1 00:00:00,099 --> 00:00:15,750 *34c3 preroll music* 2 00:00:15,750 --> 00:00:22,450 Herald: Last year he presented how to get JTAG over USB at the 33C3. Today he will 3 00:00:22,450 --> 00:00:28,119 tell us how to interrogate the Intel Management Engine in a similarly ingenious 4 00:00:28,119 --> 00:00:36,079 and devious way. Please join me in welcoming Maxim Goryachy to 34C3. 5 00:00:36,079 --> 00:00:44,130 *Applause* 6 00:00:44,590 --> 00:00:54,800 Maxim Goryachy: Hello guys. I'm speaking about Intel debug capabilities at the CC 7 00:00:54,800 --> 00:01:02,579 Conference for the second year in a row. Last time I talked about how new Intel 8 00:01:02,579 --> 00:01:11,920 CPUs allow debug technology called Intel Direct Connect Interface or DCI and now 9 00:01:11,920 --> 00:01:24,670 I'm going to talk how activates DCI for Intel Management Engine. (Sorry) DCI is a 10 00:01:24,670 --> 00:01:31,750 private implementation of widely known industry standards for debugging hardware 11 00:01:31,750 --> 00:01:40,729 and low level software from Intel. And addition I will talk about how it can be 12 00:01:40,729 --> 00:01:51,549 used for research and how to use it in practice. Unfortunately my colleague Mark 13 00:01:51,549 --> 00:02:00,939 couldn't come and I will introduce our research alone. And I think that you some 14 00:02:00,939 --> 00:02:09,639 hungry and I will be quickly. Out our Management Engine research team at 15 00:02:09,639 --> 00:02:15,530 Positive Technologies includes following researchers: my colleague Dmitry Sklyarov 16 00:02:15,530 --> 00:02:27,470 and Mark Ermolov and myself. Mark Ermolov is my colleague. With him, with whom we 17 00:02:27,470 --> 00:02:32,791 found Intel vulnerability in Intel Management Engine. He is a system 18 00:02:32,791 --> 00:02:38,620 programmer and a reverse engineer and Dmitry Sklyarov a well known reverse 19 00:02:38,620 --> 00:02:45,830 engineer who did 5 #research of the ME filesystem. He recovered Huffman codes for 20 00:02:45,830 --> 00:02:59,200 version 11 of ME and you can find his tool for unpacking ME image and for parsing ME 21 00:02:59,200 --> 00:03:09,730 file system on our Github pages. How you can see our previous talk related to ME 22 00:03:09,730 --> 00:03:16,980 and our contacts so you can feel free to communicate with us for any question 23 00:03:16,980 --> 00:03:25,370 you're interested about our research. How I have just said I will talk about what is 24 00:03:25,370 --> 00:03:32,400 Intel ME, how it's implemented and how we activated JTAG for ME Core vulnerability 25 00:03:32,400 --> 00:03:40,650 which Mark and I found. Then I disclose in details how our technique works and show 26 00:03:40,650 --> 00:03:55,400 proven our achievements. How many people in this hall know what is ME? Oh cool! But 27 00:03:55,400 --> 00:04:05,040 in here, a review. As a topic, the Management Engine is very popular now. 28 00:04:05,040 --> 00:04:08,940 First it's almost fully undocumented and very powerful at the same time. For 29 00:04:08,940 --> 00:04:15,260 example it has full access to your platforms hardware including CPU complex, 30 00:04:15,260 --> 00:04:23,460 it has capabilities to intercept all that you are doing on your PC. For example 31 00:04:23,460 --> 00:04:34,000 keyboard, he has access to keyboard to USB and of course PCI buses. It is also a 32 00:04:34,000 --> 00:04:46,600 root of trust for many Intel security features like TPM, like DRM and APT. Intel 33 00:04:46,600 --> 00:04:52,380 has chosen the following design for ME version 11: independent microcontroller, 34 00:04:52,380 --> 00:05:03,710 own operating system based on Minix, built in Java Machine. It gets started before 35 00:05:03,710 --> 00:05:13,371 main CPU. Its firmware has parts in PCH, beyond in memory and in SPI flash. Many 36 00:05:13,371 --> 00:05:19,290 Intel technologies are implemented with help of Management Engine for example 37 00:05:19,290 --> 00:05:34,010 Active Management Technology or PVT and we think that SGX, too. Another question how 38 00:05:34,010 --> 00:05:51,690 many people in this hall know what is JTAG? Cool! But some review of JTAG. JTAG 39 00:05:51,690 --> 00:05:58,300 stands for Joint Test Action Group