Placeholder Image

字幕列表 影片播放

  • A couple of guys are here. I want to stand in front of you and talk about the PCI express.

  • Joe and Miles, give them a round of applause. (  Applause  ) >> Hey, how's it going? Ok, who

  • here went to Mike Osman's RF Reflectors NSA Playset Talk? Ok, who went to Josh Jatko and Teddy

  • Reed's ITC Implant Talk? Who went to Dean Anlooki's GSM talk? Okay. Who here bought any NSA

  • Playset kit from Vendor Village? You don't have to say if your employer sent you to buy one for

  • research purposes, you know. So this is Stupid PCIe Tricks featuring NSA Playset PCIe. It

  • didn't really start out as an NSA Playset talk, but it fights right in because this is a

  • capability that they've got to have. It's got to be on one of the pages rejected or missing.

  • I'm Joe Fitzpatrick. I have an electrical engineering education with focus on CS and Infosec. I

  • spent eight years doing security research, speed debut and tool development for CPUs including

  • hardware pen testing of CPUs and security training for functional validators worldwide. I also

  • teach a really cool class, software exploitation via hardware hacking, aka SEx via

  • HEx, so if any of you are interested, you should google look for that. It's somewhat

  • safe. It's work safe. And our mandatory meeting, "if Joe Fitz, he sitz". If you missed the hot

  • tub at Tour Camp, you should go next time. It runs in two years. >> I'm Miles Crabill, I'm a

  • current student and hardware Newbie, but interested in computer science and met up with

  • Joe last year and have been working with him on the last couple months on this NSA

  • Playset PCIe stuff. I didn't come in with much hardware experience SP and I've pretty

  • much been learning as I went. It's been a great time. So I couldn't show this, of course.

  • >> Miles has been great because he makes it all look presentable. I'm a hardware guy

  • and not a coder. So a slight disclaimer, I didn't do really good research, I didn't cite a

  • lot of people, but there are tons of people who have done PCIe work and other stuff so,

  • the difference is in line with the NSA Playset goals, we try to make it accessible and

  • inexpensive. We want any 10 years olds to start doing DAM attacks and memory jumps and

  • lock screen bypasses. Miles will give us the run-down of what the heck is PCIe, because even

  • though you might know it, you may not know the next layer in detail. >> Okay. So what is

  • PCIe? Well, the answer is that PCIe is PCI extending on this old specification. It's been

  • around forever. It's for fast IO, right? If you have a video card or something like that,

  • network card, sound card, anything really that goes in an extension, it'll probably on

  • your motherboard, whether you're on a laptop, desktop, most modern computers use PCI and so

  • this is how you get fast stuff going on the hardware level. So there are also things that don't

  • match up. As you see here, they don't look exactly the same. However, PCIe is backwards

  • compatible with PCI and PTIX. On the lower level you have packets that are being transmitted

  • across lanes, and so a lane is four wires. When you see on a PCI card something like XX 4 or

  • X 16, that's the number of lanes and it corresponds to throughput, so the amount of

  • data you're able to transfer. Most video use X 16, because they're transferring a lot of

  • data. PCI enables DAM access. So PCI hierarchy. The root complex is the highest node in the

  • hierarchy and pretty much everything else descends from there. You see the switch

  • connected to the root complex, and PCI devices will connect to the switch and other PCI devices

  • can be connected to other PCI devices so you get a whole mess when you try underwriting this

  • stuff. So switching. This is the inside of the switch. From the upstream you have the bus, and

  • then you have these virtual PCI to PCI bridges, and then these actually interface with the real

  • devices that you have connected, the real PCI devices. So the layers of PCI building up from

  • the bottom, you have RxTX on the physical layer of things, the logical side and electrical side

  • data and then up to the transaction where you're actually working with packets. I

  • don't know how well you can see this, but this is the actual PCI spec stuff in the top like

  • device I.D. and vendor I.D. is how you would identify a device. So diving into that we have

  • LSPCI output, just checking out a specific device. You can see this highlighted area is the

  • vendor I.D. of a device, and so you can see this highlighted area is the vendor ID of the

  • device and so this is how you would check the manufacturer. They all have codes associated

  • and then this would be the device I.D. so this is like per a specific product or family of

  • products. Then the revision, so you can see that all of this is just right in these bytes that

  • you can access through LSPCI. And this is your class. Device class. Yes. So you can see that

  • this is a PCI bridge that's 0604. It's just the code that's assigned to this type of device.

