 Mojte. Zvukaj pa sem bilo površen, da so promatovali. So, razvaja, posledaj. Prdne, bomo ga počutite počutiti o pletformu procesoru in o pletformu procesoru. Zato se lahko dobro vse izgledaj. Na pletformu postavimo izgleda in skupaj svoj skupaj na vsega svetu. Tako, X86 procesor je, da se možete vzve, je veliko je procesor od lat 70-jih, in nekaj zelo je, da je procesor veliko zelo vse procesor, ki je veliko začala, je veliko začal. from 1984 and also 1983. Those processors were the platform processors without a possibility to change the firmware, but they had important functions, which in that time was a keyboard and also the resetting, the whole platform and the famous A20 hardware. Ja so znamo bo, da sem da sem gatherila, kaj je veliko tukaj čega, z pošpos, v kaj se tažem so gordi, in za to, kaj je V820? Vse, staj z našem vzdušenjem. Tako je OK. Vsi so to, še se du posludi precezes. Po našeho, tudi dobrali se dobrali, nekaj nekaj neki prececes, da bi je všeho katilitva z izgleda laži. plug-in events in special keys in so on, and this controller has usually 8051 CPU or some super Hitachi CPUs and so on. So, this x86 platform currently is using such things, and if we look how it looks in today, that we will find that the border between the hardware and software somehow diminishes a little, and that there is a lot of firmware present if you look to the Linux kernel, which has this firmware directory or the package you will immediately spot that virtually any peripheral today has a kind of firmware, which needs to be uploaded and to operate. But in our lecture, I would like to concentrate on the platform processors, which are helping the main processor, and let's start with the Intel processor. As you might know, there is one, which is remarkable. It's an Intel management engine. Who knows this one? Yeah, great. So, let's go. Let's go to the AMD, because maybe it's not so many known. So, in AMD platform, which you can buy today, you will find several other processors. The first one, which I listed, is the system management unit, which will be more on that later today. Then there is even a small AT51, which is located in the south bridge, which is called integrated microcontroller. And of course, there is also some other controller in the USB, which you can figure out in your homework what kind of controller it is. And in the end, the very recent AMD processors comes with something, which is called platform security processor. And this processor is ARM Cortex A5, with a trust zone thing. And the reason why AMD introduced this processor is to redo the chain of the root of the trust. So, the idea perhaps behind this is to have something else, which gives the root of the trust, while booting the x86 processor. So, in fact, something which verifies the BIOS before even the BIOS is started. But in this lecture, as I said, we will concentrate on the system management unit. But x86 is not the only platform, which has such kind of special platform processors. If you look to ARM or PowerPC, you will notice that there are special channel or DMA processors, which are also running there, if you know. And here is just a funny table. I hope I have it correct. So, I'm not aware if there is any malware running on this kind of platform processors, but as for today, I can put the platform processor as some bugs. So, let's have a look. And to finish my introduction, I think it's a good way to increase kind of awareness of this. And because these platform frameworks are in every modern platform, and you cannot simply disable it, because it's a part, it's a generally part of the system. So, you have to live with it, and there could be possible security problems. And this is, I think, a very important point that the hardware engineers are involved, which means most of them are not the software engineers. So, if you ever have looked to some BIOS assembly codes, or some small embedded system platforms, you know how clumsy they are, and this doesn't help the security much. And there is kind of an event of some very special firmware, which can be loaded to the current platforms. Most likely you are aware of the bad USB stuff, which I think I have it. It's not in fact in the USB 3.0 controller, but in the client, in the USB device. But what you can also run is that you can run Linux in your hard drive, because somebody with the Sprite TM name found out that the hard drive PCB contains free ARM processors, and you can run MMU less Linux inside your hard drive, and also fix the ATC shadow, if necessary, for example. So, as you can see, now we live in the age where those processors are somehow bubbling out, and something needs to be done. Yes, and I was speaking about the open source firmware, and I believe there are also perhaps some close source firmware, and here you can choose your right permutation of the vendor. Okay, so this was just the first part of my story, and the second part is about how I went through the SMU stuff, and as usual it begins that people read books and some read also datasheets, and if you do that and have a look to this document, which is very nice, it describes most of the stuff, how the modern AMD processor is working, it's called AMD BIOS and Developers Guide, and if you have a look into this document for the very recent families, you will find there this quote, that there is something which is called the system management unit, and it takes responsibility for the power management and system related tasks, and the last sentence is quite nice. It says the SMU contains a microcontroller to assist, and this is the point where I started to think, let's have a look, what is it, and if I can get some fun of it. And because I like the stuff like ciphers and so thing, so it was very ideal topic for me. And this thing