and you can find its description in IEEE standards 40 00:05:58,300 --> 00:06:05,910 which the details available in the standard itself. As the results of the 41 00:06:05,910 --> 00:06:16,350 paper available on our blog where the design is described in close details. Out 42 00:06:16,350 --> 00:06:23,380 often manufacture extend standard JTAG by adding their own functions. JTAG in Intel 43 00:06:23,380 --> 00:06:31,530 processor is described rather poorly and some information can be found in documents 44 00:06:31,530 --> 00:06:46,370 and patent. You can see our paper on the slide and starting with Skylake, Intel 45 00:06:46,370 --> 00:06:50,579 introduced Direct Connect Interface technology 46 00:06:50,579 --> 00:06:55,889 and you can find the description 47 00:06:55,889 --> 00:07:06,540 of it in the documents and in our works. The diagrams show two types of connection: 48 00:07:06,540 --> 00:07:14,670 using a specific device, a so-called Intel SVT Closed Chassis Adapter or a common 49 00:07:14,670 --> 00:07:23,080 used USB3 debug cable. I would like to note that the target system in this case 50 00:07:23,080 --> 00:07:30,790 doesn't require the use of a hardware agent. The drawback of this technology is 51 00:07:30,790 --> 00:07:37,980 that it works out of box. Intel or Silicon Valley technology closed *unintelligible* 52 00:07:37,980 --> 00:07:51,180 provides access to day fix features like JTAG and RAM control through USB3 ports on 53 00:07:51,180 --> 00:08:02,160 platforms. It works through USB3 links but implements a private protocol and makes it 54 00:08:02,160 --> 00:08:07,960 possible to manipulate the target system in deep sleep mode. It means that in this 55 00:08:07,960 --> 00:08:26,270 mode you have independent links between JTAG adapter and PCH. USB3 host on DCI is 56 00:08:26,270 --> 00:08:32,839 common USB3 debug cable which works as OTG device that means that a special device 57 00:08:32,839 --> 00:08:38,639 appears on the host system and activation and commands are sent to device through 58 00:08:38,639 --> 00:08:46,839 the common USB interface. As the device itself is integrated into PCH and it 59 00:08:46,839 --> 00:08:58,449 transforms the command into JTAG. If you have JTAG for ME devices it means you have 60 00:08:58,449 --> 00:09:04,869 almost full control of ME. Two main questions: Doesn't who provides of any 61 00:09:04,869 --> 00:09:09,800 technique for debugging ME on public platforms? And the second: What does 62 00:09:09,800 --> 00:09:20,889 software and hardware need for any debugging? Ok. The answer to the first 63 00:09:20,889 --> 00:09:28,420 question: Yes they found a special partition called UTOK which allocated on 64 00:09:28,420 --> 00:09:40,749 the special, on the SPI flash where storage ME. This partition has same 65 00:09:40,749 --> 00:09:47,610 structures FPT and another partition of ME. Partition builts entry of available 66 00:09:47,610 --> 00:09:55,600 debug capabilities. One of this records means types of unlock: Red or orange. 67 00:09:55,600 --> 00:10:04,899 Please pay attention, it will be important later. And what is, what means DFx? DFx is 68 00:10:04,899 --> 00:10:13,059 collective term for next to privation DFT designed for testability and DFD designed 69 00:10:13,059 --> 00:10:27,179 for debugging. DFT is set of technique used for manufacturing defects finding of 70 00:10:27,179 --> 00:10:38,259 integrated chips and standard DFT it generally buys it on ordinary boundaries 71 00:10:38,259 --> 00:10:48,880 can detect comments but Intel extends it's DFT in its branded silicone view 72 00:10:48,880 --> 00:10:55,490 technology. DFD joins all internal chip level logic used to organize Hardware 73 00:10:55,490 --> 00:11:02,399 level debugging of course sequences executed by chips. DFx is connected to 74 00:11:02,399 --> 00:11:13,939 internal world by a special thing called embedded day fix interface. This bridge 75 00:11:13,939 --> 00:11:20,199 connects dayfix whith external industry interface like USB there is a special 76 00:11:20,199 --> 00:11:26,749 device in interpret from controller hub called defects aggregator its function is 77 00:11:26,749 --> 00:11:44,970 to control access to DFx. 2 types : orange