Co-Processor-Based Behavior Monitoring
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Intel's SL Enhanced Intel486(TM) Microprocessor Family
Intel's SL Enhanced Intel486(TM) Microprocessor Family http://www.intel.com/design/intarch/applnots/7014.htm Intel's SL Enhanced Intel486(TM) Microprocessor Family Intel's SL Enhanced Intel486™ Microprocessor Family Technical Backgrounder June 1993 Intel's SL Enhanced Intel486™ Microprocessor Family With the announcement of the SL Enhanced Intel486™ microprocessor family, Intel Corporation brings energy efficiency to its entire line of Intel486™ microprocessors. SL Technology, originally developed for mobile PCs, now provides superior power-management features for desktop computer systems. Such energy-efficient systems will be designed to meet or exceed the Energy Star guidelines set by the Environmental Protection Agency. The EPA's Energy Star program is aimed at reducing power consumption of desktop computer systems, thereby reducing their impact on the environment. In addition, SL Enhanced Intel486™ microprocessors will enable a new class of notebook systems -- high-performance Intel486™ DX2 CPU-based notebooks with color displays that do not sacrifice battery life. The SL Enhanced Intel486™ microprocessor family is available in a complete range of price/performance, package and voltage options. This flexibility allows PC makers to develop products that meet the mobile and desktop needs of all their customers in the mobile and desktop markets, from low-cost, entry-level Intel486™ SX microprocessor-based systems to high-performance, high-end Intel486™ DX2 microprocessor-based systems. Since the SL Technology in SL Enhanced Intel486™ microprocessors is the same as in Intel SL CPUs, computer manufacturers with prior experience developing systems based on existing SL BIOS will be able to incorporate System Management Mode's (SMM) power-management features into new systems. -
Multiprocessor Initialization of INTEL SOC in Coreboot
Multiprocessor Initialization OF INTEL SOC in Coreboot Pratik Prajapati ([email protected]) Subrata Banik ([email protected]) 1 Agenda • Intel Multiple Processor (MP) Initialization • Coreboot + Intel FSP Boot Flow • Problem with existing model • Solution space • Design • Future Scope 2 Intel Multiple Processor (MP) Initialization • The IA-32 architecture (beginning with the P6 family processors) defines a multiple-processor (MP) initialization protocol called the Multiprocessor Specification Version 1.4. • The MP initialization protocol has the following important features: • It supports controlled booting of multiple processors without requiring dedicated system hardware. • It allows hardware to initiate the booting of a system without the need for a dedicated signal or a predefined boot processor. • It allows all IA-32 processors to be booted in the same manner, including those supporting Intel Hyper-Threading Technology. • The MP initialization protocol also applies to MP systems using Intel 64 processors. • Entire CPU multiprocessor initialization can be divided into two parts – BSP (Boot Strap Processor) Initialization – AP (Application Processor) Initialization Reference: Intel SDM Multiple Processor Init - section 8.4 3 Coreboot + Intel FSP (Firmware support package) Boot Flow Coreboot/BIOS FSP * Coreboot uses its own temp ram init code. 4 Problem Statement with existing model • Background: Coreboot is capable enough to handle multiprocessor initialization on IA platforms. So ideally, CPU features programming can be part of Coreboot MP Init sequence. • But, there might be some cases where certain feature programming can't be done with current flow of MP init sequence. Because, Intel FSP-S has to program certain registers to meet silicon init flow due to SAI (Security Attributes of Initiator) and has to lock other registers before exiting silicon init API. -
Iocheck: a Framework to Enhance the Security of I/O Devices at Runtime