  • And so enumeration, as I said before, it gets pretty messy because it's depth first,

  • traversal of the tree hierarchy and everything like switches and PCItoPCI bridges show up

  • multiple times. And so any kind of LSPCI VD output is just a headache to look out. It's huge.

  • So  ‑ ‑ >> Okay. I'm back on. Routing PCIe. So we talked a little bit about what PCIe is

  • from a conceptual level. The fundamental difference is PCI was 32 bits in parallel, a big

  • flat parallel bus with multiple devices sitting on it. PCI express is this highspeed

  • serial with differential signaling. When you route highspeed signaling and high speed

  • differential signals you have some rules to follow, okay? If you wanted to make your own PCI

  • express device, you have to follow the step by step complicated mandatory and

  • inflexible rules to routing PCIE. For every single one of these. Number one, route your

  • pairs at roughly equal length. That's pretty much it. They made this spec to make it easier for

  • designing boards, because routing 32 lines in parallel along with the cloth, they have

  • to be equal lengths. That's a pain in the ass. They said ok, we'll do each pair on it's own,

  • TX pair and RX pair, and as long as each pair is the same length, the next line over can be a

  • different length, the next line over can be a different length, which works well when you have a

  • long card. It doesn't matter. All of that is taken care of by the physical layer of the PCIE.

  • There's some specs, right? You have to have board traces and 12 inches or less, cards are

  • supposed to be 13 1/2 total. 2 chips on one board supposed to be 15 inches. And if you follow

  • the rules, your board might work. If you don't follow these rules, it might still work. So

  • PCI express 1 X, the lowest common denominator, is 2.5GHz TX, 2.5GHz RX and 100MHz Clock.

  • That is a common clock and that's actually optional. The device can actually generate

  • it's own clock. It depends on the system and device. You can do it with the clock. But we'll

  • throw it in there, just for, you know, because we have room. If we wanted to make a table to

  • connect this, what do we need? We need something that can do highspeed, and PCI express

  • specifies actually like external cabling and it's really expensive. I don't like

  • expensive things, because I'm cheap. This is a crosssection of the USB 3 cable. If you look

  • inside, you've got the red and the black are ground to BCC, and the green and white are your old

  • school USB, USB 2.0 wires, right? Those are designed go up to 240 megabytes, right? That's

  • what USB megabyte was and that's plenty to carry our clock. You have the two level pockets, the

  • red, blue, and the purple and orange and those hold the high speed lanes and those go at 5

  • gigahertz. Right? So we have this cable we can get them for a couple of bucks at pretty much

  • any store and they carry exactly what they need, they carry 5 gigahertz, 5GHz and 500MHz.

  • That's actually more than we need. I threw together this little PCB. It looks like a PCIe

  • card. There's a dotted line in a middle. That's because I'm cheap again. And you can get a 5x5 cm

  • board for one price and I wanted two boards, but I didn't want to have to pay for two boards, so I

  • put them on the same board. Cut them in half if you want or use as is. You can see those red and

  • blue lines those are the top and bottom layers where I just connect the wires together and I

  • actually did a really bad job of this. You can do your own production stuff, do your own.

  • You can actually buy these premade from several manufacturers on eBay and all

  • express and other places in China, but that's no fun. So I made my own. This is what the

  • board looks like, and I have the cool silk solder mask, silver lettering because that's really

  • important when you make PCB to have your logo on there. I call it PEXternalizer. There's the

  • board cut in half at the other end and assembled on the populated board. They're a 1X

  • PCI express socket up there and the end looks kind of mundged up and molten, that's because I

  • just got my soldering iron and ran through that to open it up so I could put a 16 X card in.