types it means that vendors may use the 78 00:11:44,970 --> 00:11:54,790 JTAG debugging for ICH for example and auto partition for orange unlock must be 79 00:11:54,790 --> 00:12:06,739 signed by vendor scheme. This key stored in FPF fuses and more interesting is read 80 00:12:06,739 --> 00:12:17,670 unlock because this unlock provides full access to besiege. The internal devices 81 00:12:17,670 --> 00:12:31,889 unlocks JTAG for ME core and provides unlimited access to ME memory. Intel 82 00:12:31,889 --> 00:12:37,360 management engine uses two devices for support Hardware debugging the fixed 83 00:12:37,360 --> 00:12:44,280 aggregator management's defects functionality and the CSE zeroing register 84 00:12:44,280 --> 00:12:55,840 from device called GEN and only BUP and ROM uses this device. 85 00:12:55,840 --> 00:13:02,989 It is CSE zeroing register when we know only 86 00:13:02,989 --> 00:13:09,399 about 1 bit. We called it Intel unlock 87 00:13:09,399 --> 00:13:26,370 request and this register means that you asked the platform to do read unlock. More 88 00:13:26,370 --> 00:13:36,339 interesting is DFx aggregator register and personal to register. Personality register 89 00:13:36,339 --> 00:13:45,149 specifies type of unlock red or orange and consent used for allowed right to personal 90 00:13:45,149 --> 00:13:58,879 to register. It means that consent register or it means that this bit to 91 00:13:58,879 --> 00:14:16,850 allow write data in DFx personal to register and read and lock works in 2 92 00:14:16,850 --> 00:14:28,981 steps. On the first, the BUP fun is finding who talked partition. If partition 93 00:14:28,981 --> 00:14:43,170 found, the BUP checked is checking partition signatory and platform ID. Also 94 00:14:43,170 --> 00:15:02,589 BUP checks time because the talk has time limitation and after that if all is okay, 95 00:15:02,589 --> 00:15:11,529 BUP parses an entry in who talked partition called knobs if intel knob 96 00:15:11,529 --> 00:15:27,029 unlock founded and platform is not already unlocked BOB set these aren't register and 97 00:15:27,029 --> 00:15:38,189 do not reset in it. After set in ROM, check is checking TCS errant register and 98 00:15:38,189 --> 00:15:53,699 if it's set, it to clean this register and switch on consent and personality it means 99 00:15:53,699 --> 00:16:11,850 read and lock after that ROM is cleaning ME keys and working but if you have active 100 00:16:11,850 --> 00:16:18,450 but if dci is active immediate doesn't latch the fix consent register. It means 101 00:16:18,450 --> 00:16:31,600 that if you want to switch on JTAG you don't need to reboot ME. if you have the 102 00:16:31,600 --> 00:16:43,779 second action *inhales deply* and how active how to wait read and lock without intel 103 00:16:43,779 --> 00:16:50,939 keys on blockhead Europe we disclosed bug in BUP model. This function as you can see 104 00:16:50,939 --> 00:16:56,920 has a vulnerability when it called other function reading in BUP CT file it gives 105 00:16:56,920 --> 00:17:05,169 incorrect size of data to read instead of local buffer size the buffer DFS file read 106 00:17:05,169 --> 00:17:14,010 function gets the size of the role file how we exploited this vulnerability you 107 00:17:14,010 --> 00:17:22,638 can found in our presentation from blockhead and using the vulnerability we 108 00:17:22,638 --> 00:17:34,960 also have activated attack for management engine and to research ME in internal of 109 00:17:34,960 --> 00:17:48,309 in ME right activation without intel keys may be doing after 4 simple steps on the 110 00:17:48,309 --> 00:17:56,700 first activate manufacture mode for target it means for DCI and set the size drop in 111 00:17:56,700 --> 00:18:02,820 a flash descriptor and using the vulnerability to a lot well with 3 to 112 00:18:02,820 --> 00:18:19,720 defects personal register and after that you you will have MEquerem? and you can do 113 00:18:19,720 --> 00:18:32,789 research in internal semi but unfortunately you will have one problem 114 00:18:32,789 --> 00:18:44,059 because you don't have software for debugging Keeney but it is small problem 115 00:18:44,059 --> 00:18:52,730 and next let's talk about software part of