0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/369 Thanks! 1 00:00:09,730 --> 00:00:11,709 Good evening, everyone. 2 00:00:11,710 --> 00:00:14,109 I hope because you picked this dog 3 00:00:14,110 --> 00:00:16,319 that all of you know what 4 00:00:16,320 --> 00:00:18,489 you stand for 5 00:00:18,490 --> 00:00:20,769 just in case it stands 6 00:00:20,770 --> 00:00:23,139 for Unified Extensible Firmware 7 00:00:23,140 --> 00:00:25,839 Interface and roughly speaking, 8 00:00:25,840 --> 00:00:27,939 a replacement for the successor 9 00:00:27,940 --> 00:00:30,939 for legacy by just 10 00:00:30,940 --> 00:00:32,530 more features, more secure. 11 00:00:34,780 --> 00:00:37,029 The objective of our research was 12 00:00:37,030 --> 00:00:39,189 to get access to this tiny 13 00:00:39,190 --> 00:00:42,079 chip that's normally stored 14 00:00:42,080 --> 00:00:44,139 folder to your motherboard, and 15 00:00:44,140 --> 00:00:46,269 it's named SPEEA Flash Chip, and 16 00:00:46,270 --> 00:00:48,459 it holds the contents of the Wi-Fi 17 00:00:48,460 --> 00:00:49,479 network. 18 00:00:49,480 --> 00:00:51,520 So it holds the code of unify. 19 00:00:53,260 --> 00:00:55,839 The rules of the play is 20 00:00:55,840 --> 00:00:56,859 with physical access. 21 00:00:56,860 --> 00:00:58,089 It's straightforward, right? 22 00:00:58,090 --> 00:01:00,159 All you need is to connect proper 23 00:01:00,160 --> 00:01:02,379 gear, the flash programmer to this 24 00:01:02,380 --> 00:01:05,318 chip and then you can play with it that. 25 00:01:05,319 --> 00:01:07,209 So we consider only software attacks 26 00:01:08,500 --> 00:01:10,449 during this stock, particularly the ones 27 00:01:10,450 --> 00:01:12,699 that can be conducted remotely, but just 28 00:01:12,700 --> 00:01:13,700 much more scary. 29 00:01:15,160 --> 00:01:16,160 Why bother? 30 00:01:17,130 --> 00:01:19,569 Well, biosurgery Wi-Fi is 31 00:01:19,570 --> 00:01:22,179 quite a special piece of code because 32 00:01:22,180 --> 00:01:24,669 that's the code that gets executed first 33 00:01:24,670 --> 00:01:26,799 by the CPU after the machine is 34 00:01:26,800 --> 00:01:28,179 powered up. 35 00:01:28,180 --> 00:01:30,369 So it means if you have control at 36 00:01:30,370 --> 00:01:33,279 this very early stage of execution, 37 00:01:33,280 --> 00:01:35,439 you control what's executed here. 38 00:01:35,440 --> 00:01:37,569 You also control what's 39 00:01:37,570 --> 00:01:38,679 executed later. 40 00:01:38,680 --> 00:01:40,809 We can trojan it at your what 41 00:01:40,810 --> 00:01:42,999 you can see so you can throw down the 42 00:01:43,000 --> 00:01:45,039 kernel that's loaded later on or the 43 00:01:45,040 --> 00:01:46,040 applications. 44 00:01:47,470 --> 00:01:50,229 And this method of Trojan 45 00:01:50,230 --> 00:01:52,659 has a nice advantage that it can 46 00:01:52,660 --> 00:01:54,429 survive Oyston installation. 47 00:01:54,430 --> 00:01:56,559 Right, because the code for the Trojan 48 00:01:56,560 --> 00:01:58,389 does not reside on the hard drive along 49 00:01:58,390 --> 00:02:00,579 with the operating system, but 50 00:02:00,580 --> 00:02:02,730 in the BIOS bodying on the for us. 51 00:02:04,300 --> 00:02:06,189 So that's pretty unique. 52 00:02:06,190 --> 00:02:08,288 Also, if you're not that sophisticated, 53 00:02:08,289 --> 00:02:10,239 you can do much more a trick, just 54 00:02:10,240 --> 00:02:12,339 overwrite the bias 55 00:02:12,340 --> 00:02:13,959 that you have with garbage. 56 00:02:13,960 --> 00:02:16,019 And then what happens is that 57 00:02:16,020 --> 00:02:18,639 the machine will not put aside because 58 00:02:18,640 --> 00:02:20,259 bios will not stand. 59 00:02:20,260 --> 00:02:22,359 And the only way to divide 60 00:02:22,360 --> 00:02:24,759 this machine is just again to connect 61 00:02:24,760 --> 00:02:26,349 the flash programmer. There's no other 62 00:02:26,350 --> 00:02:28,509 way, though. That's pretty nasty attack. 63 00:02:28,510 --> 00:02:30,129 If you consider what happened to Saudi 64 00:02:30,130 --> 00:02:32,319 Aramco a couple of years ago, that 65 00:02:32,320 --> 00:02:34,330 kind of attack would be much more nasty. 66 00:02:35,440 --> 00:02:38,679 So all these three, 67 00:02:38,680 --> 00:02:40,899 there are three reasons why why it is 68 00:02:40,900 --> 00:02:43,479 interesting to get access to them at 69 00:02:43,480 --> 00:02:45,629 flash cheap. It's an ideal place for 70 00:02:45,630 --> 00:02:46,989 rootkit. 71 00:02:46,990 --> 00:02:49,389 You probably don't hear a lot about 72 00:02:49,390 --> 00:02:51,819 these kids being deployed in the wild 73 00:02:51,820 --> 00:02:54,069 because it's a little bit advanced, 74 00:02:54,070 --> 00:02:55,119 but they do happen. 75 00:02:55,120 --> 00:02:57,399 And if you Google for the project 76 00:02:57,400 --> 00:02:59,649 data bounds by NSA, 77 00:02:59,650 --> 00:03:01,739 you can see that really that kind of 78 00:03:01,740 --> 00:03:03,280 could happen either way. 79 00:03:05,520 --> 00:03:07,689 It's so high regarding this 80 00:03:07,690 --> 00:03:10,929 issue, how security is implemented. 81 00:03:10,930 --> 00:03:12,699 Well, first of all, the chipset itself 82 00:03:12,700 --> 00:03:14,829 provides the means, the features to 83 00:03:14,830 --> 00:03:16,989 actually program the flash device. 84 00:03:16,990 --> 00:03:18,519 It's necessary if you want to support, 85 00:03:18,520 --> 00:03:20,589 for instance, by biosolids. 86 00:03:20,590 --> 00:03:22,869 But it also it's 87 00:03:22,870 --> 00:03:24,489 possible to configure the chipset in a 88 00:03:24,490 --> 00:03:26,619 way that prevents access to the 89 00:03:26,620 --> 00:03:28,839 chip and then 90 00:03:28,840 --> 00:03:31,209 it's up to the firmware, biosurgery, 91 00:03:31,210 --> 00:03:33,639 fi, whatever utilizes 92 00:03:33,640 --> 00:03:34,839 it properly. 93 00:03:34,840 --> 00:03:37,269 So that, for instance, before 94 00:03:37,270 --> 00:03:39,789 update the BIOS is applied, Yafei 95 00:03:39,790 --> 00:03:41,239 must have a chance to, for instance, 96 00:03:41,240 --> 00:03:43,299 check the signature to verify that it's 97 00:03:43,300 --> 00:03:44,949 a legitimate happening. 98 00:03:44,950 --> 00:03:47,169 And of course, and the random 99 00:03:47,170 --> 00:03:50,109 attempts to write the 100 00:03:50,110 --> 00:03:51,639 SBA that should be denied 101 00:03:53,200 --> 00:03:55,269 well of this 102 00:03:55,270 --> 00:03:56,259 method of protection. 103 00:03:56,260 --> 00:03:58,569 So there are 104 00:03:58,570 --> 00:04:00,549 vulnerabilities in the past that allowed 105 00:04:00,550 --> 00:04:02,709 us to get past this rate protection for 106 00:04:02,710 --> 00:04:05,499 probably the first one was in 2009, 107 00:04:05,500 --> 00:04:07,749 for a long time ago by Alex 108 00:04:07,750 --> 00:04:09,479 that rescued me from ITIL. 109 00:04:10,600 --> 00:04:13,989 And this gentleman much more recently 110 00:04:13,990 --> 00:04:16,088 presented at least two different ways 111 00:04:16,089 --> 00:04:18,259 of getting right access to the 112 00:04:18,260 --> 00:04:19,299 SBA. 113 00:04:19,300 --> 00:04:21,879 But in fact, these attacks were a bit 114 00:04:21,880 --> 00:04:24,669 theoretical, certainly 115 00:04:24,670 --> 00:04:26,409 some optimal from explications point of 116 00:04:26,410 --> 00:04:28,479 view. The reason was these 117 00:04:28,480 --> 00:04:30,669 attacks were based on complex memory 118 00:04:30,670 --> 00:04:32,899 corruption vulnerabilities and 119 00:04:32,900 --> 00:04:34,959 even developing exploits 120 00:04:34,960 --> 00:04:37,059 for them is very tedious because it's 121 00:04:37,060 --> 00:04:38,919 very difficult to debunk the early 122 00:04:38,920 --> 00:04:40,149 bioscope. 123 00:04:40,150 --> 00:04:42,429 So in reality, to have reasonable 124 00:04:42,430 --> 00:04:44,169 chances to develop such an exploit, you 125 00:04:44,170 --> 00:04:46,359 need equipment like data 126 00:04:46,360 --> 00:04:48,669 debugger plus programing, and 127 00:04:48,670 --> 00:04:50,199 it gets complicated. 128 00:04:50,200 --> 00:04:52,629 Also, the exploits were 129 00:04:52,630 --> 00:04:54,739 quite unstable. 130 00:04:54,740 --> 00:04:57,039 So you were dependent on a particular 131 00:04:57,040 --> 00:04:59,209 version of the chipset etc 132 00:04:59,210 --> 00:05:00,999 etc and deporting them to a different 133 00:05:01,000 --> 00:05:02,709 platform was Manchego. 134 00:05:02,710 --> 00:05:05,139 So for that reason, although 135 00:05:05,140 --> 00:05:07,209 definitely real and possible to exploit 136 00:05:07,210 --> 00:05:09,429 this vulnerabilities are not. 137 00:05:09,430 --> 00:05:12,249 Expected to be really 138 00:05:12,250 --> 00:05:14,319 exploding in a way, but 139 00:05:14,320 --> 00:05:16,379 today will present something better, 140 00:05:17,560 --> 00:05:19,749 namely will present vulnerabilities 141 00:05:19,750 --> 00:05:22,419 which are prevalent among CUFI inflexible 142 00:05:22,420 --> 00:05:23,559 system. 143 00:05:23,560 --> 00:05:24,639 Essentially all 144 00:05:25,720 --> 00:05:28,059 five or six systems that we tested from 145 00:05:28,060 --> 00:05:30,429 different wings were vulnerable. 146 00:05:30,430 --> 00:05:32,339 So it means your laptop is vulnerable 147 00:05:33,460 --> 00:05:35,919 and the consequences are, 148 00:05:35,920 --> 00:05:38,319 again, ability to get the right access 149 00:05:38,320 --> 00:05:40,449 to the flash and also as 150 00:05:40,450 --> 00:05:42,519 a nice bonus ability to get 151 00:05:42,520 --> 00:05:44,769 into some ethem 152 00:05:44,770 --> 00:05:46,959 being system management mode. 153 00:05:46,960 --> 00:05:49,059 It's a very powerful mode of execution of 154 00:05:49,060 --> 00:05:51,129 C.P.U that's 155 00:05:51,130 --> 00:05:53,799 again, usually insulated 156 00:05:53,800 --> 00:05:56,169 from the rest of the operating system. 157 00:05:56,170 --> 00:05:58,029 And finally, they are quite 158 00:05:58,030 --> 00:06:00,729 straightforward, reliable, 159 00:06:00,730 --> 00:06:01,839 simple. 160 00:06:01,840 --> 00:06:03,609 You should be able to reproduce it at 161 00:06:03,610 --> 00:06:04,610 home. 162 00:06:06,080 --> 00:06:09,389 Oh, OK. 163 00:06:09,390 --> 00:06:11,679 Uh, before I begin to make sure my demo 164 00:06:11,680 --> 00:06:13,759 is still up and ready to go. 165 00:06:13,760 --> 00:06:14,760 OK. 166 00:06:16,990 --> 00:06:19,239 So as awful as saying the 167 00:06:19,240 --> 00:06:21,189 protecting the contents of the bias of 168 00:06:21,190 --> 00:06:23,529 the spy flash is of paramount importance 169 00:06:23,530 --> 00:06:25,239 for all those properties he was listing, 170 00:06:25,240 --> 00:06:27,339 and due to this security 171 00:06:27,340 --> 00:06:28,659 critical nature of the bias, there's a 172 00:06:28,660 --> 00:06:31,149 number of protections that surround 173 00:06:31,150 --> 00:06:33,099 making arbitrary programs or any programs 174 00:06:33,100 --> 00:06:34,299 to spy. 175 00:06:34,300 --> 00:06:36,489 So it's not sufficient to just break 176 00:06:36,490 --> 00:06:37,389 down one of these. 177 00:06:37,390 --> 00:06:38,439 You have to really have to break through many 178 00:06:38,440 --> 00:06:40,029 layers if you actually want to, like 179 00:06:40,030 --> 00:06:41,949 insert an implant onto the bias. 180 00:06:41,950 --> 00:06:45,009 And the general flow of the presentation 181 00:06:45,010 --> 00:06:46,959 from here will just be to describe each 182 00:06:46,960 --> 00:06:49,119 of these layers of security, 183 00:06:49,120 --> 00:06:50,499 describe the attack, a service against 184 00:06:50,500 --> 00:06:52,629 them, and then break through them and 185 00:06:52,630 --> 00:06:54,549 hopefully show some large demonstrations 186 00:06:54,550 --> 00:06:56,229 of us doing it on these systems up here. 187 00:06:56,230 --> 00:06:58,269 But we'll see if the Democrats are nice 188 00:06:58,270 --> 00:06:59,270 to us today. 189 00:07:00,070 --> 00:07:01,749 So they're number one, as you can see on 190 00:07:01,750 --> 00:07:03,339 this one, is the the BIOS control 191 00:07:03,340 --> 00:07:04,239 register. 192 00:07:04,240 --> 00:07:06,609 And this is a memory map to register 193 00:07:06,610 --> 00:07:08,709 that you can access memory mattio 194 00:07:08,710 --> 00:07:09,969 or audio. 195 00:07:09,970 --> 00:07:12,039 And it takes the form of many 196 00:07:12,040 --> 00:07:13,539 of these security critical registers on 197 00:07:13,540 --> 00:07:15,669 the six architecture, where you have 198 00:07:15,670 --> 00:07:18,279 some bits that control features 199 00:07:18,280 --> 00:07:20,619 and then you have maybe one locking bit 200 00:07:20,620 --> 00:07:22,089 so that once it's set, 201 00:07:23,330 --> 00:07:25,539 the feature bits can't be 202 00:07:25,540 --> 00:07:27,249 maliciously modified by a compromised 203 00:07:27,250 --> 00:07:29,379 operating system or 204 00:07:29,380 --> 00:07:30,579 a compromised driver or something like 205 00:07:30,580 --> 00:07:31,539 that. 206 00:07:31,540 --> 00:07:33,849 So in this case, this is 207 00:07:33,850 --> 00:07:35,889 responsible for or at least something 208 00:07:35,890 --> 00:07:37,209 that's partly responsible for protecting 209 00:07:37,210 --> 00:07:38,949 the bios. And you can see that number 210 00:07:38,950 --> 00:07:40,479 zeros, the bios try to name a bit. 211 00:07:40,480 --> 00:07:42,609 And this is quite simple when this is one 212 00:07:42,610 --> 00:07:44,109 you can make writes to the BIOS when it's 213 00:07:44,110 --> 00:07:45,970 not, you can simple, 214 00:07:47,260 --> 00:07:48,699 but no one is a bit more interesting. 