's not in the ROM
    itself it's it's outside of it. Even
  • 22:35 - 22:41
    hooking up a logic analyzer to the bus and
    watching as the machine boots and seeing
  • 22:41 - 22:46
    the data stream coming out of the flash
    won't actually reveal the implant because
  • 22:46 - 22:52
    you'd have to put the logic probes on the
    PGA pads on the flat on the BMC itself.
  • 22:52 - 22:58
    And that's a much harder task. Some people
    think "oh well we can see the weird
  • 22:58 - 23:03
    network traffic when the BMC tries to
    exfiltrate the data" but that would be
  • 23:03 - 23:08
    that's only one way for the BMC to affect
    things. There is a great talk a few years
  • 23:08 - 23:13
    ago at DefCon from Intel ATR where they
    showed how something that can control the
  • 23:13 - 23:19
    system firmware can backdoor hypervisors.
    And then they gave a use case where a
  • 23:19 - 23:26
    unprivileged guest on a cloud system could
    read all of the rest of physical memory so
  • 23:26 - 23:35
    it could see all of the other guests
    memory. So what do we do? The big problems
  • 23:35 - 23:40
    is the BMC has way too many privileges.
    It's connected to pretty much everything
  • 23:40 - 23:47
    in the system but the BMC is not our only
    concern. As @whitequark said, our PCs are
  • 23:47 - 23:52
    just a bunch of embedded devices in a
    trench coat and they all have firmware. In
  • 23:52 - 23:57
    fact pretty much everything on your system
    more complex than a resistor probably has
  • 23:57 - 24:01
    firmware and if you have one of those
    Super Micro implants maybe even your
  • 24:01 - 24:08
    resistors have firmware as well. I've
    found that the firmware and things like
  • 24:08 - 24:15
    the power supplies can be used to gain
    code execution on the BMC. It's really
  • 24:15 - 24:21
    interesting how tightly connected all of
    our systems are. And as Joe Fit's pointed
  • 24:21 - 24:27
    out in his blackhat ???? talk, these are
    not multimillion dollar attacks these are
  • 24:27 - 24:34
    five euro bits of hardware that we now
    have to really be worried about. I really
  • 24:34 - 24:38
    like the guidelines that NIST has
    published that suggests that we think
  • 24:38 - 24:44
    about our systems more in this holistic
    manner. Although the interpreting pretty
  • 24:44 - 24:50
    much everything into the TPM is the
    trusted platform module for doing this
  • 24:50 - 24:56
    attestation and I think we as a community
    need to do more to use the TPM. There
  • 24:56 - 25:01
    actually a really good tool for securing
    our systems but they are also potentially
  • 25:01 - 25:08
    subject to their own hardware implants.
    The NCC Group TPM genie is able to subvert
  • 25:08 - 25:15
    the core root of trust by interposing on
    the TPM. So a lot of folks are proposing
  • 25:15 - 25:19
    we should move to other trusted execution
    environments like SGX or Trustzone. And I
  • 25:19 - 25:25
    think these have a lot of promise
    especially for trusted cloud computing.
  • 25:25 - 25:31
    There also is a lot of innovation in the
    hardware roots of trust going on right now
  • 25:31 - 25:35
    between the Google Titan, which initially
    was for their servers and is now showing
  • 25:35 - 25:40
    up on all of their chrome books. The
    Microsoft Cerberus chip which again is the
  • 25:40 - 25:47
    Azure system. They're actually publishing
    their firmware and the ASIC design so that
  • 25:47 - 25:50
    people can have a little more faith in it
    and they hope it will become an open
  • 25:50 - 25:57
    standard. And companies like Apple have
    also gone their own way. With the T2 and
  • 25:57 - 26:01
    the T2's are really amazing chip for
    securing systems. But it does so at the
  • 26:01 - 26:07
    expense of user freedom and that gets in
    the way of what I think the real way that
  • 26:07 - 26:11
    we need to.. we need to solve this
    problem. We need to get rid of a lot of
  • 26:11 - 26:19
    these secrets. Counter to what the Super
    Micro CEO said, having a secret
  • 26:19 - 26:23
    motherboard design does not make you more
    secure. Things like the Open Compute
  • 26:23 - 26:27
    hardware I think is a good vision for how
    we can move forward that when you buy an
  • 26:27 - 26:33
    Open Compute server it comes with full
    schematics and gerber files. So that
  • 26:33 - 26:38
    motivated customers can verify that the
    systems that they're buying are the ones
  • 26:38 - 26:42
    that they think they that they're buying
    that all of the components are what they
  • 26:42 - 26:49
    think they should be. I think the firmware
    also needs more openness. Ronald Minnich,
  • 26:49 - 26:56
    Google is my co-lead on Linux boot project
    and we think that Linux in the firmware is
  • 26:56 - 27:04
    a way forward to get a more secure more
    flexible and more resilient system. We're
  • 27:04 - 27:10
    working with a spin off project called
    micro BMC that is using the Linux boot
  • 27:10 - 27:17
    tools to build BMC firmware and this is
    opensource. It's reproducibly built it can
  • 27:17 - 27:23
    work with roots of trust attestation. It's
    written in a memory safe language since
  • 27:23 - 27:28
    it's a Google collaboration and go. And
    more importantly we've thrown away all of
  • 27:28 - 27:31
    the legacy features that have been a
    source of a lot of security
  • 27:31 - 27:41
    vulnerabilities in these systems. So did
    it happen? I don't know. Is it technically
  • 27:41 - 27:45
    possible? I think so. I hope I've
    convinced all of you that this is
  • 27:45 - 27:51
    definitely a technical possibility that we
    need to be concerned about and I hope that
  • 27:51 - 27:56
    the way forward through hardware roots of
    trust with attestation and more
  • 27:56 - 28:01
    importantly with open hardware so that we
    know that what the machines were running
  • 28:01 - 28:07
    are running code that we know.. the code
    that we've built that we understand and
  • 28:07 - 28:13
    that we can actually have a good chance of
    being able to take control back of them.