technologists tech it's presented by DAL.. 116 00:18:52,730 --> 00:19:00,149 Intel DFX abstraction layer package it's alleged library exposes all power of 117 00:19:00,149 --> 00:19:09,610 DFx software model as we found DAL heslage history supports various platform 118 00:19:09,610 --> 00:19:23,470 and CPU architecture designed to work with different debug ports and hardware were we 119 00:19:23,470 --> 00:19:28,820 know that DAL is a core of all instruments that Intel uses for testing 120 00:19:28,820 --> 00:19:38,100 and debugging of its hardware and firmware components so it's provided with Intel 121 00:19:38,100 --> 00:19:47,659 systems studio for example and can be download without an ID and DAL is almost 122 00:19:47,659 --> 00:20:02,330 writen in C# and has same structure on the top DAL has console interface 123 00:20:02,330 --> 00:20:14,020 and GUI interface and library layer and Driver transport and DFX on 124 00:20:14,020 --> 00:20:24,350 target we found a patient from Intel in public description corelation of DFX exci 125 00:20:24,350 --> 00:20:34,259 internal interfaces you can see our previous work to details about how 126 00:20:34,259 --> 00:20:49,250 internal structure of dialogues DAL's architecture is based on notion there 127 00:20:49,250 --> 00:20:57,850 are two type of nodes physical and logical physical nodes represents 3 of hardware 128 00:20:57,850 --> 00:21:08,540 components organized from probe unit and including the following levels gdect e to 129 00:21:08,540 --> 00:21:15,630 c bus and an other logical nodes represents certain functionalities that 130 00:21:15,630 --> 00:21:22,149 can be used to perform debugging stuff and many problems at public version of DAL 131 00:21:22,149 --> 00:21:28,210 doesn't include configuration for ME core however that didn't stop us 132 00:21:28,210 --> 00:21:47,490 and we found the solution how I said DAL has some configuration and as 133 00:21:47,490 --> 00:21:52,570 we investigated during reverse engineering of the DAL library each configuration is 134 00:21:52,570 --> 00:22:01,201 included in encrypted XML files DAL uses aes cipher and key derivation function 135 00:22:01,201 --> 00:22:13,210 pbkdf2 with fixed key and salt the first of lines of poem it is salt and ATP is 136 00:22:13,210 --> 00:22:22,960 easy key the simple program on is a simple program allows the crypto device 137 00:22:22,960 --> 00:22:26,880 configuration of DAL *applause* 138 00:22:26,880 --> 00:22:34,177 Thank you. *applause continues* 139 00:22:34,177 --> 00:22:42,460 Maybe another poems to decrypt, for example 140 00:22:42,460 --> 00:22:50,710 microcode of CPU, I don't know. How there is no configuration of any 141 00:22:50,710 --> 00:22:56,929 devices, we found that ME core is an LMT2 devices and the configuration of this 142 00:22:56,929 --> 00:23:02,250 device can be found in decrypted XML files, before anybody can write 143 00:23:02,250 --> 00:23:12,000 configuration for ME. I don't know, for example on the slide you can see internal 144 00:23:12,000 --> 00:23:25,669 structure of LP series of PCH. It is U series of cpu and at the top divided 145 00:23:25,669 --> 00:23:42,769 on four part and on top connected parts in the end ME core. and how to do 146 00:23:42,769 --> 00:23:51,880 custom configuration, four first steps: on the first decrypt XML files, the 147 00:23:51,880 --> 00:24:01,790 second adds the following clients to top SPT XML and use DAL environment for any 148 00:24:01,790 --> 00:24:40,640 debugging and it will make you computer personal again. Some demo. One moment. 149 00:24:40,640 --> 00:24:55,660 Okay. It is version of systems studio and we decrypt files, with configuration 150 00:24:55,660 --> 00:25:18,500 of DAL, and to edit to add some lines. The top is for each series of PCH and the 151 00:25:18,500 --> 00:25:35,346 bottom for LP series. It is ME core, it is linked between ME core and *unintelligible* 152 00:25:46,594 --> 00:26:01,130 We halt the execution, we load some, reloading some library, our library, we 153 00:26:01,130 --> 00:26:31,010 set up reset breaks, it needs for to stop on the reset vector in ME. How you can see 154 00:26:31,010 --> 00:26:50,730 GDT table and current instruction