is also very special because it lives in North Bridge, and North Bridge is the part of the system of chip, and it means in the end that it lives in the CPU, and this was the reason why I put the name Matroshka processor. And while I was preparing my lecture, then I noticed that the Western people are not, they simply don't know what the Matroshka is, and so I brought one to show you. So this is the main CPU, and if you open it, there is a smaller one. And so this is not a part of the Czech culture, because we were the Soviet satellites some 20 years ago, and there were not other presents available, so we kind of have still some of them hidden in our homes, but please do not buy them in Prague as a tourist souvenir, because it's a tourist trap, and please don't do that in the end. Okay, so now back to our lecture. So what kind of microcontroller is there? Of course, nowadays the Google knows quite a lot of answers, and if you put this to the Google, you will get some more datasheets, which we will need later, but also you will get something from LinkedIn, and not just this one, but also a lot of other pages, which describes a lot about what the SMU is in fact doing. So here I won't read it at all, but in fact, as you can see it is LATIS LM32 processor, it's doing some dynamic power stuff, and this guy apparently implemented the adaptive algorithm to deal with the power management. But please don't blame this one, because there is many more on LinkedIn, especially for the AMD employees and other employees. Okay, so if you know that this is LATIS Micro LM32, then here is quite a short introduction. So it is, let's say, open core processor, you can get SDK for it, or you can download, or you can compile your own tool chain, and you can get also the reference manual. So this is in general a very good start to think about this. And the LM32 processor really likes the number 32, because it's a 32-bit processor with 32-bit instruction size, and you can guess how many registers inside processor it has. Yes, it's 32. And because in the next part of the lecture I will need this information so just quickly, we have the R0, which should hold the 0, and the rest is quite obvious. This architecture is not like x86, it uses link register to save the return address from the function. Yes, and so far we know what kind of architecture we have, but we don't know where to look for the firmware. So the hard way is, of course, to desolder the flash, or the flash chip, which is on the main board, read it out in some programmer, and look if there is not the firmware, but in fact there is an easy way, because on these platforms the BIOS image is a complete image of the flash. So you can have a look for the firmware in this image, so you don't need to do the soldering stuff and reading out. And I put some clue here that the firmware is part of something, which is called AGSA. This is AMD platform initialization blob, which initialize the every aspect of the AMD platform, and this is included from AMD into the vendor BIOS, and it is called, during the BIOS execution, to perform the initialization steps. And to get the firmware, you can download virtually any BIOS from the net, for example, for the FM2 motherboard, which I was using for my experiments. And now, because I already told you, it's in the BIOS image, so you can try the text search, and the search is for the SMU. And if you do that, you will find something like this. If you look to the slide, there is underscore SMU underscore SMU, and this thing is most likely just an encore to allow other, perhaps AMD people to find it more easily inside the blob. I have no other explanation of this. Then the bold text is actual firmware, which is for the SMU part. And you have many firmwares, many, like, three or four in the IJESA, because one IJESA supports different CPUs, like Trinity or Richland, and also others like Arizo, for example. So, the next thing is that we are on the Communication Congress, so we have to communicate also with this processor, and we would like to communicate from the X86 processor, so. And this is where the document I mentioned is, again, helping, because it is described and documented in the public documentation, that there are these two registers, which you can use as kind of gateway to this other space of this processor. And here let me take a little detour, that if it is not documented, it doesn't mean it doesn't exist, it's just a delay. And on the other hand, I do appreciate that AMD is putting a lot of efforts to have documented platforms way more than the Intel, so please try to support them at least like this. So, let's write some simple utility to dump the address space of the system management unit from running system. I use the Linux. So, if you do that, I know it's rather small, but, well, I will fix it later. If you do that, you will see that it's kind of strange data. It's repeating 55, 55 AA, and again, and this is for the first 64 kilobytes. So, then it's getting a little bit better, because you will immediately see that at the offset of 64 kilobytes, it starts to be the same as you have found already in the BIOS image you or I analyzed. But what is strange is that after the 500, sorry, 256 bytes, there is again this 55, 55 AA, which means that the runtime firmware is most likely hidden from you, so you cannot modify it, and then some random garbage flows. So, this is how it looks if you dump first to 64 kilobytes segments. I put it into the nice table, so it is more easily understandable. We will look now to the header, and then we go back to the firmware. Okay, and I need to drink some water, because... So, this is quite easy stuff in the firmware header. You will find what you think it should be there, and you will find out that there is a