215 00:07:48,700 --> 00:07:50,709 So as I was saying, normally with these 216 00:07:50,710 --> 00:07:51,999 locking bits, you have it where you set 217 00:07:52,000 --> 00:07:54,189 it to a one and then you can't change 218 00:07:54,190 --> 00:07:55,719 the feature bits anymore until the 219 00:07:55,720 --> 00:07:56,649 platform resets. 220 00:07:56,650 --> 00:07:58,059 They're just locked. 221 00:07:58,060 --> 00:07:59,709 But this one is different. 222 00:07:59,710 --> 00:08:02,049 If you read the fine print text, it says, 223 00:08:03,970 --> 00:08:06,139 OK, if I so I can set to one enable 224 00:08:06,140 --> 00:08:07,719 setting the bias right and able to cause 225 00:08:07,720 --> 00:08:08,799 semis once set. 226 00:08:08,800 --> 00:08:09,759 This bit can only be played by the 227 00:08:09,760 --> 00:08:10,899 platform reset. 228 00:08:10,900 --> 00:08:13,119 So kind of interesting. 229 00:08:13,120 --> 00:08:14,559 It's not saying that just straight up 230 00:08:14,560 --> 00:08:16,599 blocks access to the bios try to enable, 231 00:08:16,600 --> 00:08:19,029 but it just enables essentially S.A.M. 232 00:08:19,030 --> 00:08:21,009 to act as an arbitrator and decide 233 00:08:21,010 --> 00:08:22,779 whether or not try to table should be set 234 00:08:22,780 --> 00:08:24,219 to a one or two, a zero. 235 00:08:24,220 --> 00:08:26,379 And so this puts system management mode 236 00:08:26,380 --> 00:08:28,899 in a position to decide who gets access 237 00:08:28,900 --> 00:08:29,900 to the ship. 238 00:08:31,690 --> 00:08:33,158 So that was a bit abstract. 239 00:08:33,159 --> 00:08:35,019 It's probably helps to clarify with some 240 00:08:35,020 --> 00:08:37,298 diagrams. So if a let's 241 00:08:37,299 --> 00:08:39,308 say this is a malicious kernel, driver 242 00:08:39,309 --> 00:08:41,499 wants to put an implant 243 00:08:41,500 --> 00:08:43,029 onto the ship, the first thing and has to 244 00:08:43,030 --> 00:08:44,889 do is write enable the BIOS because it 245 00:08:44,890 --> 00:08:46,179 has to be one to make programing 246 00:08:46,180 --> 00:08:47,139 operations. 247 00:08:47,140 --> 00:08:48,669 But in this case, the BIOS lock and a 248 00:08:48,670 --> 00:08:49,689 little bit is also sets. 249 00:08:49,690 --> 00:08:50,940 The bias is being protected. 250 00:08:52,120 --> 00:08:54,689 So because obviously being able set 251 00:08:54,690 --> 00:08:56,889 SMI system to interrupt is immediately 252 00:08:56,890 --> 00:08:58,899 generated some kicks in. 253 00:08:58,900 --> 00:09:00,849 And so in this case is going to determine 254 00:09:00,850 --> 00:09:01,959 that, hey, this is an illegitimate 255 00:09:01,960 --> 00:09:03,969 attempt to write, enable the bios. 256 00:09:03,970 --> 00:09:05,559 So we need to come in here and set by 257 00:09:05,560 --> 00:09:07,659 Australian will back to zero and 258 00:09:07,660 --> 00:09:09,369 then eventually the system. 259 00:09:09,370 --> 00:09:11,799 The Senate handler will eventually 260 00:09:11,800 --> 00:09:13,359 return context back to the original 261 00:09:13,360 --> 00:09:14,679 kernel driver that started this whole 262 00:09:14,680 --> 00:09:17,289 attempt to reprogram the ship. 263 00:09:17,290 --> 00:09:19,479 And at the end of the day, the attempt 264 00:09:19,480 --> 00:09:21,849 to write the BIOS fails because 265 00:09:21,850 --> 00:09:24,029 this kernel driver, this thread is 266 00:09:24,030 --> 00:09:25,269 never able to actually execute 267 00:09:25,270 --> 00:09:27,369 instructions in the context of the chips 268 00:09:27,370 --> 00:09:28,959 that went by to try to enable a sequel to 269 00:09:28,960 --> 00:09:29,960 one. 270 00:09:31,310 --> 00:09:33,409 So what do we 271 00:09:33,410 --> 00:09:34,819 have here is the description of the bias 272 00:09:34,820 --> 00:09:36,949 control register from the old days and 273 00:09:36,950 --> 00:09:39,019 from the new days, so the process of 274 00:09:39,020 --> 00:09:41,329 looking at this was kind of like a bendir 275 00:09:41,330 --> 00:09:42,919 thing for vulnerabilities, but in this 276 00:09:42,920 --> 00:09:45,049 case, for dissing the documentation and 277 00:09:45,050 --> 00:09:46,519 you'll see some interesting changes 278 00:09:46,520 --> 00:09:48,619 happen. So back in the old days, the 279 00:09:48,620 --> 00:09:49,549 city takes architecture. 280 00:09:49,550 --> 00:09:51,739 You had the Northbridge Southbridge 281 00:09:51,740 --> 00:09:53,419 style, the memory controller having the 282 00:09:53,420 --> 00:09:56,029 controller hub and then the CPU. 283 00:09:56,030 --> 00:09:58,129 So this is what's up top, the old 284 00:09:58,130 --> 00:10:00,049 what I'm calling style architecture. 285 00:10:00,050 --> 00:10:02,389 But on newer systems, most of them, 286 00:10:02,390 --> 00:10:03,709 they've gravitated away from this 287 00:10:03,710 --> 00:10:04,759 Northbridge Southbridge style 288 00:10:04,760 --> 00:10:06,469 architecture. Now, there's a lot of that 289 00:10:06,470 --> 00:10:07,699 Northbridge functionality has been 290 00:10:07,700 --> 00:10:10,069 migrated into the CPU and 291 00:10:10,070 --> 00:10:11,269 other functionality has been pushed to 292 00:10:11,270 --> 00:10:12,739 the platform controller hub, which is 293 00:10:12,740 --> 00:10:14,839 kind of assume the role of many 294 00:10:14,840 --> 00:10:16,999 of the north and south bridge functions. 295 00:10:17,000 --> 00:10:18,649 So now you just have CPU platform 296 00:10:18,650 --> 00:10:19,699 controller hub. 297 00:10:19,700 --> 00:10:22,009 And I think this happened 298 00:10:22,010 --> 00:10:24,139 around 2010 or so, but I can't say for 299 00:10:24,140 --> 00:10:25,339 sure. 300 00:10:25,340 --> 00:10:26,869 On the old one, you see that big seven 301 00:10:26,870 --> 00:10:28,309 through five are just reserved. 302 00:10:28,310 --> 00:10:29,569 They don't provide any additional 303 00:10:29,570 --> 00:10:31,249 features. But on the new platform 304 00:10:31,250 --> 00:10:33,739 controller hub chipsets, 305 00:10:33,740 --> 00:10:35,869 bit number five is for the cement Binish 306 00:10:35,870 --> 00:10:37,939 right. Protect Vitt, which has some 307 00:10:37,940 --> 00:10:38,929 pretty interesting language. 308 00:10:38,930 --> 00:10:41,089 In particular, it says that when 309 00:10:41,090 --> 00:10:43,309 it's set by this region, 310 00:10:43,310 --> 00:10:44,989 assessment protection is enabled by its 311 00:10:44,990 --> 00:10:46,579 region is not writable unless all 312 00:10:46,580 --> 00:10:47,929 processors are in SMS. 313 00:10:47,930 --> 00:10:49,489 So when we looked at that, it kind of 314 00:10:49,490 --> 00:10:51,469 gave pause to what does that actually 315 00:10:51,470 --> 00:10:53,419 mean? All processors have to be an Samim 316 00:10:53,420 --> 00:10:54,770 for rights to occur. 317 00:10:56,300 --> 00:10:58,609 Well, it turns out that Intel is patching 318 00:10:58,610 --> 00:11:01,339 a latent race condition into the 319 00:11:01,340 --> 00:11:03,139 spice protections provided by byas 320 00:11:03,140 --> 00:11:03,979 control. 321 00:11:03,980 --> 00:11:06,469 And actually the way this 322 00:11:06,470 --> 00:11:08,059 cooperation between the fall and I came 323 00:11:08,060 --> 00:11:10,879 about, as I said, riffel a paper of mines 324 00:11:10,880 --> 00:11:12,379 describing some attacks against legacy 325 00:11:12,380 --> 00:11:14,539 bias and describe this bias control 326 00:11:14,540 --> 00:11:16,359 functionality and are false. 327 00:11:16,360 --> 00:11:17,629 And that seems a bit racy. 328 00:11:17,630 --> 00:11:19,909 We should try to look at that closer. 329 00:11:19,910 --> 00:11:21,439 And some of my colleagues also suggested 330 00:11:21,440 --> 00:11:23,149 that this might be a problem. But as it 331 00:11:23,150 --> 00:11:25,429 turns out, that this bias block enabled 332 00:11:25,430 --> 00:11:27,559 mechanism is subject to a race condition 333 00:11:27,560 --> 00:11:28,640 on multicore systems. 334 00:11:30,190 --> 00:11:32,739 So the way this generally works, it's 335 00:11:32,740 --> 00:11:34,419 really simple to to exploit. 336 00:11:34,420 --> 00:11:36,789 You just need to thread so to 337 00:11:36,790 --> 00:11:38,949 to cause so essentially 338 00:11:38,950 --> 00:11:40,719 to colonel drivers and one will be 339 00:11:40,720 --> 00:11:42,309 attempting to. Right. Enable the bias in 340 00:11:42,310 --> 00:11:43,359 a tight loop. 341 00:11:43,360 --> 00:11:45,459 And then the other core, what 342 00:11:45,460 --> 00:11:46,509 I'm representing here is thread number 343 00:11:46,510 --> 00:11:48,129 two is just going to be attempting flash 344 00:11:48,130 --> 00:11:49,999 programing operations in a tight loop. 345 00:11:50,000 --> 00:11:52,209 So this when we succeed 346 00:11:52,210 --> 00:11:54,069 in the race condition bias. 347 00:11:54,070 --> 00:11:55,479 Right, enable OK, we're doing this a 348 00:11:55,480 --> 00:11:57,759 million times and Simmi 349 00:11:57,760 --> 00:11:59,709 occurs and the handler is going to come 350 00:11:59,710 --> 00:12:01,269 in and try to save the day and set bias. 351 00:12:01,270 --> 00:12:03,309 Right. Enable equal to zero. 352 00:12:03,310 --> 00:12:06,099 But it doesn't happen in time because 353 00:12:06,100 --> 00:12:08,199 thread to here just keeps on, keeps 354 00:12:08,200 --> 00:12:09,759 on trying and eventually they're able to 355 00:12:09,760 --> 00:12:11,169 make that flash programing operation 356 00:12:11,170 --> 00:12:11,679 happen. 357 00:12:11,680 --> 00:12:13,479 And this works pretty easily because 358 00:12:13,480 --> 00:12:15,189 there's no penalty for failure. 359 00:12:15,190 --> 00:12:16,929 You can just attempt this flash 360 00:12:16,930 --> 00:12:18,219 programing operation in a tight loop, 361 00:12:18,220 --> 00:12:19,479 millions and millions of times. 362 00:12:19,480 --> 00:12:21,489 And if it fails because by Astrud and 363 00:12:21,490 --> 00:12:23,379 able to zero, then it just basically 364 00:12:23,380 --> 00:12:24,909 silently fails. Nothing catastrophic 365 00:12:24,910 --> 00:12:26,019 happens like gaming the system or 366 00:12:26,020 --> 00:12:26,589 whatever. 367 00:12:26,590 --> 00:12:28,869 So you can really be quite a brute force 368 00:12:28,870 --> 00:12:30,370 approach and it will work just fine. 369 00:12:32,760 --> 00:12:34,559 And then eventually someone will come in 370 00:12:34,560 --> 00:12:36,629 and set by to be able to zero but too 371 00:12:36,630 --> 00:12:38,219 late, the the implants already been 372 00:12:38,220 --> 00:12:40,230 installed and the game is already lost. 373 00:12:42,240 --> 00:12:44,339 So we're about to attempt a live demo, 374 00:12:44,340 --> 00:12:46,499 No. One. So I'm going to try to 375 00:12:46,500 --> 00:12:48,059 show you this race condition just to make 376 00:12:48,060 --> 00:12:50,099 it more real. It's going on. 377 00:12:50,100 --> 00:12:51,509 So let's give that a try. 378 00:12:51,510 --> 00:12:52,510 Everyone. 379 00:12:53,920 --> 00:12:55,969 So what I have here is I'm currently in 380 00:12:55,970 --> 00:12:57,460 one of these systems and 381 00:12:58,780 --> 00:13:00,099 we're just going to use this race 382 00:13:00,100 --> 00:13:02,289 condition to corrupt the firmware 383 00:13:02,290 --> 00:13:04,539 on this book and just render 384 00:13:04,540 --> 00:13:06,639 it non bootable. That's the goal anyway. 385 00:13:06,640 --> 00:13:09,669 But before we begin, I want to show you, 386 00:13:09,670 --> 00:13:11,079 just to make it even more clear what's 387 00:13:11,080 --> 00:13:12,490 going on at this bias. Right, enable bit. 388 00:13:14,500 --> 00:13:16,959 So this right here on the LPC 389 00:13:16,960 --> 00:13:18,999 device is you can see right here at 390 00:13:19,000 --> 00:13:21,129 Offset, D.C., this is the bias 391 00:13:21,130 --> 00:13:23,229 control register right now, only a 392 00:13:23,230 --> 00:13:25,179 bit one is set, which the bios lock in a 393 00:13:25,180 --> 00:13:27,369 bit. And you can try all you 394 00:13:27,370 --> 00:13:28,779 want to set this thing to one. 395 00:13:28,780 --> 00:13:30,849 And yeah, it appears 396 00:13:30,850 --> 00:13:32,259 maybe to stick for a second. 397 00:13:33,920 --> 00:13:35,689 You see a three there, but that only 398 00:13:35,690 --> 00:13:36,690 appears to because 399 00:13:37,850 --> 00:13:39,289 the refrigerator this is like one time a 400 00:13:39,290 --> 00:13:41,359 second, so we can't we can attempt to by 401 00:13:41,360 --> 00:13:42,589 trying and able, but it's not working 402 00:13:42,590 --> 00:13:44,039 because someone is coming in and setting 403 00:13:44,040 --> 00:13:45,559 bayfront and equal to zero. 404 00:13:45,560 --> 00:13:46,999 But what happens if we just try this 405 00:13:47,000 --> 00:13:48,079 millions of millions of times 406 00:13:48,080 --> 00:13:50,239 simultaneously eventually will succeed? 407 00:13:50,240 --> 00:13:51,240 Hopefully. 408 00:14:06,950 --> 00:14:08,569 OK, before I begin, I just want to show 409 00:14:08,570 --> 00:14:10,549 you the region of the ship that we're 410 00:14:10,550 --> 00:14:12,709 going to change, 411 00:14:12,710 --> 00:14:13,789 if I can remember. 412 00:14:16,350 --> 00:14:18,789 OK, so in here is just essentially unused 413 00:14:18,790 --> 00:14:21,069 space, so it's just 414 00:14:21,070 --> 00:14:22,269 make a change here because it'll be 415 00:14:22,270 --> 00:14:24,339 obvious and what we have to do 416 00:14:24,340 --> 00:14:25,899 and do in these programing operations is 417 00:14:25,900 --> 00:14:28,059 actually clobber a hole for for 418 00:14:28,060 --> 00:14:29,229 a block. 