and the register value, LDT value and we are doing 155 00:26:50,730 --> 00:27:32,470 a reset on ME and step in instruction in to ME. Then initialize 156 00:27:32,470 --> 00:28:17,169 of segments and new GDT value, ok and okay and demo from black hat. it is our stand, 157 00:28:17,169 --> 00:28:54,220 it is host platform, already halted, init settings for any core. Oh sorry. It is not 158 00:28:54,220 --> 00:29:12,080 ME. The reset vector, how you can see in catcher interface it is 159 00:29:12,080 --> 00:29:26,120 special device between which manufacture for for links between host CPU and ME and 160 00:29:26,120 --> 00:29:39,830 now we read some read only register for CPU from (???????) and set the value of 161 00:29:39,830 --> 00:30:01,400 this register from ME. The magic. *applause* 162 00:30:01,400 --> 00:30:07,210 And then my demo is more interesting than my english 163 00:30:07,210 --> 00:30:53,779 sorry and I have a live demo if internet will be good. One moment. It's my machine 164 00:30:53,779 --> 00:31:31,620 at work and the internet is not good sorry. maybe maybe later. Okay. And our 165 00:31:31,620 --> 00:31:38,829 achievement: JTAG activation, we we do JTAG - well achievement in respect to the 166 00:31:38,829 --> 00:31:49,230 vulnerability, in addition we activate JTAG for ME. Also we dumped the ME startup 167 00:31:49,230 --> 00:32:01,590 code and found the way to extract platform's key used by the flash file 168 00:32:01,590 --> 00:32:17,259 system. It means that you can decrypt and integrate your files into ME and ME 169 00:32:17,259 --> 00:32:28,929 doesn't detect it. And our links: on our GitHub page you can find our tools for ME 170 00:32:28,929 --> 00:32:37,379 reversing researching and our blogs, where is our article, our reference and thank 171 00:32:37,379 --> 00:32:40,177 you for your attention. Questions please. 172 00:32:40,177 --> 00:32:49,569 *applause* 173 00:32:49,569 --> 00:32:54,199 Herald: So anyone that has a question for Maxim please line up by one of the 174 00:32:54,199 --> 00:32:59,129 microphones. They are 1, 2, 3, 4 on this side of the room and 5, 6, 7, 8 on that 175 00:32:59,129 --> 00:33:03,259 side of the room. If you are watching online we have a signal angel, who is 176 00:33:03,259 --> 00:33:08,470 monitoring the internet for all of your interesting questions and they will be 177 00:33:08,470 --> 00:33:12,369 asked. So already here at microphone number one. 178 00:33:12,369 --> 00:33:17,909 Mic 1: Okay so it mentions, you mention that you dumped the ROM. And previously, 179 00:33:17,909 --> 00:33:22,160 as there were some rumors with ROM bypass available, did you compare the dumped 180 00:33:22,160 --> 00:33:23,550 Maxim: Yeah. Mic 1: ROM against ROM bypass 181 00:33:23,550 --> 00:33:25,029 Maxim: Yeah. Mic 1: and is it the same? 182 00:33:25,029 --> 00:33:26,039 Maxim: No. Mic 1: No? 183 00:33:26,039 --> 00:33:37,839 Maxim: We found there's some difference but it relates with that ME bypass code 184 00:33:37,839 --> 00:33:46,889 starts into protected mode but a real ROM starts into real mode. 185 00:33:46,889 --> 00:33:51,850 Mic 1: Okay, so otherwise it's functioning almost the same. 186 00:33:51,850 --> 00:33:59,380 Maxim: Hmm, we found some difference in cryptography but I think it is not 187 00:33:59,380 --> 00:34:02,549 important. Herald: So, if you if you are leaving 188 00:34:02,549 --> 00:34:06,350 please be quiet, so the talk is still going on, we're still having questions and 189 00:34:06,350 --> 00:34:13,080 answers and please be considerate of the people asking questions. Thank you. The 190 00:34:13,080 --> 00:34:20,389 next one, from microphone number five. Mic 5: Yeah, so you set the personality 191 00:34:20,389 --> 00:34:27,389 register to read and then you reset the ME and it will break at the reset. Is that 192 00:34:27,389 --> 00:34:32,909 register persistence over reboots or you have to do the exploit and set it every 193 00:34:32,909 --> 00:34:36,699 time? Maxim: Yeah, you need to do it every time. 194 00:34:36,699 --> 00:34:47,130 This only persist between resets. Herald: Signal angel, is there's a 195 00:34:47,130 --> 00:34:50,843 question from the internet. Signal Angel: Yes, they'd like to know 196 00:34:50,843 --> 00:34:54,380 where to find the internal USB port on the 197 00:34:54,380 --> 00:34:59,090 main board. Maxim: Sorry please repetition. 