version number. There is a length of the header, there is a length of the firmware. There is also something which looks like entry point at the offset C, and then at the offset 10 in hexadecimal, there is something which looks like a checksum, it looks like very random data. And in the end of the header, there is a 55AA signature, and then it continues with some firmware, which we don't know yet. It could be the first instruction. So, let's have a look at the instruction stuff. So, as I said, it immediately follows the header, and if you disassemble this instruction, this 0000, like 3098 at the end, and the second one is the same, so you will get this instruction, which is quite unhappy, and it is garbage. But you have to try something else, and it's like big end-end, for example. And if you do that, you will get something which is very promising, because as I have shown you, it is expected that in register R0 is in fact a zero. So, it looks good. And is there someone which can do something with the radar software? Yes, please, I will need some kickstarts to this, because as you will see, I did it in very own way. So, I decided I will convert the firmware to the L file, and I did it with the object copy, like this. So, I created one section, which I marked that is executable, and then I used object dump to dump it back, and if I have done it, so I get these first steps. So, here, as you can see, it's just zeros. I don't know why twice time, but it is so the R0, then it disables interrupts and setups the exception handlers. And then it sets in other place in the routine, setups the stacks and zeros the BSS, and it's classic CRT zero startup. So, I decided I will put back some more symbols, so I can use nicer object dump, and exception handlers were described in the LM32 manual, so I could add more data to my linker script and identify the exception handlers of the firmware. And if you look to the functions, they look pretty standard, they have some prologs and epilogs, so I just skip this for now. And here I think it was a great idea. And I said that let this SDK, and I looked into the SDK and found out there is CRT zero RAMS and some C functions, which were handling the interrupts, and interrupts routines, allocation, and registration, and so on. And I also checked the binary image of the example, which let this included in the SDK, and I found out that AMD, in fact, uses this also. So, I was able to fill my linker script again with some more functions. It's not exactly the same because of the different GCC, most likely, but it's very similar. Okay, so let's see how to communicate with the firmware from the operating system or from the BIOS. You can read in the manual that it is possible to invoke something which is called SMU firmware request, and this is documented again. And you will just write some request number to a doorbell register, then you will just trigger the interrupt inside the doorbell register, and the SMU will get the interrupt and proceed with this kind of interrupt, and then also return if the interrupt or this routine was successful or not. So, in the detail, this is what I found out is that most of the stuff is power management related. It's something which is called budget aware of power management, and that the custom registers are usually located at the end of the second 64 kilobyte segment. And this is not only this. There were also some functions or some service functions which were quite easy to understand and there were some for the flashing of the data caches and instruction cache. There was also a very special request which I nicknamed pink request because it just incremented by one sum register and this was all what it was in fact doing. So, now we know quite a lot about this SMU and now we need to ask some questions. So, if it is possible to run some program, our own program on it and what are the problems? So, the obvious problems could be that there is this protection thing which doesn't, which means that the code is protected from the runtime modification plus there is something which looks like the checksum. Plus if we would modify the BIOS, it would mean that the BIOS on its own has some kind of checksums so, this is the problem that we need somehow to solve. So, this is again just from the firmware headers I was telling in the beginning. So, there is this 20 bytes of something which we will need to find out and this 20 bytes is in fact 160 bits. So, what this could be? Yes, that could be SHA1. So, I tried really hard with many permutations like computed from the firmware without the header, with the header a little bit in the end with zeros instead of the places where it is and I simply failed. I didn't find out how to do that. Yes, and this is what I said already. So, the second thing is runtime code injection. So, how to do that? We have this problem that the code and data segment is hidden and it looks like it's protected. So, but there are also ranges which are not protected and this was seen in the big dump I showed you in the beginning. And let's examine this further and see if we can write there something. So, in this slide you see that there is this 55 and so on again and at the offset DC50 it stops and there is some random stuff. And the header as I have told you already is also visible. So, these are these two regions and in the end of the 64 kilobyte segment there is this communication area with some random garbage. So, if you look to the offset data which are to be seen right after the protection ends, it looks something like this and there are some strange things happening here. So, the offset data matches some functions in the firmware which I need to tell you. What is it? So, I don't know. And what is more strange is that this part is still part of the BIOS