A Hijacker's Guide to the LPC bus IAIK/EUROPKI2011/HIJACKER'S GUIDE 1

Transcription

1 A Hijacker's Guide to the LPC bus IAIK/EUROPKI2011/HIJACKER'S GUIDE 1

2 Motivation Endpoint security and Trusted Computing How about resilience against simple hardware attacks? IAIK/EUROPKI2011/HIJACKER'S GUIDE 2

3 Trusted Computing in a nutshell Trusted Computing (TCG-style) Trusted Platform Module Passive smart-card like component Stores and reports measurement values Platform Configuration Registers (PCRs) Roots-of-Trust for Measurement Submit measurements to the TPM Construct a chain of measurements IAIK/EUROPKI2011/HIJACKER'S GUIDE 3

4 Chain of Trust (static) Measure before execute Platform Configuration Register are not directly modifiable (the can only be extended) BIOS CRTM TPM PCR 23 Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 4

5 Chain of Trust (static) Measure before execute Platform Configuration Register are not directly modifiable (the can only be extended) BIOS CRTM Boot Loader TPM PCR extend Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 5

6 Chain of Trust (static) Measure before execute Platform Configuration Register are not directly modifiable (the can only be extended) Evil OS Unknown dangers lurk here BIOS CRTM Boot Loader Good OS Safe harbor of trust TPM PCR extend extend Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 6

7 Chain of Trust (static) Measure before execute Platform Configuration Register are not directly modifiable (the can only be extended) Evil OS Unknown dangers lurk here BIOS CRTM Boot Loader Trusted App. Good OS Safe harbor of trust TPM PCR extend extend extend Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 7

8 Late-Launch (D-RTM) From untrusted to trusted Objective: Establish one good measurement and late-launch trusted code To trust or not to trust? App. CPU TPM PCR?? Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 8

9 Late-Launch (D-RTM) Trigger the late launch sequence Trusted microcode inside the CPU takes over control To trust or not to trust? App. CPU Trusted Microcode TPM PCR?? Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 9

10 Late-Launch (D-RTM) Reset special purpose D-RTM PCRs CPU sends a special command to tell the TPM about the late-launch event To trust or not to trust? App. CPU Trusted Microcode TPM PCR?? reset 00 Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 10

11 Late-Launch (D-RTM) Measure and execute trusted code To trust or not to trust? App. Trusted Code CPU Trusted Microcode TPM PCR?? reset extend Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 11

12 Late-Launch (D-RTM) Transition from untrusted to trusted is complete To trust or not to trust? App. Trusted Code Safe harbor of trust CPU Trusted Microcode TPM PCR?? reset extend extend Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 12

13 The desktop PC RAM RAM RAM Memory Hub (Northbridge) Main CPU Keyboard Mouse Flash BIOS Super I/O Controller I/O Hub (Southbridge) Claim: We can't trust the software on this platform. There is no way to tell which software is running. Floppy Drive IAIK/EUROPKI2011/HIJACKER'S GUIDE 13

14 The trusted desktop PC RAM RAM RAM Memory Hub (Northbridge) Main CPU Flash BIOS TPM I/O Hub (Southbridge) Claim: We can trust the platform to tell us reliably which software is running. Keyboard Mouse Floppy Drive Super I/O Controller (It is still up to us if we trust the software itself...) (at least partially) Trusted System Component IAIK/EUROPKI2011/HIJACKER'S GUIDE 14

15 TPM's view of a Late-Launch RAM RAM RAM Memory Hub (Northbridge) Main CPU Microcode TPM I/O Hub (Southbridge) TPM register writes pass through the North- and South-bridges to the LPC bus and the TPM. IAIK/EUROPKI2011/HIJACKER'S GUIDE 15

16 TPM's view of a Late-Launch RAM RAM RAM Memory Hub (Northbridge) Main CPU Microcode TPM I/O Hub (Southbridge) TPM register writes pass through the North- and South-bridges to the LPC bus and the TPM. Low Pin Count (LPC) bus IAIK/EUROPKI2011/HIJACKER'S GUIDE 16

17 TPM's view of the Late Launch Start of Late Launch Sequence (Dummy write to TPM_HASH_START register) I/O Hub (Southbridge) Trusted code is sent to the TPM for measurement (Multiple writes to TPM_HASH_DATA register) TPM CPU signals that the trusted code is being invoked (Dummy write to TPM_HASH_END register) Unencrypted and Unauthenticated LPC Bus Traffic Main CPU Late Launch Microcode IAIK/EUROPKI2011/HIJACKER'S GUIDE 17

18 Local adversaries Dishonest employee Leak/steal protected information... Circumvent software policies... Malicious end-user Defeat Digital Rights Management... Curious researcher (e.g. me) Interested in why things work and how they break... IAIK/EUROPKI2011/HIJACKER'S GUIDE 18

19 What is a simple hardware attack?... What is the definition of a simple hardware attack?... Going to a local electronic store, purchasing twenty dollars worth of parts, putting the parts together and defeating the [ ] protection is a simple hardware attack.... [David Grawrock; Dynamics of a Trusted Platform, Intel Press, 2009, p. 132] IAIK/EUROPKI2011/HIJACKER'S GUIDE 19

20 Why we can't simulate the Late-Launch in software TPM Localities Simple hardware based mechanism to signal origin of a TPM transaction Locality 4 Trusted Hardware (D-RTM) Only usable by the late launch CPU microcode Illegal access attempts are filtered by the Southbridge D-RTM related TPM registers are only accessible by locality 4 IAIK/EUROPKI2011/HIJACKER'S GUIDE 20

