know that when you have physical access to a machine, that's game over. But how much game over are we talking, actually? Let's find out how completely defenseless Intel chipsets are when faced with USB. Here's Maxim Goryachy with Tapping Into the Core. Let's give him a big round of applause.

OK. My name is Maxim Goryachy. I am a security researcher at the Positive Technologies company. Unfortunately, my co-author couldn't be here. His contribution to the work is huge, and please consider that we did this work together. So I would like to cover the topic of hardware Trojans and tell about one of the modern Intel CPU design features that can be used for this purpose. It's the Direct Connect Interface.

OK. As you can see from the slide, we are going to review the debugging interface as a basis of such a Trojan on modern Intel CPUs. We are going to review the Direct Connect Interface. It's a JTAG-like interface, and its activation. And then I'm going to talk about several tips that can help you to detect such an attack.

And so a hardware Trojan is a malicious alteration of hardware that could, under specific conditions, result in functional changes to the system. It can be inserted at the time of manufacture, shipment, storage, or use. You can find information on the types and general techniques of detection in the paper on the slide. I think there is no need to emphasize the timeliness of this attack vector. And the NSA catalog, which recently became available to the public, contains information on a dedicated device for Dell servers that is, in effect, a classic hardware Trojan.

What I've just said logically raises the following question. How much would it cost to implement such a Trojan on modern systems, that is, the cost of developing and embedding such Trojans? And are those techniques available to people or organizations who are not state security services? Our report will show that, unfortunately, yes.
And implementing such a Trojan may be possible for anyone who is willing to exploit the possibilities provided by JTAG on modern CPUs. And oh, sorry, sorry, sorry. It's NSA.

Let's step aside a bit, review the JTAG debugging technique a little closer, and try to find it in Intel CPUs. JTAG stands for Joint Test Action Group. And you can find its description in IEEE, with the details available in the standard itself, as you can see in the reference on the slide. There is also a video from a CCC conference available on YouTube, where the design is described in close detail.

But generally, JTAG is good not only as a basis of a Trojan. It can also be used for forensics. For example, if you don't trust the BIOS and would like to read the firmware manually from SPI flash without a programmer, or to detect a rootkit. And JTAG can also be helpful in research for analyzing undocumented architecture techniques, such as Boot Guard or System Management Mode. And it also may simplify debugging of hypervisors and drivers, or power consumption, or UEFI modules in some way.

Often, manufacturers extend standard JTAG by adding their own functionalities. And Intel does it too. JTAG in Intel processors is described rather poorly. Some information can be found in the documentation I mentioned on the slide. And as you can see, Intel CPUs have three types of interface for JTAG. It's direct connection through the Intel In-Target Probe Extended Debug Port, ITP-XDP, and the new technology, Intel Direct Connect Interface. It's a special transport designed to enable closed-chassis debug through any of the USB3 ports. You can use a JTAG-like interface through USB3. And there are two types of DCI hosting interface in the platform: USB3 hosting DCI and BSSB hosting DCI. And now let's take a closer look at each of them.

Intel ITP-XDP requires a special board and a special socket. But it connects directly to the CPU. And it is compatible with Intel System Studio.
You can download the trial version from the manufacturer's website. And it has a protocol protected by NDA, and makes a lot of noise and gets hot. Really. I'll check it.

Starting with Skylake, Intel introduced Direct Connect Interface technology. And you can find a rather specific description of it in the documentation. The diagram shows two types of connection: using a special device, and a simple USB3 debug cable. Hey, I would like to note that the target system does not require any software or hardware agent. You need only a cable or a special device. OK. And this technology, unfortunately, works out of the box, but only with U-series chipsets. And let's take a closer look at each connection type.

OK. BSSB hosting DCI. Its connection requires a special device. The Intel Silicon View Technology Closed Chassis Adapter, also known as SVT CCA, or BSSB, provides access to debug features like JTAG and run control through USB3 ports on Intel Direct Connect Interface-enabled silicon and platforms. It works through USB3 links, but implements a private protocol, and makes it possible to manipulate the target system in deep sleep mode. Unfortunately, as of months ago, both XDP and SVT adapters may be available only after signing an NDA with Intel, but it's not a problem. Because we have a special device.

