A Hijacker's Guide to the LPC bus Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 1 Motivation Endpoint security and Trusted Computing How about resilience against simple hardware attacks? Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 2 Trusted Computing in a nutshell Trusted Computing (TCG-style) Trusted Platform Module Passive smart-card like component Stores and reports “measurement values” Platform Configuration Registers (PCRs) Roots-of-Trust for Measurement Submit measurements to the TPM Construct a “chain of measurements” Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 3 Chain of Trust (static) “Measure before execute” Platform Configuration Register are not directly modifiable (the can only be extended) BIOS CRTM Time TPM PCR 23 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 4 Chain of Trust (static) “Measure before execute” Platform Configuration Register are not directly modifiable (the can only be extended) BIOS Boot CRTM Loader extend Time TPM PCR 23 08 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 5 Chain of Trust (static) “Measure before execute” Platform Configuration Register are not directly modifiable (the can only be extended) Evil Unknown OS dangers lurk here BIOS Boot CRTM Loader Good Safe harbor OS of trust extend extend 47 Time TPM PCR 23 08 15 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 6 Chain of Trust (static) “Measure before execute” Platform Configuration Register are not directly modifiable (the can only be extended) Evil Unknown OS dangers lurk here BIOS Boot Trusted CRTM Loader App. Good Safe harbor OS of trust extend extend extend 47 49 Time TPM PCR 23 08 15 42 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 7 Late-Launch (D-RTM) “From untrusted to trusted” Objective: Establish one good measurement and “late-launch” trusted code To trust or not to App. trust? CPU Time TPM PCR ?? Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 8 Late-Launch (D-RTM) Trigger the late launch sequence Trusted microcode inside the CPU takes over control To trust or not to App. trust? Trusted CPU Microcode Time TPM PCR ?? Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 9 Late-Launch (D-RTM) Reset special purpose “D-RTM” PCRs CPU sends a special command to tell the TPM about the late-launch event To trust or not to App. trust? Trusted CPU Microcode reset Time TPM PCR ?? 00 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 10 Late-Launch (D-RTM) Measure and execute trusted code To trust Trusted App. or not to Code trust? Trusted CPU Microcode reset extend Time TPM PCR ?? 00 42 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 11 Late-Launch (D-RTM) Transition “from untrusted to trusted” is complete To trust Trusted Safe harbor or not to App. Code of trust trust? Trusted CPU Microcode reset extend extend Time TPM PCR ?? 00 42 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 12 “The desktop PC” RAM RAM Memory Hub RAM Main CPU (Northbridge) Flash BIOS Claim: We can't trust the software on this platform. I/O Hub (Southbridge) There is no way to tell which software is running. Keyboard Super I/O Mouse Controller Floppy Drive Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 13 “The trusted desktop PC” RAM RAM Memory Hub RAM Main CPU (Northbridge) Flash BIOS Claim: We can trust the platform to tell us reliably I/O Hub TPM (Southbridge) which software is running. (It is still up to us if we Keyboard Super I/O trust the software itself ...) Mouse Controller Floppy Drive (at least partially) Trusted System Component Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 14 TPM's view of a “Late-Launch” RAM RAM Memory Hub RAM Main CPU (Northbridge) Microcode TPM register writes pass through the North- and I/O Hub TPM (Southbridge) South-bridges to the LPC bus and the TPM. Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 15 TPM's view of a “Late-Launch” RAM RAM Memory Hub RAM Main CPU (Northbridge) Microcode TPM register writes pass through the North- and I/O Hub TPM (Southbridge) South-bridges to the LPC bus and the TPM. Low Pin Count (LPC) bus Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 16 TPM's view of the “Late Launch” Start of Late Launch Sequence (Dummy write to TPM_HASH_START register) Trusted code is sent to the TPM for measurement I/O Hub (Multiple writes to TPM_HASH_DATA register) (Southbridge) TPM CPU signals that the trusted code is being invoked (Dummy write to TPM_HASH_END register) Unencrypted and Unauthenticated LPC Bus Traffic Main CPU Late Launch Microcode Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 17 Local adversaries Dishonest employee Leak/steal protected information ... Circumvent software policies ... Malicious end-user Defeat Digital Rights Management ... Curious researcher (e.g. me) Interested in why things work and how they break ... Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 18 What is a simple hardware attack? “... What is the definition of a simple hardware attack? ... Going to a local electronic store, purchasing twenty dollars worth of parts, putting the parts together and defeating the […] protection is a simple hardware attack. ...” [David Grawrock; “Dynamics of a Trusted Platform”, Intel Press, 2009, p. 132] Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 19 Why we can't simulate the “Late-Launch” in software … TPM Localities Simple hardware based mechanism to signal origin of a TPM transaction Locality 4 – Trusted Hardware (D-RTM) Only usable by the late launch CPU microcode Illegal access attempts are filtered by the Southbridge D-RTM related TPM registers are only accessible by locality 4 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 20 A sneak peek at the LPC bus Low Pin Count Bus Low-bandwidth devices (Super I/O chip, TPM) Minimal configuration: 7 bus wires 1x Clock, 1x Reset, 1x Start-of-Frame, 4x Address/Data Weakest (hardware) link between CPU and TPM Low clock speed (33 MHz) Few bus lines (= fewer probe wires) No checksums/authentication/encryption Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 21 A sneak peek at the LPC bus Two interesting types of LPC bus cycles Memory write cycle START CTDIR 32-bit Address 8-bit Data TAR SYNC TPM write cycle START CTDIR 16-bit Address 8-bit Data TAR SYNC 4-bit Locality 12-bit Register Defined by the LPC bus specification (At least partially) controlled by the attacker Protected by trusted hardware (Southbridge) Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 22 Memory vs. TPM bus cycles Memory write cycles Easy to generate in software (<50 LOC C program) Get root access on the target machine Comparison memory vs. TPM cycles: Start of Frame Memory write START CTDIR 32-bit Address 8-bit Data TAR SYNC TPM write START CTDIR 16-bit Address 8-bit Data TAR SYNC Time Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 23 A time-shift experiment Assume that we have two independent cycles One Memory cycle starting at time zero One TPM cycle starting a little bit later Start of Frame Memory write START CTDIR 32-bit Address 8-bit Data TAR SYNC Start of Frame TPM write START CTDIR 16-bit Address 8-bit Data TAR SYNC Time Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 24 Hijacking the memory cycle We can hijack a memory cycle ... … and piggy-back an arbitrary TPM cycle. We feed the TPM with a modified frame signal Hardware filter in the Southbridge does not detect us Attacker-created delay Start of Frame (Southbridge) Memory write START CTDIR 32-bit Address 8-bit Data TAR SYNC Start of Frame Locality is under full control (to TPM) of the attacker TPM write START CTDIR 16-bit Address 8-bit Data TAR SYNC Time Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 25 Hijacking the bus in theory ... RAM RAM Memory Hub RAM Main CPU (Northbridge) Minimal hardware modifications Multiplexed Address/Data Lines Tap the address/data lines I/O Hub TPM (two are strictly required) Original frame signal (Southbridge) Break the original frame signal path anywhere along its way to the TPM Hijacker Device Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 26 … and in practice! (Lab setup) PC Southbridge Simulator TPM v1.2 daugtherboard LPC bus hijacking device Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 27 … and potential victim platforms AMD processor with TPM on a daughter-board Intel processor with fixed TPM (not shown here) Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 28 … LPC bus probing experiment “Dead Bug” probe wires on top of a flash memory chip Work time: ~45 min Disassemble Solder probes Install evil hardware Reassemble Investigates feasibility of bus probing approach Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 29 … testing the hijacker device Test setup on an old development board with TPM daughter-board. Work time: ~15 min Disassemble Install T-adapter Install hijacker Reassemble In-system operation of the hijacker Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 30 Impact Simulated late launch (“Untrusted to untrusted”) TPM's view of the platform state got corrupted To trust Evil HIC SUNT or not to App DRAGONES trust? Hijacker LPC bus PCRs no longer reflect Device modification the actual platform state ... reset extend Time TPM PCR ?? 00 42 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 31 Impact Construction of fake measurement values Static RTM (via “TPM reset attack”) Described independently by Kauer and Sparks Use LPC bus hijacking to simulate a D-RTM Introduced in our paper There is currently no simple way for a verifier to distinguish fake measurements constructed in this manner from real measurements done on the same TPM. Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 32 Lessons learned Attack resilience of “trusted” PC platforms TPM is hard target CPU and microcode are hard targets Trusted PC platforms are (still) weak targets for attackers with physical access Never trust a remote endpoint … … even if it has a TPM Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 33 Johannes Winter IAIK/EUROPKI2011/HIJACKER'S GUIDE 34 Bill of materials Testing equipment (hardware) ~15€ TPM daughter-board (from Amazon) ~450€ Spartan-3A DSP 1800 board (used as South-bridge simulator, from Avnet) Attack equipment (hardware) ~10€ Breadboards, wires, resistors, etc.