A Hijacker's Guide to the LPC bus
Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE

Motivation
Endpoint security and Trusted Computing
How about resilience against simple hardware attacks?

Trusted Computing in a nutshell
Trusted Computing (TCG-style)
  Trusted Platform Module
    Passive smart-card like component
    Stores and reports “measurement values”
    Platform Configuration Registers (PCRs)
  Roots-of-Trust for Measurement
    Submit measurements to the TPM
    Construct a “chain of measurements”

Chain of Trust (static)
“Measure before execute”
Platform Configuration Registers are not directly modifiable (they can only be extended)
[Figure, built up over four slides: along a time axis the BIOS CRTM, the boot loader, the OS and the trusted application are each extended into the TPM PCR. The “Good OS” is labelled “Safe harbor of trust”; the “Evil OS” is labelled “Unknown dangers lurk here”.]

Late-Launch (D-RTM)
“From untrusted to trusted”
Objective: Establish one good measurement and “late-launch” trusted code
Trigger the late launch sequence
  Trusted microcode inside the CPU takes over control
Reset special purpose “D-RTM” PCRs
  CPU sends a special command to tell the TPM about the late-launch event
Measure and execute trusted code
Transition “from untrusted to trusted” is complete
[Figure, built up over five slides: along a time axis an application of unknown trustworthiness (“To trust or not to trust?”) runs on the CPU, trusted CPU microcode takes over, the TPM PCR is reset and then extended with the trusted code; the trusted code is labelled “Safe harbor of trust”.]

“The desktop PC”
Claim: We can't trust the software on this platform. There is no way to tell which software is running.
[Figure: block diagram with Main CPU, Memory Hub (Northbridge) with RAM, I/O Hub (Southbridge), Flash BIOS, and Super I/O Controller with keyboard, mouse and floppy drive.]

“The trusted desktop PC”
Claim: We can trust the platform to tell us reliably which software is running.
(It is still up to us if we trust the software itself ...)
[Figure: the same block diagram with a TPM added at the I/O Hub (Southbridge); legend: “(at least partially) Trusted System Component”.]

TPM's view of a “Late-Launch”
TPM register writes pass through the North- and South-bridges to the LPC bus and the TPM.
[Figure, built up over two slides: Main CPU (microcode), Memory Hub (Northbridge) with RAM, I/O Hub (Southbridge) and TPM; the second build labels the “Low Pin Count (LPC) bus”.]
Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 16 TPM's view of the “Late Launch”
Start of Late Launch Sequence (Dummy write to TPM_HASH_START register)
Trusted code is sent to the TPM for measurement I/O Hub (Multiple writes to TPM_HASH_DATA register) (Southbridge) TPM
CPU signals that the trusted code is being invoked (Dummy write to TPM_HASH_END register)
Unencrypted and Unauthenticated LPC Bus Traffic
Main CPU Late Launch Microcode

Local adversaries
Dishonest employee
  Leak/steal protected information ...
  Circumvent software policies ...
Malicious end-user
  Defeat Digital Rights Management ...
Curious researcher (e.g. me)
  Interested in why things work and how they break ...

What is a simple hardware attack?
“... What is the definition of a simple hardware attack? ... Going to a local electronic store, purchasing twenty dollars worth of parts, putting the parts together and defeating the […] protection is a simple hardware attack. ...” [David Grawrock; “Dynamics of a Trusted Platform”, Intel Press, 2009, p. 132]

Why we can't simulate the “Late-Launch” in software …
TPM Localities
  Simple hardware based mechanism to signal origin of a TPM transaction
Locality 4 – Trusted Hardware (D-RTM)
  Only usable by the late launch CPU microcode
  Illegal access attempts are filtered by the Southbridge
  D-RTM related TPM registers are only accessible by locality 4
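
What the TPM can and cannot observe of the late-launch register writes and the locality check described above, as an added Python sketch (not code from the talk). It assumes the TCG PC Client behaviour for TPM 1.2 (PCR 17 as D-RTM PCR, all-ones start value, SHA-1 extend) and the TIS register offsets; TpmModel and late_launch are hypothetical names.

```python
import hashlib

# Assumptions (TCG PC Client profile for TPM 1.2, not stated on the slides):
# PCR 17 is the D-RTM PCR, resettable PCRs power up as all ones, extend is
# SHA-1, and the locality-4 register offsets are those of the TIS spec.
HASH_END, HASH_DATA, HASH_START = 0x020, 0x024, 0x028
ZEROS, ONES = b"\x00" * 20, b"\xff" * 20

class TpmModel:
    """Hypothetical, simplified TPM: only PCR 17 and the HASH_* registers."""

    def __init__(self):
        self.pcr17 = ONES
        self._hash = None

    def extend(self, digest):
        # The only software-reachable update: PCR = SHA1(PCR || digest).
        self.pcr17 = hashlib.sha1(self.pcr17 + digest).digest()

    def bus_write(self, address, data):
        # All the TPM receives is a 16-bit address and a data byte; nothing
        # in the cycle identifies which device drove the bus.
        locality, reg = address >> 12, address & 0xFFF
        if locality != 4:
            return False                      # HASH_* exist at locality 4 only
        if reg == HASH_START:
            self.pcr17, self._hash = ZEROS, hashlib.sha1()
        elif HASH_DATA <= reg <= HASH_DATA + 3 and self._hash is not None:
            self._hash.update(bytes([data]))
        elif reg == HASH_END and self._hash is not None:
            self.extend(self._hash.digest())
            self._hash = None
        else:
            return False
        return True

def late_launch(tpm, code, locality=4):
    """Replay the three-step sequence from the slide as raw bus writes."""
    base = locality << 12
    ok = tpm.bus_write(base | HASH_START, 0)
    for byte in code:
        ok = tpm.bus_write(base | HASH_DATA, byte) and ok
    ok = tpm.bus_write(base | HASH_END, 0) and ok
    return ok, tpm.pcr17

CODE = b"constructed stand-in for the trusted code image"
```

In this model a plain extend can never reproduce the late-launch value because it cannot reset the PCR to zero, and the resulting PCR depends only on the address and data bytes that arrive at locality 4.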

A sneak peek at the LPC bus
Low Pin Count Bus
  Low-bandwidth devices (Super I/O chip, TPM)
  Minimal configuration: 7 bus wires
    1x Clock, 1x Reset, 1x Start-of-Frame, 4x Address/Data
Weakest (hardware) link between CPU and TPM
  Low clock speed (33 MHz)
  Few bus lines (= fewer probe wires)
  No checksums/authentication/encryption
Two interesting types of LPC bus cycles
Memory write cycle
  START | CTDIR | 32-bit Address | 8-bit Data | TAR | SYNC
TPM write cycle
  START | CTDIR | 16-bit Address | 8-bit Data | TAR | SYNC
  16-bit Address = 4-bit Locality + 12-bit Register
[Figure legend for the cycle fields: Defined by the LPC bus specification; (At least partially) controlled by the attacker; Protected by trusted hardware (Southbridge)]
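
A decoder for the two cycle layouts above, as an added Python example for reading a captured bus trace (not code from the talk). The START and CTDIR encodings and the nibble ordering are taken from the Intel LPC Interface Specification and the register offsets from the TCG TIS specification, which the slides do not spell out; the sample cycles are constructed.

```python
# Field encodings follow the Intel LPC Interface Specification and the TCG
# TIS register offsets (assumptions here; the slides give only field widths).
START_MEM, START_TPM = 0x0, 0x5
CTDIR_IO_WRITE, CTDIR_MEM_WRITE = 0x2, 0x6
HASH_REGS = {0x020: "TPM_HASH_END", 0x024: "TPM_HASH_DATA",
             0x028: "TPM_HASH_START"}

def decode_write(nibbles):
    """Decode one write cycle from LAD[3:0] samples, one nibble per clock,
    beginning with the START nibble latched under the frame signal."""
    if len(nibbles) < 2:
        raise ValueError("truncated cycle")
    start, ctdir = nibbles[0], nibbles[1]
    if (start, ctdir) == (START_TPM, CTDIR_IO_WRITE):
        kind, addr_len = "tpm", 4             # 16-bit address
    elif (start, ctdir) == (START_MEM, CTDIR_MEM_WRITE):
        kind, addr_len = "memory", 8          # 32-bit address
    else:
        raise ValueError("not a memory or TPM write cycle")
    body = nibbles[2:2 + addr_len + 2]
    if len(body) != addr_len + 2 or any(not 0 <= n <= 0xF for n in body):
        raise ValueError("truncated or malformed cycle")
    address = 0
    for n in body[:addr_len]:                 # address: high nibble first
        address = (address << 4) | n
    data = body[addr_len] | (body[addr_len + 1] << 4)  # data: low nibble first
    cycle = {"kind": kind, "address": address, "data": data}
    if kind == "tpm":
        reg = address & 0xFFF
        cycle["locality"] = address >> 12
        cycle["register"] = HASH_REGS.get(reg, hex(reg))
    return cycle

def locality4_writes(captured):
    """Return the decoded locality-4 TPM writes from a list of raw cycles."""
    return [c for c in map(decode_write, captured)
            if c["kind"] == "tpm" and c["locality"] == 4]

# Constructed samples: START, CTDIR, address, data, TAR (0xF, 0xF), SYNC.
TPM_WRITE = [0x5, 0x2, 0x4, 0x0, 0x2, 0x4, 0xB, 0xA, 0xF, 0xF, 0x0]
MEM_WRITE = [0x0, 0x6, 0x0, 0x0, 0x0, 0xF, 0x1, 0x2, 0x3, 0x4,
             0xA, 0x5, 0xF, 0xF, 0x0]
```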

Memory vs. TPM bus cycles
Memory write cycles
  Easy to generate in software (<50 LOC C program)
  Get root access on the target machine
Comparison memory vs. TPM cycles:
[Figure: timing diagram along a time axis, both cycles aligned at Start of Frame.
  Memory write: START | CTDIR | 32-bit Address | 8-bit Data | TAR | SYNC
  TPM write:    START | CTDIR | 16-bit Address | 8-bit Data | TAR | SYNC]

A time-shift experiment
Assume that we have two independent cycles
  One Memory cycle starting at time zero
  One TPM cycle starting a little bit later
[Figure: timing diagram along a time axis; each cycle has its own Start of Frame and the TPM write starts later than the memory write.
  Memory write: START | CTDIR | 32-bit Address | 8-bit Data | TAR | SYNC
  TPM write:    START | CTDIR | 16-bit Address | 8-bit Data | TAR | SYNC]

Hijacking the memory cycle
We can hijack a memory cycle ...
… and piggy-back an arbitrary TPM cycle.
  We feed the TPM with a modified frame signal
  Hardware filter in the Southbridge does not detect us
[Figure: timing diagram along a time axis. “Start of Frame (Southbridge)” begins the memory write; after an “Attacker-created delay”, “Start of Frame (to TPM)” begins what the TPM sees as a TPM write. Annotation: “Locality is under full control of the attacker”.]

Hijacking the bus in theory ...
Minimal hardware modifications
  Tap the address/data lines (two are strictly required)
  Break the original frame signal path anywhere along its way to the TPM
[Figure: block diagram with Main CPU, Memory Hub (Northbridge) with RAM, I/O Hub (Southbridge), TPM and Hijacker Device; labels: “Multiplexed Address/Data Lines”, “Original frame signal”.]

… and in practice! (Lab setup)
[Photo labels: PC Southbridge Simulator; TPM v1.2 daughterboard; LPC bus hijacking device]

… and potential victim platforms
AMD processor with TPM on a daughter-board
Intel processor with fixed TPM (not shown here)

… LPC bus probing experiment
“Dead Bug” probe wires on top of a flash memory chip
Work time: ~45 min
  Disassemble
  Solder probes
  Install evil hardware
  Reassemble
Investigates feasibility of bus probing approach

… testing the hijacker device
Test setup on an old development board with TPM daughter-board.
Work time: ~15 min
  Disassemble
  Install T-adapter
  Install hijacker
  Reassemble
In-system operation of the hijacker

Impact
Simulated late launch (“Untrusted to untrusted”)
  TPM's view of the platform state got corrupted
PCRs no longer reflect the actual platform state ...
[Figure: late-launch timeline in which a Hijacker Device (LPC bus modification) takes the place of the trusted CPU microcode for the PCR reset and extend; the “Evil App” (“To trust or not to trust?”) is labelled “HIC SUNT DRAGONES”.]

Impact
Construction of fake measurement values
  Static RTM (via “TPM reset attack”)
    Described independently by Kauer and Sparks
  Use LPC bus hijacking to simulate a D-RTM
    Introduced in our paper
There is currently no simple way for a verifier to distinguish fake measurements constructed in this manner from real measurements done on the same TPM.

Lessons learned
Attack resilience of “trusted” PC platforms
  TPM is a hard target
  CPU and microcode are hard targets
Trusted PC platforms are (still) weak targets for attackers with physical access
Never trust a remote endpoint …
… even if it has a TPM

Bill of materials
Testing equipment (hardware)
  ~15€ TPM daughter-board (from Amazon)
  ~450€ Spartan-3A DSP 1800 board (used as South-bridge simulator, from Avnet)
Attack equipment (hardware)
  ~10€ Breadboards, wires, resistors, etc.
  ~70€ Spartan-3E 100 board (used as hijacker device, from Avnet)
Software
  0€ GNU VHDL simulator (GHDL)
  0€ Xilinx ISE WebPack software (and Xilinx EDK evaluation license)

Acknowledgements
The FP7 SEPIA project is co-financed by the EC under the contract number 257433.
If you need further information, please visit our website www.sepia-project.eu.