USB3 hosting DCI is a common USB3 debug cable which works as an OTG device. That means that a special device appears on the host system on activation. It's really true. It's its device. It's the motherboard. And commands are sent to this device through a common USB interface. The device itself is integrated into the Platform Controller Hub, and it transforms the commands into JTAG. And it's JTAG for PURS.

And a small demo. One moment. We select a configuration, wait for connection to the target platform, and stop execution on all threads from this device. Current instruction, special MSR. And I'm sorry. That's OK. One step. OK. It works. OK, the demo is ended.

How to activate this magic function?
There are several ways to do that: through the UEFI Human Interface Infrastructure, a PCH strap, and the special hidden P2SB device. Now let's review each of them in detail.

Activation via UEFI Human Interface Infrastructure. UEFI Human Interface Infrastructure is a special interface that allows creating user forms in UEFI, as well as processing and manipulating user input. If we look at how modern UEFI BIOS is designed, we can find a lot of hidden options that are not available to the user but processed by the BIOS. This is, in fact, the basis of our first technique. UEFI Human Interface Infrastructure defines default values for all options, including the hidden ones. And as soon as we find the option connected to DCI, it can be activated by setting defaults: DCI enable, a special hidden option. And UEFI defines a default value for the option. And we find the option connected with DCI. It can be activated by setting defaults, then resetting the BIOS to defaults using the standard interface. And we obtain a working DCI. It's easy. The edited image is programmed into SPI flash by a programmer, or through the standard BIOS firmware tool if you have privileges. And those settings can be edited by the special BIOS configuration program on the slide. It's free. You can download it from my new website. But if Boot Guard is running, this technique doesn't work, because the system will not boot, since this tool changes the UEFI module.

But you can activate with a PCH strap. DCI can also be activated by configuring a specific bit in the PCH configuration. Manually, they are located in the flash descriptor region. Or by using the Flash Image Tool. It is a special tool for creating firmware BIOS. This technique works even if Boot Guard is activated. It's good.

And finally, you can try to activate it directly through the P2SB device. You can find the special index and register in the documents for different PCH generations. On the right, it's the sixth generation, and on the left, from the seventh generation.
And use those data for DCI activation on the fly, if the BIOS has not blocked DCI setting changes. OK, right. We know some other boards where it works.

And this leads to the question: how can we protect ourselves from such Trojans? We propose activating Boot Guard in order to make the modification descriptive in the first place. And then you can check the DCI enable bit and the debugging disabling register through the special debug interface MSR. In this case, DCI may be enabled, but execution cannot be stopped. And as a result, it's impossible to get access to memory and registers. And you can see the documentation. The least significant bit of this register makes it possible to restrict CPU debugging. So we need to set it to zero and lock the register itself by recording bit one into a special field. And this can help us to protect your platform, your laptops, in the new age of USB.

You can find or make a special device which transmits commands from USB or Wi-Fi and use it to implement a backdoor in laptops or servers or another motherboard or computer. And moreover, the CPUs allow using debugging tools through USB3 available on numerous platforms. These tools make it possible to control a system totally, making the technology attractive not only for debugging and research, but also for deploying hardware Trojans. And please check your Skylake laptops. And thank you for your attention. And maybe we will publish a special tool on the GitHub of our company which can help you to check your motherboard. Thank you for your attention.

Thank you, Maxim. So, questions. Do we have any questions for Maxim about JTAG over USB? I see one already here in the front.

Thanks for a great talk. Two questions. First of all, could you share which motherboards allow enabling such debugging features?

We know only one vendor, but we haven't searched other vendors. And we don't know how much this functionality is available to use.

Second question.
Is it possible to send debugging data not via USB, but via the network itself?