IOCheck: A Framework to Enhance the Security of I/O Devices at Runtime Fengwei Zhang Center for Secure Information Systems George Mason University Fairfax, VA 22030 [email protected] Abstract—Securing hardware is the foundation for implement- Management Mode (SMM), a CPU mode in the x86 archi- ing a secure system. However, securing hardware devices remains tecture, to quickly check the integrity of I/O configurations an open research problem. In this paper, we present IOCheck, and firmware. Unlike previous systems [11], [12], IOCheck a framework to enhance the security of I/O devices at runtime. enumerates all of the I/O devices on the motherboard, and It leverages System Management Mode (SMM) to quickly check checks the integrity of their corresponding configurations and the integrity of I/O configurations and firmware. IOCheck does not rely on the operating system and is OS-agnostic. In our firmware. IOCheck does not rely on the operating system, preliminary results, IOCheck takes 4 milliseconds to switch to which significantly reduces the Trust Computing Base (TCB). SMM which introduces low performance overhead. In addition, IOCheck is able to achieve better performance compared to TXT or SVM approaches. For example, the SMM Keywords—Integrity, Firmware, I/O Configurations, SMM switching time is much faster than the late launch method in Flicker [10], [13]. We will demonstrate that IOCheck is able to check the integrity of array of I/O devices including the BIOS, I. INTRODUCTION IOMMU, network card, video card, keyboard, and mouse. With the increasing complexity of hardware devices, Contributions. The purpose of this work is to make the firmware functionality is expanding, exposing new vulner- following contributions: abilities to attackers. -
Coreboot - the Free Firmware
coreboot - the free firmware vimacs <https://vimacs.lcpu.club> Linux Club of Peking University May 19th, 2018 . vimacs (LCPU) coreboot - the free firmware May 19th, 2018 1 / 77 License This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/. You can find the source code of this presentation at: https://git.wehack.space/coreboot-talk/ . vimacs (LCPU) coreboot - the free firmware May 19th, 2018 2 / 77 Index 1 What is coreboot? History Why use coreboot 2 How coreboot works 3 Building and using coreboot Building Flashing 4 Utilities and Debugging 5 Join the community . vimacs (LCPU) coreboot - the free firmware May 19th, 2018 3 / 77 Index 6 Porting coreboot with autoport ASRock B75 Pro3-M Sandy/Ivy Bridge HP Elitebooks Dell Latitude E6230 7 References . vimacs (LCPU) coreboot - the free firmware May 19th, 2018 4 / 77 1 What is coreboot? History Why use coreboot 2 How coreboot works 3 Building and using coreboot Building Flashing 4 Utilities and Debugging 5 Join the community . vimacs (LCPU) coreboot - the free firmware May 19th, 2018 5 / 77 What is coreboot? coreboot is an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems. As an Open Source project it provides auditability and maximum control over technology. The word ’coreboot’ should always be written in lowercase, even at the start of a sentence. vimacs (LCPU) coreboot - the free firmware May 19th, 2018 6 / 77 History: from LinuxBIOS to coreboot coreboot has a very long history, stretching back more than 18 years to when it was known as LinuxBIOS. -
Embedded Intel486™ Processor Hardware Reference Manual
Embedded Intel486™ Processor Hardware Reference Manual Release Date: July 1997 Order Number: 273025-001 The embedded Intel486™ processors may contain design defects known as errata which may cause the products to deviate from published specifications. Currently characterized errata are available on request. Information in this document is provided in connection with Intel products. No license, express or implied, by estoppel or oth- erwise, to any intellectual property rights is granted by this document. Except as provided in Intel’s Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel retains the right to make changes to specifications and product descriptions at any time, without notice. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an ordering number and are referenced in this document, or other Intel literature, may be obtained from: Intel Corporation P.O. Box 7641 Mt. Prospect, IL 60056-7641 or call 1-800-879-4683 or visit Intel’s web site at http:\\www.intel.com Copyright © INTEL CORPORATION, July 1997 *Third-party brands and names are the property of their respective owners. CONTENTS CHAPTER 1 GUIDE TO THIS MANUAL 1.1 MANUAL CONTENTS .................................................................................................. -