419 00:14:29,230 --> 00:14:31,029 And doing so will corrupt the firmware to 420 00:14:31,030 --> 00:14:33,309 the point where it's not 421 00:14:33,310 --> 00:14:34,869 going to boot anymore. So this is what 422 00:14:34,870 --> 00:14:36,159 will be changing. This is our target. 423 00:14:39,300 --> 00:14:41,459 OK, so what I've already done 424 00:14:41,460 --> 00:14:43,199 previously is I've installed two COL 425 00:14:43,200 --> 00:14:45,449 drivers into this one, eight systems, and 426 00:14:45,450 --> 00:14:47,369 Colonel Driver number one is going to do 427 00:14:47,370 --> 00:14:48,959 biocide enabled in a tight loop when it 428 00:14:48,960 --> 00:14:50,729 receives an IO control code. 429 00:14:50,730 --> 00:14:52,919 And kernel driver number two is 430 00:14:52,920 --> 00:14:54,839 going to attempt to flash programing 431 00:14:54,840 --> 00:14:56,759 operation in a tight loop upon receiving 432 00:14:56,760 --> 00:14:57,899 an audio control code. So then all I have 433 00:14:57,900 --> 00:14:59,999 to do is use choose to use Herland agents 434 00:15:00,000 --> 00:15:01,889 to start sending the IO control codes to 435 00:15:01,890 --> 00:15:03,120 try to win this race condition. 436 00:15:13,300 --> 00:15:15,699 OK, so this one on the right set 437 00:15:15,700 --> 00:15:17,169 by Australian, an agent that's going to 438 00:15:17,170 --> 00:15:19,419 be the one that invokes the by to naval 439 00:15:19,420 --> 00:15:20,799 tight loop code and it's one of the flash 440 00:15:20,800 --> 00:15:22,699 programing now with our flash programing. 441 00:15:22,700 --> 00:15:24,699 And it's a bit odd or I guess not odd, 442 00:15:24,700 --> 00:15:27,039 but you have to do an array operation 443 00:15:27,040 --> 00:15:28,569 before you do a programing operation. 444 00:15:28,570 --> 00:15:30,069 So I'm actually going to have to win this 445 00:15:30,070 --> 00:15:32,169 race two separate times to 446 00:15:32,170 --> 00:15:33,669 actually accomplish this attack. 447 00:15:33,670 --> 00:15:34,989 So let's see if I can be quick about 448 00:15:34,990 --> 00:15:35,990 this. 449 00:15:36,610 --> 00:15:39,070 Oops, I didn't install the drivers. 450 00:15:44,430 --> 00:15:45,430 Here we go. 451 00:15:49,040 --> 00:15:51,229 OK, so right now I'm raising both 452 00:15:51,230 --> 00:15:52,669 those threads are occurring, is happening 453 00:15:52,670 --> 00:15:54,859 millions of times that was 454 00:15:54,860 --> 00:15:57,709 attempting the flash iRace operation 455 00:15:57,710 --> 00:16:00,619 and now I'm going to attempt the 456 00:16:00,620 --> 00:16:02,120 the programing operation. 457 00:16:04,070 --> 00:16:06,019 So let's just try that one more time. 458 00:16:08,760 --> 00:16:10,129 Let it go for a little bit. 459 00:16:13,190 --> 00:16:15,409 OK, that should have been sufficient, but 460 00:16:15,410 --> 00:16:16,580 we can actually check. 461 00:16:19,120 --> 00:16:20,379 So what I have right now is a colonel 462 00:16:20,380 --> 00:16:21,549 driver, which is just dumping the 463 00:16:21,550 --> 00:16:23,139 contents of this by flash so I can just 464 00:16:23,140 --> 00:16:24,789 verify that I've actually won the race 465 00:16:24,790 --> 00:16:26,139 and been able to make these changes. 466 00:16:30,140 --> 00:16:31,729 Yeah, and you can see here, these were 467 00:16:31,730 --> 00:16:33,649 originally asked and I just wrote some 468 00:16:33,650 --> 00:16:35,539 junkier and as I was mentioning, 469 00:16:36,620 --> 00:16:38,449 programing only happened sixty four bites 470 00:16:38,450 --> 00:16:40,219 at a time. So I've only seen sixty four 471 00:16:40,220 --> 00:16:41,659 bites here. I could just continue this 472 00:16:41,660 --> 00:16:43,189 and write even more, but the iRace 473 00:16:43,190 --> 00:16:45,619 happens and a whole four block. 474 00:16:45,620 --> 00:16:47,569 So I actually annihilated a whole lot of 475 00:16:47,570 --> 00:16:50,089 other stuff, including important yafai 476 00:16:50,090 --> 00:16:51,529 data structures, which is basically on a 477 00:16:51,530 --> 00:16:53,689 brick this system when I tried to 478 00:16:53,690 --> 00:16:55,369 reboot it. So let's see what happens when 479 00:16:55,370 --> 00:16:56,370 I try to be done. 480 00:17:00,240 --> 00:17:01,829 So I'm going to reboot and the real race 481 00:17:01,830 --> 00:17:04,078 will be, can I break the system 482 00:17:04,079 --> 00:17:05,639 with the flash program I bought with me 483 00:17:05,640 --> 00:17:07,649 before our fall finishes his portion and 484 00:17:07,650 --> 00:17:08,650 we can continue. 485 00:17:11,220 --> 00:17:13,349 OK, so I just rebooted that system. 486 00:17:15,060 --> 00:17:17,159 Probably it will do something 487 00:17:17,160 --> 00:17:17,639 horrible. 488 00:17:17,640 --> 00:17:19,259 Yeah, so right now it's just stuck in 489 00:17:19,260 --> 00:17:21,358 this diagnostic boot loop. 490 00:17:21,359 --> 00:17:23,489 It'll never but again, the firmware has 491 00:17:23,490 --> 00:17:25,618 been completely like a hosed because I've 492 00:17:25,619 --> 00:17:27,149 overridden critical parts of it. 493 00:17:27,150 --> 00:17:29,249 And you're basically dead in the 494 00:17:29,250 --> 00:17:30,179 water. 495 00:17:30,180 --> 00:17:31,979 You can't attempt to reinstall the 496 00:17:31,980 --> 00:17:33,239 operating system. That's not going to fix 497 00:17:33,240 --> 00:17:34,199 it because the firmware is just 498 00:17:34,200 --> 00:17:35,509 completely blasted at this point. 499 00:17:35,510 --> 00:17:37,439 It'll never turn on. 500 00:17:37,440 --> 00:17:39,479 So this kind of attack was to happen. 501 00:17:39,480 --> 00:17:40,979 Your I.T. department would be pretty ill 502 00:17:40,980 --> 00:17:42,329 prepared to recover from this. 503 00:17:44,310 --> 00:17:45,310 Luckily. 504 00:17:50,780 --> 00:17:52,819 So luckily, I've had the foresight to 505 00:17:52,820 --> 00:17:54,559 make a backup of the firmware with my 506 00:17:54,560 --> 00:17:56,599 flash programmer that I brought here so I 507 00:17:56,600 --> 00:17:58,729 can try to recover the contents of 508 00:17:58,730 --> 00:18:00,859 this, the fall is continuing, which 509 00:18:00,860 --> 00:18:02,240 I'll do after I finish up here. 510 00:18:03,790 --> 00:18:06,139 OK, so one sort of important question 511 00:18:06,140 --> 00:18:07,309 is who is affected? 512 00:18:07,310 --> 00:18:09,649 Now, as I mentioned in earlier, 513 00:18:09,650 --> 00:18:11,959 systems didn't even have this 514 00:18:11,960 --> 00:18:14,329 symbiotes right protect Newar 515 00:18:14,330 --> 00:18:16,099 platform controller hub systems. 516 00:18:18,200 --> 00:18:20,149 It's like doing this CPU loop of doom 517 00:18:20,150 --> 00:18:20,609 right now. 518 00:18:20,610 --> 00:18:21,610 So if 519 00:18:23,240 --> 00:18:25,309 if newer platform controller based 520 00:18:25,310 --> 00:18:27,099 systems, if they set estimate by a ship 521 00:18:27,100 --> 00:18:29,509 protect race condition defeated doesn't 522 00:18:29,510 --> 00:18:31,309 happen. Good to go. 523 00:18:31,310 --> 00:18:33,649 Older systems, they can possibly 524 00:18:33,650 --> 00:18:35,149 protect these sell themselves. 525 00:18:35,150 --> 00:18:37,009 This other layer of protection called 526 00:18:37,010 --> 00:18:38,899 protected range registers. 527 00:18:38,900 --> 00:18:41,959 But even if they use them, 528 00:18:41,960 --> 00:18:43,249 we'll talk more about how these work. 529 00:18:43,250 --> 00:18:44,929 But it might not be sufficient and we'll 530 00:18:44,930 --> 00:18:45,930 talk about why later. 531 00:18:47,690 --> 00:18:49,969 So if you don't set symbiotes 532 00:18:49,970 --> 00:18:51,139 right protect, you're probably 533 00:18:51,140 --> 00:18:52,729 vulnerable, as is the multistory. 534 00:18:52,730 --> 00:18:55,099 And the bad news is most systems 535 00:18:55,100 --> 00:18:56,479 that I've looked at, even systems that 536 00:18:56,480 --> 00:18:57,499 support symbiotes. 537 00:18:57,500 --> 00:18:58,579 Right. Protect, don't set it. 538 00:18:58,580 --> 00:19:00,889 So I did another 539 00:19:00,890 --> 00:19:03,079 paper with some colleagues 540 00:19:03,080 --> 00:19:04,159 earlier this year that talked about a 541 00:19:04,160 --> 00:19:05,179 hack in the box, Amsterdam. 542 00:19:05,180 --> 00:19:06,439 And we surveyed about eight thousand 543 00:19:06,440 --> 00:19:08,599 systems. And granted, 544 00:19:08,600 --> 00:19:10,969 the systems were probably about two 545 00:19:10,970 --> 00:19:13,309 years old on average, I would say, but 546 00:19:13,310 --> 00:19:15,019 less than 10 percent were actually making 547 00:19:15,020 --> 00:19:16,339 use of some right protect. 548 00:19:16,340 --> 00:19:18,409 So there's this fix available for a lot 549 00:19:18,410 --> 00:19:20,179 of systems. But for whatever reason, OEMs 550 00:19:20,180 --> 00:19:21,799 don't seem to be using it like this elite 551 00:19:21,800 --> 00:19:23,599 book supports it but doesn't set it. 552 00:19:23,600 --> 00:19:25,739 And many systems look, that is just 553 00:19:25,740 --> 00:19:27,229 don't bother, use it for whatever reason. 554 00:19:27,230 --> 00:19:29,329 And yeah, just to reiterate, very easy to 555 00:19:29,330 --> 00:19:31,979 exploit. Nothing magical going on. 556 00:19:31,980 --> 00:19:34,409 I just need one thread setting 557 00:19:34,410 --> 00:19:35,729 try enable a bunch another throughout a 558 00:19:35,730 --> 00:19:37,249 typical flash programing and then wait a 559 00:19:37,250 --> 00:19:39,319 second and then you've probably won no 560 00:19:39,320 --> 00:19:41,059 penalty for brute force. Just keep on 561 00:19:41,060 --> 00:19:42,060 trying. 562 00:19:43,570 --> 00:19:45,789 OK, so that's the 563 00:19:45,790 --> 00:19:48,309 sort of the outermost layer of the bias 564 00:19:48,310 --> 00:19:49,719 protection. But how can we proceed in 565 00:19:49,720 --> 00:19:51,669 work? You get to the promised land of the 566 00:19:51,670 --> 00:19:54,549 flagship of the UNFI firmware. 567 00:19:54,550 --> 00:19:57,819 So next up is if 568 00:19:57,820 --> 00:19:59,869 the OEM, if the BIOS makes use of 569 00:19:59,870 --> 00:20:01,989 symbiotes right protect, we 570 00:20:01,990 --> 00:20:03,609 are essentially forced to break into 571 00:20:03,610 --> 00:20:05,589 system management mode to continue our 572 00:20:05,590 --> 00:20:06,969 assault on the firmware. 573 00:20:06,970 --> 00:20:08,919 And Raphel is going to talk about how we 574 00:20:08,920 --> 00:20:10,449 can attack S.A.M. 575 00:20:10,450 --> 00:20:11,799 on most Yafai systems 576 00:20:13,240 --> 00:20:14,380 with this portion of next. 577 00:20:19,580 --> 00:20:21,769 OK, so attacking S.A.M. 578 00:20:21,770 --> 00:20:24,259 biocide protect us. 579 00:20:24,260 --> 00:20:27,409 So have you ever heard the story of 580 00:20:27,410 --> 00:20:28,999 the wife? 581 00:20:29,000 --> 00:20:30,669 No, I thought so. 582 00:20:30,670 --> 00:20:32,299 That's not the story that the Jedi would 583 00:20:32,300 --> 00:20:33,950 tell you so. 584 00:20:39,630 --> 00:20:42,059 For our purposes, the important 585 00:20:42,060 --> 00:20:44,309 thing is that they are kept 586 00:20:44,310 --> 00:20:47,159 out of the comatose for many years. 587 00:20:47,160 --> 00:20:49,229 In fact, he killed him and revived 588 00:20:49,230 --> 00:20:50,230 a couple of times. 589 00:20:51,240 --> 00:20:53,639 The reasoning behind it was research. 590 00:20:53,640 --> 00:20:55,709 He just wanted to figure out how 591 00:20:55,710 --> 00:20:57,479 many Clarient work and how they're 592 00:20:57,480 --> 00:20:59,249 connected to life and death. 593 00:20:59,250 --> 00:21:01,469 So how is it relevant for 594 00:21:01,470 --> 00:21:03,869 our business and 595 00:21:03,870 --> 00:21:05,459 the relevant parties that you have 596 00:21:05,460 --> 00:21:08,009 already seen, namely the 597 00:21:08,010 --> 00:21:10,199 that registers unlockable and some 598 00:21:10,200 --> 00:21:12,269 of the lakebeds are cleared 599 00:21:12,270 --> 00:21:14,429 only during the whole 600 00:21:14,430 --> 00:21:15,430 three sets. 601 00:21:17,070 --> 00:21:19,499 So the idea is to force 602 00:21:19,500 --> 00:21:22,229 this reset so the death of the platform 603 00:21:22,230 --> 00:21:24,449 and then still gain control over 604 00:21:24,450 --> 00:21:26,579 it while it's being resurrected. 605 00:21:28,470 --> 00:21:30,629 And that that idea 606 00:21:30,630 --> 00:21:32,429 means that we still have control. 607 00:21:32,430 --> 00:21:33,430 Why the 608 00:21:34,530 --> 00:21:36,389 logistics are not locked. 609 00:21:36,390 --> 00:21:38,399 And some of you might already have 610 00:21:38,400 --> 00:21:40,979 guessed that we will use XP as we sleep 611 00:21:40,980 --> 00:21:43,289 because it involves both 612 00:21:43,290 --> 00:21:46,599 death, so sleep and then resurrection. 613 00:21:46,600 --> 00:21:48,689 So as you said, we see 614 00:21:48,690 --> 00:21:50,789 that as we sleep equals the 615 00:21:50,790 --> 00:21:51,790 Ikoma. 616 00:21:52,650 --> 00:21:54,659 So what's the difference between normal 617 00:21:54,660 --> 00:21:57,599 bolt and resume from as we sleep 618 00:21:57,600 --> 00:21:58,600 in context of you? 619 00:22:00,030 --> 00:22:02,099 So if I executions divided into a 620 00:22:02,100 --> 00:22:04,049 couple of days, you have SECC face to 621 00:22:04,050 --> 00:22:06,449 face the XY, then device 622 00:22:06,450 --> 00:22:08,969 selection and operating system look 623 00:22:08,970 --> 00:22:11,099 and the interesting part happens 624 00:22:11,100 --> 00:22:12,929 in the face. 625 00:22:12,930 --> 00:22:15,149 So at this point, 626 00:22:15,150 --> 00:22:16,709 most of the registers are actually 627 00:22:16,710 --> 00:22:17,710 locked. 