198 00:34:59,090 --> 00:35:05,540 Sig Ang: The question is where to find the internal USB port on the main board for 199 00:35:05,540 --> 00:35:14,320 the JTAG access. Maxim: How I know all USB ports now has 200 00:35:14,320 --> 00:35:23,171 access to this functionality. You don't need to find its ports on your system. If 201 00:35:23,171 --> 00:35:34,790 you have platform with Skylake you always has this functionality on your USB ports. 202 00:35:34,790 --> 00:35:48,770 Oh, of course if this ports link directly to PCH, if if it is port- link- connected 203 00:35:48,770 --> 00:36:01,410 where some another controller you probably don't have to stay on these ports. 204 00:36:01,410 --> 00:36:09,020 Herald: Microphone, microphone number two. Mic 2: Does it work, means you can extract 205 00:36:09,020 --> 00:36:14,890 any key from ME, for example key for SGX remote as a station? 206 00:36:14,890 --> 00:36:26,151 Maxim: I didn't know. We are starting this research how ME relates with SGX and we - 207 00:36:26,151 --> 00:36:41,723 I don't know how key in ME extract, derive and loaded and relate with SGX. I don't 208 00:36:41,723 --> 00:36:45,040 know, sorry. Herald: Microphone number one. 209 00:36:45,040 --> 00:36:52,170 Mic 1: Did you receive any any messages, any recognition about this from Intel? 210 00:36:52,170 --> 00:36:59,840 Maxim: You mean that - did we share this information with Intel? 211 00:36:59,840 --> 00:37:05,600 Mic 1: No, did they react to, did they react in any way to that? 212 00:37:05,600 --> 00:37:10,110 Maxim: After our vulnerabilities they said "okay" 213 00:37:10,110 --> 00:37:12,538 *audience laughs* 214 00:37:12,538 --> 00:37:15,050 Mic 1: Okay, so nothing much except for patches? 215 00:37:15,050 --> 00:37:17,010 Maxim: Yeah. Mic 1: Okay, thank you. 216 00:37:17,010 --> 00:37:20,336 Herald: Signal angel, is there another question from the internet? 217 00:37:20,336 --> 00:37:27,820 Sig Ang: Yeah - how can you disable the JTAG access? is just disabling the ME 218 00:37:27,820 --> 00:37:36,909 enough or what do you have to do? Maxim: Sorry, you mean how Intel disabled 219 00:37:36,909 --> 00:37:44,810 decide functionality for ME and Sig Ang: How can you fix it now, how could 220 00:37:44,810 --> 00:37:48,770 the Intel fix it or how can you secure your own system? 221 00:37:48,770 --> 00:37:59,010 Maxim: It is not, it is just feature it is not bug, sorry. You don't have any chance 222 00:37:59,010 --> 00:38:06,640 a chance to switch on JTAG for in ME if you don't have UTAG or you don't have 223 00:38:06,640 --> 00:38:23,480 vulnerability. And JTAG for ME switch on only inter BUP mode module - in inter-in 224 00:38:23,480 --> 00:38:31,130 BUP module. If we have vulnerability in other module, for example in AMT, we 225 00:38:31,130 --> 00:38:46,260 mustn't do it. And if you have to try - it's its feature, it is not bug. You can 226 00:38:46,260 --> 00:38:54,430 switch off the HECI flash descriptor and to fix this side problem which we found in 227 00:38:54,430 --> 00:39:01,110 last year, and it will be ok. 228 00:39:01,110 --> 00:39:03,650 Herald: Microphone number four in the back. 229 00:39:03,650 --> 00:39:07,500 Mic 4: I believe one of your previous slides mentioned that they incorporated a 230 00:39:07,500 --> 00:39:12,120 Java Virtual Machine - why in god's earth did they do that? 231 00:39:12,120 --> 00:39:30,190 Maxim: How I know; this it is DAL and it has some relative with jeeks when I know. 232 00:39:30,190 --> 00:39:36,490 I didn't have details. Herald: So microphone number five. 233 00:39:36,490 --> 00:39:44,850 Mic 5: The last slide mentioned the extraction of platform keys. So a simple 234 00:39:44,850 --> 00:39:54,420 question - are they enough to sign a firmware update which you would modify so 235 00:39:54,420 --> 00:40:04,820 that ME would accept it-- Maxim: No, sorry. Please repeat. 