image. So, somehow something went wrong with that. Even more than terribly. So, there is a first problem that there is some problem that the 256 bytes is missing in the protection and the header is also the same length. So, it looks like it's kind of a problem that this part is not covered because someone forgot it to edit over there. So, because of this we need to ask more, can we change this offset data during runtime? And answer is yes. And is there something which involves this function pointer from the offset data? And answer is also yes. In fact, there is IRC, there is this patcher which handles various interrupt requests from the SMU and one of the requests is also which is present there, this SMU request function handler which gets invoked. So, now we can think about how to run the program. So, I took the obvious approach to load it to unused part of the second 64 kilobyte segment. I put there the quotes because I don't know if it was a really unused place or I was just lucky. So, we can modify the pointer in the offset data and then when finished we return the control to the original function to handle the request and also the IRQ request so it's cleanly done. And while at it, I also included here this is actually the function which is invoked for the SMU request and now we can also go through this one. So, first it acknowledges this SMU request interrupt which came because of this doorbell register. It loads the request number which was stored in some other register then it masks it and shifts it and then it loads the base of the function pointer table which is different from previous. This is another function and load it to the register R2 and then call it. So, is here anyone who sees already the problem? No, okay. So, I give you more time. Okay, so there is no check for the bounds. So, in fact it means that you can run something which is not in the array for the pointers and this is bad. So, something went wrong again because we control this 15-bit value which we are passing to the request to this function then the offsets where the pointer table starts is also known. So, we can simply load to some address pointer to our function which we can load there and if we call the SMU request with the right number which matches then we can again execute our own code yes, including our injected functions. Yes. So, in this case it means that we can execute our own code inside the SMU but there are still some regions which are not available to us and I was interested what I can find there. So, in this case it is the region for the first 64 kilobytes. Yes. So, everything begins like writing a program so let's start and write some and this one will be quite easy we will use the methods I told you right now to actually program some kind of function which allows us to copy 4 bytes from any place inside the firmware and copy it to some place which is not protected which we can read and we can use this damper as many times as we like and it means we can dump the first 64 kilobytes to see what is there. Yes. So, let's have a look what is there. I do think it's most likely a ROM I like my processor and I have written data there only once very covertly and nothing happened so most likely this part is a ROM part. What is interesting is that it has the same structure as the runtime firmware but with more complex initialization and it implements only SMU request 0 which verifies the firmware which is loaded by the BIOS. So, while the computer is starting most likely this ROM gets executed first then it waits for this request and BIOS will load BIOS will load the firmware from the BIOS image to the second 64 bit 64 kilobytes then invokes this and the firmware in the ROM will authentificate this kind of firmware. So, and if we can analyze it we can also see what went wrong with this 256 byte offset and of course what kind of hash is used. So, this function if you look it is not one function in fact it's much more than one function and there are some strange constants like this anyone knows what these constants are? I didn't know either so I had to use a help and if you look there is another clue that it's SH1 or HMAC and I had now difficulties because I didn't have any proper disassembler so how to make sense of these big functions and I found out I can use something which is obviously known it's called QMU so QMU it has support for LM32 and I hack it a little bit to have support for this memory layout which was like there will change to one file so I load it in the QMU the ROM part firmware and RAM part firmware and I also load I started the QMU to executing the authentificate function and I was able to debug it with the GDB and to see what's really happening so now what I have found out is here so the authentificate function it loads data from the firmware header it flashes the data caches computes the hash function flashes data caches again and then it checks if the hash is matching in the firmware in the firmware header here it is using the constant time algorithm so it means if the hash is different you cannot use the timing attack as it was possible I believe in the nintendo vii or something like this so far so good it setups also the protection registers and here is the problem because the size of the firmware doesn't include the header so they thought it's included but it was not and this explains why there is this 256 bytes gap on the part which should be covered but it is not and it changes also the reset vector of the LM42 so next time the ROM is not executed anymore and the authentificate firmware is run and in the end it signals back the results to the bios so how it looks with the header checksum so it is not a checksum but a hash and debugging helped and this is what I was telling class time and it is also