  • 28:13 - 28:18
    If you're interested in more discussion on
    this and also on open firmware, there's an
  • 28:18 - 28:24
    assembly here in this hall that has a
    bunch folks working on a core boot and
  • 28:24 - 28:29
    Linux boot and a lot of these projects
    where you can help contribute and you can
  • 28:29 - 28:38
    help also pressure vendors to make these
    this standard and a way forward for a more
  • 28:38 - 28:42
    secure computing. So thank you all for
    coming. And I really enjoyed the chance to
  • 28:42 - 28:50
    show off my modship of the state.
  • 28:50 - 28:56
    applause
  • 28:56 - 29:03
    Herald: Geat talk, thank you very much
    Trammel. We have 10 minutes for questions
  • 29:03 - 29:11
    so please line up at the microphones if
    you have questions. And we also have a
  • 29:11 - 29:25
    signal angel probably with questions from
    the internet. So any questions? Microphone
  • 29:25 - 29:30
    number three?
    Mic 3: Yes, I was going to ask, what's
  • 29:30 - 29:36
    your opinion on the Talos systems? The
    openPOWER based ones?
  • 29:36 - 29:42
    Trammell: So the question is about the
    Talos power 9 based systems power 9 is a
  • 29:42 - 29:48
    really interesting architecture. The.. it
    is using a open firmware very similar to
  • 29:48 - 29:55
    Linux boot called Petitboot that
    moves Linux into the bootloader. I'm a big
  • 29:55 - 29:59
    fan. There's a lot of folks in the
    opensource community who are very excited
  • 29:59 - 30:08
    about it. I'm hoping that there would be
    more power nine systems coming out. I'm
  • 30:08 - 30:13
    also very excited about the RISC-V
    systems. I think having open source CPUs
  • 30:13 - 30:19
    use is a real way that we can have more
    assurance that our systems are what we
  • 30:19 - 30:23
    think they are.
    Herald: Thank you, microphone number two
  • 30:23 - 30:27
    please.
    Mic 2: Yes, thanks for the talk. I was
  • 30:27 - 30:33
    wondering if you have just a scope probe
    over this serial, cause it's just a serial
  • 30:33 - 30:37
    resistor which we're replacing. If you put
    just two scope probes on there and measure
  • 30:37 - 30:41
    the voltage over it, in your situation
    would the voltage change there once in a
  • 30:41 - 30:42
    while?
    Trammell: Yes, yes, yes.
  • 30:42 - 30:47
    Mic 2: Well okay, in the normal case would
    it actually be quite consistent current.
  • 30:47 - 30:57
    Or if you lowered the input impedance of
    the BMC chip who might already have fixed
  • 30:57 - 31:02
    a part of the attack because the output
    sourcing current of your exploit is
  • 31:02 - 31:05
    probably limited due to the limited supply
    you only can..
  • 31:05 - 31:12
    Herald: Your question please?
    Mic 2: Yes.. but.. do you see a way to get
  • 31:12 - 31:18
    more power into your setup? Maybe using,
    well other power sources, other than the
  • 31:18 - 31:23
    two pins, or maybe somewhere of..
    Trammell: Well, so the question is about,
  • 31:23 - 31:28
    would there be a way to do more arbitrary
    changes through redesigning the implant.
  • 31:28 - 31:34
    One of the goals was to fit with only
    those two pins so that a single piece on
  • 31:34 - 31:39
    the motherboard could be replaced. With a
    dual probe soldering iron and you can pop
  • 31:39 - 31:46
    it out and stick a new one down in a
    matter of seconds. So, yes, if you have
  • 31:46 - 31:52
    more pins where you can get more power
    from you can do much more interesting
  • 31:52 - 31:57
    things. But that's.. would require a
    different set of changes to the
  • 31:57 - 32:02
    motherboard.
