that when you have physical access to a machine, that's game over. But how much game over are we talking, actually? Let's find out how completely defenseless Intel chipsets are when faced with USB. Here's Maxim Goryachy with Tapping Into the Core. Let's give him a big round of applause.

OK. My name is Maxim Goryachy. I am a security researcher at Positive Technologies. Unfortunately, my co-author couldn't be here. His contribution to the work was huge, and please consider that we did this work together. So I would like to cover the topic of hardware Trojans and tell you about one of the modern Intel CPU design features that can be used for this purpose: the Direct Connect Interface.

OK. As you can see from the slide, we are going to review the debugging interface as the basis of such a Trojan on a modern Intel CPU. We are going to review the Direct Connect Interface, a JTAG-like interface, and its activation. And then I'm going to talk about several tips that can help you detect such an attack.

A hardware Trojan is a malicious alteration of hardware that could, under specific conditions, result in functional changes to the system. It can be inserted at the time of manufacture, shipment, storage, or use. You can find information on the types of such Trojans and the general detection techniques in the paper on the slide. I think there is no need to emphasize the timeliness of this attack vector. The NSA catalog, which recently became available to the public, contains information on a dedicated device for Dell servers that is in effect a classic hardware Trojan. And what I've just said logically raises the following question: how much would it cost to implement such a Trojan on modern systems, that is, the cost of developing and embedding such Trojans? And are those techniques available to people or organizations who are not state security services? Our report will show that, unfortunately, yes.
And implementing such a Trojan may be possible for anyone who is willing to exploit the possibilities provided by JTAG on modern CPUs. And oh, sorry, sorry, sorry. It's NSA. Let's step aside a bit, review the JTAG debugging technique a little closer, and try to find it in Intel CPUs. JTAG stands for Joint Test Action Group, and you can find its description in the IEEE standard, with the details available in the standard itself; you can see a reference on the slide. There is also a video from a CCC conference available on YouTube, where the design is described in close detail. But generally, JTAG is good not only as a basis for a Trojan. It can also be used for forensics: for example, if you don't trust the BIOS and would like to read the firmware manually from SPI flash without a programmer, or to detect a rootkit. JTAG can also be helpful in research for analyzing undocumented architecture techniques, such as Boot Guard or System Management Mode. And it may also simplify debugging of hypervisors and drivers, or power consumption, or UEFI modules in some way.

Often, manufacturers extend standard JTAG by adding their own functionality. As for Intel, JTAG on Intel processors is described rather poorly. Some information can be found in the documentation I mentioned on the slide. As you can see, Intel CPUs have three types of interface for JTAG. There is a direct connection through the Intel In-Target Probe eXtended Debug Port, ITP-XDP. And there is the new technology, the Intel Direct Connect Interface. It's a special transport designed to enable closed-chassis debug through any of the USB3 ports. You can use a JTAG-like interface through USB3. And there are two types of DCI hosting interface in the platform: USB3-hosted DCI and USB-hosted DCI. Now, let's take a closer look at each of them. Intel ITP-XDP requires a special socket; it has a special port with a special socket. And it is compatible with Intel System Studio.
You can download the trial version from the manufacturer's website. Its protocol is protected by NDA. And it gets hot. I checked it. Direct connection was introduced with Skylake, and you can find a specific description of it in the documentation. There are two types of connection: a special device, and a simple USB cable to debug. I would like to note that this system does not require any software or hardware changes. You only need a cable or a special device. OK. And this technology comes out of the box with this series of chipsets. Let's take a closer look at each of them.

USB-hosted DCI: its connection requires a special device, the Intel Silicon View Technology Closed Chassis Adapter, also known as SVT-CCA or BSSB-A. It has a special DFX feature. And it is based on the Intel Direct Connect Interface, DCI. It implements a private protocol and makes it possible to manipulate the target system in deep sleep mode. Unfortunately, these adapters, the SVT-CCA, have been available for only a few months, and the others are only available after you sign an NDA. But that doesn't matter, because we have a special device. Here it is.

USB3-hosted DCI is a commonly used USB 3 debug cable, which works as an OTG device. It's a special device on the host system, and it needs activation. Absolutely. It's a device on the motherboard. And commands are sent to this device through a commonly used interface. The device itself is integrated into the USB interface, and it transforms the commands into JTAG. And here's a little demo. One moment, please. I select a configuration here. I wait for it to be connected to the target platform. Stop execution. I list all the threads, with execution on. And here it is, from this device.
Through this current instruction, the current command. A special message. I'm sorry. That's OK. One step. It works. The demo is over. That's it. Yes, the demo worked.

How did we activate this magic function? There are several ways to do that. You will find the UEFI Human Interface Infrastructure, and a special hidden P2SB device.

Activation via the Human Interface Infrastructure. The UEFI Human Interface Infrastructure is a special interface that allows a user interface to be created with forms in UEFI. If we look at how a modern UEFI BIOS works, we find a lot of hidden options that are not accessible to the user, but are processed by the BIOS. The basis for this technology is the Human Interface Infrastructure. It processes all the options. And they are connected to DCI: it can be activated with its defaults, DCI enable, a special hidden option. UEFI defines a default value for the option. It can be activated by setting the defaults, and then resetting the BIOS to defaults gives us a functioning DCI. The edited image is programmed into SPI flash by a programmer, or through the standard BIOS firmware tool if you have the privilege to write it. So the settings can be edited by a programmer or by software, and the settings can be changed by a BIOS configuration program, on the slide. It's free; you can download it from the AMI website. But if Boot Guard is running, this technique won't work, because the system will not boot, since this tool changes the UEFI module.
Activation with a PCH strap. The next option is the PCH strap. You can activate it with the PCH configuration; it can be switched on in the flash descriptor region. Or you can create the image with a special tool, a BIOS tool. This technique works even if Boot Guard is activated. And finally, you can try to activate it through the P2SB device. In the documentation for different generations of PCH, you can find the documentation for the 7th generation, the data for activation on the fly. On-the-fly activation is possible if it is not blocked by the BIOS. There are a lot of motherboards on which this worked for me.

How can we protect ourselves from such Trojans? We can use Boot Guard. Then you can check the DCI-enabled bit. In this case, DCI may be enabled, but execution cannot be stopped. You can see the documentation. The documentation shows us which bit is important and how to set it to 1 for CPU debugging. You have to write 1 into the special field. And this can help protect laptops. You can build a special device which transmits commands over USB or Wi-Fi, and this can be used to implement a backdoor in a server or laptop. Modern CPUs use debugging tools which are available on numerous platforms. There are many platforms that make it possible to control the system completely. They are attractive not only for debugging and research, but also for Trojan deployment. We recommend you check Skylake laptops. Maybe we will publish a special tool on our GitHub. Thank you for your attention.

Any questions for JTAG over USB?

Thanks for a great talk. Could you share which motherboards enable debugging features?

We only know one manufacturer. We don't know how widely this functionality is available.
Second question: is it possible to send debugging data not via USB, but via a network?

Why not? You have the Management Engine processor.

We have a question from the internet. The internet wants to know if you have tried reverse engineering the protocol of the USB box. But first the next question here in the front. Have you contacted Intel, and if yes, what did they say?

They didn't say anything.

So the debugging features can be disabled by the BIOS, right?

Unfortunately, sometimes no. DCI sometimes cannot be disabled, because the configuration of DCI is enabled through the PCH strap. And if the PCH strap is disabled, then you can't disable it. DCI enables any features, because you can stop on the reset vector.

The question was, do you have any idea how widespread the problem is?

I don't know. I think that Intel implemented a special technique connected to cryptography, but it is not used now. I think maybe in the next generation.

We have another question from the internet. The internet wants to know if it's possible to use this to do something, so if you can modify what's being executed, basically.

No, the PCH strap is not signed. You can overwrite it, and the BIOS doesn't see it.

Is there a follow-up question from the internet?

There's a different question: people want to know if and where they can get the slides and read more about your research.

By my email. Okay, write to me. I'll write you back.

Thanks for the talk. Next question. Have you researched older platforms before Skylake? For example, Haswell.

Haswell has the same method. But luckily, in Haswell this is a hardware technique. No, in Haswell it's a software technique. I haven't seen a specific firmware that can use this JTAG-like interface.
The SVT adapter works from Haswell, but you have to sign an NDA. Haswell doesn't work with the USB device. Only Skylake works with the USB device.

Next question. Are there antivirus products that use this interface?

It's difficult, because it doesn't always work at the same time. The checkpoint. Maybe because this technique has some trouble. For example, it uses hardware registers. You can read addresses. You can read and modify the memory. You can change the SVT or USB device. You can change the memory of a JTAG device. Maybe you can use it, but you can't detect it from the inside. It's not so good.

Here's another question. Is it possible to trace the code and read it?

You can read all the procedures.

Can you use this technique to write SMM vectors?

You can use hardware to write SMM vectors. You can use hardware breakpoints on special registers to break on these. It's not possible to lock the memory. You can read System Management Mode. The protocol is protected by NDA. You need a special adapter for SVT. It's a special protocol. You can write a program that can trace your target system.

Is it compatible with JTAG? Is it a scan chain? Or is it a DCI protocol?

I think it's a special device that translates the commands from USB to JTAG. It's like toggling the JTAG signals.

Is there any chance to put this support into OpenOCD?

Let's put our hands together for Maxim one more time.
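Added example (editor's note, not part of the talk or of Positive Technologies' tooling): the speaker recommends checking the CPU-side "enable" bit and locking it so that a Trojan with DCI reachable can no longer halt execution. The transcript does not name the register; the documented CPU-side control for silicon debug is the IA32_DEBUG_INTERFACE MSR (0xC80), whose layout in the Intel SDM is bit 0 Enable, bit 30 Lock, bit 31 Debug Occurred, remaining bits reserved. The decoder below reads that MSR through the Linux msr driver (root and the `msr` module are assumed) and falls back to a constructed sample value offline. It only covers the CPU side; the PCH-side DCI enable and the PCH strap discussed in the talk are separate and are not checked here.

```python
"""Decode IA32_DEBUG_INTERFACE (MSR 0xC80) to see whether silicon debug is
enabled and whether that setting is locked.  Added example, not the talk's code.
Field layout taken from the Intel SDM: bit 0 Enable, bit 30 Lock,
bit 31 Debug Occurred; all other bits are reserved and ignored here."""
import os
from dataclasses import dataclass

IA32_DEBUG_INTERFACE = 0xC80

# Constructed sample value used when the MSR cannot be read (no root, no
# msr module, non-Linux host): debug disabled and locked, nothing occurred.
SAMPLE_VALUE = 0x4000_0000


@dataclass(frozen=True)
class DebugInterfaceState:
    enable: bool          # bit 0: silicon debug features enabled
    lock: bool            # bit 30: bit 0 cannot be changed until reset
    debug_occurred: bool  # bit 31: debug has been used since last reset


def decode_debug_interface(value: int) -> DebugInterfaceState:
    """Split the raw 64-bit MSR value into its three architectural fields."""
    return DebugInterfaceState(
        enable=bool(value & 1),
        lock=bool((value >> 30) & 1),
        debug_occurred=bool((value >> 31) & 1),
    )


def classify(value: int) -> str:
    """Human-readable verdict; 'debug enabled, unlocked' is the state a
    DCI-based Trojan needs, 'debug disabled, locked' is the hardened one."""
    st = decode_debug_interface(value)
    verdict = "debug enabled" if st.enable else "debug disabled"
    verdict += ", locked" if st.lock else ", unlocked"
    if st.debug_occurred:
        verdict += ", debug occurred since reset"
    return verdict


def read_msr(cpu: int = 0, msr: int = IA32_DEBUG_INTERFACE) -> int:
    """Read one 64-bit MSR via /dev/cpu/<n>/msr (Linux, root, `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, msr)
    finally:
        os.close(fd)
    return int.from_bytes(raw, "little")


if __name__ == "__main__":
    try:
        value = read_msr()
        source = "live MSR read"
    except (OSError, PermissionError):
        value = SAMPLE_VALUE
        source = "constructed sample (MSR not readable here)"
    print(f"IA32_DEBUG_INTERFACE = {value:#018x} [{source}]")
    print(classify(value))
```

Run it as root on a Skylake-era Linux box; a verdict of "debug enabled, unlocked" means firmware left the CPU-side control open for exactly the kind of DCI activation the talk demonstrates, while "debug occurred since reset" on a machine nobody has debugged is itself a signal worth chasing.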