Protecting Data In-Use from! Firmware and Physical Attacks

Steve Weis! PrivateCore About Me

• Cryptography & Information Security

• Co-founder & CTO of PrivateCore

• Ex-Google Security

• PhD in crypto

Steve Weis! saweis.net @sweis Today’s Talk Spot the implants

4 NSA ANT

NSA Observer https://nsa-observer.laquadrature.net/ • Targets the BIOS firmware ! • BIOS exploits system management mode (SMM) ! • Infection through a USB stick System Management Mode (SMM)

FigureSystem 11-1.SMRR Management Mapping Mode (SMM) with a Typical Memory Layout

FigureSystem 11-1.SMRR Management Mapping Mode (SMM) with a Typical Memory LayoutTo p of M em o ry ( To M) System Management Mode (SMM)

System ManagementHigh Mode (SMM) Memory

SMRAM + IEDRAM is To p of M em o ry ( To M) mapped byFigure the CS11-1.SMRR Mapping with a Typical Memory Layout as TSEG and in the Figure 11-1.SMRR MappingHigh with aMemory Typical Memory Layout4 GB CPU with the SMRR Figure 11-1.SMRR Mapping with a Typical Memory Layout

System Management Mode SMRAM + IEDRAM is PCI Memory Hole mapped by the CS To p of M em o ry ( To M) as TSEG and in the 4ToTo pGB p p of of M of M em emL o ory o w (ry To M M)( To em M) o ry ( To L M) CPU with the SMRR High Memory PCIIEDRAM Memory Hole SMRAM + IEDRAM is HighHigh Memory Memory G R (4MB Minimum) • “Ring -2”: Highest levelE Rofmapped SMRAMprivilege by + theSMRAM IEDRAM CS + IEDRAM is is To p of L o w M em o ry ( To L M) mapped by the CS IEDBASE = SMRR_PHYSBASE + 4MB S Mas TSEG and in the T mapped byas TSEGthe CS and in the S 4 GBGB CPUas with TSEG the andCPU SMRR within the the SMRR IEDRAM (MUST be aligned on 4MB boundary) G R SMRAM 4 GB E CPUR with the SMRR PCI(4MB MemoryPCI Minimum) Memory Hole Hole S PCI Memory Hole IEDBASE = SMRR_PHYSBASE + 4MB • M To p of L o w M em o ry ( To L M) Installed by BIOS T S (MUSTSMRR_PHYSBASETo p of L be o w alignedM em o ry on( To L4MB= M) ToLM boundary) – TSEG Size SMRAMIEDRAM To p of L o w M em o ry ( To L M) G R (MUST be aligned on 8MB boundary) E R IEDRAM(4MB Minimum) G R S M (4MBIEDRAM Minimum) IEDBASE = SMRR_PHYSBASE + 4MB E G R RT S SMRR_PHYSBASE(MUST be aligned on 4MB = boundary) ToLM – TSEG Size S E M R Low Memory(4MB SMRAMMinimum) IEDBASE = SMRR_PHYSBASE + 4MB T S (MUSTIEDBASE be = alignedSMRR_PHYSBASE on 8MB +boundary) 4MB • SMRAM is not accessible to TOSS M (MUST be aligned on 4MB boundary) S SMRAM SMRR_PHYSBASE(MUST be aligned = ToLM on 4MB– TSEG boundary) Size Low MemorySMRAM (MUST be aligned on 8MB boundary) SMRR_PHYSBASE = ToLM – TSEG Size Low Memory SMRR_PHYSBASE = ToLM – TSEG Size (MUST be aligned on 8MB boundary) • Non-maskable interrupts (SMIs) 1(MUST MB be aligned on 8MB boundary) LowLow Memory Memory Conventional Memory 1 MBMB ConventionalConventional Memory Memory 0 01 MB ConventionalConventional MemoryMemory

0

BIOS Writer’s Guide (BWG) 309

BIOS Writer’s Guide (BWG) 309 BIOS Writer’sBIOS Writer’s Guide Guide (BWG) (BWG) 309309

BIOS Writer’s Guide (BWG) 309 • Infects Juniper firewalls ! • Again, targets the BIOS & SMM ! • Since 2008 & unit cost: $0 ! • Other attacks on Cisco & Huawei • Targets hard drive firmware ! • Corrupted firmware modifies the disk master boot record (MBR) ! • Since 2008 & unit cost: $0 Boot Integrity Attacks

• BIOS / EFI

• Device firmware / Option ROMs

• Master boot records

• Keyboard controllers

• Management engines and controllers • Combined software, firmware, and hardware exploits. ! • Paired with PCI implant device. ! • Persists across OS reinstalls The Notorious Tribble Do-it-Yourself PCIe Attack

• Intelligent Network Adapter

• Boots independently of host

• Exfiltrates data over network Firewire & Thunderbolt Memory Bus Analyzers Cold Boot Attack Non-Volatile RAM

• Contents are saved to flash memory on power loss

• Easily capture crypto keys

• Multiple persistent technologies in the pipeline Defenses and Mitigations Diagnostics Tools

• Flashrom: General purpose tool to read firmware http://flashrom.org

• Intel CHIPSEC: Platform security assessment framework https://github.com/chipsec/chipsec ! • MITRE Copernicus: Extracts BIOS and checks if modifiable Verified Boot

• Root of trust in read-only firmware

• Each step verifies signatures on the next step

• Modifying any part of the boot process invalidates the chain. Trusted Execution Technology

BIOS Option ROMs Firmware and software Platform Config SINIT needed to boot Kernel OS Config

Remote Attest Measure

TPM CPU TXT Attack Vectors

Provenance BIOS Option ROMs Forge? Platform Config SINIT Overflow Kernel OS Config Hash Collision? Spoof CPU

Extract Spoof Paperclip Past Keys TPM Bus CPU Hypothetical Current IOMMU

• Intel VT-D: Virtualization Tech for Directed I/O

• Protects against DMA

• Not universally enabled

B/D/F, Addr CPU I/O Main IOMMU Memory I/O X Registers L3 Cache Memory Disk Software Pinned Encrypted Cryptoprocessor CARMA Pinned Disabled

Frozen Cache No Fill Exposed Encrypted

Tresor Exposed Encrypted

Cryptkeeper Encrypted

Status quo Encrypted Upcoming Technologies Software-Based Attestation

• Typical approach is to measure a performance metric

• Changes in expected code cause measurable difference

• Need to assure device is not being simulated

• One approach is to use HW-rooted key material in device… Enhanced Privacy ID (EPID)

• Successor to Direct Anonymous Attestation (DAA)

• Provides ability for CPU to anonymously sign data.

• Could authenticate CPUs as real, without leaking identity.

• Rooted in globally unique key material in CPU hardware. SGX Programming Environment Software Guard Extensions (SGX) Protected execution environment embedded in a process

• Small, user-mode “secure enclaves” OS Enclave With its own code and data Code Provide Confidentiality Enclave • Fully attested by CPU-based keys Data Enclave Provide integrity Enclave (DLL) With controlled entry points • Backed by fully-encrypted memory. App Data TCS (*n) Supporting multiple threads App Code With full access to app memory • Could be great for DRM User Process Enclave

6 My Wishlist

• A mature SMM transfer monitor (STM) or some other means of isolating the SMM.

• Extended support for hardware-based memory encryption

• A way to provision my own keys into a CPU root of trust

• Finer L3 cache controls, e.g. line locking, coloring, etc. Thank you