  • Here's a quick screen shot basically. This PCI express wireless adapter in, and it's

  • connected and running, and I can connect to wireless networks. That's all well and good, but

  • that's old news. What else can we do? What devices can we add PCI express to that don't

  • generally have it? Have you seen this? Intel Galileo. It's an arduino board, but it actually

  • has a mini PCIe board on the back. What can you do with that? It's supposed to only work with

  • WiFi adapters, but that's no fun. Anybody can put a WiFi adapter in an arduino. Yeah,

  • make light flash. Oh, I'm not wearing that shirt. Oops. Makers make lights flahs. Hackers make

  • other people's lights flash. I made another version of the board, a miniPCIE version.

  • I'll show you pictures. We'll look over. I'll actually show you. Oh, whoa. So we've got here

  • a nice  ‑ ‑ oh, there. It's upside graphics card backwards. We've got our Intel Galileo and

  • flip on the other side we have the mini PCIe card with the USB header. Again it's USB header

  • it's just USB header and cable because they're cheap. On the other end I have the populated

  • thingydo which has a little power regulator on the end. We don't have the power supply and

  • cables and extra VGA to hook it up and show you, but basically we plug  ‑ ‑ stay still. I'm

  • looking at the screen. Whoo! Anybody sick yet? Pop it in the slot. >> Oh, gosh. >> There we

  • go. So you got that, right? You got it. There we go. You have more than 12 inches. Yeah. Do

  • you think it still works? Yeah, it still works. And so here's a screen shot. Whoa, here we go.

  • Actually when we tried it out, we used a bigger graphics card because bigger is better, right?

  • So wired them up PCIe that tiny Arduino and that nice big burly graphics card hovering over it

  • and if we hook it and we look, I had to do a little bit of custom building of that, which is

  • annoying because of the software and I hate software. If you do all this PCIe, same tools as

  • before. It's on the Galileo board already. You see a whole bunch of 8086, 8086, 8086.

  • Anybody knows who vendor I.D. that is? All the way down at the bottom is the 10de. Who do you

  • think that might be? Invideos. So, ya know. Sneak it in there and put it Invidy with Intel in

  • bed a little longer. Here we go. I hooked you up to my full HD display, to say, hey, I have X

  • running. There's no keyboard input or anything like that, but at this point it's a software

  • problem and I'm a hardware guy. It's someone else's problem, right? So let's move on. The

  • other device I played around with, and I don't have it here to show off is not fully working

  • yet. This is a Pogoplug. It's a network storage device. It has an Ethernet port and USB port

  • and you plug it in. It shares it with the whole world. It doesn't tell you about that part. If we

  • look at two versions of the PCE, the cheap and expensive one. The big difference in the upper left

  • corner is an extra chip that's a USB‑ 3 chip. You want USB 3 on your very slow network storage

  • device. The way it's connected is PCI express. If you see on this one, the purple wires on

  • the left hand side, those are my PCI express lanes. I have TX and Rx pairs and then I've got a

  • clock line. He took it with my phone through my magnifying glass, but you see on the left

  • we have a couple tiny little resistors that have it over it. Can you see it? You can't? Oh,

  • no. You can. So you see right there, there's a couple resistors because the resistance

  • loaders, you have to put on the clock lines, and over here's they're still very small, but

  • you see that little brown spot right there and there? Those are capacitors that are soldered to

  • the tip of USB connector and then the wire is soldered to the other edges side. It looks

  • pretty fancy. But a year and a half ago I sucked at soldering and still do. You find a friend

  • who can do it. Thanks, Kenny. He's not here, but you know. Those of you who know Kenny, he

  • does good work. Again, that goes out to a USB connector, which is the same Pen out as this chain

  • again. So my plan there is to get it working and see if I can compile those drivers for ARM

  • instead. So introducing SLOTSCREAMER. This is where we get into the NSA Playset side of

  • things. It reset our timer. Oh, its 2:16. We're good. Introducing SLOTSCREAMER, its in

  • all CAPS because it's cool to have things in all CAPS. I've had some critiquing because the

  • name sounds too good, it's not random and silly enough for NSA Playset because it actually is a

  • device that goes in a slot. I apologize. Again, I mentioned before I didn't do a lot of