Sok: Hardware Security Support for Trustworthy Execution
SoK: Hardware Security Support for Trustworthy Execution Lianying Zhao1, He Shuang2, Shengjie Xu2, Wei Huang2, Rongzhen Cui2, Pushkar Bettadpur2, and David Lie2 1Carleton Universityz, Ottawa, ON, Canada 2University of Toronto, Toronto, ON, Canada Abstract—In recent years, there have emerged many new hard- contribute to lowering power consumption, which is critical ware mechanisms for improving the security of our computer for resource-constrained devices. systems. Hardware offers many advantages over pure software Furthermore, hardware is the Root of Trust (RoT) [48], as approaches: immutability of mechanisms to software attacks, better execution and power efficiency and a smaller interface it bridges the physical world (where human users reside) and allowing it to better maintain secrets. This has given birth to the digital world (where tasks run as software). To securely a plethora of hardware mechanisms providing trusted execution perform a task or store a secret, the user trusts at least part of environments (TEEs), support for integrity checking and memory the computer hardware. safety and widespread uses of hardware roots of trust. Dedicated hardware security support has seen its prolif- In this paper, we systematize these approaches through the lens eration since the early days of computers. It can take a of abstraction. Abstraction is key to computing systems, and the interface between hardware and software contains many abstrac- straightforward form as discrete components to assist the tions. We find that these abstractions, when poorly designed, can CPU, ranging from the industrial-grade tamper-responding both obscure information that is needed for security enforcement, IBM Cryptocards (e.g., 4758 [37]), Apple’s proprietary secure as well as reveal information that needs to be kept secret, leading enclave processor (SEP [84]) for consumer electronics, to the to vulnerabilities. -
SMM) Xeno Kovah && Corey Kallenberg Legbacore, LLC All Materials Are Licensed Under a Creative Commons “Share Alike” License
Advanced x86: BIOS and System Management Mode Internals System Management Mode (SMM) Xeno Kovah && Corey Kallenberg LegbaCore, LLC All materials are licensed under a Creative Commons “Share Alike” license. http://creativecommons.org/licenses/by-sa/3.0/ ABribuEon condiEon: You must indicate that derivave work "Is derived from John BuBerworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at hBp://opensecuritytraining.info/IntroBIOS.html” 2 System Management Mode (SMM) God Mode AcEvate 3 Batteries Not Included! From http://support.amd.com/us/Processor_TechDocs/24593.pdf 4 System Management Mode (SMM) Overview • Most privileged x86 processor operating mode • Runs transparent to the operating system • When the processor enters SMM, all other running tasks are suspended • SMM can be invoked only by a System Management Interrupt (SMI) and exited only by the RSM (resume) instruction • Intended use is to provide an isolated operating environment for – Power/Battery management – Controlling system hardware – Running proprietary OEM code – etc. (anything that should run privileged and uninterrupted) 5 System Management Mode (SMM) Overview • The code that executes in SMM (called the SMI handler) is instantiated from the BIOS flash • Protecting SMM is a matter of protecting both the active (running) SMRAM address space but also protecting the flash chip from which it is derived – Protect itself (SMBASE (location), SMRAM Permissions) – Write-Protect Flash • So far in our research, only about 5% of SMRAM configurations were directly unlocked and vulnerable to overwrite • However, since > 50% of the BIOS flash chips we've seen are vulnerable, that means > 50% of SMRAM will follow suit 6 System Management Interrupt (SMI) • SMM can only be invoked by signaling a System Management Interrupt (SMI) • SMI’s can be received via the SMI# pin on the processor or through the APIC bus • SMI’s cannot be masked like normal interrupts (e.g. -