it also means it is a symmetric key and if it is a symmetric key if there is anyone with a key he can or she can sign on firmware I know that this question will arise so I will answer it wait a second I do have some keys yes okay so now you can close your eyes yes yes so who has the closed eyes it's written no close your eyes really I'm watching you and wait for the next slide so the slides now you can open them so you can actually read that it's called the secret so now I will press the space now you can see there was a little spoiler because the 42 is in fact the slide number so let's move on the slide number 43 there will be no 43 there will be some joke which or which will be fun at least for someone is there anyone from Czech Republic so great this is not a secret in Czech Republic and it is not a secret anymore here so I will also skip it and the secret of course remains a secret so but now it is time to write some email to AMD and we need to write them something so this is what I have done I wrote to whom it may concern I have discovered security vulnerability in the recent AMD processor which allows arbitrary code execution on the system management unit and I have trouble to find out whom to write so I decided to use link at in to find some contact to some sensible engineers which looked like they are responsible for this and how to support the claim I changed the pink function to add instead of one to add 42 in hexadecimal and I fixed the hash and then I send it to the AMD and so and now something about how it went so I analyzed the firmware during the Christmas 2013 while I was watching chaos communication congress in a little window but in the big window the firmware and sometimes later I found the bugs I presented to you and I've written to AMD on last days of the of the April and in like two weeks I received a response please can you give us more information and so I started to and create the communication between me and AMD I've written in the detail what is the problem and then in July they acknowledged the problem in the meanwhile there was some communication and in November at the end I received a list of version which will contain the fix so now it is fixed and the conclusion is that they responded like to the next day and because they are on another continent then meet so it was fun to and fast sorry fast to speak with them and that's it and yes the fix problems both issues are now fixed so the firmware is now padded so there is not a problem again with this with this problem inside the inside the routine in which is authenticating the firmware the problem with the SMU request function I check it is also fixed and some other unrelated fix to these vulnerabilities in some other processors that are also fixed so how it looks as you as I already told you the SMU firmware is part of the AMD AGSOM and now it is time to ask your vendor for updated AGSOM and I think it is a good idea to do that and to support this because it's the vendors which are delivering the BIOS updates to you not the AMD and this is perhaps the only way how to force them to update also the older platforms is to simply bug them and ask them for the fixed AGSOM which is here so in this table you can see the processor names which are affected by these problems also the AGSOM version number which you can get if you search in the BIOS image for AGSOM string then there is this string likes begins with 1.1 and the SMU versions which are listed over here in my presentation in the slides if you go back then later I use the version AA which means 10.10 so you see now it's version 10.14 which already includes the fix and I use this let's say some nicknames of the processors but it is easy to find them using Wikipedia so you will find it or just ask me or drop me your email if you have some problems with that so thank you for your attention you would also agree to a Q&A session so please line up on the microphones microphones free yeah sorry I need another microphone and I have my own yes I know cool so two simple questions first of what can you actually do from the SMU can you read anything from memory can you actually do anything else than just respond to interrupt well it was not a purpose to analyze this for me I simply took my journey and I didn't want to damage my processor I'm not sure if it is even possible to physically damage it I don't know if there is any DMA available inside this processor I would bet it's in the USB3 controller which needs to use DMA I don't know if this processor uses the DMA but I forgot to tell you that I have here a guest from AMD which can most likely help me to answer please welcome David hi David hi everyone yeah with regard to that specific question the SMU appears to software as a PCI device and it has the same capabilities that you would generally expect of a PCI device which includes DMA it has of course some additional capabilities with regard to its specific function within the SSC regarding power management and things like that but yes it is able to read and write memory okay awesome so the other thing is help assistant is firmware once a geesa actually puts anything in it's basically volatile right so if I overwrite the like if I'm malicious and I patch the host's firmware the bias blob to have a malicious piece of LM32 code in in that blob that I recalculate the checksum for that I now can since I do know that older CPUs allow me to read it out and the ROM doesn't change since the last time I can basically just infiltrate any random CPU can't I? alright I guess I'll so your question is about the the window of vulnerability right between power on and when the firmware is loaded yep yeah that exists and that's unfortunately not something that we can really patch in the field I guess our