628 00:22:18,690 --> 00:22:21,359 Interestingly, each time 629 00:22:21,360 --> 00:22:23,489 the platform is being configured by 630 00:22:23,490 --> 00:22:25,499 the means of PCI config space. 631 00:22:25,500 --> 00:22:27,259 Right. Memory, right. 632 00:22:27,260 --> 00:22:29,699 I'll write the information 633 00:22:29,700 --> 00:22:31,890 about an exact 634 00:22:33,660 --> 00:22:35,609 information about what's being. 635 00:22:37,320 --> 00:22:39,539 Configured as recorded in the 636 00:22:39,540 --> 00:22:41,780 data structure means what script? 637 00:22:43,210 --> 00:22:45,339 And what script is just, again, 638 00:22:45,340 --> 00:22:47,479 data structure starting normal 639 00:22:47,480 --> 00:22:49,569 ram, usually, typically 640 00:22:49,570 --> 00:22:52,089 it is in a vessel 641 00:22:52,090 --> 00:22:54,609 area of RAM reserved for 642 00:22:54,610 --> 00:22:55,750 the purposes of you faith 643 00:22:56,770 --> 00:22:58,959 and why it is so it will be useful 644 00:22:58,960 --> 00:23:00,489 on a resume. 645 00:23:00,490 --> 00:23:02,889 So as Friesian, we start 646 00:23:02,890 --> 00:23:03,999 in a very similar way. 647 00:23:04,000 --> 00:23:06,249 So C.P.U is powered 648 00:23:06,250 --> 00:23:08,619 up, jumps to the reset vector, 649 00:23:08,620 --> 00:23:10,809 then the fuckface executes 650 00:23:10,810 --> 00:23:13,089 the phase execute, 651 00:23:13,090 --> 00:23:14,709 but then something else happens. 652 00:23:14,710 --> 00:23:16,899 Namely instead of just loading 653 00:23:16,900 --> 00:23:19,149 all the driver from the flash and 654 00:23:19,150 --> 00:23:21,339 just running of all of them, 655 00:23:21,340 --> 00:23:24,099 we just replay the configuration 656 00:23:24,100 --> 00:23:26,349 actions from the script. 657 00:23:26,350 --> 00:23:27,459 So that's the difference. 658 00:23:27,460 --> 00:23:29,619 So at this point, it's not the content 659 00:23:29,620 --> 00:23:31,569 of the Flash that dictates what is being 660 00:23:31,570 --> 00:23:33,999 executed. In fact, it's just the contents 661 00:23:34,000 --> 00:23:36,129 of this memory of the script 662 00:23:36,130 --> 00:23:38,769 that shows what configuration actions 663 00:23:38,770 --> 00:23:39,770 will be applied. 664 00:23:40,930 --> 00:23:43,089 And then afterwards, as usual, 665 00:23:43,090 --> 00:23:45,159 the operating system is woken up and to 666 00:23:45,160 --> 00:23:46,160 give in control. 667 00:23:47,310 --> 00:23:49,469 So, again, the important part is that 668 00:23:49,470 --> 00:23:50,879 at the moment when the script is 669 00:23:50,880 --> 00:23:52,949 interpreted, most of 670 00:23:52,950 --> 00:23:54,629 the platform registers are not locked 671 00:23:54,630 --> 00:23:55,630 yet. 672 00:23:57,310 --> 00:23:59,429 OK, so obvious 673 00:23:59,430 --> 00:24:01,509 thing, actually, inverse 674 00:24:01,510 --> 00:24:03,729 memory as just normal, it's not 675 00:24:03,730 --> 00:24:05,699 protected against the operating system in 676 00:24:05,700 --> 00:24:08,049 anyway, so it means that the 677 00:24:08,050 --> 00:24:10,479 attacker was at least ability 678 00:24:10,480 --> 00:24:12,909 to access all physical memory 679 00:24:12,910 --> 00:24:14,859 can mess with the contents of the. 680 00:24:16,620 --> 00:24:19,659 And that's what we're going to do. 681 00:24:19,660 --> 00:24:22,019 Yeah, one more thing, this whole 682 00:24:22,020 --> 00:24:24,509 boot script concept is quite a core 683 00:24:26,070 --> 00:24:27,149 feature of UniFi. 684 00:24:27,150 --> 00:24:29,319 So all the Wi-Fi implementations 685 00:24:29,320 --> 00:24:30,819 are used. 686 00:24:32,630 --> 00:24:34,699 Yeah, so how about 687 00:24:34,700 --> 00:24:37,279 script look like so again, 688 00:24:37,280 --> 00:24:38,959 maybe just for completeness, I will quote 689 00:24:38,960 --> 00:24:40,369 some documentation. 690 00:24:40,370 --> 00:24:41,989 The typical configuration can be viewed 691 00:24:41,990 --> 00:24:43,819 as a series of memory eion PCI 692 00:24:43,820 --> 00:24:45,949 configuration operations, which the C 693 00:24:45,950 --> 00:24:47,479 drive is recalled in the framework 694 00:24:47,480 --> 00:24:49,669 script. During a few years, that script 695 00:24:49,670 --> 00:24:51,859 engine executes the script to restart 696 00:24:51,860 --> 00:24:53,209 the chipset settings. 697 00:24:53,210 --> 00:24:55,489 So the script consists of the series of 698 00:24:55,490 --> 00:24:57,609 op codes like Allwright Memory, 699 00:24:57,610 --> 00:25:00,049 Riteish Config Write and parameters 700 00:25:00,050 --> 00:25:02,609 to where there is a very interesting 701 00:25:03,680 --> 00:25:05,659 op code for our purposes. 702 00:25:05,660 --> 00:25:07,789 It's named dispatch and the 703 00:25:07,790 --> 00:25:09,949 semantics of it is essentially 704 00:25:09,950 --> 00:25:11,899 execute arbitrary code, right? 705 00:25:11,900 --> 00:25:13,609 It's very useful. 706 00:25:13,610 --> 00:25:16,639 As you can see in the specification, 707 00:25:16,640 --> 00:25:19,099 uh, the consequences are 708 00:25:19,100 --> 00:25:21,649 obvious. So if we can achieve 709 00:25:21,650 --> 00:25:23,809 any of the following, either alter the 710 00:25:23,810 --> 00:25:25,999 contents of the script, so insert 711 00:25:26,000 --> 00:25:28,699 a malicious dispatch of code into it 712 00:25:28,700 --> 00:25:30,829 or alter the target 713 00:25:30,830 --> 00:25:33,049 of an existing AEF, I would 714 00:25:33,050 --> 00:25:34,939 skip dispatchable code so that different. 715 00:25:34,940 --> 00:25:37,009 We do not mess with the 716 00:25:37,010 --> 00:25:39,589 script itself, but we hook our override 717 00:25:39,590 --> 00:25:41,759 the code that's legally calls from 718 00:25:41,760 --> 00:25:42,760 right. 719 00:25:43,070 --> 00:25:45,169 And finally, we can alter 720 00:25:45,170 --> 00:25:47,269 the data structure used by the farmer 721 00:25:47,270 --> 00:25:49,699 to locate where the script is. 722 00:25:49,700 --> 00:25:51,199 If we can achieve any of the following, 723 00:25:51,200 --> 00:25:53,399 then we can force three, suspend, resume 724 00:25:53,400 --> 00:25:55,639 cycle and run 725 00:25:55,640 --> 00:25:57,739 arbitrary code in the context of the 726 00:25:57,740 --> 00:25:58,740 interpreter. 727 00:25:59,700 --> 00:26:01,499 So how exploitation would look like 728 00:26:01,500 --> 00:26:03,899 that's the normal layout 729 00:26:03,900 --> 00:26:06,119 of data, relevant data structure on most 730 00:26:06,120 --> 00:26:08,879 of the machines that we have a look at. 731 00:26:08,880 --> 00:26:11,319 So at the top of it, there is 732 00:26:11,320 --> 00:26:14,009 a unified environment 733 00:26:14,010 --> 00:26:16,589 variable named ATP Global Variable, 734 00:26:16,590 --> 00:26:18,479 and it starts a value that it is a 735 00:26:18,480 --> 00:26:19,559 pointer. 736 00:26:19,560 --> 00:26:21,929 This pointer points into RAM 737 00:26:21,930 --> 00:26:23,999 into action Invictus and 738 00:26:24,000 --> 00:26:26,159 there is data structure named 739 00:26:26,160 --> 00:26:27,719 also global variable 740 00:26:28,920 --> 00:26:31,019 at certain of that in it, 741 00:26:31,020 --> 00:26:33,419 that is a pointer to their bottom. 742 00:26:33,420 --> 00:26:35,879 Right. So that's how it 743 00:26:35,880 --> 00:26:37,259 looks like. 744 00:26:37,260 --> 00:26:39,329 So the most straightforward way that 745 00:26:39,330 --> 00:26:41,939 works most of the time is 746 00:26:41,940 --> 00:26:44,399 first we will prepare our 747 00:26:44,400 --> 00:26:46,649 script. We copy the original script 748 00:26:46,650 --> 00:26:48,719 here. We prepare and you 749 00:26:48,720 --> 00:26:50,909 will dispatch a barcode that just calls 750 00:26:50,910 --> 00:26:52,259 our show code. 751 00:26:52,260 --> 00:26:54,869 And then we change this pointer 752 00:26:54,870 --> 00:26:56,279 to point to our new 753 00:26:57,480 --> 00:26:59,489 shiny biscuit. 754 00:26:59,490 --> 00:27:01,709 The reason why we copied the original 755 00:27:01,710 --> 00:27:03,749 script is obvious, right? 756 00:27:03,750 --> 00:27:05,309 We want to maintain the stability of the 757 00:27:05,310 --> 00:27:06,359 system as you. 758 00:27:08,160 --> 00:27:09,449 And that's pretty much it. 759 00:27:10,590 --> 00:27:12,689 So the question is, can it be done in 760 00:27:12,690 --> 00:27:13,769 the right way? So 761 00:27:14,790 --> 00:27:17,099 is it possible to implement the concept 762 00:27:17,100 --> 00:27:18,149 of security? 763 00:27:18,150 --> 00:27:19,349 And the answer is yes. 764 00:27:19,350 --> 00:27:21,599 And actually, if a development 765 00:27:21,600 --> 00:27:23,669 kit introduces the concept of 766 00:27:23,670 --> 00:27:25,889 the lock box, so the method to 767 00:27:25,890 --> 00:27:28,319 store certain crucial data structures 768 00:27:28,320 --> 00:27:30,989 in a secure way and 769 00:27:30,990 --> 00:27:33,719 the way how it's achieved is that 770 00:27:33,720 --> 00:27:35,489 these data structures must be stored in 771 00:27:35,490 --> 00:27:37,819 some memory, not in 772 00:27:37,820 --> 00:27:39,419 unprotected RAM, but in the region of 773 00:27:39,420 --> 00:27:41,339 memory assigned for system management 774 00:27:41,340 --> 00:27:43,529 molt that's protecting 775 00:27:43,530 --> 00:27:45,659 against an operating system. 776 00:27:45,660 --> 00:27:48,239 And then these 777 00:27:48,240 --> 00:27:50,369 attacks from above will not work. 778 00:27:52,570 --> 00:27:54,699 But it's possible to screw things in 779 00:27:54,700 --> 00:27:56,859 a number of ways, so 780 00:27:56,860 --> 00:27:59,169 we have seen only a single system that 781 00:27:59,170 --> 00:28:01,509 actually used some lockbox to 782 00:28:01,510 --> 00:28:03,249 store the Bush script and relevant data 783 00:28:03,250 --> 00:28:04,539 structure. 784 00:28:04,540 --> 00:28:06,549 And it was actually a horrifying 785 00:28:06,550 --> 00:28:08,829 development. Mother? What the problem 786 00:28:08,830 --> 00:28:11,349 is that the implementation 787 00:28:11,350 --> 00:28:12,730 contained a legal 788 00:28:13,810 --> 00:28:14,810 code. 789 00:28:15,600 --> 00:28:17,729 Patch of with the arguments being, 790 00:28:17,730 --> 00:28:20,129 again, in unprotected memory, 791 00:28:20,130 --> 00:28:21,989 so this time, instead of messing with the 792 00:28:21,990 --> 00:28:23,789 script or the pointer to the script, we 793 00:28:23,790 --> 00:28:26,129 can just overwrite or hook the code 794 00:28:26,130 --> 00:28:27,599 that's normally called. 795 00:28:27,600 --> 00:28:29,269 And guess who is you? 796 00:28:29,270 --> 00:28:31,339 Again, and the effect would be quite 797 00:28:31,340 --> 00:28:32,340 the same. 798 00:28:33,670 --> 00:28:36,099 And so, again, why why 799 00:28:36,100 --> 00:28:38,229 we're doing that is largely 800 00:28:38,230 --> 00:28:40,629 unlocked at this point, particularly 801 00:28:40,630 --> 00:28:42,609 on all the systems that we have seen from 802 00:28:42,610 --> 00:28:45,279 various OEMs biosynthetic 803 00:28:45,280 --> 00:28:46,359 unlocked. 804 00:28:46,360 --> 00:28:48,909 So that means even if buyers 805 00:28:48,910 --> 00:28:51,309 if Intel biocides protect 806 00:28:51,310 --> 00:28:52,869 the needs that we took previously, even 807 00:28:52,870 --> 00:28:55,009 if it is set, it can be fully answered. 808 00:28:55,010 --> 00:28:56,010 Nothing prevents that. 809 00:28:57,040 --> 00:28:59,319 And at this point, Biosynthesis 810 00:28:59,320 --> 00:29:00,429 does not prevent right. 811 00:29:00,430 --> 00:29:01,430 Access to the chip. 812 00:29:02,710 --> 00:29:03,849 It means that 813 00:29:05,110 --> 00:29:06,999 we don't even necessarily have to 814 00:29:07,000 --> 00:29:09,129 actually get code execution in the same 815 00:29:09,130 --> 00:29:10,809 context. Right. 816 00:29:10,810 --> 00:29:12,490 Because we simply can and set 817 00:29:13,570 --> 00:29:15,519 biocides protected. 818 00:29:15,520 --> 00:29:17,529 Not getting control over a system is 819 00:29:17,530 --> 00:29:19,689 quite nice because, again, of all 820 00:29:19,690 --> 00:29:22,599 the power that this model has 821 00:29:22,600 --> 00:29:24,129 for how it looks. 822 00:29:24,130 --> 00:29:26,409 So generally the memory is protected 823 00:29:26,410 --> 00:29:28,359 by two set of registers. 824 00:29:28,360 --> 00:29:30,069 First of all, you have to protect against 825 00:29:30,070 --> 00:29:31,989 access from the CPU. 826 00:29:31,990 --> 00:29:34,239 So for that purpose, modern Zippos 827 00:29:34,240 --> 00:29:35,950 have dedicated. 828 00:29:37,900 --> 00:29:40,239 And there's already stealth named 829 00:29:40,240 --> 00:29:42,789 some Ranger stealth, and 830 00:29:42,790 --> 00:29:45,069 certainly this word define a region 831 00:29:45,070 --> 00:29:47,259 of memory that cannot be accessed 832 00:29:47,260 --> 00:29:49,269 by the CPO unless it is the. 833 00:29:50,650 --> 00:29:52,959 Interestingly, this 834 00:29:52,960 --> 00:29:54,279 is, again, on the platform that we have 835 00:29:54,280 --> 00:29:56,499 seen. These missiles 836 00:29:56,500 --> 00:29:58,629 are already configured prior to 837 00:29:58,630 --> 00:30:00,789 execution of script all this 838 00:30:00,790 --> 00:30:02,979 time, no luck, at least 839 00:30:02,980 --> 00:30:05,359 no free lunch, even in the context of 840 00:30:05,360 --> 00:30:07,479 the fact that we cannot access from 841 00:30:07,480 --> 00:30:08,769 the C.P.U. 842 00:30:08,770 --> 00:30:10,899 But there is another way how memory 843 00:30:10,900 --> 00:30:13,329 can be accessed, namely the ADMA direct 844 00:30:13,330 --> 00:30:15,729 memory access 845 00:30:15,730 --> 00:30:17,379 triggered by BISHAR devices. 