  • research or citation, but I was at Black Hat and I saw this awesome slide which was from

  • Steven Weiss talking about protecting date in-use from firmware and physical attacks,

  • which is kind of what we're about to do. I figured I'd throw his slide in here. Thank you to

  • all of these people for all the work they have done, because I wouldn't have done this if it

  • wasn't done before me including all the citations. So it's also really cool to go into someone

  • else's talk and see my name on it. Whoo. This is my first time talking at DEF CON. (  Applause 

  • ) >> It's Miles' first time, too. I'm glad we could have our first time together Miles. ( 

  • Applause  ) >> A lot of people are playing with this doing these PCI Express attacks, but a

  • lot of them are using FPGAs. FPGAs are expensive and they're difficult and they're hard and

  • you have to download like 28 bytes of software to get them working. Which who cares about

  • that software stuff. So I looked around and found this cool it'll ASIC. It's a PLX technology.

  • It's a USB 3380 its aPCItoUSB bridge that works. It's a USB device port. You can plug it

  • into your system and load drivers and make it look like a mass storage control. You can

  • use this configure differently and make a PCI express device work over the USB. You can have

  • an attached graphics adapter, right? Right? This is a block diagram, one side you have PCI

  • Express, the other side you have USB. That's all there is to it. You know, every chip that is

  • configurable is configurable in ways they didn't intend, so that's what I did. They have

  • this PCI out end point. An endpoint is something that shows up from USB, so from USB  ‑ ‑

  • I'm going really fast, aren't I? Am I going too fast? I apologize. >> We have a lot of

  • slides. >> We're on 49 of 92. Okay. We're actually going a little fast. Let's slow down.

  • PCI out. Okay. It's actually good, because I thought we wouldn't have enough time, and I

  • was going to tell them to go away. Since he came at the right time. How is it going? >> Good.

  • >> What's all this? >> We heard this track was going a little bit fast, so we thought we would

  • mellow it out a bit. That's why we're here. How are they doing? (  Cheers and applause  ) >> I

  • guess they really want you to slow down. The slides are a bit of an eyechart, although when

  • you had the picture of the device up, the board. I got the detail on that. >> All right.

  • New speakers to DEF CON. >> Cheers. (  Applause  ) >> I did that for all of you. Hold on.

  • Thank you. Can I continue now? PCI out end point. This shows up on the USB side of things,

  • right? This is a packet format. We need to write a bunch of bytes for USB so this guy and

  • actually fills out what's called a PCI master control register and the PCI master address

  • register. What happens is when these registers get filled up, the chip, this guy, receives the

  • data from the USB side. He takes it into his little hardware stuff. Don't worry about it,

  • it's hardware. You guys wouldn't understand and he generates a PCI Express packet. Which goes

  • out over PCI Express to the root complex, the root complex processes it, does whatever you

  • want or whatever you told it to and sends back a response. Once we enabled it, so this comes out

  • of the spec, sorry for the eye chart, if we look down here we have this little end point

  • enabled bit. So you think something silly like this would be off by default. But look

  • actually oh, Others = 1, it's on by default. How convenient. This makes sense because if you look

  • at the drivers for this device, the standard Linux drivers for USB gadget events, which lets

  • you use it as a device port so you can turn your computer into a mass storage controller, they

  • have this little section where they explicitly disabled these dedicated end points. And I

  • think in another kernel version they have like, for security reasons, we need to disable

  • these end points, which is great. I like when I see things like that in documentation. I

  • talked to PLX service engineers asking about this. We don't do that. That's not what it's for.

