Tapping into the core

Tapping into the C ore

Maxim Goryac hy

Mark E rmolov

C haos C omputer C lub (33C 3), Hamburg , 2016

Intel® Direc t C onnec t Interfac e as a bas is for hardware Trojans

Maxim Goryac hy

Mark E rmolov

P os itive R esearch C entermgoryachiy@ ptsecurity.com

mermolov@ ptsecurity.com

[email protected]@ptsecurity.com

Ag enda 3

• Definition of a Hardware Trojan• Debugging features as a basis of a Hardware Trojan• An overview of the debugging features in modern Intel CPUs• Activating debugging • Detecting enabled debugging

Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system.Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.

Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup BhuniaHardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009

Xiaoxiao Wang and Mohammad TehranipoorDetecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008

http://spywareremovers.com/


Hardware Trojan 4


Hardware Trojan (E xample) 5

What If You Are a White Hat

Use the JTAG, Luke!


6

What Is JTAG ?

Joint Test Action Group IEEE 1149.1• https://en.wikipedia.org/wiki/JTAG• IEEE Standard 1149.1

https://standards.ieee.org/findstds/standard/1149.1-2013.html• Blackbox JTAG Reverse Engineering [26C3]

https://www.youtube.com/watch?v=Up0697E5DGc

https://www.xjtag.com


7

Us es of JTA G

• Forensics (Dump Flash, rootkit detection)• Research (Cache as RAM, Secure Boot, Boot Guard, SMM)• Low-level debugging (UEFI DXE/PEI, drivers, hypervisor)• Performance analysis


http://partsolutions.com/

8

JTAG in Intel C PUs

• JTAG 101 IEEE 1149.x and Software Debughttp://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101-ieee-1149x-paper.pdf

• Debug Port Design Guide for UP/DP Systemshttp://download.intel.com/support/processors/pentium4/sb/31337301.pdf

https://upload.wikimedia.org


9

C onnec tion Types

• Intel In-Target Probe eXtended Debug Port (ITP-XDP)

• Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon.There are two types of DCI hosting interfaces in the platform:

USB3 Hosting DCI (USB Debug cable)

BSSB Hosting DCI (Intel SVT Closed Chassis Adapter)


10

Intel ITP-XDP

https://designintools.intel.com

Direct connection to CPU debugging interface

Price $3,000

Special board socket is required

Supported by Intel System Studio trial version

Protocol covered by NDA


11

Intel® Direc t C onnec t Interfac e (DC I)

Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH)

Works with U series out-of-box chipsets only


12

BSSB Hos ting DC I

https://designintools.intel.com

Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA orBSSB) provides access to DFx features, like JTAG and run control, through USB3ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.


Price $390

Private protocol using physical USB links


13

USB3 Hos ting DC I

http://www.datapro.net/

No extra hardware required (standard USB 3.0 cable)

OTG device, “magic” port needs to be found

Deep Sleep mode not supported


Run through the device integrated to the target platform

Standard USB protocol used


14

USB3 Hos ting DC I Devic e


15

What Is Simple USB-c able Able to Do…


http://www.datapro.net/

16

DEMO

ptsecurity.com

17

17

How to Ac tivate DC I?

• UEFI Human Interface Infrastructure (UEFI HII)

• PCH Strap (Intel Flash Image Tool)

• P2SB device


18

Ac tivation via UE FI HII

• UEFI Human Interface Infrastructurehttp://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF

• AMI BIOS Configuration Program 5.0https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/

• It is possible to reprogram BIOS by programmer or through SPI controller (ifprivileges allow), but the target platform could shut down with an errorif Boot Guard is running.

http://www.dediprog.com/


19

Ac tivation via UE FI HII


20

Ac tivation via PC H Strap

• Intel® Flash Image Toolhttp://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

• Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow)


21

Manually via P2SB Devic e


22

How to Fig ht Bac k?

• BootGuard

• Direct Connect Interface Enable bit check

• MSR IA32_DEBUG_INTERFACE


23

IA32_DE BUG _INT E RFA C E


24

New Ag e of BadUSB?

http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg


25

Summary

• Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system;

• Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers;

• Big vendor of motherboard vendor (we aren’t disclose);

• Ensure that your Skylake laptop has DCI disabled.


26

Thank you!

Questions?


github.com/ptresearch

27

Tapping into the core

Technology

Transcript of Tapping into the core