846 00:30:17,380 --> 00:30:19,479 Right. All PCI devices 847 00:30:19,480 --> 00:30:22,239 that are capable can 848 00:30:22,240 --> 00:30:24,459 trigger access to the memory 849 00:30:24,460 --> 00:30:27,039 and there is a separate register of 96. 850 00:30:27,040 --> 00:30:29,379 This time it's a chip register 851 00:30:29,380 --> 00:30:31,539 that again defines a region of memory 852 00:30:31,540 --> 00:30:33,730 that cannot be accessed by the. 853 00:30:35,350 --> 00:30:37,839 Interestingly, this is configured 854 00:30:37,840 --> 00:30:40,449 before the book is interpreted, 855 00:30:40,450 --> 00:30:42,520 but it's not locked, interestingly, 856 00:30:43,690 --> 00:30:45,149 which is good news for us, 857 00:30:46,330 --> 00:30:47,500 what we can do is 858 00:30:48,640 --> 00:30:50,799 change the value of the T Segretti 859 00:30:50,800 --> 00:30:53,469 to something totally bogus volume 860 00:30:53,470 --> 00:30:55,839 and then NFPA device 861 00:30:55,840 --> 00:30:58,509 can execute DMA cycles and 862 00:30:58,510 --> 00:31:00,369 get read and write access to that 863 00:31:00,370 --> 00:31:01,509 assignment. 864 00:31:01,510 --> 00:31:03,099 The only trouble with this approach is 865 00:31:03,100 --> 00:31:04,100 that. 866 00:31:04,940 --> 00:31:07,129 Actually, configuring a device 867 00:31:07,130 --> 00:31:09,229 to do arbitrary DMA to arbitrarily 868 00:31:09,230 --> 00:31:11,329 address is tricky because 869 00:31:11,330 --> 00:31:13,369 essentially you must know full semantics 870 00:31:13,370 --> 00:31:15,079 of the device, right? 871 00:31:15,080 --> 00:31:17,449 And just implementing 872 00:31:17,450 --> 00:31:19,699 it in the household itself would be 873 00:31:19,700 --> 00:31:21,799 quite non-trivial so we can do something 874 00:31:21,800 --> 00:31:23,989 better. So in the so-called itself, we 875 00:31:23,990 --> 00:31:26,119 just move out of the 876 00:31:26,120 --> 00:31:27,109 way. 877 00:31:27,110 --> 00:31:28,759 He says also lock it. 878 00:31:28,760 --> 00:31:30,889 And then after the operating system is 879 00:31:30,890 --> 00:31:33,259 woken up, it's much easier 880 00:31:33,260 --> 00:31:35,209 to do arbitrary dilemma because at that 881 00:31:35,210 --> 00:31:37,699 time you can use all the drivers that 882 00:31:37,700 --> 00:31:39,859 has been loaded by the operating system. 883 00:31:39,860 --> 00:31:42,379 Particularly the most straightforward 884 00:31:42,380 --> 00:31:44,390 way is to use the hard disk drive driver. 885 00:31:46,640 --> 00:31:48,769 Yeah, OK, so 886 00:31:48,770 --> 00:31:51,289 that's again, consequences really 887 00:31:51,290 --> 00:31:53,449 ability to get access 888 00:31:53,450 --> 00:31:55,609 to some memory, so 889 00:31:55,610 --> 00:31:57,649 this vulnerability has been reported to 890 00:31:57,650 --> 00:31:59,809 certain has been assigned this 891 00:31:59,810 --> 00:32:00,949 tracking number. 892 00:32:00,950 --> 00:32:02,749 Again, all of the unified system that we 893 00:32:02,750 --> 00:32:04,729 surveyed were vulnerable one way or 894 00:32:04,730 --> 00:32:05,730 another. 895 00:32:06,420 --> 00:32:08,309 It allows a cabinet level attacker, 896 00:32:09,460 --> 00:32:11,609 right, essentially 897 00:32:11,610 --> 00:32:13,889 to bypass the fiction 898 00:32:13,890 --> 00:32:16,109 employed by biosciences and 899 00:32:16,110 --> 00:32:18,209 also escalate in runtime, which 900 00:32:18,210 --> 00:32:19,739 is also interesting. 901 00:32:19,740 --> 00:32:21,839 And finally, it is more or less easy 902 00:32:21,840 --> 00:32:22,799 to exploit. 903 00:32:22,800 --> 00:32:24,869 The only potential difficulty is that 904 00:32:24,870 --> 00:32:27,089 the book's format varies from vendor 905 00:32:27,090 --> 00:32:30,179 to vendor slightly but significantly. 906 00:32:30,180 --> 00:32:31,410 So if you want to 907 00:32:32,550 --> 00:32:35,009 inject your custom 908 00:32:35,010 --> 00:32:36,359 dispatchable code, you need to know the 909 00:32:36,360 --> 00:32:38,519 format. So some reverse engineer might 910 00:32:38,520 --> 00:32:40,679 be quiet if you need to 911 00:32:40,680 --> 00:32:43,199 party to another system. 912 00:32:43,200 --> 00:32:44,909 Another interesting bit. 913 00:32:44,910 --> 00:32:46,859 This very same vulnerability was 914 00:32:46,860 --> 00:32:48,749 discovered totally independently and 915 00:32:48,750 --> 00:32:51,179 mostly at the same time by 916 00:32:51,180 --> 00:32:53,129 guys from Intel Advanced Threat Research 917 00:32:53,130 --> 00:32:54,089 Team. 918 00:32:54,090 --> 00:32:55,349 So congratulations to them. 919 00:32:56,550 --> 00:32:58,499 It happens rarely, but it does happen. 920 00:33:00,120 --> 00:33:01,889 Oh, OK. 921 00:33:01,890 --> 00:33:03,869 So now let's try to do some 922 00:33:03,870 --> 00:33:04,870 demonstration. 923 00:33:06,770 --> 00:33:08,869 Um, I have set up a clinic system, 924 00:33:08,870 --> 00:33:09,950 it's here, so 925 00:33:11,060 --> 00:33:13,639 you should see the white rectangle, 926 00:33:13,640 --> 00:33:15,369 right? So the machine is powered up. 927 00:33:16,730 --> 00:33:18,559 So I assume you have some access to this 928 00:33:18,560 --> 00:33:20,859 machine machine 929 00:33:20,860 --> 00:33:22,099 doesn't need to be a site. 930 00:33:22,100 --> 00:33:23,929 You could just exploit a browser and then 931 00:33:23,930 --> 00:33:25,609 get Connect Backchat. 932 00:33:25,610 --> 00:33:27,679 And all these attacks are going to 933 00:33:27,680 --> 00:33:29,779 require administrator 934 00:33:29,780 --> 00:33:30,780 privileges. 935 00:33:31,610 --> 00:33:33,679 So lucky that a 936 00:33:33,680 --> 00:33:36,499 couple of ways to do that, it's 937 00:33:36,500 --> 00:33:38,149 irrelevant. 938 00:33:38,150 --> 00:33:40,399 And now we can essentially 939 00:33:40,400 --> 00:33:41,400 get busy. 940 00:33:42,330 --> 00:33:44,389 Um, so, first of 941 00:33:44,390 --> 00:33:46,549 all, let's see what the 942 00:33:46,550 --> 00:33:47,550 location of that. 943 00:33:50,600 --> 00:33:52,250 So is, uh, 944 00:33:53,810 --> 00:33:56,229 registered in the host village interface. 945 00:33:56,230 --> 00:33:57,230 Uh, 946 00:33:58,580 --> 00:34:00,769 it's also a 947 00:34:00,770 --> 00:34:02,119 H. 948 00:34:02,120 --> 00:34:04,429 Yeah. So normally it's a 949 00:34:04,430 --> 00:34:06,649 Sissy and Zeitels film. 950 00:34:06,650 --> 00:34:08,959 Now lets this demo is mostly 951 00:34:08,960 --> 00:34:10,769 about getting access to them. 952 00:34:11,989 --> 00:34:14,329 So now how we can try 953 00:34:14,330 --> 00:34:16,488 what happens when we do the major 954 00:34:16,489 --> 00:34:17,959 address. To do that, we need to 955 00:34:17,960 --> 00:34:21,019 innsmouth, uh, this helper 956 00:34:21,020 --> 00:34:22,020 helper module 957 00:34:23,600 --> 00:34:25,908 and then run 958 00:34:25,909 --> 00:34:26,909 the total. 959 00:34:29,300 --> 00:34:31,759 We will read to the filename Thesiger 960 00:34:31,760 --> 00:34:32,760 at. 961 00:34:33,469 --> 00:34:35,639 This address, uh. 962 00:34:40,630 --> 00:34:42,380 It's interesting and read one page. 963 00:34:43,420 --> 00:34:44,420 So if you do it. 964 00:34:46,320 --> 00:34:48,059 Uh, what do you get? 965 00:34:48,060 --> 00:34:50,099 Let's try to figure it out when I type 966 00:34:50,100 --> 00:34:51,100 comments. 967 00:34:56,070 --> 00:34:58,709 Nothing is kind of expected, 968 00:34:58,710 --> 00:35:00,539 and if you look at the current logs. 969 00:35:02,450 --> 00:35:04,279 Well, something horrible has happened, 970 00:35:04,280 --> 00:35:06,439 right? Essentially, the colonel had to 971 00:35:06,440 --> 00:35:09,259 totally reset the setting 972 00:35:09,260 --> 00:35:11,419 because it complained they 973 00:35:11,420 --> 00:35:13,519 had complained that the Matsen section 974 00:35:13,520 --> 00:35:14,610 has failed. Right. 975 00:35:15,900 --> 00:35:17,919 You can see that right, SPDM. 976 00:35:19,820 --> 00:35:21,919 Again, it means how the 977 00:35:21,920 --> 00:35:24,829 protection offered by the team works 978 00:35:24,830 --> 00:35:27,379 so now will run the exploit 979 00:35:27,380 --> 00:35:29,599 again in just a matter of 980 00:35:29,600 --> 00:35:31,140 running another tool. 981 00:35:32,600 --> 00:35:34,859 So what it does it right shall go to 982 00:35:34,860 --> 00:35:37,009 the location, determines what's 983 00:35:37,010 --> 00:35:39,289 the key variable holds 984 00:35:39,290 --> 00:35:41,179 and then switches the location of the 985 00:35:41,180 --> 00:35:42,889 actual Watsky 986 00:35:44,450 --> 00:35:45,739 and what it does. 987 00:35:45,740 --> 00:35:47,809 It again, loads shall 988 00:35:47,810 --> 00:35:50,209 code. And actually this 989 00:35:50,210 --> 00:35:52,360 so-called is just an old binary 990 00:35:53,420 --> 00:35:56,359 and once it is run, it will log 991 00:35:56,360 --> 00:35:57,650 some information to its body. 992 00:35:58,880 --> 00:36:01,909 So if we dump 993 00:36:01,910 --> 00:36:03,979 the contents of 994 00:36:03,980 --> 00:36:06,889 the memory at this location 995 00:36:08,390 --> 00:36:10,880 and to some log file 996 00:36:12,830 --> 00:36:14,030 of settlements 997 00:36:15,650 --> 00:36:17,839 and you add those strings, log 998 00:36:17,840 --> 00:36:18,839 file. 999 00:36:18,840 --> 00:36:20,959 OK, this is does the contents of the 1000 00:36:20,960 --> 00:36:23,149 shell. So nothing has been logged 1001 00:36:23,150 --> 00:36:24,189 yet, right. 1002 00:36:25,760 --> 00:36:28,129 So what remains? 1003 00:36:28,130 --> 00:36:31,159 We can now use the normal 1004 00:36:31,160 --> 00:36:33,649 utility bundle with Linux that will arm 1005 00:36:33,650 --> 00:36:36,139 realtime clock and 1006 00:36:36,140 --> 00:36:37,250 wake the platform, 1007 00:36:38,450 --> 00:36:40,579 resuspended to memory and will tell 1008 00:36:40,580 --> 00:36:43,040 it to wake after 20 seconds 1009 00:36:44,640 --> 00:36:46,999 and then its utility 1010 00:36:47,000 --> 00:36:48,320 that's bundled with 1011 00:36:50,330 --> 00:36:52,239 most distributions. 1012 00:36:52,240 --> 00:36:54,349 OK, so now you can have a look 1013 00:36:54,350 --> 00:36:55,969 at this at this machine. 1014 00:36:55,970 --> 00:36:57,859 Now it's running. 1015 00:36:57,860 --> 00:37:00,169 If I run this command, 1016 00:37:00,170 --> 00:37:02,329 you see, you could see it 1017 00:37:02,330 --> 00:37:04,459 went blank. So it's suspended now 1018 00:37:04,460 --> 00:37:05,510 and you can see that 1019 00:37:07,040 --> 00:37:08,449 the shell is hanging. 1020 00:37:08,450 --> 00:37:10,279 I cannot, of course, interact with it 1021 00:37:10,280 --> 00:37:13,429 because the machine is asleep. 1022 00:37:13,430 --> 00:37:15,739 So now we can either wait for it, reboot 1023 00:37:15,740 --> 00:37:17,959 or use the force like venom if I command 1024 00:37:17,960 --> 00:37:20,029 your ride 1025 00:37:20,030 --> 00:37:21,030 and see 1026 00:37:22,580 --> 00:37:23,590 the facility. 1027 00:37:24,800 --> 00:37:26,179 Yeah, it's like. 1028 00:37:27,910 --> 00:37:30,159 Yeah, and now, uh, 1029 00:37:30,160 --> 00:37:32,349 let's we do all the things that 1030 00:37:32,350 --> 00:37:33,940 we have done previously. 1031 00:37:35,360 --> 00:37:37,599 Uh, so now what's 1032 00:37:37,600 --> 00:37:39,879 what's the value of to give it 1033 00:37:39,880 --> 00:37:41,939 some if it won't 1034 00:37:41,940 --> 00:37:42,940 help much. 1035 00:37:43,570 --> 00:37:46,039 And let's read 1036 00:37:46,040 --> 00:37:48,219 the, um, 1037 00:37:48,220 --> 00:37:49,389 you know. 1038 00:37:53,710 --> 00:37:55,779 Yeah, let's read the log 1039 00:37:55,780 --> 00:37:57,829 of the of the show called 1040 00:37:59,140 --> 00:38:00,140 and. 1041 00:38:01,250 --> 00:38:03,559 And now you see something 1042 00:38:03,560 --> 00:38:05,759 more is logged, so the so-called says 1043 00:38:05,760 --> 00:38:08,149 that initial value of this egg was 1044 00:38:08,150 --> 00:38:09,349 not logged. 1045 00:38:09,350 --> 00:38:11,539 It was possible to overwrite words with F 1046 00:38:12,680 --> 00:38:14,899 and most importantly, the value 1047 00:38:14,900 --> 00:38:16,699 of biosynthetic was eight. 1048 00:38:16,700 --> 00:38:18,799 So the bits, number one, is 1049 00:38:18,800 --> 00:38:19,879 not set. 1050 00:38:19,880 --> 00:38:21,439 So, again, we have bypassed the 1051 00:38:21,440 --> 00:38:24,919 protection offered by biosensor. 1052 00:38:24,920 --> 00:38:27,079 And finally, let's try to 1053 00:38:27,080 --> 00:38:29,409 do DMA at this point. 1054 00:38:31,080 --> 00:38:33,179 OK, and now 1055 00:38:34,770 --> 00:38:36,989 let's see if anything interesting 1056 00:38:36,990 --> 00:38:38,399 is in there. 1057 00:38:38,400 --> 00:38:39,689 Now it looks much better. 1058 00:38:39,690 --> 00:38:41,939 Not only is it right, so 1059 00:38:41,940 --> 00:38:43,800 let's let's try to disassemble. 1060 00:38:47,810 --> 00:38:50,209 Does it look like like eight, 1061 00:38:50,210 --> 00:38:51,210 86? 1062 00:38:52,640 --> 00:38:55,659 I'm cold. 1063 00:38:55,660 --> 00:38:57,529 OK, we have a jump. 1064 00:38:57,530 --> 00:38:59,679 I'm 54 1065 00:38:59,680 --> 00:39:02,379 and then we have something 1066 00:39:02,380 --> 00:39:03,639 very unusual. 1067 00:39:03,640 --> 00:39:06,099 We have memory access with six 1068 00:39:06,100 --> 00:39:07,059 graphics. 1069 00:39:07,060 --> 00:39:09,189 So the selector for the code is used 1070 00:39:09,190 --> 00:39:11,259 as a demographic of memory 1071 00:39:11,260 --> 00:39:13,479 access. And coupled 1072 00:39:13,480 --> 00:39:15,309 with that, we have graphics. 