SlideShare une entreprise Scribd logo

Tapping into the core

Positive Hack Days
Positive Hack Days

The document discusses how modern Intel CPUs contain debugging features like JTAG that could enable hardware trojans if activated. It describes how the Intel Direct Connect Interface allows activating JTAG-like debugging over USB, potentially allowing full system control. It demonstrates activating DCI on a laptop through the UEFI and explains how to detect if DCI is enabled. The document warns that DCI could lead to a "new age of BadUSB" if used maliciously.

Technologie
1  sur  27
Télécharger pour lire hors ligne
Tapping into the C ore Maxim Goryachy Mark Ermolov Chaos Computer Club (33C 3), Hamburg, 2016
Intel® Direct C onnect Interface as a bas is for hardware Trojans Maxim Goryachy Mark Ermolov Positive Research Center mgoryachiy@ptsecurity.com mermolov@ptsecurity.com
mgoryachy@ptsecurity.com mermolov@ptsecurity.com Agenda 3 • Definition of a Hardware Trojan • Debugging features as a basis of a Hardware Trojan • An overview of the debugging features in modern Intel CPUs • Activating debugging • Detecting enabled debugging
Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system. Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.  Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia Hardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009  Xiaoxiao Wang and Mohammad Tehranipoor Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008 http://spywareremovers.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan 4
mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan (E xample) 5
What If You Are a White Hat Use the JTAG, Luke! mgoryachy@ptsecurity.com mermolov@ptsecurity.com 6
What Is JTAG? Joint Test Action Group IEEE 1149.1 • https://en.wikipedia.org/wiki/JTAG • IEEE Standard 1149.1 https://standards.ieee.org/findstds/standard/1149.1-2013.html • Blackbox JTAG Reverse Engineering [26C3] https://www.youtube.com/watch?v=Up0697E5DGc https://www.xjtag.com mgoryachy@ptsecurity.com mermolov@ptsecurity.com 7
Uses of JTAG • Forensics (Dump Flash, rootkit detection) • Research (Cache as RAM, Secure Boot, Boot Guard, SMM) • Low-level debugging (UEFI DXE/PEI, drivers, hypervisor) • Performance analysis mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://partsolutions.com/ 8
JTAG in Intel C PUs • JTAG 101 IEEE 1149.x and Software Debug http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101- ieee-1149x-paper.pdf • Debug Port Design Guide for UP/DP Systems http://download.intel.com/support/processors/pentium4/sb/31337301.pdf https://upload.wikimedia.org mgoryachy@ptsecurity.com mermolov@ptsecurity.com 9
C onnection Types • Intel In-Target Probe eXtended Debug Port (ITP-XDP) • Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon. There are two types of DCI hosting interfaces in the platform:  USB3 Hosting DCI (USB Debug cable)  BSSB Hosting DCI (Intel SVT Closed Chassis Adapter) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 10
Intel ITP-XDP https://designintools.intel.com  Direct connection to CPU debugging interface  Price $3,000  Special board socket is required  Supported by Intel System Studio trial version  Protocol covered by NDA mgoryachy@ptsecurity.com mermolov@ptsecurity.com 11
Intel® Direct C onnect Interface (DC I) Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH) Works with U series out-of-box chipsets only mgoryachy@ptsecurity.com mermolov@ptsecurity.com 12
BSSB Hos ting DC I https://designintools.intel.com Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA or BSSB) provides access to DFx features, like JTAG and run control, through USB3 ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.  Supported by Intel System Studio trial version  Price $390  Private protocol using physical USB links mgoryachy@ptsecurity.com mermolov@ptsecurity.com 13
USB3 Hos ting DC I http://www.datapro.net/  No extra hardware required (standard USB 3.0 cable)  OTG device, “magic” port needs to be found  Deep Sleep mode not supported  Supported by Intel System Studio trial version  Run through the device integrated to the target platform  Standard USB protocol used mgoryachy@ptsecurity.com mermolov@ptsecurity.com 14
USB3 Hos ting DC I Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 15
What Is Simple USB-cable Able to Do… mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://www.datapro.net/ 16
DEMO ptsecurity.com 17 17
How to Activate DC I? • UEFI Human Interface Infrastructure (UEFI HII) • PCH Strap (Intel Flash Image Tool) • P2SB device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 18
Activation via UEFI HII • UEFI Human Interface Infrastructure http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF • AMI BIOS Configuration Program 5.0 https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/ • It is possible to reprogram BIOS by programmer or through SPI controller (if privileges allow), but the target platform could shut down with an error if Boot Guard is running. http://www.dediprog.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com 19
Activation via UEFI HII mgoryachy@ptsecurity.com mermolov@ptsecurity.com 20
Activation via PC H Strap • Intel® Flash Image Tool http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp- System-Tools.html • Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 21
Manually via P2SB Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 22
How to Fight Back? • BootGuard • Direct Connect Interface Enable bit check • MSR IA32_DEBUG_INTERFACE mgoryachy@ptsecurity.com mermolov@ptsecurity.com 23
IA32_DE BUG_INTE RFAC E mgoryachy@ptsecurity.com mermolov@ptsecurity.com 24
New Age of BadUSB? http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg mgoryachy@ptsecurity.com mermolov@ptsecurity.com 25
Summary • Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system; • Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers; • Big vendor of motherboard vendor (we aren’t disclose); • Ensure that your Skylake laptop has DCI disabled. mgoryachy@ptsecurity.com mermolov@ptsecurity.com 26
Thank you! Questions? mgoryachiy@ptsecurity.com mermolov@ptsecurity.com github.com/ptresearch 27