236 00:40:04,820 --> 00:40:16,370 Mic 5: Okay so let me rephrase Maxim: I understand. You, okay, the 237 00:40:16,370 --> 00:40:27,120 firmware sign it by Intel public key. I don't have private key of Intel and this 238 00:40:27,120 --> 00:40:36,120 key is not built-in into ME. It is platform it is only platform key - this 239 00:40:36,120 --> 00:40:47,290 key for symmetric encryption files and sign it files on the file system. If you 240 00:40:47,290 --> 00:40:56,480 have this key, you can only modify any file system. But unfortunately the 241 00:40:56,480 --> 00:41:08,760 execution module start in in other places. Mic 5: Okay, I get it so now is the path 242 00:41:08,760 --> 00:41:13,580 for castrating system from ME yet, thank you. 243 00:41:13,580 --> 00:41:19,200 Herald: Signal angel? Signal Angel: Can you have only free 244 00:41:19,200 --> 00:41:23,260 software running on the ME? 245 00:41:23,260 --> 00:41:26,980 Maxim: Sorry, please repeat question, slowly. 246 00:41:26,980 --> 00:41:34,050 Signal Angel: Can you have only free software running on the ME by modifying 247 00:41:34,050 --> 00:41:42,030 the flash contents? Maxim: I don't understand, sorry. You mean 248 00:41:42,030 --> 00:41:51,330 that how how how we can modify the file systems or not? 249 00:41:51,330 --> 00:41:56,280 Signal Angel: Yeah replace the ME firmware with free code 250 00:41:56,280 --> 00:42:10,570 Maxim: No no, unfortunately because we we mustn't to change the the chain between 251 00:42:10,570 --> 00:42:21,430 ROM and BUP module. And we mustn't to change kernel of ME and BUP module. I 252 00:42:21,430 --> 00:42:32,890 don't now how use it functionality for change in need to open source solution. 253 00:42:32,890 --> 00:42:41,980 But of course you can to do you can do special device with detection finality 254 00:42:41,980 --> 00:42:50,440 which to replace after reboot all ME from reset vector and executed. But it is some 255 00:42:50,440 --> 00:43:05,950 quirks, somehow some - impossible, I think Herald: Microphone number two. 256 00:43:05,950 --> 00:43:11,940 Mic 2: Are you aware anywhere the MINIX image has been leaked somewhere where 257 00:43:11,940 --> 00:43:14,870 perhaps it could be downloaded and analyzed? 258 00:43:14,870 --> 00:43:23,120 Maxim: Unfortunately the kernel of ME only 259 00:43:23,120 --> 00:43:36,430 based on MINIX. And the Intel guys almost all to rewrite all, almost all kernel. And 260 00:43:36,430 --> 00:43:44,200 on the reverse engineering. And maybe indeed you can get information from Intel 261 00:43:44,200 --> 00:43:52,270 after signs NDA, I don't know. Herald: Microphone number eight. 262 00:43:52,270 --> 00:43:58,190 Mic 8: Do you think it do you think it would ever be possible to add your own 263 00:43:58,190 --> 00:44:02,330 public keys or are the Intel public keys for signing the firmware 264 00:44:02,330 --> 00:44:04,930 stored in a ROM only? 265 00:44:04,930 --> 00:44:12,420 Maxim: I'm sorry, you mean.. Mic 8: Could you add your own public keys 266 00:44:12,420 --> 00:44:19,780 for signing firmware with, or is not possible because the ME checks the public 267 00:44:19,780 --> 00:44:30,500 key. Maxim: ME checks only hash of public key 268 00:44:30,500 --> 00:44:45,190 and we know that ROM has that in ME major a lot version of any which signs on two 269 00:44:45,190 --> 00:45:07,710 keys. We saw only one keys front from bus. And a ROM checked that check SHA from 270 00:45:07,710 --> 00:45:26,330 public key exist in whitelist. ROM has hard-coded 8 hashes of keys and some lists 271 00:45:26,330 --> 00:45:39,540 for some white list of all these hashes. And if you keys in this list you can run 272 00:45:39,540 --> 00:45:43,580 your ME firmware 273 00:45:43,580 --> 00:45:46,560 Mic 8: Okay but that list of hashes is in ROM? 274 00:45:46,560 --> 00:45:49,230 Maxim: Yeah yeah. Mic 8: Okay, thank you. 275 00:45:49,230 --> 00:45:53,570 Herald: Signal angel. Signal Angel: What is your general 276 00:45:53,570 --> 00:46:01,070 impression of this security of ME - how vulnerable is it to attacks? 277 00:46:01,070 --> 00:46:12,820 Maxim: Sorry, you mean how vulnerable you mean have an ability to help us do it? 278 00:46:12,820 --> 00:46:15,380 Sorry. Signal Angel: You know, how vulnerable is 279 00:46:15,380 --> 00:46:20,420 it to other attacks? Maxim: On other module, yeah? 280 00:46:20,420 --> 00:46:26,500 Signal Angel: Sorry, on what? Maxim: In other module. 