  • We can try it and see if it works. Didn't really say what would happen if I turned it on

  • in this mode, but I heart undefined behavior. Is that sticker still on there? At least

  • it's not on my shirt. Thank you, Mike, for the shirt. Anyway. So let's enable it. We're still not

  • going too fast. I showed you the three registers here. If we look inside, this is the PCI master

  • control register. Basically what we do is we need to write bits that will end up in here and do

  • these things that it says and this bits 5 to 4 two bits, we can basically say, do a memory

  • read and memory write, or an IO read, an IO write or conf read or config write, or PCI express

  • message. Let me explain for a second what each of these are. Memory read/memory write is

  • exactly that. PCI express devices need to have the memory maps so they can read and write

  • to buffers in the main memory. So if you want to read some memory, we can do that. If we

  • want to write to memory, and we can do that. IO read and write, really nobody uses this anymore,

  • it's all legacy stuff, but we might as well try it because all of the Legacy stuff wasn't

  • tested as well as all of the new stuff. Configuration read and write, those are when we are

  • actually directly accessing PCI Express devices. So when you enable things on the graphic

  • cards you do a configuration write to a bunch of registers on the card. That's what maps to

  • the table of class codes and stuff Miles talked about briefly before. Another eye chart. This

  • is all well and good, but we need to have this device just work. We want to plug it in a

  • socket and have it do stuff. We don't want it to deal with loading drivers, because who is

  • going to load drivers to a fax machine? No one clicks on silly things, right? So we can modify

  • the firmware. Basically there's a little chip on the POX board. Where is my board? That will

  • hold configuration data, and when the chip turns on and powers up, it will read this

  • data and set the registers right. You think, okay, a lot of work put into this custom

  • firmware that I made, I've been talking all about it, you think I did a lot of work? I'm lazy.

  • It's these. How many bytes is that? That's it. That's the content of the E prompt. To

  • decode it for you to those that speak XXD. Basically I have two registers I wrote to. The first

  • register that 497000049, right, that's the content of the what ports to a register and I slap

  • the bit to enable USB. When the device turns on, first thing it does is enable USB. Second thing

  • I do is this E414BC16. That's the vendor ID and device I.D. of the Broadcom secured digital

  • card reader. Because it's a secured digital card readers everyone trusts them. If I tell

  • them I'm one of them, they'll turn everything on. They'll turn on bus master even if they don't

  • need to. That's pretty much all that I did to configure this chip to make it do my bidding.

  • So let's attack the PCIe. >> So as Joe said, who wants to load a driver? We have this whole

  • category of target side software where we have to make sure the target has all the stuff we need

  • to get the attack roll, but no, no, nothing. So on the attacker side, we actually do have some

  • stuff. So what we do is use high USB, which is a nice Python library for interacting with

  • devices over USB to interact with the PCI end points on the swat screen, the USB 3380. So

  • this is just a little snippet of code showing a dirty PCI memory read and write by PyUSB. At the

  • top you see read where we're actually making a packet to send and you can see this OXCF and

  • the F denotes the read, and down at the bottom here you see the 4F means that it's a write and

  • so now we have a demo. >> Well you  ‑ ‑ >> So you do the whole switches of screens here.

  • Basically we have this little device here. It's a Nook Intel makes them, they're tiny and

  • they compute. We hook up this device to a little board. It's upsidedown. >> Oh, no. It's

  • still on my screen. >> I stepped on the power strip. You're flaky power strip. I saw the light.

  • There we go. I have to reboot my Nook. Luckily it boots fast. Oh. I'm sorry. Please. I won't step

  • on it again. I promise. What time is it? 2:27. Are you ready in no. We need to unplug and

  • play it. That's not it. That is it. You just need to mirror your screens. I didn't recognize the

  • picture. It's not my desktop. I never got around to changing the default desktop anyway. That's

  • my fault. There you go. There we go. Patience, patience. So I'm using Python, and I'll stay away

  • from the power strip. I'll step back from here. Can you see that? It's backwards, isn't it?

  • >> Yeah. >> I'm sorry. It's a crypto challenge. So what I'm going to do is basically I wrote

  • this little sampler in init PCI and I'm going to hit enter and it actually worked. Whoohoo! So

  • it initialized the link from this PC to the hacker's hack device over PCI. It found two

  • endpoints 0x0e and 0x0e out. Those actually line up to what I showed you on the chart before.

  • I'm sure you all wrote those down. Then I'm going to read PCI and so I give it an address and

  • how many byes to read and right there and I just get a whole bunch of, it's Python software

  • you see, Fs and 0s and Bs and some strings and stuff. So yeah I just read memory. This is off

  • of this guy on PCI. Whoo. It's not the greatest demo, but you know, we're getting there. All

  • right. >> Okay. And so how many of you have heard of inception, not the movie? That's a few.