response to that would be that if if you are able to have more trust in your early BIOS code to correctly load that firmware then that will help address that and so some of the technologies that we are working on with our newer products include things like Harbor Validated Boot where we have the reference platform security processor verify the integrity of that first BIOS block that executes so that you can have that chain of trust going forward but yes I agree there is a window hey that makes sense thanks the IRC has a question yes thank you the question is what is exactly in the SMU and is there power management unit also in it could it be used to overclock or activate more cores well I think it is used for the power management stuff like the the dynamic or adaptive power management I don't know if it if you can overclock way more or if you can unlock some other cores that's I don't think the David will tell this to us so I don't know yeah I would say go and have fun let me know what you find okay microphone 4 thanks for your talk just a quick question so currently the BIOS the actual BIOS image calls that SMU DERA request to verify the BIOS image right yes so you could in fact just remove that from the BIOS assuming you could re-compute the BIOS checksum and bypass the whole I'm not even sure if the computer can run without that so I think you have to you have to load it so well no no no I mean bypassing the SMU checksum not the SMU loading was it because if if the BIOS has started if the main CPU has started first I'm sorry I can't hear you very well sorry if the main CPU started first and then it loads the SMU image and then it calls something to verify the BIOS image was loaded correctly the BIOS image must have been already loaded right or am I getting a problem? the sequence is that the main CPU x86 starts to run with the and the SMU in maybe same moment is running also but it is running the ROM firmware and when the BIOS is doing its stuff it will load the image to the the RAM of the of the SMU unit the second 64 kilobytes and then it will invoke the authentication function and unfortunately I don't know any details what could happen if this is wrong or if you don't do that so again maybe David will yeah I think I may have created the confusion so let me try to address that the statement about verifying the BIOS code which loads the firmware is a statement with regard to newer products starting with the Mullins product that include a platform security processor where the platform security processor is the first microcontroller that comes up out of reset for the older parts that do not have that what Rudolph just said was correct okay thanks microphone 2 okay you notice that now we should rely on the mainboard vendors to supply BIOS updates containing the patched firmware blobs for my experience with inter mainboards I have very little trust in the mainboard vendors to do proper h-macking in their BIOS updates so do you see any chance in just swapping those blobs in existing BIOS updates I mean I know for Intel that it's definitely possible to patch BIOS updates which are not properly secured I think you will face the problems with some other BIOS checksums in the end and I would recommend you to use the core boot and because core boot has the fix for this problem also yeah that might work as well good point thank you microphone 1 hi I was just wondering I've heard from companies like Facebook, Microsoft and others that they put out pretty huge bounties for security vulnerability found so did AMD reward you for basically doing their job? no I'm buying them dinner what are you talking about? well well I didn't want to sell this because I thought if maybe some other people know about this so let's make it public to balance out the world, our world and yes it cost me some money to get in fact here and speak about you about this so I'm a little bit at the minus but I'm enjoying the congress very much so it's okay for me good for you number two yes thank you for your talk did AMD actually change the salt they use for the sharmacking? I think no it's still the same key so basically if you take the same steps that you did you can just find the salt and write around firmware for the... yes it's in general it is possible but there might be a ways how to put there the new keys or the new salts I don't know if they would then these would be supplied in bios updates and you can just extract the new seeds or the new seeds yes it's a fairly good game maybe David can tell something right so obviously the fix that was released is new firmware and so if you take that out and you write your own thing that gets loaded before that or something like that then you're running essentially with the same device that Rudolph did the the key or salt in question is hardcoded into the silicon itself so it's not something that unfortunately can be changed okay thanks number two the first part of my question you already answered because it was just that question so after applying the new firmware new vulnerabilities not with standing like the SMU is then safe like yes so so with this fix it's okay now because yes the window is closed you cannot access the memory anymore and you cannot load your own code into it anymore and as long as you have the bias blob in the chip it's okay as far as we know unless you guys find something else yeah thanks and if you do I'll just say since Rudolph's encounter where he had trouble finding someone to talk to you at our company we have set up in a new email alias that's listed on there so if if you do have time to experiment and you find anything we'd love to hear about it so please email us so thanks to Rudolph thank you very much for finding this bug and make us all safer thank you and for the talk