Recommandé

知って得するUnity エディタ拡張編
知って得するUnity エディタ拡張編知って得するUnity エディタ拡張編
知って得するUnity エディタ拡張編Shota Baba
 
[Ubisoft] Perforce Integration in a AAA Game Engine
[Ubisoft] Perforce Integration in a AAA Game Engine[Ubisoft] Perforce Integration in a AAA Game Engine
[Ubisoft] Perforce Integration in a AAA Game EnginePerforce
 
【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例
【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例
【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例UnityTechnologiesJapan002
 
「宴」実装時に得られたUnityプログラムノウハウ
「宴」実装時に得られたUnityプログラムノウハウ「宴」実装時に得られたUnityプログラムノウハウ
「宴」実装時に得られたUnityプログラムノウハウRyohei Tokimura
 
UniTask入門
UniTask入門UniTask入門
UniTask入門torisoup
 
文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜
文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜
文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜Mikito Yoshiya
 
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法Yoshifumi Kawai
 
Unityティーチャートレーニングデイ -認定アソシエイト編-
Unityティーチャートレーニングデイ -認定アソシエイト編-Unityティーチャートレーニングデイ -認定アソシエイト編-
Unityティーチャートレーニングデイ -認定アソシエイト編-Unity Technologies Japan K.K.
 

Recommandé

知って得するUnity エディタ拡張編
知って得するUnity エディタ拡張編知って得するUnity エディタ拡張編
知って得するUnity エディタ拡張編Shota Baba
 
[Ubisoft] Perforce Integration in a AAA Game Engine
[Ubisoft] Perforce Integration in a AAA Game Engine[Ubisoft] Perforce Integration in a AAA Game Engine
[Ubisoft] Perforce Integration in a AAA Game EnginePerforce
 
【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例
【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例
【Unite 2018 Tokyo】『CARAVAN STORIES』のアセットバンドル事例UnityTechnologiesJapan002
 
「宴」実装時に得られたUnityプログラムノウハウ
「宴」実装時に得られたUnityプログラムノウハウ「宴」実装時に得られたUnityプログラムノウハウ
「宴」実装時に得られたUnityプログラムノウハウRyohei Tokimura
 
UniTask入門
UniTask入門UniTask入門
UniTask入門torisoup
 
文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜
文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜
文脈を操る美しきZenjectプロジェクトからの眺め 〜Contextの扱い方と活用方法〜Mikito Yoshiya
 
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法Yoshifumi Kawai
 
Unityティーチャートレーニングデイ -認定アソシエイト編-
Unityティーチャートレーニングデイ -認定アソシエイト編-Unityティーチャートレーニングデイ -認定アソシエイト編-
Unityティーチャートレーニングデイ -認定アソシエイト編-Unity Technologies Japan K.K.
 
Unity エディタ拡張
Unity エディタ拡張Unity エディタ拡張
Unity エディタ拡張Shota Baba
 
【Unite 2018 Tokyo】エディター拡張マニアクス2018
【Unite 2018 Tokyo】エディター拡張マニアクス2018【Unite 2018 Tokyo】エディター拡張マニアクス2018
【Unite 2018 Tokyo】エディター拡張マニアクス2018Unity Technologies Japan K.K.
 