  • There's a cool utility that Carston wrote that exploits the DNA features of fire wire to

  • basically patch some  ‑ ‑ you might see here there's some selections that you can choose

  • to target with signatures. So it can identify based on the signatures certain operating

  • systems and inject code into it bringing it up. For example the OSX one makes all passwords

  • nothing. So what we have instead of inception, we have into PCIe, which is an extension that

  • we're  ‑ ‑ >> It's an anagram. >> I didn't know that. Yeah, so, we extended inception to PCIE

  • and we're still working on it. Ironing out bugs and that kind of thing, but that's the goal.

  • >> This is right from Carson's documentation. What we're doing is hopping through memory and

  • looking for the page that contains whatever authentication or password. You did a whole

  • process up in the password. Yes, you got it right and no you didn't at the very end. It has a

  • signature, which is listed as a chunk of memory data. It looks for that signature at a certain

  • offset in every 4k page. So it doesn't matter if you have ASLR or anything within a 4k page it

  • always ends up the same spot. Then you go and patch it, and the patch goes to offset.

  • Basically just change the jump to an up or something like that. You bypass, so when you type in

  • blah, blah, blah enter, no matter what blah, blah, blah is it lets you bypass the locked

  • screen. (  Applause  ) >> We didn't do the work there. Other people have been doing the

  • Spyware stuff for a long time. Don't clap. We just imported into this PCI Express interface,

  • which is great because you don't require drivers. Firewire require that the host offers

  • install drivers, and you're supposed to talk about this later on. >> So you see here the

  • chunk, which is actually the signature that you're trying to look for to identify in this

  • case OS X 2.9. So earlier this week Joe and I were in a hotel room taking dumps together. As

  • you can see from this little highlighted into PCIe business and all of the SLOTSCREAMERS on

  • the desk. I decided after taking all those dumps, Jason stool analysis, you've heard of

  • volatility is a cool analysis framework, so this is the demessage log of the attack

  • straight off of the victim. You can see my solarized color scheme there. So at the top you

  • can see the thunderbolt first being recognized when plugged in, and then some PCI

  • configuration going on. And I decided, hey SHTHS why not do more analysis because the

  • utility has all these nice scripts? This is just another dump. This is a MAC that we're

  • dumping apple dot something, something, something. And various other  ‑ ‑ >> I was

  • looking around for the files, and I find some of Miles' cookies in his dumps . >> Here

  • you can see, I don't know if its major version or minor version what it means, but I'm running

  • 10.9.4.6 OS X. I had the perfect amount of memory, 4 gigs, on this machine not for not

  • actually using things because these kind of attacks are a little limited because of PCIe

  • is at 32 bit addresses and so we can't actually go over the 4 gig over the threshold. However, if

  • you know what you're doing, 4 gigs is for our assessment. >> You know what thunderbolt is.

  • It's fun stuff. It's basically PCI Express out of your system. Kind of that whole USB crap, but

  • without the sketching boards and stuff. When you have Thunderbolt, you have two chips,

  • and it's straight from the thunderbolt device programming guide, and you have a chip

  • inside your Macintosh and you have a chip on your device. The chip takes PCI Express in

  • display port in and they crunch it together into some other physical layer really fast to

  • transport mechanism, and the other side extracts what it needs to, right? You can also

  • even pass the stuff through. You can connect a display port to something else, daisy chained

  • along the end or fun stuff like that. Of course, we try to plug our device into the PCI express

  • thunderbolt enclosure, and in line with the NSA Playset, we decided to give that a new name.

  • So HALIBUTDUGOUT is the slotscreamer when inserted into a thunderbolt enclosure. And

  • you'll see the little logo for Great Scott Gadgets, he's awesome, he sent me a bunch of

  • hardware when he heard what I was working on and that kind of motivated me to keep working on

  • this. Thank you, Mike. So I'm forgetting what's next. In my mind there's a gap here. Again,

  • we talk about DMI. People have showed off the DMI for a long time and they're inaccessible

  • they didn't give full disclosure on exactly how to do it all or the code for the FPJ or anything

  • like that. So in line with the NSA Playset, there's a little page, click on there. We have

  • all of the utilities and firmware available for you to download and do this yourself.