    Herald: Thank you. Microphone 1 please.
  • 32:02 - 32:09
    Mic 1: So, a lot of the -like- arguments
    that these implants were not feasible by a
  • 32:09 - 32:14
    Super Micro where you also show the
    picture from the fab that you had to
  • 32:14 - 32:19
    change the etching and the optical
    inspection and so on and so on. But how
  • 32:19 - 32:28
    probable would you rate the fact that some
    acto just intercepted the manufacturing
  • 32:28 - 32:34
    files and added that component already in
    the file because then all the optical
  • 32:34 - 32:39
    inspection and that would all say well
    that matches what was sent to us. But that
  • 32:39 - 32:42
    was not necessarily what Super Micro sent
    to the fab.
  • 32:42 - 32:45
    Trammell: So the question is, could
    someone have modified all of the
  • 32:45 - 32:49
    manufacturing files that went to the
    factory, and that's absolutely a
  • 32:49 - 32:55
    possibility. But that's also very likely
    that that would be detected by Super Micro
  • 32:55 - 33:01
    itself that in a lot of cases you don't
    necessarily want to trust the company that
  • 33:01 - 33:06
    is making the product to also test it. And
    you probably want to have a separate
  • 33:06 - 33:11
    company that does random spot checks to
    verify that the boards are actually being
  • 33:11 - 33:16
    produced to the specification that you..
    that you desire. So it's certainly
  • 33:16 - 33:24
    possible and I really don't want to
    speculate as to the accuracy of that part
  • 33:24 - 33:31
    of the story but yeah it would require
    quite a bit more changes. And also would
  • 33:31 - 33:35
    be much more likely to be detected in the
    spot check.
  • 33:35 - 33:38
    Herald: Great. Microphone number two
    please.
  • 33:38 - 33:45
    Mic 2: Yes, for a lot of motherboards
    there are also quite a few components not
  • 33:45 - 33:54
    populated some of which are on which you
    could consider sensitive myths. Wouldn't
  • 33:54 - 33:59
    that make it. Yeah exactly. Wouldn't that
    make it very easy to do just pop something
  • 33:59 - 34:05
    on there in parallel with one of the
    components and not have it be detected
  • 34:05 - 34:08
    because it's like the board is modified.
    There is a component or you have no way of
  • 34:08 - 34:11
    telling whether it had to be populated or
    not?
  • 34:11 - 34:19
    Trammell: Super Micro puts a lot of extra
    pads on the board in this one particular
  • 34:19 - 34:29
    one they have both 8 pin and 16 pin flash
    chip pads that are just in parallel
  • 34:29 - 34:33
    together. So depending on which chip is
    cheaper that day of the week or who knows
  • 34:33 - 34:38
    what, they will populate one or the other.
    So that's why in this particular photo
  • 34:38 - 34:48
    having the position of that circle on the
    data output pin is very very interesting.
  • 34:48 - 34:57
    Herald: Question answered? Okay. So one
    more question on microphone number two
  • 34:57 - 35:00
    please?
    Mic 2: How far can signing of firmware be
  • 35:00 - 35:06
    a solution to this problem?
    Trammell: Signing firmware solves a lot of
  • 35:06 - 35:13
    the issues. It does however not all
    typically not all of the firmware are
  • 35:13 - 35:21
    signed specifically is probably to be
    signed in in a modern BMC. The kernel and
  • 35:21 - 35:26
    maybe the root file system might be
    signed. But the envy of RAM file system in
  • 35:26 - 35:33
    this BMC is designed to be user modifiable
    so it can't be signed by the manufacturer,
  • 35:33 - 35:41
    so this sort of attack would work against
    a signed BMC just as well. Also the "Hit
  • 35:41 - 35:50
    enter to get a serial console" attack
    circumvents any signing. There are things
  • 35:50 - 35:56
    on the host firmware on the x86 like boot
    card that do a really good job of making
  • 35:56 - 36:02
    it harder to get code execution during the
    boot process. But there have been several
  • 36:02 - 36:08
    CVEs where it has been implemented poorly.
    So even though signature's the firmware is
  • 36:08 - 36:14
    signed, people have still managed to get
    code execution during that process.
  • 36:14 - 36:18
    Herald: Great. Thank you Trammell Hudson
    again, a warm round of applause, thank you
  • 36:18 - 36:21
    very much!
  • 36:21 - 36:24
    applause
  • 36:24 - 36:26
    35c3 postrol music
  • 36:26 - 36:52
    Subtitles created by c3subtitles.de
    in the year 2021. Join, and help us!
Title:
35C3 - Modchips of the State
Description:

more » « less
Video Language:
English
Duration:
36:52

English subtitles

Revisions Compare revisions