21 A sneak peek at the LPC bus Low Pin Count Bus Low-bandwidth devices (Super I/O chip, TPM) Minimal configuration: 7 bus wires 1x Clock, 1x Reset, 1x Start-of-Frame, 4x Address/Data Weakest (hardware) link between CPU and TPM Low clock speed (33 MHz) Few bus lines (= fewer probe wires) No checksums/authentication/encryption IAIK/EUROPKI2011/HIJACKER'S GUIDE 21

22 A sneak peek at the LPC bus Two interesting types of LPC bus cycles Memory write cycle START CTDIR 32-bit Address 8-bit Data TAR SYNC TPM write cycle START CTDIR 16-bit Address 8-bit Data TAR SYNC 4-bit Locality 12-bit Register Defined by the LPC bus specification (At least partially) controlled by the attacker Protected by trusted hardware (Southbridge) IAIK/EUROPKI2011/HIJACKER'S GUIDE 22

23 Memory vs. TPM bus cycles Memory write cycles Easy to generate in software (<50 LOC C program) Get root access on the target machine Comparison memory vs. TPM cycles: Start of Frame Memory write START CTDIR 32-bit Address 8-bit Data TAR SYNC TPM write START CTDIR 16-bit Address 8-bit Data TAR SYNC Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 23

24 A time-shift experiment Assume that we have two independent cycles One Memory cycle starting at time zero One TPM cycle starting a little bit later Start of Frame Memory write START CTDIR 32-bit Address 8-bit Data TAR SYNC Start of Frame TPM write START CTDIR 16-bit Address 8-bit Data TAR SYNC Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 24

25 Hijacking the memory cycle We can hijack a memory cycle... and piggy-back an arbitrary TPM cycle. We feed the TPM with a modified frame signal Hardware filter in the Southbridge does not detect us Attacker-created delay Start of Frame (Southbridge) Memory write START CTDIR 32-bit Address 8-bit Data TAR SYNC Start of Frame (to TPM) TPM write Locality is under full control of the attacker START CTDIR 16-bit Address 8-bit Data TAR SYNC Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 25

26 Hijacking the bus in theory... RAM RAM RAM Memory Hub (Northbridge) Main CPU TPM Multiplexed Address/Data Lines Original frame signal I/O Hub (Southbridge) Minimal hardware modifications Tap the address/data lines (two are strictly required) Break the original frame signal path anywhere along its way to the TPM Hijacker Device IAIK/EUROPKI2011/HIJACKER'S GUIDE 26

27 and in practice! (Lab setup) PC Southbridge Simulator TPM v1.2 daugtherboard LPC bus hijacking device IAIK/EUROPKI2011/HIJACKER'S GUIDE 27

28 and potential victim platforms AMD processor with TPM on a daughter-board Intel processor with fixed TPM (not shown here) IAIK/EUROPKI2011/HIJACKER'S GUIDE 28

29 LPC bus probing experiment Dead Bug probe wires on top of a flash memory chip Work time: ~45 min Disassemble Solder probes Install evil hardware Reassemble Investigates feasibility of bus probing approach IAIK/EUROPKI2011/HIJACKER'S GUIDE 29

30 testing the hijacker device Test setup on an old development board with TPM daughter-board. Work time: ~15 min Disassemble Install T-adapter Install hijacker Reassemble In-system operation of the hijacker IAIK/EUROPKI2011/HIJACKER'S GUIDE 30

31 Impact Simulated late launch ( Untrusted to untrusted ) TPM's view of the platform state got corrupted To trust or not to trust? Evil App HIC SUNT DRAGONES Hijacker Device LPC bus modification PCRs no longer reflect the actual platform state... TPM PCR?? reset extend Time IAIK/EUROPKI2011/HIJACKER'S GUIDE 31

32 Impact Construction of fake measurement values Static RTM (via TPM reset attack ) Described independently by Kauer and Sparks Use LPC bus hijacking to simulate a D-RTM Introduced in our paper There is currently no simple way for a verifier to distinguish fake measurements constructed in this manner from real measurements done on the same TPM. IAIK/EUROPKI2011/HIJACKER'S GUIDE 32

33 Lessons learned Attack resilience of trusted PC platforms TPM is hard target CPU and microcode are hard targets Trusted PC platforms are (still) weak targets for attackers with physical access Never trust a remote endpoint even if it has a TPM IAIK/EUROPKI2011/HIJACKER'S GUIDE 33

34 IAIK/EUROPKI2011/HIJACKER'S GUIDE 34

35 Bill of materials Testing equipment (hardware) ~15 TPM daughter-board (from Amazon) ~450 Spartan-3A DSP 1800 board (used as South-bridge simulator, from Avnet) Attack equipment (hardware) ~10 Breadboards, wires, resistors, etc. ~70 Spartan-3E 100 board (used as hijacker device, from Avnet) Software 0 GNU VHDL simulator (GHDL) 0 Xilinx ISE WebPack software (and Xilinx EDK evaluation license) IAIK/EUROPKI2011/HIJACKER'S GUIDE 35

36 Acknowledgements The FP7 SEPIA project is co-financed by the EC under the contract number If you need further information, please visit our website IAIK/EUROPKI2011/HIJACKER'S GUIDE 36