  • The hardware itself is this  ‑ ‑ right now I'm using a reference board, and you don't even have

  • to solder to make it work, right? You buy the reference board from a sketchy company in

  • China, H.W. tools.net. I sent thousands of dollars and they sent me cards and they're pretty

  • reliable. And I've talked to their tech support a few times. They're pretty good with that.

  • That's a device on there. Its got the chip on there. Instead of that, there's a little bit of

  • hardware hacking. You have to find a jumper. Do you remember what jumpers are? You have to

  • put it over the first set of pins to connect the E prong with that chip right there. And then

  • you have to go and flash it yourself. We sold a bunch of these in the vendor area

  • yesterday all preflashed and ready to go for all of you wants to go back to the undisclosed

  • employers to show off what you learned at DEF CON. All the software is on the NSA play set

  • get DAIB hub. We put it all up there, did you make it all private? It will be up there

  • very soon, but now that we've got all of you basically enabled to dump people's memories and

  • check out their dumps and modify and do all that stuff, what could be done to fix this,

  • right? Part of the NSA Playset mission is like ok state actor has had this capability for a

  • long time. Forensics has had this ability. Now that all of you have this ability, maybe

  • they'll actually fix it. I started with an antiApple, antiThunderbolt slant to this,

  • but it actually came out pretty good. In Linux, if you look for this Bus Master enable bit, any

  • device plug in the system gets Bus Master enabled turned on. Welcome to the show. What memory

  • would you like? There really isn't a software remediation for this, right? You can't just not

  • load the Fire wire drivers like you could with the regular inception attack. You can use an

  • IOMMU. Are you familiar with virtualization? How about virtualization of hardware?

  • Virtualization on the left, you just have software VMs that run a code and interfaced with an

  • extraction layer. On the other side you've got  ‑ ‑ whether you use BTD or an IOMMU of some

  • sort, where you can actually assign a device to a specific software VM, you can actually

  • have two graphic cards plugged into your system, each running native drivers in a separate VM

  • and no one knows the difference. All that memory DMA access is remapped. If you configure a BTD

  • write like Apple does 10.8.2 on IP version they actually configure BT later, unless you

  • change the argument and turn BT off, which is good for a demonstration. You can go and

  • modify memory. Why those limitations? Why haven't they rolled them back to IP bridge?

  • Any system with thunderbolts should have BTD on to protect you against certain things. Any

  • system that has an express card. Any system you leave anywhere you don't see that someone can

  • open it up and pop a card in. You should be careful. Your operating system vendor should

  • be writing and providing this stuff by default. It's just important. Until then what

  • solution do we have? Abstinence, right. Miles would ever plug into sketchy into your display

  • port/Thunderbolt port? >> Of course not. >> What's plugged in there right now? >> It's just a

  • VGA cable. >> Where does it go? What's this? Oh, oh. >> Whoops. >> I have the power cord out,

  • too. We have five minutes. Okay. So yeah, yeah. Miles plugged in this little cable that looks

  • pretty simple. It's like one of those stupid $30 Apple adapters. But actually we look at the

  • other end and its really just a thunderbolt cable going to the thunderbolt enclosure attached

  • to an adapter. So this is how you could basically one of these yourself. We call this

  • ALLOYVIPER. We need a new name, because it's a cosmetic change to commercial products. So  ‑ ‑

  • actually this one has a list price of 300,000, maybe a little less if you buy them in bulk.

  • It's actally pretty pricey because one cable alone is 50 bucks. So you take one of these

  • Thunderbolt cables and you go to radio shack and GED get one of these module telephone Jack and

  • use these little metal thingies. Thank you. I can push buttons now. You can get heat shrink

  • tubing, open everything up and thread your thunderbolt cable through that. Close it up, get

  • your heat shrink tubing, thread the Thunderbolt cable through that. Put the metal enclosure on

  • the end, and that's pretty much it. You basically say here, I already got an adapter for you.