1073 00:39:15,310 --> 00:39:17,379 And the fact that you load 1074 00:39:17,380 --> 00:39:19,449 global descriptive table, it tells 1075 00:39:19,450 --> 00:39:21,630 you that it's really examine 1076 00:39:22,660 --> 00:39:25,089 some further proof can be found 1077 00:39:25,090 --> 00:39:27,969 below. Unfortunately, if you disassemble 1078 00:39:27,970 --> 00:39:30,069 embedded instructions, the reason is 1079 00:39:30,070 --> 00:39:31,070 that. 1080 00:39:32,410 --> 00:39:34,709 The entry point enters Longmont, 1081 00:39:34,710 --> 00:39:36,809 Co. So we need to disassemble 1082 00:39:36,810 --> 00:39:37,810 in. 1083 00:39:39,580 --> 00:39:42,069 And along long, Mulder 1084 00:39:42,070 --> 00:39:43,070 and. 1085 00:39:46,960 --> 00:39:48,130 I always mix it, 1086 00:39:49,240 --> 00:39:52,269 yeah, and now no more distractions, 1087 00:39:52,270 --> 00:39:54,399 and most interestingly, 1088 00:39:54,400 --> 00:39:56,529 after a couple of them, you'll see 1089 00:39:56,530 --> 00:39:58,839 that this is the smoking gun, right? 1090 00:39:58,840 --> 00:40:00,819 Returning from system management about 1091 00:40:00,820 --> 00:40:02,649 this instruction can be possibly only 1092 00:40:02,650 --> 00:40:04,629 used in a single place in a small 1093 00:40:04,630 --> 00:40:06,999 handler. So that really 1094 00:40:07,000 --> 00:40:09,369 shows that we can get access to them 1095 00:40:09,370 --> 00:40:11,649 by DMA after it can 1096 00:40:11,650 --> 00:40:12,879 be moved. 1097 00:40:12,880 --> 00:40:15,039 Consequently, we can override the body 1098 00:40:15,040 --> 00:40:16,899 of someone and get the code executed in 1099 00:40:16,900 --> 00:40:17,900 some context. 1100 00:40:27,350 --> 00:40:29,509 OK, so we've broken past biased 1101 00:40:29,510 --> 00:40:31,369 control, we've broken into system manager 1102 00:40:31,370 --> 00:40:32,509 mode on most systems that we've 1103 00:40:32,510 --> 00:40:33,439 evaluated. 1104 00:40:33,440 --> 00:40:35,599 But one last hurdle remains 1105 00:40:35,600 --> 00:40:37,399 before we get to the sacred land, which 1106 00:40:37,400 --> 00:40:39,239 is the flag, the protected range 1107 00:40:39,240 --> 00:40:41,209 registers protecting the firmware. 1108 00:40:41,210 --> 00:40:42,949 So what are these guys? 1109 00:40:42,950 --> 00:40:45,169 Well, it is possible to use 1110 00:40:45,170 --> 00:40:47,089 protected range registers such that you 1111 00:40:47,090 --> 00:40:48,679 mask off parts of the flagship so it's 1112 00:40:48,680 --> 00:40:50,239 not even rideable, even the system 1113 00:40:50,240 --> 00:40:52,159 manager mode, this ultra privileged mode 1114 00:40:52,160 --> 00:40:53,359 of execution. 1115 00:40:53,360 --> 00:40:55,369 So you can you have several regions that 1116 00:40:55,370 --> 00:40:57,499 you can declare and as some 1117 00:40:57,500 --> 00:40:59,539 can even write to them because protective 1118 00:40:59,540 --> 00:41:01,309 arrangements saves the day. 1119 00:41:01,310 --> 00:41:03,019 Now, what's interesting about UNFI is 1120 00:41:03,020 --> 00:41:05,059 that the protected range registers can't 1121 00:41:05,060 --> 00:41:07,489 cover the entire spy flagship because 1122 00:41:07,490 --> 00:41:09,439 unifiers this thing is called nonvolatile 1123 00:41:09,440 --> 00:41:11,419 variables, which are kind of like Linux, 1124 00:41:11,420 --> 00:41:12,919 Unix environment variables, describing 1125 00:41:12,920 --> 00:41:14,209 things like the boot order, platform 1126 00:41:14,210 --> 00:41:15,679 language, et cetera, et cetera. 1127 00:41:15,680 --> 00:41:17,839 And these have to be these 1128 00:41:17,840 --> 00:41:20,449 live on the flagship, so co-exist 1129 00:41:20,450 --> 00:41:22,250 near the UFC code and all that. 1130 00:41:23,300 --> 00:41:24,889 But they have to be updatable by the 1131 00:41:24,890 --> 00:41:26,359 runtime of the system, which essentially 1132 00:41:26,360 --> 00:41:27,409 means the operating system. 1133 00:41:27,410 --> 00:41:28,909 The US has to be able to communicate 1134 00:41:28,910 --> 00:41:30,889 information to the firmware and change 1135 00:41:30,890 --> 00:41:31,999 changes variables or change the boot 1136 00:41:32,000 --> 00:41:33,559 order, et cetera, et cetera. 1137 00:41:33,560 --> 00:41:35,719 So these essentially cannot be masked by 1138 00:41:35,720 --> 00:41:36,949 the protected range registers. 1139 00:41:36,950 --> 00:41:38,509 If we can get to some, we can always 1140 00:41:38,510 --> 00:41:40,340 clobber whatever is in this region. 1141 00:41:41,910 --> 00:41:43,859 So the question we asked is, if we can 1142 00:41:43,860 --> 00:41:45,779 clobber anything in here, can we find 1143 00:41:45,780 --> 00:41:47,999 some trusted integer value and 1144 00:41:48,000 --> 00:41:49,799 corrupted and some buffer overflow or 1145 00:41:49,800 --> 00:41:50,729 something like that? 1146 00:41:50,730 --> 00:41:52,319 And General, can we find memory 1147 00:41:52,320 --> 00:41:54,569 corruption vulnerabilities by 1148 00:41:54,570 --> 00:41:56,969 doing crazy things, this region of the 1149 00:41:56,970 --> 00:41:58,949 ship that Saddam has right access to? 1150 00:42:00,270 --> 00:42:02,369 Well, obviously, we're up here today 1151 00:42:02,370 --> 00:42:04,559 and the UNFI code, a lot 1152 00:42:04,560 --> 00:42:05,879 of it. There's a reference implementation 1153 00:42:05,880 --> 00:42:07,649 that's open source. You can just go in 1154 00:42:07,650 --> 00:42:09,779 and check out or whatever and go to work 1155 00:42:09,780 --> 00:42:10,799 and have to do any crazy reverse 1156 00:42:10,800 --> 00:42:11,549 engineering. 1157 00:42:11,550 --> 00:42:13,379 So Rafil and I went to work on auditing 1158 00:42:13,380 --> 00:42:15,929 the FBI code and we found many 1159 00:42:15,930 --> 00:42:17,669 of these vulnerabilities that if you 1160 00:42:17,670 --> 00:42:19,889 assume an attacker can do some type 1161 00:42:19,890 --> 00:42:21,989 of memory corruption vulnerability to 1162 00:42:21,990 --> 00:42:23,519 maybe do bad things like get past 1163 00:42:23,520 --> 00:42:25,349 protected ranger teachers, it all depends 1164 00:42:25,350 --> 00:42:27,839 on how early we can induce these 1165 00:42:27,840 --> 00:42:29,429 vulnerabilities in the boot up of the 1166 00:42:29,430 --> 00:42:31,499 system. If we can make this vulnerable 1167 00:42:31,500 --> 00:42:33,659 line of code, run in the platform, boot 1168 00:42:33,660 --> 00:42:35,639 up before the protected rangers are set 1169 00:42:35,640 --> 00:42:38,309 and locked, then we can bypass them. 1170 00:42:38,310 --> 00:42:39,959 So in this case, pretty simple. 1171 00:42:39,960 --> 00:42:41,999 Buffer overflow data size is controlled 1172 00:42:42,000 --> 00:42:43,769 by some attacker because it becomes that 1173 00:42:43,770 --> 00:42:45,899 variable region and that in 1174 00:42:45,900 --> 00:42:48,029 public he stores a fixed size data area. 1175 00:42:48,030 --> 00:42:49,139 We can collaborate and you control the 1176 00:42:49,140 --> 00:42:50,219 instruction point in the early boot 1177 00:42:50,220 --> 00:42:52,169 environment. So blah, blah, blah. 1178 00:42:52,170 --> 00:42:54,239 Not very exciting, but let's have 1179 00:42:54,240 --> 00:42:56,369 five protected range predators. 1180 00:42:56,370 --> 00:42:58,049 And we found other instances of this not 1181 00:42:58,050 --> 00:42:59,069 very surprising. 1182 00:42:59,070 --> 00:43:00,869 This data, a lot of times just in general 1183 00:43:00,870 --> 00:43:02,129 treated as trusted. 1184 00:43:02,130 --> 00:43:03,089 If it originates. 1185 00:43:03,090 --> 00:43:04,799 If it originates from. 1186 00:43:04,800 --> 00:43:06,299 Yeah. You'll have to validate it too much 1187 00:43:06,300 --> 00:43:07,649 because that's a meme is like a privileged 1188 00:43:07,650 --> 00:43:09,239 type of entity which should have been 1189 00:43:09,240 --> 00:43:10,709 instantiated by the bios anyway. 1190 00:43:10,710 --> 00:43:13,169 Right. So in this case, we can make 1191 00:43:13,170 --> 00:43:14,829 next variable, next variable point 1192 00:43:14,830 --> 00:43:16,379 somewhere crazy, which leads to a buffer 1193 00:43:16,380 --> 00:43:18,089 overflow on the if I copy them. 1194 00:43:18,090 --> 00:43:19,799 So another buffer overflow that we can 1195 00:43:19,800 --> 00:43:22,109 possibly use to pivot Parsees protected 1196 00:43:22,110 --> 00:43:23,609 range resistors. 1197 00:43:23,610 --> 00:43:26,249 But the point of this presentation 1198 00:43:26,250 --> 00:43:27,809 is that we don't want to give you complex 1199 00:43:27,810 --> 00:43:29,379 memory corruption vulnerabilities because 1200 00:43:29,380 --> 00:43:30,269 they're hard to do it yourself. 1201 00:43:30,270 --> 00:43:32,069 They're hard to reproduce, they're 1202 00:43:32,070 --> 00:43:33,629 implementation dependent, et cetera, et 1203 00:43:33,630 --> 00:43:35,339 cetera. They're just hard to deal with. 1204 00:43:35,340 --> 00:43:37,409 So we want to 1205 00:43:37,410 --> 00:43:39,539 give you some other ideas for how you can 1206 00:43:39,540 --> 00:43:41,069 bypass these protected industries without 1207 00:43:41,070 --> 00:43:42,330 doing these complicated tricks. 1208 00:43:44,460 --> 00:43:46,679 So what's interesting is I 1209 00:43:46,680 --> 00:43:48,879 checked out the protected the UniFi 1210 00:43:48,880 --> 00:43:50,789 reference code further and it turned out 1211 00:43:50,790 --> 00:43:53,249 that data that was within these 1212 00:43:53,250 --> 00:43:54,719 authenticated variables, these 1213 00:43:54,720 --> 00:43:56,729 nonvolatile variables that some can 1214 00:43:56,730 --> 00:43:59,609 control, was used to authenticate 1215 00:43:59,610 --> 00:44:00,569 flash updates. 1216 00:44:00,570 --> 00:44:02,759 So there is a mechanism for doing 1217 00:44:02,760 --> 00:44:04,529 firmware update, firmware updates, 1218 00:44:04,530 --> 00:44:06,329 updating your bios and back in the old 1219 00:44:06,330 --> 00:44:07,289 days of legacy bios. 1220 00:44:07,290 --> 00:44:09,089 It was like the Wild Wild West. 1221 00:44:09,090 --> 00:44:10,569 HP would do something different. 1222 00:44:10,570 --> 00:44:12,719 Dell would do something different, 1223 00:44:12,720 --> 00:44:13,859 merican megatrends or do something 1224 00:44:13,860 --> 00:44:14,969 different. And everyone just doing their 1225 00:44:14,970 --> 00:44:16,559 own thing. I thought update their bios. 1226 00:44:16,560 --> 00:44:18,599 But the UNFI reference, the code 1227 00:44:18,600 --> 00:44:20,219 reference implementation code provides 1228 00:44:20,220 --> 00:44:22,199 like a clear way called capsule update 1229 00:44:22,200 --> 00:44:24,029 for this is how you should do firmware 1230 00:44:24,030 --> 00:44:25,649 updates on your eBay system. 1231 00:44:25,650 --> 00:44:28,499 All the code is in there and 1232 00:44:28,500 --> 00:44:30,689 that code path, the UNFI capsule update 1233 00:44:30,690 --> 00:44:32,999 just straight up uses the same control 1234 00:44:33,000 --> 00:44:35,219 data to authenticate whether 1235 00:44:35,220 --> 00:44:36,449 or not these updates are valid. 1236 00:44:36,450 --> 00:44:38,549 So an attacker can just use the 1237 00:44:38,550 --> 00:44:40,799 legitimate BIOS update path and 1238 00:44:40,800 --> 00:44:43,319 add their malicious rootkit update 1239 00:44:43,320 --> 00:44:45,329 as a legitimate update by manipulating 1240 00:44:45,330 --> 00:44:46,949 this data, assigning it and then adding 1241 00:44:46,950 --> 00:44:48,479 the key to that, one of these 1242 00:44:48,480 --> 00:44:49,769 authenticated variables, et cetera, et 1243 00:44:49,770 --> 00:44:51,959 cetera. So this 1244 00:44:51,960 --> 00:44:53,399 is what I thought when reading the UNFI 1245 00:44:53,400 --> 00:44:54,599 code. I was like this. 1246 00:44:54,600 --> 00:44:55,829 This can't be right. 1247 00:44:55,830 --> 00:44:57,389 You know, there's like a security barrier 1248 00:44:57,390 --> 00:44:58,769 here that's just been completely 1249 00:44:58,770 --> 00:45:00,479 demolished by this assumption. 1250 00:45:00,480 --> 00:45:01,589 So what's the deal? 1251 00:45:01,590 --> 00:45:03,689 So we talk to some unify a core 1252 00:45:03,690 --> 00:45:04,589 unified developer. 1253 00:45:04,590 --> 00:45:06,239 And he basically confirmed our suspicions 1254 00:45:06,240 --> 00:45:08,489 that some is just in the trusted 1255 00:45:08,490 --> 00:45:09,899 code base for UniFi. 1256 00:45:09,900 --> 00:45:12,359 If you can break into smarm, then 1257 00:45:12,360 --> 00:45:13,949 it's pretty much game over right now. 1258 00:45:13,950 --> 00:45:15,659 Nothing is going to stop you now. 1259 00:45:15,660 --> 00:45:17,759 UFC is going to be depending on 1260 00:45:17,760 --> 00:45:19,649 a new hardware feature in the future 1261 00:45:19,650 --> 00:45:21,269 called Platform Platform. 1262 00:45:21,270 --> 00:45:23,279 Firmware armoring technology or Biersack 1263 00:45:23,280 --> 00:45:25,109 are afraid exactly what they're calling 1264 00:45:25,110 --> 00:45:26,819 it these days. That I think uses the 1265 00:45:26,820 --> 00:45:28,559 management engine in some clever way to 1266 00:45:28,560 --> 00:45:30,389 protect the the firmware, even from an 1267 00:45:30,390 --> 00:45:31,739 awesome imprisoned attacker. 1268 00:45:31,740 --> 00:45:33,209 I'm not sure how much data about this is 1269 00:45:33,210 --> 00:45:34,919 publicly available. I mostly just found 1270 00:45:34,920 --> 00:45:37,049 marketing documents and patent filings 1271 00:45:37,050 --> 00:45:38,369 when I was looking at it. So not really 1272 00:45:38,370 --> 00:45:40,079 clear how it works. But definitely the 1273 00:45:40,080 --> 00:45:42,359 point is to protect UFC from 1274 00:45:42,360 --> 00:45:43,769 some imprisoned attacker. 