Quadcore with Coreboot / Libreboot on the T500 (Hopefully the T400 As Well)
QuadCore with Coreboot / Libreboot on the T500 (hopefully the T400 as well) (Translator’s note: Unfortunately, I couldn’t get pdflatex to compile with images, so here’s the link, I’ll put lines in at least so that you can see where each image goes) I tested the quadcore-mod from here first on a T500 mainboard, but back then, the BIOS did me a great disservice, see here and read the paragraph “Why this can’t be done for the T500 and W500” at the end of the first post. Meanwhile, we got Libreboot for the T500, which is basically Coreboot without BLOBs, i.e. CPU microcode. The code differs from coreboot in certain other aspects, however I don’t know exactly. With the ROMs offered for the T500, Quads don’t work either. Finally, I got to actually using a Pandaboard to debug Libreboot’s boot process with a Quad-core installed. The boot process hangs when the third CPU is to be initialized. Looking at the code, I found out that the kconfig data is built to the original specs. In the case of the T500 (which takes the data from the folder for the T400), the maximum count for the CPU is set to two. I changed the count to 4, generated the ROM again, flashed it –> You got quadcore. Because the current Libreboot version doesn’t support screens larger than 1280x800 with the T500, I had to extract the original VGA-BIOS for the Intel graphics from the original Lenovo BIOS and integrate it instead of the “native VGA init” into the ROM. -
How to Create a Trust Anchor with Coreboot
How to create a trust anchor with coreboot. Trusted Computing vs Authenticated Code Modules Philipp Deppenwiese About myself Member of a hackerspace in germany. 10 years of experience in it-security. Did a lot work on trusted computing and system security at my last job at Rohde and Schwarz Cybersecurity. I am a Gentoo user. Now I am a web developer and system administrator. Basics Important acronyms TPM - Trusted Platform Module TCB - Trusted Computing Base PCR - Platform Conguration Register ACM - Authenticated Code Modules PKI - Public Key Infrastructure TEE - Trusted Execution Environment TPM Trusted Platform Modules are smartcards with extra feature set. Version 1.2 and 2.0 are out. www.trustedcomputinggroup.org does the specication and compliance. The authorization is done via ownership model. User can own the TPM. A TPM is always passive and not active ! TPM 1.2 Created for Digital Rights Management but never used for it. Huge portests in the internet done by the FSF. TCG stepped back and modied the specication in order to provide an ownership model, DAA and revokable Endorsement Key in order to stop identication and provide full control. Algorithm sizes are limited RSA-2048 and SHA-1. There is one open source software stack. TPM 1.2 TPM 2.0 Mainly build for Microsoft! Compliance testsuite and everything else was designed for Windows usage only. Specication was removed shortly after it appeared. You can't nd it on the internet. Supports modern cryptographic algorithms. TPM 2.0 Two software stacks. IBM and Intel. TPM architecture/hierachy got much more complex. Protected against bus attacks by having DH key exchange to establish a secure connection. -
Hardware-Assisted Rootkits: Abusing Performance Counters on the ARM and X86 Architectures
Hardware-Assisted Rootkits: Abusing Performance Counters on the ARM and x86 Architectures Matt Spisak Endgame, Inc. [email protected] Abstract the OS. With KPP in place, attackers are often forced to move malicious code to less privileged user-mode, to ele- In this paper, a novel hardware-assisted rootkit is intro- vate privileges enabling a hypervisor or TrustZone based duced, which leverages the performance monitoring unit rootkit, or to become more creative in their approach to (PMU) of a CPU. By configuring hardware performance achieving a kernel mode rootkit. counters to count specific architectural events, this re- Early advances in rootkit design focused on low-level search effort proves it is possible to transparently trap hooks to system calls and interrupts within the kernel. system calls and other interrupts driven