  • Thanks for presenting. My apology to Joe Grand. You were here last. My apology to Miles,

  • that dump I did was actually not your Nook. I didn't find any cookies in your dump, though.

  • And basically on the other end, you put a standard adapter, look, I'm using the laser

  • pointer on the screen. I apologize. Right here I can point at this one. Is this

  • better? This is a screen that was used on the corner and draws it on the projector. It's the

  • disclosure. Pay no attention to the man behind the curtain. When you plug this in, it defines the

  • display port to the adapter on the other end and It just passes it through. That's what we've

  • been presenting the whole time. That's why it stopped when I stepped on the power cable.

  • Sorry. I thought I almost blew the cover. So some acknowledgements, this is an

  • incomplete list. Thanks for all the NSA Playset Crew for working together on some awesome talks

  • and working together getting things up there and running. Carsten for his work on

  • inception again he built inception based on many many prior works before his. Again

  • Great Scott Gadgets, thank you motivating me to get it started. Thanks for Dean for telling me,

  • you haven't submitted that to DEF CON yet? I'm like oh I haven't done any work on it yet.

  • Just submit it. You'll get it done. Don't worry. Snare and Sam did a talk just last year using

  • FPGA board, which is basically the exact same thing as this, but you know. It's expensive.

  • And everyone else who I forgot to. And Miles for fixing my ugly software code. So any questions?

  • Applause  ) What's your question? (  Inaudible question  ) >> Did you have a question?

  • Yes? (  Inaudible question  ) >> I don't know anything about the mitigation in Windows 8.1. So

  • the questions are what mitigations are built into Windows 8.1. I don't know. I

  • haven't tried it yet. I haven't tried it with 8.1 before. You want an NSA Playset pin. I'm

  • sorry. >> Anybody that has questions can come to the microphone right here so

  • everybody can hear the question as well. Thank you. >> It doesn't matter what operating

  • system they're running or anything because you don't need any drivers? You just go ahead

  • and plug and play? >> Yeah. No drivers needed unless you've got to figure something out in those

  • Mac versions that we mentioned. >> Is it 4 gigs? Because why isn't it 2 gigs? >> Why 4 gigs?

  • PCIe has 32 bit DMA natively. That's just... >> Can you offset? >> You can offset it.

  • You need to change the DMA offset register which requires some device side drivers or

  • software. Again, you have access to the 40 bits of memory. You can do it with memory and a lot

  • of stuff there and inject whatever code you want and do fun stuff. >> Thanks for doing

  • this. >> We have time for two more questions. >> Did you look into USB DMA 3. >> It will

  • require drivers, though. >> I don't know. Most likely. I don't know. >> I'm more interested in

  • the  ‑ ‑ running the VMs with certain PCIe. Is the information you presented going to be up on

  • your website? >> I'm sorry. I can't really hear everything. >> I'm looking for the information

  • on building external PCIe connected to virtual machines. Have you discussed that a little

  • bit? >> Using the  ‑ ‑ >> Yes. >> Let me just make an announcement. Somebody dropped

  • their iPhone in this section. Everybody please check and make sure you have your iPhone on you

  • if you have such a device. >> I work in building a virtual machine connecting external

  • PCIe. The information you presented, will they be up on the website? >> I'm sorry. I

  • thought  ‑ ‑ I can't hear what you are saying. I'm sorry. Yeah. (  Inaudible question  ) >>

  • We'll talk offline. He wanted to know how to connect external devices to a virtual machine

  • with PCIe. I think we have one more moment. I guess not. No more questions? Okay. ( 

  • Applause  )

A couple of guys are here. I want to stand in front of you and talk about the PCI express.

字幕與單字

單字即點即查 點擊單字可以查詢單字解釋

B1 中級 美國腔

DEF CON 22 - Joe FitzPatrick和Miles Crabill - NSA Playset:PCIe (DEF CON 22 - Joe FitzPatrick and Miles Crabill - NSA Playset: PCIe)

  • 100 3
    Griffin 發佈於 2021 年 01 月 14 日
影片單字