1275 00:45:43,770 --> 00:45:46,289 And right now, all systems 1276 00:45:46,290 --> 00:45:48,029 you can get DMM through the platform is 1277 00:45:48,030 --> 00:45:49,030 probably going to fall. 1278 00:45:50,190 --> 00:45:52,169 So the cake is a lie. 1279 00:45:52,170 --> 00:45:53,729 There is no protected range registers on 1280 00:45:53,730 --> 00:45:55,889 these UAF eBay systems, and it turns 1281 00:45:55,890 --> 00:45:57,689 out that you probably do have to bypass 1282 00:45:57,690 --> 00:45:59,909 them anyway because many systems 1283 00:45:59,910 --> 00:46:00,839 weigh more than 50 percent. 1284 00:46:00,840 --> 00:46:02,249 I would say don't even use protected 1285 00:46:02,250 --> 00:46:03,479 range registers. 1286 00:46:03,480 --> 00:46:05,279 Ruffels Del right here doesn't use them. 1287 00:46:06,600 --> 00:46:08,189 I doubt this. Lenovo does Bessel. 1288 00:46:08,190 --> 00:46:10,319 And as I haven't some, a lot 1289 00:46:10,320 --> 00:46:12,719 of the apps I've seen do use a protected 1290 00:46:12,720 --> 00:46:14,939 introducers. But even on the systems I do 1291 00:46:14,940 --> 00:46:17,129 use them, they often fail 1292 00:46:17,130 --> 00:46:18,539 to cover all the important data. 1293 00:46:18,540 --> 00:46:20,699 So, for instance, the Protect 1294 00:46:20,700 --> 00:46:22,199 Brain Register should have in theory 1295 00:46:22,200 --> 00:46:24,359 protected this book, which I bricked with 1296 00:46:24,360 --> 00:46:26,279 a race condition from becoming bricked. 1297 00:46:26,280 --> 00:46:28,139 But they didn't because they usually 1298 00:46:28,140 --> 00:46:30,389 don't cover all the important data areas, 1299 00:46:30,390 --> 00:46:31,739 even if they're used. 1300 00:46:31,740 --> 00:46:33,929 Um, I have 1301 00:46:33,930 --> 00:46:34,949 another survey paper. 1302 00:46:34,950 --> 00:46:36,629 We did that hack in the box, Amsterdam 1303 00:46:36,630 --> 00:46:38,039 one. I think the number we were looking 1304 00:46:38,040 --> 00:46:40,319 at was only like thirty 1305 00:46:40,320 --> 00:46:41,729 percent or something. Systems using 1306 00:46:41,730 --> 00:46:43,949 protected range registers out of a mix 1307 00:46:43,950 --> 00:46:45,359 of like Lenovo, Dell and HP. 1308 00:46:45,360 --> 00:46:47,189 So they're not using a lot of systems, so 1309 00:46:47,190 --> 00:46:49,109 you don't have to worry about them. 1310 00:46:49,110 --> 00:46:51,239 So the point is you can get DMM firmware 1311 00:46:51,240 --> 00:46:52,240 is going to be toast. 1312 00:46:53,400 --> 00:46:54,659 So the summary is that 1313 00:46:55,860 --> 00:46:57,689 we want to talk about vulnerabilities 1314 00:46:57,690 --> 00:46:59,879 that you could take and do it yourself. 1315 00:46:59,880 --> 00:47:01,169 You could recreate these. 1316 00:47:01,170 --> 00:47:03,059 And because they are relatively easy to 1317 00:47:03,060 --> 00:47:05,189 exploit and you can do cool 1318 00:47:05,190 --> 00:47:06,249 things with them. The first one is the 1319 00:47:06,250 --> 00:47:07,589 race condition in the BIOS control 1320 00:47:07,590 --> 00:47:09,359 register. Very easy to exploit. 1321 00:47:09,360 --> 00:47:11,489 All you need is to kernel drivers 1322 00:47:11,490 --> 00:47:13,289 to side by side, enabling a tight loop. 1323 00:47:13,290 --> 00:47:14,849 One attempts you do flash programing in a 1324 00:47:14,850 --> 00:47:16,979 tight loop and then you'll probably win. 1325 00:47:16,980 --> 00:47:18,449 And that affects a great number of 1326 00:47:18,450 --> 00:47:20,489 systems because some systems are to 1327 00:47:20,490 --> 00:47:22,199 support the fix and of the ones that do 1328 00:47:22,200 --> 00:47:24,179 support the fix, many of them don't 1329 00:47:24,180 --> 00:47:26,669 bother using the bootstrap vulnerability 1330 00:47:26,670 --> 00:47:28,829 literally affected every unified system 1331 00:47:28,830 --> 00:47:30,359 that we looked at, which granted was only 1332 00:47:30,360 --> 00:47:31,679 like eight or nine systems, but it 1333 00:47:31,680 --> 00:47:33,899 included systems from Dell, one 1334 00:47:33,900 --> 00:47:34,889 of the Big Three. 1335 00:47:34,890 --> 00:47:36,569 So we suspect that it effects pretty much 1336 00:47:36,570 --> 00:47:37,710 all the other systems. 1337 00:47:38,880 --> 00:47:41,009 So your system, if it 1338 00:47:41,010 --> 00:47:42,329 was bought within the last, I don't know, 1339 00:47:42,330 --> 00:47:44,009 four or five years or whatever, probably 1340 00:47:44,010 --> 00:47:45,329 as vulnerable to the unified boot script 1341 00:47:45,330 --> 00:47:47,459 attack and pretty easy to 1342 00:47:47,460 --> 00:47:49,259 exploit it. You just need physical memory 1343 00:47:49,260 --> 00:47:50,939 access and you just need to do a tiny bit 1344 00:47:50,940 --> 00:47:52,229 of reverse engineering to figure out what 1345 00:47:52,230 --> 00:47:53,309 the script looked like. 1346 00:47:53,310 --> 00:47:55,799 Exactly. So just to give you an idea, 1347 00:47:55,800 --> 00:47:58,199 when Rafil and Alexander Tretiak 1348 00:47:58,200 --> 00:48:00,179 and did the first bios memory corruption 1349 00:48:00,180 --> 00:48:01,349 vulnerability when they're part of Invisible 1350 00:48:01,350 --> 00:48:03,479 Things Labs, they said it took 1351 00:48:03,480 --> 00:48:05,639 them like a month to do the exploit 1352 00:48:05,640 --> 00:48:06,929 and it probably only worked on one 1353 00:48:06,930 --> 00:48:09,089 BioServe Vision for one board, et cetera, 1354 00:48:09,090 --> 00:48:10,979 et cetera. So not very portable. 1355 00:48:10,980 --> 00:48:13,379 When I did the the bias exploits 1356 00:48:13,380 --> 00:48:15,419 recently, it took me about six weeks to 1357 00:48:15,420 --> 00:48:16,919 do one and it only worked for one biased 1358 00:48:16,920 --> 00:48:18,749 revision on one system, etc., etc. 1359 00:48:18,750 --> 00:48:20,729 It was very tedious to do that. 1360 00:48:20,730 --> 00:48:22,949 It took exploiting these took her fall. 1361 00:48:22,950 --> 00:48:24,809 And I just a few days and we're able to 1362 00:48:24,810 --> 00:48:26,309 exploit basically all the systems we had 1363 00:48:26,310 --> 00:48:28,619 access to in a few days because 1364 00:48:28,620 --> 00:48:30,839 they were simple to exploit and so 1365 00:48:30,840 --> 00:48:32,129 go and play them pretty easy to 1366 00:48:32,130 --> 00:48:34,379 reproduce. And the last point is system 1367 00:48:34,380 --> 00:48:36,059 management mode is just, you know, it's 1368 00:48:36,060 --> 00:48:37,559 been a problem and visible things. 1369 00:48:37,560 --> 00:48:38,939 Labs talked about this at length back in 1370 00:48:38,940 --> 00:48:39,940 the day. 1371 00:48:40,590 --> 00:48:42,179 Some can do really bad things. 1372 00:48:42,180 --> 00:48:43,180 It's kind of just. 1373 00:48:44,060 --> 00:48:45,619 Free to do whatever, and that's still the 1374 00:48:45,620 --> 00:48:47,689 case Newfie if you can DMM, 1375 00:48:47,690 --> 00:48:49,669 you can wreak havoc on the firmware 1376 00:48:49,670 --> 00:48:50,659 industry. 1377 00:48:50,660 --> 00:48:52,399 New hardware feature will address this in 1378 00:48:52,400 --> 00:48:53,929 the future, but the future is not now. 1379 00:48:53,930 --> 00:48:55,020 So now we are vulnerable. 1380 00:48:56,090 --> 00:48:58,279 Now, one thing 1381 00:48:58,280 --> 00:49:00,019 I'd like to point out is that these UniFi 1382 00:49:00,020 --> 00:49:01,669 and Byas vulnerabilities in general are 1383 00:49:01,670 --> 00:49:03,439 pretty complex to disclose because they 1384 00:49:03,440 --> 00:49:04,819 affect a wide number of people. 1385 00:49:04,820 --> 00:49:06,799 They affect HP, Dell, Lenovo, American 1386 00:49:06,800 --> 00:49:08,209 Megatrends, Phenix, et cetera, et cetera. 1387 00:49:08,210 --> 00:49:09,859 There's a lot of affected parties and 1388 00:49:09,860 --> 00:49:11,119 coordinating these vulnerabilities is 1389 00:49:11,120 --> 00:49:13,309 real pain. So big thanks to the guys 1390 00:49:13,310 --> 00:49:15,739 at Intel served the FBI Security Response 1391 00:49:15,740 --> 00:49:17,569 Team and CERT for helping reach out all 1392 00:49:17,570 --> 00:49:19,789 the affected parties and help fix 1393 00:49:19,790 --> 00:49:21,079 these issues. 1394 00:49:21,080 --> 00:49:23,329 Now, it's as I have ten minutes left, so 1395 00:49:23,330 --> 00:49:26,029 I'm going to try one last demo for our 1396 00:49:26,030 --> 00:49:27,709 viewer audience out there, because the 1397 00:49:27,710 --> 00:49:29,869 point is, Rafil 1398 00:49:29,870 --> 00:49:30,870 exploited. 1399 00:49:32,410 --> 00:49:34,239 His Dell laptop, which is running Linux 1400 00:49:34,240 --> 00:49:36,459 with a boot script, but the point is 1401 00:49:36,460 --> 00:49:38,829 Rafil uses Linux, I use Windows, 1402 00:49:38,830 --> 00:49:41,379 he uses AT&T style syntax, 1403 00:49:41,380 --> 00:49:43,809 I use Intel syntax is 1404 00:49:43,810 --> 00:49:46,089 is Emax. But we can find a vulnerability 1405 00:49:46,090 --> 00:49:47,769 that works for both of us. 1406 00:49:47,770 --> 00:49:48,939 And that's exactly what we're going to 1407 00:49:48,940 --> 00:49:49,940 do. 1408 00:49:55,570 --> 00:49:56,730 I'm just going to yeah. 1409 00:50:00,740 --> 00:50:01,740 OK. 1410 00:50:03,190 --> 00:50:05,439 So the goal is to break 1411 00:50:05,440 --> 00:50:06,939 in a system manager mode by altering the 1412 00:50:06,940 --> 00:50:08,199 boot script. 1413 00:50:08,200 --> 00:50:10,059 This right here is system manager mode 1414 00:50:10,060 --> 00:50:11,439 you can't see, and it's all because the 1415 00:50:11,440 --> 00:50:13,689 memory controller hub is blocking access 1416 00:50:13,690 --> 00:50:15,309 to it from the CPU. 1417 00:50:15,310 --> 00:50:17,019 And we couldn't get into a DMA anyway 1418 00:50:17,020 --> 00:50:18,579 because this right here is the TSA get 1419 00:50:18,580 --> 00:50:20,769 off set a C set 1420 00:50:20,770 --> 00:50:22,029 to seven, seven, eight, which basically 1421 00:50:22,030 --> 00:50:23,769 means the same region is protected from 1422 00:50:23,770 --> 00:50:25,419 DMA access try to access. 1423 00:50:25,420 --> 00:50:26,649 She's going to fail horribly. 1424 00:50:26,650 --> 00:50:27,760 That I can show you that. 1425 00:50:35,270 --> 00:50:37,489 So I'm attempting a DMA read on 1426 00:50:37,490 --> 00:50:39,979 that region, and 1427 00:50:39,980 --> 00:50:42,169 it's not going to work, you get this real 1428 00:50:42,170 --> 00:50:43,849 nasty, weird error, I'm not really sure 1429 00:50:43,850 --> 00:50:46,309 what's going on, but essentially this 1430 00:50:46,310 --> 00:50:49,639 is DMA attempt is just failing whatever. 1431 00:50:49,640 --> 00:50:51,469 But what we're going to do now is 1432 00:50:52,790 --> 00:50:55,069 alter the boot script to move 1433 00:50:55,070 --> 00:50:56,629 to seg like we did on the limbic system 1434 00:50:56,630 --> 00:50:58,669 to five zero zero zero zero zero zero, so 1435 00:50:58,670 --> 00:51:00,229 that DMA protection basically won't exist 1436 00:51:00,230 --> 00:51:01,230 anymore in the system. 1437 00:51:04,450 --> 00:51:05,679 And we just have to go to sleep now. 1438 00:51:05,680 --> 00:51:08,169 I didn't do some fancy 1439 00:51:08,170 --> 00:51:09,729 wake up thing like I did because I don't 1440 00:51:09,730 --> 00:51:10,899 have the same dark Jedi powers, 1441 00:51:10,900 --> 00:51:12,729 apparently. But you could easily do that 1442 00:51:12,730 --> 00:51:14,379 by programing an event to just rework the 1443 00:51:14,380 --> 00:51:16,269 system immediately using windows. 1444 00:51:16,270 --> 00:51:17,619 But I didn't do that. 1445 00:51:18,730 --> 00:51:19,869 So I'm going to press the power button 1446 00:51:19,870 --> 00:51:21,009 again, basically to make it come back to 1447 00:51:21,010 --> 00:51:22,010 life. 1448 00:51:24,020 --> 00:51:25,020 Yeah, thank you. 1449 00:51:28,280 --> 00:51:30,249 OK, so the system didn't die. 1450 00:51:30,250 --> 00:51:31,989 That's good. All of our demos of work. 1451 00:51:31,990 --> 00:51:32,949 Yes. 1452 00:51:32,950 --> 00:51:34,899 And you can see right here t sag is set 1453 00:51:34,900 --> 00:51:36,969 to five zero zero zero zero zero 1454 00:51:36,970 --> 00:51:38,739 zero. And I'm be punished by the gods for 1455 00:51:38,740 --> 00:51:39,729 saying that all of our demos worked 1456 00:51:39,730 --> 00:51:40,730 because I hadn't finished this one. 1457 00:51:43,340 --> 00:51:46,249 So let's try the DNA again 1458 00:51:46,250 --> 00:51:47,360 seemed to work. 1459 00:51:51,440 --> 00:51:53,839 And here so this is the SMI handler, 1460 00:51:53,840 --> 00:51:55,069 which previously couldn't read, if you 1461 00:51:55,070 --> 00:51:56,179 were to disassemble this, you would see 1462 00:51:56,180 --> 00:51:57,269 all the same kind of stuff that you saw 1463 00:51:57,270 --> 00:51:58,249 on our fall system. 1464 00:51:58,250 --> 00:52:00,919 So at this point, we can use DMA to 1465 00:52:00,920 --> 00:52:02,569 blow past the system management 1466 00:52:02,570 --> 00:52:04,249 protections and then get DMM and then 1467 00:52:04,250 --> 00:52:05,989 corrupt the firmware on here just on all. 1468 00:52:05,990 --> 00:52:07,129 So pretty much all your systems are 1469 00:52:07,130 --> 00:52:08,599 vulnerable to this attack. 1470 00:52:08,600 --> 00:52:10,549 Sorry about that. I don't even think Pat 1471 00:52:10,550 --> 00:52:11,899 has been released yet. 1472 00:52:11,900 --> 00:52:13,209 Sorry. 1473 00:52:13,210 --> 00:52:14,210 Um. 1474 00:52:23,810 --> 00:52:26,359 OK, so I think that 1475 00:52:26,360 --> 00:52:28,099 reference is if you want to check some of 1476 00:52:28,100 --> 00:52:29,719 those things, any questions at this 1477 00:52:29,720 --> 00:52:30,720 point? 