entirely by the With the introduction of hardware virtualization exten- PMU. This offers an attacker the opportunity to redirect sions, hypervisor based rootkits became a popular area control flow to malicious code without requiring modifi- of study allowing malicious code to run underneath a cations to a kernel image. guest operating system [4, 5]. Another class of OS ag- The approach is demonstrated as a kernel-mode nostic rootkits also emerged that run in System Manage- rootkit on both the ARM and Intel x86-64 architectures ment Mode (SMM) on x86 [6] or within ARM Trust- that is capable of intercepting system calls while evad- Zone [7]. The latter two categories, which leverage vir- ing current kernel patch protection implementations such tualization extensions, SMM on x86, and security exten- as PatchGuard. -
80486DX2-66-Intel-Datasheet-7086155.Pdf
Distributed by: www.Jameco.com ✦ 1-800-831-4242 The content and copyrights of the attached material are the property of its owner. EMBEDDED IntelDX2™ PROCESSOR ■ Integrated Floating-Point Unit ■ SL Technology ■ Speed-Multiplying Technology ■ Data Bus Parity Generation and Checking ■ 32-Bit RISC Technology Core ■ Boundary Scan (JTAG) ■ 8-Kbyte Write-Through Cache ■ 3.3-Volt Processor, 50 MHz, 25 MHz CLK ■ Four Internal Write Buffers — 208-Lead Shrink Quad Flat Pack (SQFP) ■ ■ Burst Bus Cycles 5-Volt Processor, 66 MHz, 33 MHz CLK — 168-Pin Pin Grid Array (PGA) ■ Dynamic Bus Sizing for 8- and 16-bit Data Bus Devices ■ Binary Compatible with Large Software Base 64-Bit Interunit Transfer Bus 32-Bit Data Bus Core CLK Clock Clock 32-Bit Data Bus Multiplier Linear Address 32 PCD PWT Bus Interface Barrel Base/ Segmentation 2 A31-A2 Shifter Index Unit Paging Cache Unit 32 Address BE3#- BE0# Bus Unit 20 Drivers Register 32 Descriptor File Registers Physical 8 Kbyte Write Buffers Address 32 4 x 32 Translation Cache ALU Limit and D31-D0 Attribute PLA Lookaside Data Bus Buffer 32 Transceivers Bus Control ADS# W/R# D/C# M/IO# PCD PWT RDY# LOCK# 128 PLOCK# BOFF# A20M# Displacement Bus BREQ HOLD HLDA RESET SRESET INTR 32 NMI SMI# SMIACT# Prefetcher FERR# IGNNE# Micro- STPCLK# Instruction Request Sequencer 32-Byte Code BRDY# BLAST# Queue Burst Bus Code Control Stream 2x16 Bytes Floating Control & Instruction Bus Size BS16# BS8# 24 Point Unit Protection Decode Control Test Unit Cache KEN# FLUSH# Floating Decoded AHOLD EADS# Control Instruction Control Point Path Register File ROM Parity DP3-DP0 PCHK# Generation and Control Boundary TCK TMS TDI TD0 Scan Control A3223-01 Figure 1. -
Coreboot on RISCV Ron Minnich, Google Thanks to Stefan Reinauer, Duncan Laurie, Patrick Georgi,
coreboot on RISCV Ron Minnich, Google Thanks to Stefan Reinauer, Duncan Laurie, Patrick Georgi, ... Overview ● What firmware is ● What coreboot is ● Why we want it on RISCV ● History of the port ● Structure of the port ● Status ● Lessons learned Firmware, 1974-present, always-on ● Bottom half of the operating system ● Provided an abstract interface (Basic Input Output System, or Platform-independent code, BIOS) to top half loaded from (e.g.) floppy, ● Supported DOS, CP/M, etc. tape, etc. ● Sucked Platform code, on EEPROM ○ Slow or similar ○ No easy bugfix path ○ Not SMP capable Firmware, 1990-2005, “Fire and Forget” ● Just set up bootloader and get out of the way ● Set all the stuff kernels can’t do Linux ○ Magic configuration, etc. ○ Even now, Linux can not do most of what this code does Platform code, get DRAM going, set naughty bits, load ● LinuxBIOS is one example kernel, please go away ● 2000: boot complex server node to Linux in 3 seconds ● 2015: EFI can do the same in 300 seconds Firmware, 2005-present, “The Empire Strikes Back” ● Kernel is Ring 0 ● Hypervisor is Ring -1 ● Firmware is Ring -2 ● Firmware gets hardware going Platform-independent code ● But never goes away ● Sucks Platform code, on EEPROM ○ Slow or similar ○ No easy bugfix path ○ Not SMP capable on x86 ● This model is even being pushed for ARM V8 ○ :-( Why don’t we (ok, I) like persistent firmware? ● It’s just another attack vector ○ Indistinguishable from persistent embedded threat ○ Is the code an exploit or … ○ Not necessary in an open source world ○ Main function