HADOにおけるUniRxのObjectPool
HADOにおけるUniRxのObjectPoolHADOにおけるUniRxのObjectPool
HADOにおけるUniRxのObjectPoolYasuyuki Kado
 
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)Yuki Tamura
 
Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelVitaly Nikolenko
 
Game Creators Conference 2019 Keiji Kikuchi
Game Creators Conference 2019 Keiji KikuchiGame Creators Conference 2019 Keiji Kikuchi
Game Creators Conference 2019 Keiji KikuchiKeiji Kikuchi
 
核開発とStuxnet
核開発とStuxnet核開発とStuxnet
核開発とStuxnetSeiya Ishibashi
 
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術Unity Technologies Japan K.K.
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
Editor スクリプティング 入門
Editor スクリプティング 入門Editor スクリプティング 入門
Editor スクリプティング 入門Keigo Ando
 
人工知能とゲーム(後篇)
人工知能とゲーム(後篇)人工知能とゲーム(後篇)
人工知能とゲーム(後篇)Youichiro Miyake
 
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッTatsuhiko Yamamura
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編UnityTechnologiesJapan002
 
Linux for embedded_systems
Linux for embedded_systemsLinux for embedded_systems
Linux for embedded_systemsVandana Salve
 
【Unite 2017 Tokyo】Navmesh完全マスターへの道
【Unite 2017 Tokyo】Navmesh完全マスターへの道【Unite 2017 Tokyo】Navmesh完全マスターへの道
【Unite 2017 Tokyo】Navmesh完全マスターへの道Unity Technologies Japan K.K.
 
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMERエピック・ゲームズ・ジャパン Epic Games Japan
 
Music engineadx
Music engineadxMusic engineadx
Music engineadxSho Iwamoto
 
Comparativo entre Engines de Jogos em 3d
Comparativo entre Engines de Jogos em 3dComparativo entre Engines de Jogos em 3d
Comparativo entre Engines de Jogos em 3dMaico Fernando Wilges Carn
 
Android binder-ipc
Android binder-ipcAndroid binder-ipc
Android binder-ipcmagoroku Yamamoto
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 

Contenu connexe

Tendances

Unity エディタ拡張
Unity エディタ拡張Unity エディタ拡張
Unity エディタ拡張Shota Baba
 
【Unite 2018 Tokyo】エディター拡張マニアクス2018
【Unite 2018 Tokyo】エディター拡張マニアクス2018【Unite 2018 Tokyo】エディター拡張マニアクス2018
【Unite 2018 Tokyo】エディター拡張マニアクス2018Unity Technologies Japan K.K.
 
HADOにおけるUniRxのObjectPool
HADOにおけるUniRxのObjectPoolHADOにおけるUniRxのObjectPool
HADOにおけるUniRxのObjectPoolYasuyuki Kado
 
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)Yuki Tamura
 
Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelVitaly Nikolenko
 
Game Creators Conference 2019 Keiji Kikuchi
Game Creators Conference 2019 Keiji KikuchiGame Creators Conference 2019 Keiji Kikuchi
Game Creators Conference 2019 Keiji KikuchiKeiji Kikuchi
 
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術Unity Technologies Japan K.K.
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
Editor スクリプティング 入門
Editor スクリプティング 入門Editor スクリプティング 入門
Editor スクリプティング 入門Keigo Ando
 
人工知能とゲーム(後篇)
人工知能とゲーム(後篇)人工知能とゲーム(後篇)
人工知能とゲーム(後篇)Youichiro Miyake
 
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッTatsuhiko Yamamura
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編UnityTechnologiesJapan002
 
Linux for embedded_systems
Linux for embedded_systemsLinux for embedded_systems
Linux for embedded_systemsVandana Salve
 
【Unite 2017 Tokyo】Navmesh完全マスターへの道
【Unite 2017 Tokyo】Navmesh完全マスターへの道【Unite 2017 Tokyo】Navmesh完全マスターへの道
【Unite 2017 Tokyo】Navmesh完全マスターへの道Unity Technologies Japan K.K.
 
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMERエピック・ゲームズ・ジャパン Epic Games Japan
 

Tendances (20)

Unity エディタ拡張
Unity エディタ拡張Unity エディタ拡張
Unity エディタ拡張
 
【Unite 2018 Tokyo】エディター拡張マニアクス2018
【Unite 2018 Tokyo】エディター拡張マニアクス2018【Unite 2018 Tokyo】エディター拡張マニアクス2018
【Unite 2018 Tokyo】エディター拡張マニアクス2018
 
HADOにおけるUniRxのObjectPool
HADOにおけるUniRxのObjectPoolHADOにおけるUniRxのObjectPool
HADOにおけるUniRxのObjectPool
 
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)
失敗から学ぶゲーム開発(ドラゴンジェネシス〜聖戦の絆〜の場合)
 
Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernel
 
Game Creators Conference 2019 Keiji Kikuchi
Game Creators Conference 2019 Keiji KikuchiGame Creators Conference 2019 Keiji Kikuchi
Game Creators Conference 2019 Keiji Kikuchi
 
核開発とStuxnet
核開発とStuxnet核開発とStuxnet
核開発とStuxnet
 
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術
【Unity道場スペシャル 2017京都】最適化をする前に覚えておきたい技術
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
Editor スクリプティング 入門
Editor スクリプティング 入門Editor スクリプティング 入門
Editor スクリプティング 入門
 
人工知能とゲーム(後篇)
人工知能とゲーム(後篇)人工知能とゲーム(後篇)
人工知能とゲーム(後篇)
 
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ
誰もAddressableについて語らないなら、自分が語るしかない…ッッッッ
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation Workshop
 
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編
【Unity道場Houdini編】UnityとHoudiniで作るRealtimeVFX実践解説 後編
 
Linux for embedded_systems
Linux for embedded_systemsLinux for embedded_systems
Linux for embedded_systems
 
【Unite 2017 Tokyo】Navmesh完全マスターへの道
【Unite 2017 Tokyo】Navmesh完全マスターへの道【Unite 2017 Tokyo】Navmesh完全マスターへの道
【Unite 2017 Tokyo】Navmesh完全マスターへの道
 
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER
『バランワンダーワールド』でのマルチプラットフォーム対応について UNREAL FEST EXTREME 2021 SUMMER
 
Music engineadx
Music engineadxMusic engineadx
Music engineadx
 
Comparativo entre Engines de Jogos em 3d
Comparativo entre Engines de Jogos em 3dComparativo entre Engines de Jogos em 3d
Comparativo entre Engines de Jogos em 3d
 
Android binder-ipc
Android binder-ipcAndroid binder-ipc
Android binder-ipc
 

Similaire à Tapping into the core

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
Design and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerDesign and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerIJERA Editor
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processorsNebyueAwoke
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoTteam-WIBU
 
Breaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsBreaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsSpeck&Tech
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 

Similaire à Tapping into the core (20)

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System Software
 
Embedded C workshop
Embedded C workshopEmbedded C workshop
Embedded C workshop
 
Design and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web ServerDesign and Development of ARM9 Based Embedded Web Server
Design and Development of ARM9 Based Embedded Web Server
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processors
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoT
 
SoC: System On Chip
SoC: System On ChipSoC: System On Chip
SoC: System On Chip
 
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal CloudsBMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
 
Breaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial RobotsBreaking the Laws of Robotics: Attacking Industrial Robots
Breaking the Laws of Robotics: Attacking Industrial Robots
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Resume
ResumeResume
Resume
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 

Plus de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Plus de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Dernier

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Dernier (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Tapping into the core