Why not? You have the Management Engine processor.

Scary things. OK, we have a question from the internet. Hello? OK. The internet wants to know if you have tried reverse engineering the protocol the USB box uses.

Yeah. But it's the next series.

Here in the front. So have you contacted Intel, and if yes, what did they say?

Yes. They didn't say anything.

In the back by the camera. So the debugging features can be disabled by the BIOS, right?

Sorry, what?

The debugging features can be disabled, depending on your vendor, by the BIOS, right?

DCI. Unfortunately, sometimes no, because the configuration of DCI enable is enabled through a PCH strap. And if the PCH strap on the platform hub is activated, the BIOS can't disable it. And if you have DCI, you can always enable any features, because you can stop on the reset vector.

Sorry. So any idea how widespread this is?

The question was, do you have any idea how widespread this problem is?

I don't know. Maybe I think that Intel implemented a special technique, connected with cryptography, but doesn't use it now. And I think that maybe in the next generation it will be activated.

We have another question from the internet. The internet wants to know if it's possible to use this to do something to bypass some kind of signature check or something. So if you can modify what's being executed, basically.

No, because the PCH strap is not signed. And you can rewrite it for the BIOS. And Boot Guard or other technology doesn't see it.

Is there a follow-up question from the internet?

Yeah, there's a different question. That is, people want to know if and where they can get your slides and read more about your research.

Sorry.

They want to know if and where they can get the slides and read more about your research.

In my email, OK, write me. I asked about it. I'll tell about it.

OK, in the back. Yeah, thanks for the talk. Did you do any research on platforms prior to Skylake? Let's say Haswell or something like that.
Haswell has the same technique. But unfortunately, DCI is a hardware technique. In Haswell, it's a software technique. And sometimes, and I didn't see, special firmware which can use this JTAG-like interface. Its technology, the SVT adapter, works from Haswell. But only after signing an NDA.

So Haswell doesn't work with a simple USB device?

No, no, no. Only Skylake, only Skylake, thanks.

In the EFF shirt. Are you familiar with antivirus products that also use the Intel debug states, like Check Point SandBlast, for example? And how is this similar? Or does it interfere with the hardware?

It's difficult, because it's very non-stable bugs.

So does that technique interfere? Like, would the Check Point SandBlast detect this?

The Check Point, it's maybe, because this technique has some troubles. For example, it uses hardware registers. And you can read addresses. And you can read modifications of memory which this SVT or USB JTAG-like device is doing. And it's detected for viruses. And maybe you can use it, but not well sometimes.

Okay, we have time for about three more. Did you have a follow-up? No? Okay, then in the front.

Is tracing capabilities possible, to trace code and maybe read memory while the core is in SMM mode?

Yes, yes, yes.

Okay, so you can just read all the SMM procedures and you can pick the vectors.

You can use this technique to write SMM. You can use a hardware breakpoint for a special register on the right. Insert this breakpoint, and it is not able to lock the memory which is used for System Management Mode, for example. And read it. We're doing it, yeah.

Okay, in the back, right? So the protocol, as you said, is protected by the NDA. Are you aware of any open research on this topic?

Yes, it's open research.

Okay, another thing. Is it like following the normal USB protocol, or do you really need some special electrical properties?

For the SVT special adapter, it's a proprietary protocol which uses the signals of USB3, but it's not USB3.
And this cable, it's the simple USB3 protocol, and yes, you can write a program which, for example, can trace your target system. Yeah.

Okay, and the last one in the back. Is it JTAG compatible, in such a way that it has a scan chain and stuff, or is this some Intel invention, this DCI protocol?

I know, I think that this is a special device which retranslates the commands from USB to the JTAG chain, JTAG TAPs, yeah, right?

So it's like toggling the JTAG signals?

Yeah, yeah, yes.

So that's what happens, wow. And is there any chance to put this support into OpenOCD or such open source software?

Or maybe in the future. Thanks.

Okay, let's put our hands together for Maxim one more time.