Thunderbolts and Lightning: Very Very Frightening

  • Published on
    17-Aug-2015

Transcript

1. SNARE & RZN @ SYSCAN APRIL 2014
   THUNDERBOLTS AND LIGHTNING: VERY, VERY FRIGHTENING

2. Thunderbolts and Lightning Very, Very Frightening
   WHO ARE THESE IDIOTS? (OBLIGATORY INTRO SLIDE)
   • rzn aka Sam
     • PhD student at UoA
     • research into ray-tracing on FPGAs
     • extensive collection of name tags and hair nets
   • snare aka Loukas
     • computer guy at Azimuth Security
     • did some OS X kernel and UEFI firmware stuff one time
     • world's strongest millionaire
     • internet-famous feet

3. WHAT IS THIS TALK ABOUT?
   • Apparently Thunderbolt DMA attacks are totally a thing
   • But we haven't seen a PoC yet
   • And it sounded like fun
   • It's not actually about Lightning (the iDevice connector). Sorry Stefan

4. AGENDA (THINGS WHAT WE IS GOING TO TALK ABOUT)
   • FireWire DMA attacks
   • Thunderbolt
   • How is PCIe formed?
   • What the fuck is an FPGA?
   • Our approach to attacking Thunderbolt
   • Sweet stunt hack demo and stuff
   • Defence

5. FIREWIRE DMA ATTACKS (HIT BY THE SHORT BUS)
   • See Metlstorm's "Hit By A Bus", circa 2006 (Ruxcon)
   • First done by Quinn the Eskimo (Apple awesome dude)
     • Won MacHack 2002 by drawing a screensaver over FireWire!
   • See also Inception, a FireWire DMA tool
   • How does it work?
     • Using SBP-2, the FireWire chipset does DMA R/W on the PCIe bus
     • Stream data out the FW interface

6. FIREWIRE DMA ATTACKS (HIT BY THE SHORT BUS)
   [image only]

7-11. FIREWIRE DMA ATTACKS (HIT BY THE SHORT BUS)
   [diagram: TARGET HOST (MEMORY, MCH, FIREWIRE, PCI EXPRESS) linked over FireWire to ANALYSIS HOST (FIREWIRE, PCI EXPRESS, STORAGE)]
   • Analysis host: "bro, read data at 0xDEADBEA7"
   • Target FireWire chipset: DMA read 0xDEADBEA7
   • Target: "here ya go pal"

12. LIMITATIONS (HIT BY THE SHORT BUS)
   • Obviously requires that there be a FireWire interface
   • 32-bit addressing = only the lower 4GB of RAM
   • On OS X, FireWire DMA is disabled when the screen is locked & FileVault is enabled
     • Kernel tells the FW chipset not to do DMA any more #sadface

13-14. WHAT'S A THUNDERBOLT? (EH?)
   • Thunderbolt == PCIe + DisplayPort + pixie dust!
   • Send DMA requests directly over PCIe?
   [image labelled PIXIE DUST]

15. WHAT'S A THUNDERBOLT? (PICS OR GTFO)
   [image: "Slightly more useful diagram"]

16. THUNDERBOLT DMA THUS FAR (CHEATING WITH FIREWIRE)
   • Thunderbolt DMA
     • Connect a Thunderbolt to FireWire adapter
     • ???
     • Profit
   • Subject to the same limitations as regular FireWire

17-21. HOW IS PCIE FORMED? (WHEN PCI AND PCI-X LOVE EACH OTHER VERY MUCH)
   • Serial point-to-point interconnect
   • A lane consists of a tx and rx differential pair (4 wires per lane)
   • Scalable number of lanes, negotiated at link setup
   • Layered, packet based, transaction protocol
     • Physical layer
     • Data link layer
     • Transaction layer
   • Level sensitive or message signaled interrupts

22. HOW IS PCIE FORMED? (DMA)
   • Four transaction types
     • I/O read/write
     • Configuration read/write
     • Memory read/write
     • Messaging
   • DMA:
     • Configuration write to grant the device bus master
     • Write target address and command to the device
     • Device interrupts when finished

23-28. WTF IS AN FPGA? [1] WIKIPEDIA
   • Field Programmable Gatorade Gate Array
   • Matrix of configurable logic blocks, each containing slices
   • Slice contents are the core of FPGA functionality
     • Look up tables (LUTs)
     • Flip-flops
     • Carry chain
     • Muxes
   • Additional general features: blockRAMs, FIFOs, DSP blocks, clocking resources (PLLs, DCMs)
   • Device specific features: PCIe, Ethernet, DDR2/3
   • Reprogrammable

29. WTF IS AN FPGA? (LUTS LUTS LUTS)
   • A LUT is essentially a 6-input memory, containing the desired output for each set of inputs (addresses)
   • It doesn't matter how simple or complex the function, it is only limited by the inputs
   [figure: logic -> truth table -> LUT; truth table with columns S1 S0 D C B A F; LUT with pins I0 I1 I2 I3 I4 O and INIT=11110F0F0303; mux of A B C D selected by S0 S1 producing F]

30-33. WTF IS AN FPGA? (IT'S ALL ABOUT THE LOLS)
   • Application logic is described in an HDL: Verilog or VHDL
   • You can leave it all to the synthesis tool to infer logic, but it is important to understand how a LUT works
   • Maximum frequency determined by levels of logic
     • A level of logic is the combination of LUT delay and routing delay between two flip-flops
     • LUT delay = static, constant property of the device
     • Routing delay = dynamic, influenced by LUT placement
   • Reduce levels of logic, place LUTs closer together = higher clock frequency

34. [image only]

35-39. MICROBLAZE
   • MicroBlaze is a micro-controller that can be implemented in FPGA logic
   • Interfaces with the AXI bus
     • Standard interface to easily memory map other custom or off-the-shelf IP blocks
   • Code is written in C or C++, compiled with XSDK
   • Really useful for writing control logic
     • Previously you'd write large state machines in HDL
     • Also means noobs (snare) can write code for it
   • Connect it via serial and you can printf debug your logic!

40-42. WTF IS AN FPGA? (BUTT, HOW DO WE DO PCIE?)
   • AXI PCIe core uses FPGA device specific features to implement PCIe
   • Memory mapped to MicroBlaze
     • Read/write to the memory mapped AXI core translates to PCIe read/write TLPs
     • Read/write TLPs from PCIe translate to memory mapped AXI core read/write

43. OUR APPROACH (FAKE IT TILL YOU BREAK IT)
   • Become bus master
   • ???
   • Profit

44-46. The Mathematics of Wonton Burrito Meals
   THUNDERBOLT DMA MEMORY CAPTURE
   [diagram: TARGET HOST (MEMORY, MCH, PCI EXPRESS, THUNDERBOLT) linked over Thunderbolt to ANALYSIS DEVICE (THUNDERBOLT, FPGA, PCI EXPRESS, STORAGE); DMA read @ 0xDEADBEA7]

47. OUR APPROACH (FAKE IT TILL YOU BREAK IT)
   [diagram labels: TARGET HOST, THUNDERBOLT, BPLUS TH05 (DSL2210), PCIE, XILINX SP605 with AXI PCIE CORE, AXI, MICROBLAZE, SERIAL, ANALYSIS HOST]
   • Board circuitry handles the PCIe physical layer
   • AXI PCIe core handles the data link layer
   • We write code for the MicroBlaze that reads and writes to the AXI core

48. ATTACKING A MAC (OK, SO FPGA TALKS PCIe)
   • Phase 1: write our own driver
     • Make the FPGA bus master
     • Tell it what to do!
   • Phase 2: imitate another device
     • Change device id, vendor id in configuration space
     • Trick the OS into loading an existing driver that will make us bus master

49. ATTACKING A MAC (STUNT HACK?!)
   • PoC -...
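The "LUTS LUTS LUTS" slide says a LUT is just a 6-input memory. As an added example (not from the talk), this Python model builds the 64-bit INIT word for any six-input boolean function and evaluates the LUT by addressing it with the input bits; it carries the slide's 4:1 mux of A, B, C, D under selects S0, S1 through to its INIT value. The pin assignment A=I0 … S1=I5 is an assumption, so the resulting INIT differs from the partial value shown in the slide figure.

```python
# A 6-input LUT modelled as what the slide says it is: a 64-entry memory whose
# address is the input vector. Bit k of the INIT word is the output for
# address k, with k = I5<<5 | I4<<4 | I3<<3 | I2<<2 | I1<<1 | I0.
N_INPUTS = 6


def address_bits(addr: int) -> list:
    """Split an address into the input bits I0..I5 (I0 is the LSB)."""
    return [(addr >> i) & 1 for i in range(N_INPUTS)]


def lut_init(func) -> int:
    """Build the INIT word for any boolean function of six inputs."""
    init = 0
    for addr in range(1 << N_INPUTS):
        if func(*address_bits(addr)):
            init |= 1 << addr
    return init


def lut_eval(init: int, *inputs: int) -> int:
    """The LUT 'computes' by reading the INIT bit its inputs address."""
    addr = sum(bit << i for i, bit in enumerate(inputs))
    return (init >> addr) & 1


def lut_matches(func, init: int) -> bool:
    """Exhaustively confirm the table reproduces the function."""
    return all(lut_eval(init, *address_bits(a)) == func(*address_bits(a))
               for a in range(1 << N_INPUTS))


# The slide's figure: a 4:1 multiplexer of A, B, C, D under selects S0, S1.
# Pin assignment is an assumption: A=I0, B=I1, C=I2, D=I3, S0=I4, S1=I5.
def mux4(a: int, b: int, c: int, d: int, s0: int, s1: int) -> int:
    return (a, b, c, d)[(s1 << 1) | s0]


MUX4_INIT = lut_init(mux4)  # 0xFF00F0F0CCCCAAAA under that pin assignment
```

Each 16-bit quarter of the INIT word is one select setting: 0xAAAA passes A (bit 0 of the address), 0xCCCC passes B, 0xF0F0 passes C and 0xFF00 passes D.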
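The DMA slide and the "imitate another device" phase both turn on the PCI configuration-space header: the Command register's Bus Master Enable bit, and the vendor/device IDs a driver matches on. Added here as a defender's example, not code from the talk: a Python decoder for the standard 64-byte type-0 header plus an audit that flags a hot-plugged device whose IDs are off an allowlist or that already has bus mastering enabled before any driver has bound to it. The sample dumps, IDs and allowlist are constructed placeholders; on Linux the real bytes come from /sys/bus/pci/devices/<BDF>/config.

```python
import struct

# Byte offsets in the standard (type-0) PCI/PCIe configuration-space header.
VENDOR_ID, DEVICE_ID, COMMAND, STATUS = 0x00, 0x02, 0x04, 0x06
CLASS_CODE, HEADER_TYPE, SUBSYS_VENDOR = 0x09, 0x0E, 0x2C
BUS_MASTER_ENABLE = 1 << 2  # Command register bit 2: device may initiate DMA


def parse_config_header(cfg: bytes) -> dict:
    """Decode the first 64 bytes of config space (little-endian fields)."""
    if len(cfg) < 64:
        raise ValueError("need the full 64-byte standard header")
    vid, did, cmd, sts = struct.unpack_from("<HHHH", cfg, VENDOR_ID)
    sub_vid, sub_did = struct.unpack_from("<HH", cfg, SUBSYS_VENDOR)
    return {
        "vendor_id": vid,
        "device_id": did,
        "command": cmd,
        "status": sts,
        # prog-if, subclass and base class occupy 0x09..0x0B
        "class_code": int.from_bytes(cfg[CLASS_CODE:CLASS_CODE + 3], "little"),
        "header_type": cfg[HEADER_TYPE] & 0x7F,  # bit 7 is the multifunction flag
        "bus_master": bool(cmd & BUS_MASTER_ENABLE),
        "subsystem": (sub_vid, sub_did),
    }


def audit_device(cfg: bytes, allowlist: set) -> list:
    """Findings for a device that just appeared behind a hot-plug port."""
    h = parse_config_header(cfg)
    ident = (h["vendor_id"], h["device_id"])
    findings = []
    if ident not in allowlist:
        findings.append("vendor/device %04x:%04x not on allowlist" % ident)
    if h["bus_master"]:
        findings.append("bus mastering already enabled: device can issue DMA")
    return findings


def make_header(vid: int, did: int, cmd: int, class_code: int) -> bytes:
    """Constructed sample dump for the example (not captured from hardware)."""
    cfg = bytearray(64)
    struct.pack_into("<HHHH", cfg, VENDOR_ID, vid, did, cmd, 0x0010)
    cfg[CLASS_CODE:CLASS_CODE + 3] = class_code.to_bytes(3, "little")
    return bytes(cfg)


# Placeholder IDs; 0x020000 is the Ethernet-controller class code.
ALLOWLIST = {(0x1234, 0x0001)}
KNOWN_NIC = make_header(0x1234, 0x0001, 0x0002, 0x020000)  # memory space only
STRANGER = make_header(0x1234, 0x00FF, 0x0006, 0x020000)   # unknown id, BME set
```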