1478 00:52:38,230 --> 00:52:40,179 Access, please line up in front of a mike 1479 00:52:40,180 --> 00:52:43,179 if you have a question like one, 1480 00:52:43,180 --> 00:52:45,579 and so so I agree with that, 1481 00:52:45,580 --> 00:52:47,679 I think and I stopped using it for a long 1482 00:52:47,680 --> 00:52:49,989 time. I think I began using 1483 00:52:49,990 --> 00:52:52,359 it. I think when when nothing 1484 00:52:52,360 --> 00:52:54,429 changed. And in fact, I think I was one 1485 00:52:54,430 --> 00:52:55,449 of those people that thought things would 1486 00:52:55,450 --> 00:52:56,509 change under Obama. 1487 00:52:56,510 --> 00:52:57,819 There would be some accountability, like 1488 00:52:57,820 --> 00:52:58,929 if you torture people, you're held 1489 00:52:58,930 --> 00:53:00,819 accountable for torturing people and then 1490 00:53:00,820 --> 00:53:02,229 that didn't. So. 1491 00:53:02,230 --> 00:53:03,429 So, yeah, I agree. 1492 00:53:03,430 --> 00:53:04,600 We need a new term for that. 1493 00:53:07,700 --> 00:53:09,939 Not going to comment on that question and 1494 00:53:09,940 --> 00:53:11,079 wait for the next one. 1495 00:53:11,080 --> 00:53:12,080 Next one and. 1496 00:53:14,960 --> 00:53:15,960 This is after 1497 00:53:17,090 --> 00:53:19,459 work. Yeah, so speaking 1498 00:53:19,460 --> 00:53:21,769 of protection, obviously 1499 00:53:21,770 --> 00:53:23,899 Intel is supposed to theoretically 1500 00:53:23,900 --> 00:53:26,389 protect against these because 1501 00:53:26,390 --> 00:53:29,029 we don't want to put trust into 1502 00:53:29,030 --> 00:53:31,759 Vieaux, whatever, but of course, 1503 00:53:31,760 --> 00:53:34,829 it is vulnerable to some attack, 1504 00:53:34,830 --> 00:53:35,830 so. 1505 00:53:36,460 --> 00:53:38,289 Because you mentioned you spoke to less 1506 00:53:38,290 --> 00:53:41,139 of pictures, Intel and 1507 00:53:41,140 --> 00:53:43,249 various developers and other folks. 1508 00:53:43,250 --> 00:53:44,760 What's the state of the storm? 1509 00:53:46,150 --> 00:53:48,129 Your guess is pretty much as good as 1510 00:53:48,130 --> 00:53:49,539 mine. I've never seen one in the wild. 1511 00:53:49,540 --> 00:53:52,119 In fact, I believe the specification 1512 00:53:52,120 --> 00:53:53,709 is not even public yet. 1513 00:53:53,710 --> 00:53:55,029 Right. Can even confirm that. 1514 00:53:55,030 --> 00:53:56,679 But I have heard that it's been at 1515 00:53:56,680 --> 00:53:58,839 version point nine nine like and 1516 00:53:58,840 --> 00:54:00,399 they keep you can't go further. 1517 00:54:00,400 --> 00:54:02,559 So just like a provision B, C, D 1518 00:54:02,560 --> 00:54:03,639 and E and further. 1519 00:54:03,640 --> 00:54:04,689 So I don't really know 1520 00:54:06,160 --> 00:54:08,409 what's up with the SDM 1521 00:54:08,410 --> 00:54:09,849 vaporware right now. 1522 00:54:09,850 --> 00:54:10,850 My understanding. 1523 00:54:11,860 --> 00:54:13,239 Can you my two back on 1524 00:54:14,470 --> 00:54:15,159 two. 1525 00:54:15,160 --> 00:54:17,529 So we ruled out we roll out 1526 00:54:17,530 --> 00:54:20,119 at and other alternative protection 1527 00:54:20,120 --> 00:54:21,139 you suggest. 1528 00:54:21,140 --> 00:54:22,959 What do you use for your laptops. 1529 00:54:24,940 --> 00:54:25,940 Faith in God. 1530 00:54:33,490 --> 00:54:35,459 Like one eye, 1531 00:54:36,690 --> 00:54:38,639 does this attack work regardless if 1532 00:54:38,640 --> 00:54:40,799 you're using a modern system in legacy 1533 00:54:40,800 --> 00:54:42,269 mode or you unified mode? 1534 00:54:42,270 --> 00:54:44,789 I mean, so the race condition works 1535 00:54:44,790 --> 00:54:46,859 no matter legacy or 1536 00:54:46,860 --> 00:54:49,139 Wi-Fi, because it's it's 1537 00:54:49,140 --> 00:54:50,609 a problem with the underlying hardware 1538 00:54:50,610 --> 00:54:51,539 itself. 1539 00:54:51,540 --> 00:54:53,549 But the boot script, I'm pretty sure it 1540 00:54:53,550 --> 00:54:55,229 didn't exist. 1541 00:54:55,230 --> 00:54:56,939 And legacy bias stays or might have been 1542 00:54:56,940 --> 00:54:58,589 something like that, but I can't speak to 1543 00:54:58,590 --> 00:54:59,590 that. 1544 00:55:01,750 --> 00:55:04,239 Mike, for hey, 1545 00:55:04,240 --> 00:55:06,939 so did the tanks that you demonstrators 1546 00:55:06,940 --> 00:55:09,279 were using, 1547 00:55:09,280 --> 00:55:11,109 you needed to be able to either excuse 1548 00:55:11,110 --> 00:55:12,849 artillery, cozying Carland context or you 1549 00:55:12,850 --> 00:55:14,659 needed real access to memory. 1550 00:55:14,660 --> 00:55:17,139 So in a situation where you have either 1551 00:55:17,140 --> 00:55:19,569 signed a requirement to sign car drivers 1552 00:55:19,570 --> 00:55:22,659 or no 1553 00:55:22,660 --> 00:55:24,639 ability to perform voluntary DNA from 1554 00:55:24,640 --> 00:55:26,949 userspace, do you have an attack 1555 00:55:26,950 --> 00:55:28,179 that would still work in that situation? 1556 00:55:28,180 --> 00:55:30,309 I still one this lines you mentioned 1557 00:55:30,310 --> 00:55:31,809 get foamer variable. 1558 00:55:31,810 --> 00:55:33,999 Is there any way to manipulate data via 1559 00:55:34,000 --> 00:55:36,309 the if I set variable interface 1560 00:55:36,310 --> 00:55:38,889 that can still trigger these 1561 00:55:38,890 --> 00:55:39,579 issues? 1562 00:55:39,580 --> 00:55:41,679 So I'll answer 1563 00:55:41,680 --> 00:55:42,879 that two ways. 1564 00:55:42,880 --> 00:55:44,469 One is that I did give a presentation, a 1565 00:55:44,470 --> 00:55:46,119 black hat that was only using the set 1566 00:55:46,120 --> 00:55:48,069 variable API to get access to the 1567 00:55:48,070 --> 00:55:49,449 firmware, but it was doing a very 1568 00:55:49,450 --> 00:55:50,559 complicated memory corruption 1569 00:55:50,560 --> 00:55:52,629 vulnerability that honestly would be 1570 00:55:52,630 --> 00:55:54,069 very hard to do in practice. 1571 00:55:54,070 --> 00:55:55,070 And the wild 1572 00:55:56,410 --> 00:55:58,539 second answer to your question is you say 1573 00:55:58,540 --> 00:56:00,029 that it's a requirement to have early 1574 00:56:00,030 --> 00:56:01,809 sign driver like for Windows eight, for 1575 00:56:01,810 --> 00:56:02,709 instance, and that's true. 1576 00:56:02,710 --> 00:56:04,949 But as Joanna 1577 00:56:04,950 --> 00:56:06,939 Rakowski pointed out, like back in twenty 1578 00:56:06,940 --> 00:56:09,339 seven, if your administrator 1579 00:56:09,340 --> 00:56:10,509 on Windows system, there really is no 1580 00:56:10,510 --> 00:56:11,769 barrier to getting into the kernel. 1581 00:56:11,770 --> 00:56:13,989 You just have to load is a but vulnerable 1582 00:56:13,990 --> 00:56:16,569 driver and then exploit 1583 00:56:16,570 --> 00:56:17,889 it. Or you're seeing I was using read, 1584 00:56:17,890 --> 00:56:19,959 write everything on the system that's 1585 00:56:19,960 --> 00:56:22,089 assigned utility that 1586 00:56:22,090 --> 00:56:23,329 reads and writes everything. 1587 00:56:23,330 --> 00:56:25,089 So I mean once you have administrator 1588 00:56:25,090 --> 00:56:27,219 access on a Windows system, getting a 1589 00:56:27,220 --> 00:56:28,629 physical memory access I don't think is 1590 00:56:28,630 --> 00:56:29,630 really a barrier 1591 00:56:30,850 --> 00:56:32,229 to anything. 1592 00:56:32,230 --> 00:56:33,230 Mike, say. 1593 00:56:36,460 --> 00:56:38,649 Is it possible for the buyers 1594 00:56:38,650 --> 00:56:40,809 or if you want us to 1595 00:56:40,810 --> 00:56:43,149 fix this vulnerability 1596 00:56:43,150 --> 00:56:45,519 by applying and update? 1597 00:56:45,520 --> 00:56:47,319 Yeah, sure. 1598 00:56:47,320 --> 00:56:49,569 So the vulnerability can 1599 00:56:49,570 --> 00:56:51,939 be solved in two ways, either 1600 00:56:51,940 --> 00:56:54,309 using the lockbox as a lockbox that 1601 00:56:54,310 --> 00:56:56,529 we talked about and not 1602 00:56:56,530 --> 00:56:58,809 screwing up things, or 1603 00:56:58,810 --> 00:57:01,029 you can just move the locking 1604 00:57:01,030 --> 00:57:03,309 code before interpreting 1605 00:57:03,310 --> 00:57:05,769 the script. So both of these 1606 00:57:05,770 --> 00:57:07,000 is fixable. And 1607 00:57:08,500 --> 00:57:10,899 we contacted the vendors about 1608 00:57:10,900 --> 00:57:12,319 in August. 1609 00:57:12,320 --> 00:57:14,739 So at least some of them responded 1610 00:57:14,740 --> 00:57:15,809 that they have parties ready. 1611 00:57:17,140 --> 00:57:19,389 I can say, too, that we did receive 1612 00:57:19,390 --> 00:57:21,459 some patches for evaluations from vendors 1613 00:57:21,460 --> 00:57:23,709 that did fix the issue correctly, but 1614 00:57:23,710 --> 00:57:24,849 I'm not sure if they're publicly 1615 00:57:24,850 --> 00:57:26,919 available yet. So if you're like an I.T. 1616 00:57:26,920 --> 00:57:29,109 manager for a large organization, my 1617 00:57:29,110 --> 00:57:31,389 recommendation is to contact your 1618 00:57:31,390 --> 00:57:33,339 guy there and see what the deal is and 1619 00:57:33,340 --> 00:57:35,349 see if you can lean on them to get those 1620 00:57:35,350 --> 00:57:36,350 patches out faster. 1621 00:57:38,470 --> 00:57:40,689 Last question, Mike, for 1622 00:57:40,690 --> 00:57:43,179 assuming there is an high malware 1623 00:57:43,180 --> 00:57:46,029 on the system, can itself cloak 1624 00:57:46,030 --> 00:57:47,259 against those attacks? 1625 00:57:47,260 --> 00:57:49,269 Can you make it sort of invisible to 1626 00:57:49,270 --> 00:57:50,760 those accesses? 1627 00:57:51,880 --> 00:57:54,279 Say it again. I assume you have a malware 1628 00:57:54,280 --> 00:57:55,899 on UAP mode. 1629 00:57:55,900 --> 00:57:58,149 Where low can it hide itself 1630 00:57:58,150 --> 00:58:00,429 from those probings, from those reading 1631 00:58:00,430 --> 00:58:02,509 those memory is the way you can 1632 00:58:02,510 --> 00:58:05,139 kind make the system look 1633 00:58:05,140 --> 00:58:07,029 normal and clean. 1634 00:58:07,030 --> 00:58:10,179 OK, so. So you think once I have 1635 00:58:10,180 --> 00:58:12,579 all this access in the bioscan, I 1636 00:58:12,580 --> 00:58:14,529 load a Trojan in a way that's not 1637 00:58:14,530 --> 00:58:15,679 visible. 1638 00:58:15,680 --> 00:58:17,919 It can be done in millions of ways. 1639 00:58:17,920 --> 00:58:19,779 That's really not not the subject of this 1640 00:58:19,780 --> 00:58:21,729 way. But, you know, the generate 1641 00:58:21,730 --> 00:58:23,859 responses is something like a blue 1642 00:58:23,860 --> 00:58:26,529 light. You can load hypervisor 1643 00:58:26,530 --> 00:58:28,789 very early and then wrap the whole system 1644 00:58:28,790 --> 00:58:29,790 in. 1645 00:58:30,160 --> 00:58:32,139 And then it is very difficult to really 1646 00:58:32,140 --> 00:58:34,449 detect that uranium in the hypervisor. 1647 00:58:34,450 --> 00:58:36,549 And again, once 1648 00:58:36,550 --> 00:58:39,159 you have this level of access, it's 1649 00:58:39,160 --> 00:58:41,469 at least cat and mouse 1650 00:58:41,470 --> 00:58:44,049 game. Right, because the 1651 00:58:44,050 --> 00:58:45,879 of way of hide your presence of the 1652 00:58:45,880 --> 00:58:47,289 system, there are millions of ways of 1653 00:58:47,290 --> 00:58:48,940 getting them. So that's 1654 00:58:50,710 --> 00:58:51,169 difficult. 1655 00:58:51,170 --> 00:58:53,349 Right. But the point is that you 1656 00:58:53,350 --> 00:58:55,269 need at least to be aware that such a 1657 00:58:55,270 --> 00:58:57,549 possibility exists and that way 1658 00:58:57,550 --> 00:58:59,409 of persistence is possible. 1659 00:58:59,410 --> 00:59:00,849 But that's a topic for a totally 1660 00:59:00,850 --> 00:59:01,579 different topic. 1661 00:59:01,580 --> 00:59:04,029 But there's another, um, 1662 00:59:04,030 --> 00:59:05,229 some colleagues of mine did a 1663 00:59:05,230 --> 00:59:07,629 presentation at Canseco this past year 1664 00:59:07,630 --> 00:59:09,729 that was basically using a virus 1665 00:59:09,730 --> 00:59:11,649 implant. And you can attempt to detect it 1666 00:59:11,650 --> 00:59:13,599 by reading this by Flash and looking for 1667 00:59:13,600 --> 00:59:14,619 malicious changes. 1668 00:59:14,620 --> 00:59:16,239 But there's actually a hardware mechanism 1669 00:59:16,240 --> 00:59:17,949 such that S.A.M. can interpose on 1670 00:59:17,950 --> 00:59:19,419 attempted reads of the Flash. 1671 00:59:19,420 --> 00:59:21,669 And you can use this to, uh, you 1672 00:59:21,670 --> 00:59:23,159 know, fake out the attempt to read it. 1673 00:59:23,160 --> 00:59:24,789 Now, you could try to detect that with 1674 00:59:24,790 --> 00:59:26,949 timing stuff, but then it gets kind 1675 00:59:26,950 --> 00:59:28,149 of. 1676 00:59:28,150 --> 00:59:30,519 And finally, finally, 1677 00:59:30,520 --> 00:59:32,499 I mentioned operating D.T. 1678 00:59:32,500 --> 00:59:35,169 Bounds. So what they did was 1679 00:59:35,170 --> 00:59:37,239 Trojan biopsies and gain presence 1680 00:59:37,240 --> 00:59:39,579 in smen, so then operating system 1681 00:59:39,580 --> 00:59:41,869 loads, but also runs concurrent 1682 00:59:41,870 --> 00:59:43,689 to it and it's still under attack 1683 00:59:43,690 --> 00:59:46,229 control. And once you are in 1684 00:59:46,230 --> 00:59:47,799 your control of the operating system in a 1685 00:59:47,800 --> 00:59:49,149 pretty stealthy way. 1686 00:59:49,150 --> 00:59:52,059 There was a presentation in 2008 1687 00:59:52,060 --> 00:59:53,559 about that as well. 1688 00:59:53,560 --> 00:59:55,239 So it's fully applicable. 1689 00:59:55,240 --> 00:59:58,149 Again, topic for a different OK. 1690 00:59:58,150 --> 01:00:00,279 Well, that was a deep dove the last 1691 01:00:00,280 --> 01:00:02,499 round of applause for Raffone Corey.