  • 1. Tapping into the C ore Maxim Goryachy Mark Ermolov Chaos Computer Club (33C 3), Hamburg, 2016
  • 2. Intel® Direct C onnect Interface as a bas is for hardware Trojans Maxim Goryachy Mark Ermolov Positive Research Center mgoryachiy@ptsecurity.com mermolov@ptsecurity.com
  • 3. mgoryachy@ptsecurity.com mermolov@ptsecurity.com Agenda 3 • Definition of a Hardware Trojan • Debugging features as a basis of a Hardware Trojan • An overview of the debugging features in modern Intel CPUs • Activating debugging • Detecting enabled debugging
  • 4. Hardware Trojan is malicious alteration of hardware that could, under specific conditions, result in functional changes of the system. Hardware Trojan can be inserted at the stage of production, shipment, storage, or use.  Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia Hardware Trojan: Threats and Emerging Solutions, IEEE HLDVT 2009  Xiaoxiao Wang and Mohammad Tehranipoor Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, IEEE HOST 2008 http://spywareremovers.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com Hardware Trojan 4
  • 6. What If You Are a White Hat Use the JTAG, Luke! mgoryachy@ptsecurity.com mermolov@ptsecurity.com 6
  • 7. What Is JTAG? Joint Test Action Group IEEE 1149.1 • https://en.wikipedia.org/wiki/JTAG • IEEE Standard 1149.1 https://standards.ieee.org/findstds/standard/1149.1-2013.html • Blackbox JTAG Reverse Engineering [26C3] https://www.youtube.com/watch?v=Up0697E5DGc https://www.xjtag.com mgoryachy@ptsecurity.com mermolov@ptsecurity.com 7
  • 8. Uses of JTAG • Forensics (Dump Flash, rootkit detection) • Research (Cache as RAM, Secure Boot, Boot Guard, SMM) • Low-level debugging (UEFI DXE/PEI, drivers, hypervisor) • Performance analysis mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://partsolutions.com/ 8
  • 9. JTAG in Intel C PUs • JTAG 101 IEEE 1149.x and Software Debug http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/jtag-101- ieee-1149x-paper.pdf • Debug Port Design Guide for UP/DP Systems http://download.intel.com/support/processors/pentium4/sb/31337301.pdf https://upload.wikimedia.org mgoryachy@ptsecurity.com mermolov@ptsecurity.com 9
  • 10. C onnection Types • Intel In-Target Probe eXtended Debug Port (ITP-XDP) • Intel Direct Connect Interface (DCI): transport technology designed to enable closed chassis debug through any of USB3 ports out from Intel silicon. There are two types of DCI hosting interfaces in the platform:  USB3 Hosting DCI (USB Debug cable)  BSSB Hosting DCI (Intel SVT Closed Chassis Adapter) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 10
  • 11. Intel ITP-XDP https://designintools.intel.com  Direct connection to CPU debugging interface  Price $3,000  Special board socket is required  Supported by Intel System Studio trial version  Protocol covered by NDA mgoryachy@ptsecurity.com mermolov@ptsecurity.com 11
  • 12. Intel® Direct C onnect Interface (DC I) Intel® 100 Series and Intel® C230 Series Chipset Family Platform Controller Hub (PCH) Works with U series out-of-box chipsets only mgoryachy@ptsecurity.com mermolov@ptsecurity.com 12
  • 13. BSSB Hos ting DC I https://designintools.intel.com Intel® Silicon View Technology Closed Chassis Adapter (also known as SVTCCA or BSSB) provides access to DFx features, like JTAG and run control, through USB3 ports on Intel® Direct Connect Interface (DCI) enabled silicon and platforms.  Supported by Intel System Studio trial version  Price $390  Private protocol using physical USB links mgoryachy@ptsecurity.com mermolov@ptsecurity.com 13
  • 14. USB3 Hos ting DC I http://www.datapro.net/  No extra hardware required (standard USB 3.0 cable)  OTG device, “magic” port needs to be found  Deep Sleep mode not supported  Supported by Intel System Studio trial version  Run through the device integrated to the target platform  Standard USB protocol used mgoryachy@ptsecurity.com mermolov@ptsecurity.com 14
  • 15. USB3 Hos ting DC I Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 15
  • 16. What Is Simple USB-cable Able to Do… mgoryachy@ptsecurity.com mermolov@ptsecurity.com http://www.datapro.net/ 16
  • 18. How to Activate DC I? • UEFI Human Interface Infrastructure (UEFI HII) • PCH Strap (Intel Flash Image Tool) • P2SB device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 18
  • 19. Activation via UEFI HII • UEFI Human Interface Infrastructure http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_5_Errata_A.PDF • AMI BIOS Configuration Program 5.0 https://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/ • It is possible to reprogram BIOS by programmer or through SPI controller (if privileges allow), but the target platform could shut down with an error if Boot Guard is running. http://www.dediprog.com/ mgoryachy@ptsecurity.com mermolov@ptsecurity.com 19
  • 20. Activation via UEFI HII mgoryachy@ptsecurity.com mermolov@ptsecurity.com 20
  • 21. Activation via PC H Strap • Intel® Flash Image Tool http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp- System-Tools.html • Manually (Flash Descriptor, PCH Strap): reprogram BIOS by programmer or through SPI controller (if privileges allow) mgoryachy@ptsecurity.com mermolov@ptsecurity.com 21
  • 22. Manually via P2SB Device mgoryachy@ptsecurity.com mermolov@ptsecurity.com 22
  • 23. How to Fight Back? • BootGuard • Direct Connect Interface Enable bit check • MSR IA32_DEBUG_INTERFACE mgoryachy@ptsecurity.com mermolov@ptsecurity.com 23
  • 24. IA32_DE BUG_INTE RFAC E mgoryachy@ptsecurity.com mermolov@ptsecurity.com 24
  • 25. New Age of BadUSB? http://www.extremetech.com/wp-content/uploads/2014/07/chipsbank_usb_drives.jpg mgoryachy@ptsecurity.com mermolov@ptsecurity.com 25
  • 26. Summary • Modern CPU (Skylake+) design allows using JTAG-like interface through USB which gives total control over the system; • Being a low cost and non-NDA technology, JTAG provides new opportunities for researchers; • Big vendor of motherboard vendor (we aren’t disclose); • Ensure that your Skylake laptop has DCI disabled. mgoryachy@ptsecurity.com mermolov@ptsecurity.com 26