Hardware Exploitation
compass-security.com · 2019. 5. 24.
Ring -1, -2, -3
Exploiting Ring <0
“Replace Your Exploit-Ridden Firmware with Linux - Ronald Minnich, Google”
Ring -1, -2, -3
▪ Ring -1: Hypervisor
  ▪ ESX, Hyper-V, Xen, etc.
  ▪ Makes it possible to run multiple kernels (VMs) at the same time
▪ Ring -2: SMM
  ▪ System Management Mode
  ▪ 16-bit mode
  ▪ Handling of interrupts
▪ Ring -3: Intel ME
  ▪ Management Engine
  ▪ Separate microprocessor (!)
  ▪ Works even when the computer is off
  ▪ Has its own TCP/IP stack
  ▪ Minix OS
  ▪ Access to the screen (KVM)
  ▪ Intel AMT
Intel ME
https://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2017-5689-intel-management-engine-vulnerability/
Intel ME / AMT Bug
Using a web-based control panel, accessible on ports 16992 and 16993, which comes pre-installed on the chipset, an administrator can remotely manage a system.
The Intel AMT Web Interface works even when the system is turned off, as long as the platform is connected to line power and a network cable, as it operates independently of the operating system.
To exploit this logical flaw in the Intel AMT Web Interface, all an unauthorized attacker needs to do is send nothing (null) in user_response to the server.
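The null-response flaw quoted above, modelled in Python as an added example (this is not code from the slides, from Intel or from the Trend Micro post). The slide only says the response is empty; the mechanism modelled here, that the server compared its expected digest against the client-supplied value for only as many bytes as the client sent (a strncmp-style check), is my assumption drawn from public analyses of CVE-2017-5689. The realm, nonce and credentials are constructed. The vulnerable verifier is shown next to the fixed one so the difference in the comparison is visible:

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo values: not real AMT credentials, realm or nonce.
REALM = "Digest:EXAMPLE"
NONCE = "0123456789abcdef"
CREDENTIALS = {"admin": "correct horse battery staple"}


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest without qop: response = MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def parse_authorization(header: str) -> Optional[dict]:
    """Minimal parser for 'Digest k="v", k2=v2' headers; None if not Digest."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def verify_vulnerable(expected: str, user_response: str) -> bool:
    """Assumed flaw: the comparison length comes from the CLIENT-supplied
    response. An empty response compares zero bytes and therefore 'matches';
    any correct prefix of the digest passes as well."""
    n = len(user_response)
    return expected[:n] == user_response


def verify_fixed(expected: str, user_response: str) -> bool:
    """Full-length, constant-time comparison: the length is dictated by the
    server-side expected value, so a short or empty response cannot pass."""
    return hmac.compare_digest(expected.encode(), user_response.encode())


def authenticate(header: str, verify) -> bool:
    """Authenticate one GET request given an Authorization header and a verifier."""
    fields = parse_authorization(header)
    if fields is None:
        return False
    user = fields.get("username", "")
    password = CREDENTIALS.get(user)
    if password is None or fields.get("nonce") != NONCE:
        return False
    expected = digest_response(user, password, "GET", fields.get("uri", "/"), NONCE)
    return verify(expected, fields.get("response", ""))


def demo() -> dict:
    """Run a legitimate, an empty and a wrong response through both verifiers."""
    good = digest_response("admin", CREDENTIALS["admin"], "GET", "/index.htm", NONCE)
    legit = (f'Digest username="admin", realm="{REALM}", nonce="{NONCE}", '
             f'uri="/index.htm", response="{good}"')
    empty = legit.replace(f'response="{good}"', 'response=""')
    wrong = legit.replace(good, "0" * 32)
    return {
        "legit_vulnerable": authenticate(legit, verify_vulnerable),
        "legit_fixed": authenticate(legit, verify_fixed),
        "empty_vulnerable": authenticate(empty, verify_vulnerable),
        "empty_fixed": authenticate(empty, verify_fixed),
        "wrong_fixed": authenticate(wrong, verify_fixed),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} -> {'authenticated' if ok else 'rejected'}")
```

The defensive lesson is in `verify_fixed`: the number of bytes compared must never be derived from attacker-controlled input, and the comparison should be constant-time. The same review question (who decides the length?) applies to any native `strncmp`/`memcmp` credential check in firmware or management interfaces.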
Non Intel/AMD/ARM
Embedded Systems
Embedded Systems
▪ Non-Linux/Windows systems
▪ ESP8266, RTOS, ESP32, Zephyr, Fuchsia OS (Google), …
▪ Reference:
  ▪ Jos Wetzels
  ▪ http://samvartaka.github.io/work
https://hardwear.io/document/rtos-exploit-mitigation-blues-hardwear-io.pdf
Embedded Systems
The Industrial Internet of Sitting Ducks, Jos Wetzels, Swiss Cyberstorm 2017
https://hardwear.io/document/rtos-exploit-mitigation-blues-hardwear-io.pdf
Embedded Systems
▪ Have their own CPU implementation and instruction set
▪ May or may not have exploit mitigations
  ▪ DEP (CPU + OS)
  ▪ ASLR (OS)
  ▪ Stack canaries (compiler)
▪ May or may not enable them by default
▪ May or may not have to create your own ROP technique (JOP, SOP, …)
▪ Have to create your own shellcode
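A way to answer the "may or may not" questions above for a given firmware image, as an added example (not code from the slides or from any of the referenced talks): a small checksec-style classifier for little-endian ELF64 images that reads the program headers for the NX stack flag and RELRO, the file type for PIE (the precondition for ASLR), and looks for the `__stack_chk_fail` reference that canary instrumentation leaves behind. The sample images are constructed in `build_elf` so the script runs offline; the canary check is a heuristic, and images without any `PT_GNU_STACK` header are reported as executable-stack, which is what Linux assumes for them:

```python
import struct

# ELF constants from the ELF64 specification and the GNU program-header extensions.
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3
EM_AARCH64 = 0xB7

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")         # ELF64 program header, 56 bytes


def checksec(data: bytes) -> dict:
    """Classify an ELF64 image by the mitigations the slide names: DEP/NX
    (PT_GNU_STACK without PF_X), ASLR-capable PIE (ET_DYN), stack canaries
    (reference to __stack_chk_fail), plus RELRO (PT_GNU_RELRO)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx = False      # no PT_GNU_STACK at all: Linux assumes an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,
        # Heuristic: a canary-instrumented binary imports __stack_chk_fail.
        "canary": b"__stack_chk_fail" in data,
        "relro": relro,
    }


def build_elf(e_type: int, stack_flags, relro: bool, canary: bool) -> bytes:
    """Constructed sample image (not real firmware): header, program headers
    and a fake dynamic string table, just enough for checksec() to classify."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    header = EHDR.pack(ident, e_type, EM_AARCH64, 1, 0x1000, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 1) for t, f in phdrs)
    strtab = b"\x00libc.so.6\x00" + (b"__stack_chk_fail\x00" if canary else b"")
    return header + body + strtab


SAMPLES = {  # constructed images covering the cases the slide lists
    "hardened": build_elf(ET_DYN, PF_R | PF_W, relro=True, canary=True),
    "exec-stack": build_elf(ET_EXEC, PF_R | PF_W | PF_X, relro=False, canary=False),
    "no-gnu-stack": build_elf(ET_EXEC, None, relro=False, canary=True),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name:13s} {checksec(image)}")
```

On a real target the same function is applied to the unpacked firmware file (`checksec(open(path, "rb").read())`). A result of all-False is exactly the situation the slide warns about: mitigations are either absent on the platform or not enabled by the build, and the gap has to be closed in the toolchain rather than at runtime.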
Exploiting Broadcom’s Wi-Fi Stack
https://googleprojectzero.blogspot.ch/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Exploiting Broadcom’s Wi-Fi Stack
▪ Exploit for the Broadcom Wi-Fi chip (Nexus 5, 6, 6P, Samsung, iPhones, …)
▪ Via Wi-Fi frames
▪ Heap overflow (heap massage)
▪ After RCE: escalate to the host OS
“We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection.”
https://googleprojectzero.blogspot.ch/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Microcontrollers
ESP8266, ESP32
▪ No real OS (no processes, no filesystem)
▪ One single process; TCP/IP, drivers, etc. are linked in as libraries
▪ Wi-Fi, Bluetooth, …
▪ Stack is not executable (enforced by hardware)
▪ https://def.camp/wp-content/uploads/dc2017/Day%201_Carel%20&%20Philip_xtensa_exploitation_DRAFT.PDF
What about ASA (Cisco)
https://www.youtube.com/watch?v=eDyxBgIUaR8
Attacking Hardware
Local Kernel Exploits - Hardware - Rowhammer
RAM Attack: Rowhammer
Row hammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access. The row hammer effect has been used in some privilege escalation computer security exploits.
▪ Write into other memory cells in RAM (bypasses OS/CPU protection)
▪ Integrity of data not guaranteed
▪ Who is affected? Everyone!
▪ What is the fix?
  ▪ …
Local Kernel Exploits - Hardware - Meltdown/Spectre
▪ Meltdown / Spectre
  ▪ Read memory of the kernel, of other userspace processes, of other VMs, …
  ▪ Confidentiality of “protected” memory pages not guaranteed
  ▪ Stealing encryption keys
  ▪ Bypass kASLR
  ▪ Can be exploited via the browser (JavaScript) (code execution is needed first)
  ▪ Who is affected? Everyone! (Intel, ~AMD, ARM, …)
As expected, there's more! - RIDL/Fallout
As expected, there's more! - RIDL/Fallout
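The defender's first question for the Meltdown/Spectre slide and the RIDL/Fallout (MDS) slides above is which of these a given Linux host is still exposed to. The kernel reports this per issue in `/sys/devices/system/cpu/vulnerabilities/`, one short line per file. The script below, an added example and not part of the slides, parses those lines, flags the entries that still need attention (including the "mitigated but SMT vulnerable" case that is easy to miss), and reports the entries an old kernel does not know about at all. The `SAMPLE` dictionary is constructed so the script runs offline; on a Linux host it reads the live files instead:

```python
from pathlib import Path

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# The entries the slides name: Meltdown, Spectre v1/v2 and the MDS family (RIDL/Fallout).
EXPECTED = ("meltdown", "spectre_v1", "spectre_v2", "mds")


def parse_status(text: str) -> dict:
    """Parse one sysfs entry. The kernel writes a single line of the form
    'Not affected', 'Vulnerable[: detail]', 'Mitigation: detail' or 'Unknown: detail'."""
    line = text.strip()
    if line == "Not affected":
        state, detail = "not_affected", ""
    elif line.startswith("Mitigation:"):
        state, detail = "mitigated", line[len("Mitigation:"):].strip()
    elif line.startswith("Vulnerable"):
        state, detail = "vulnerable", line[len("Vulnerable"):].lstrip(":, ").strip()
    else:
        state, detail = "unknown", line
    # A mitigation can still leave sibling hyperthreads exposed; the kernel says so explicitly.
    return {"state": state, "detail": detail, "smt_vulnerable": "SMT vulnerable" in line}


def assess(files: dict) -> dict:
    """files maps entry name -> file text. Expected entries the kernel never
    reported are recorded as 'unreported' rather than silently passed."""
    report = {name: parse_status(text) for name, text in files.items()}
    for name in EXPECTED:
        report.setdefault(name, {"state": "unreported", "detail": "", "smt_vulnerable": False})
    return report


def findings(files: dict) -> list:
    """Entries that need action: vulnerable, unknown, unreported, or mitigated but SMT-exposed."""
    return sorted(name for name, r in assess(files).items()
                  if r["state"] in ("vulnerable", "unknown", "unreported") or r["smt_vulnerable"])


def read_sysfs(root: str = SYSFS_DIR) -> dict:
    """Read the live sysfs entries; empty dict off-Linux or on kernels without them."""
    path = Path(root)
    if not path.is_dir():
        return {}
    return {f.name: f.read_text() for f in path.iterdir() if f.is_file()}


SAMPLE = {  # constructed sample of what the files can contain
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled\n",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "l1tf": "Not affected\n",
}

if __name__ == "__main__":
    files = read_sysfs() or SAMPLE
    for name, r in sorted(assess(files).items()):
        print(f"{name:12s} {r['state']:12s} {r['detail']}")
    print("needs attention:", findings(files))
```

The `unreported` state matters in practice: a kernel that predates a disclosure has no file for it, and treating "no file" as "not affected" is exactly the wrong default for the slide's point that everyone is affected until proven otherwise.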
Conclusion
Hardware Attacks - Conclusion
▪ x86 hardware has layers we cannot control, and which are insecure
▪ Most embedded platforms are very insecure
▪ Our hardware itself is insecure
▪ Nothing can be trusted
Area41 2014: Halvar Flake: Keynote
Trusting our computers
Area41 2014: Halvar Flake: Keynote
Trusting our computers