281 00:46:26,500 --> 00:46:31,670 Herald: So I think the question is in general how good is the security of the 282 00:46:31,670 --> 00:46:35,290 Intel ME? Maxim: So sorry.. 283 00:46:35,290 --> 00:46:42,570 Herald: In general, how good is the security of the Intel ME, altogether? 284 00:46:42,570 --> 00:46:50,210 Maxim: I think it is because is independent researcher can use it for 285 00:46:50,210 --> 00:46:57,570 dynamic analysis of any codes - it's it's cool I I think. 286 00:46:57,570 --> 00:47:04,710 Herald: Microphone number seven. Mic 7: Do you have plans to research some 287 00:47:04,710 --> 00:47:10,000 specific parts of the Intel ME in the future? 288 00:47:10,000 --> 00:47:19,467 Maxim: Yeah of course. Intel will publish 289 00:47:19,467 --> 00:47:28,310 an ME 11 version and I know that they changed Huffman tables for example. And 290 00:47:28,310 --> 00:47:38,150 the next the next round of this game will start it. 291 00:47:38,150 --> 00:47:42,120 Herald: Is there another question at microphone 7? 292 00:47:42,120 --> 00:47:51,730 Mic 7: So if I understood you correctly, just to make sure, this means that you - 293 00:47:51,730 --> 00:48:00,270 if you have a CPU of this Skylake architecture and a USB 3 port, you can 294 00:48:00,270 --> 00:48:06,560 always get low-level access to the ME. Maxim: Exactly. 295 00:48:06,560 --> 00:48:12,440 Mic 7: So, if I were to own such a chip, I would want that patched. What's the 296 00:48:12,440 --> 00:48:20,050 usual path? Does the patch come in a Windows patch or a BIOS update or what is 297 00:48:20,050 --> 00:48:26,940 it? Maxim: You have some some ways to use it. 298 00:48:26,940 --> 00:48:38,500 If you have a SPI programmer, you you can rewrite flash. You mean how we can exploit 299 00:48:38,500 --> 00:48:45,280 it? Mic 7: No, how does, sorry, how will Intel 300 00:48:45,280 --> 00:48:53,560 distribute a patch for this vulnerability? Maxim: Oh, unfortunately because downgrade 301 00:48:53,560 --> 00:49:01,569 always possible. Intel punched only error in BUP function. 302 00:49:01,569 --> 00:49:11,010 But researcher or attacker can always to downgrade version or to 303 00:49:11,010 --> 00:49:17,390 earlier ME and exploit it without any problem. 304 00:49:17,390 --> 00:49:27,480 We are is SPI controller or a SPI programmer and maybe another way. 305 00:49:27,480 --> 00:49:32,090 Mic 7: Okay, thank you. Herald: Microphone number one. 306 00:49:32,090 --> 00:49:37,330 Mic 1: In the demo with video, we saw the connection between the two machines with 307 00:49:37,330 --> 00:49:43,960 this blue box, but I think there's another one way to connect them with just a USB 308 00:49:43,960 --> 00:49:51,080 cable. Is there anything you can do with the blue box that you can't do without it? 309 00:49:51,080 --> 00:49:59,690 Maxim: Yeah we checked it - we use only USB3 debug cable. But it is not possible 310 00:49:59,690 --> 00:50:12,990 for us because we need to to recover the state of work for loading in ME. I do it 311 00:50:12,990 --> 00:50:26,160 but I don't like that because I need to stop execution for my research. It easy 312 00:50:26,160 --> 00:50:31,190 for me and because we were using a blue box. 313 00:50:31,190 --> 00:50:32,580 Mic 1: Thank you. 314 00:50:32,580 --> 00:50:37,110 Herald: Signal angel. Signal Angel: Do you plan to publish 315 00:50:37,110 --> 00:50:44,650 mask ROM dump in the future? Maxim: Yeah, we will plan to do it, yeah. 316 00:50:44,650 --> 00:50:51,640 Herald: Signal angel again. Signal Angel: Just give me a moment. 317 00:50:51,640 --> 00:51:01,800 Maxim: I didn't know, maybe when I come back to Moscow. 318 00:51:01,800 --> 00:51:09,990 Herald: Any other burning questions? Please come up to one of the numbered 319 00:51:09,990 --> 00:51:18,567 microphones. Then with that let's give Maxim of great warm well applause- 320 00:51:18,567 --> 00:51:22,050 Maxim: Thank you much for your attention. Herald: Thank you so much Maxim. 321 00:51:22,050 --> 00:51:25,028 *Applause* 322 00:51:25,028 --> 00:51:41,060 *34c3 outro* 323 00:51:41,060 --> 00:51:47,000 subtitles created by c3subtitles.de in the year 2020. Join, and help us!