Tapping into the core


Formal Metadata

Title: Tapping into the core
Number of Parts: 147
License: CC Attribution 4.0 International. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: Engaging universally available deep debug functionality of modern Intel cores, with zero software or hardware modifications required on the target side.
Transcript: English (auto-generated)
We all know that when you have physical access to a machine, that's game over. But how much game over are we talking, actually? Let's find out how completely defenseless Intel chipsets are when faced with USB. Here's Maxim Goryachy with Tapping into the Core. Let's give him a big round of applause.

OK. My name is Maxim Goryachy. I am a security researcher at the Positive Technologies company. Unfortunately, my co-author couldn't be here. His contribution to the work is huge. Please consider that we did this work together. So, I would like to cover the topic of hardware trojans and tell about one of the modern Intel CPU design features that can be used for this purpose. It's the Direct Connect Interface. OK. As you can see from the slide, we are going to review the debugging interface as a basis of such a trojan on the modern Intel CPU. We are going to review the Direct Connect Interface, a JTAG-like interface, and its activation. Then I'm going to talk about several tips that can help you to detect such an attack.
A hardware trojan is a malicious alteration of hardware that could, under specific conditions, result in functional changes to the system. It can be inserted at the time of manufacture, shipment, storage or use. You can find information on the types and the general techniques of detection in the paper cited on this slide. I think there is no need to emphasize the timeliness of this attack vector. The NSA catalogue, which recently became available to the public, contains information on a dedicated device for Dell servers that is, in effect, a classic hardware trojan. And what I've just said logically raises the following question: how much would it cost to implement such a trojan on modern systems, that is, the cost of developing and embedding such trojans? And are those techniques available to people or organizations who are not state security services? Our report will show that, unfortunately, yes. And implementing such trojans may be possible for anyone who is willing to exploit the possibilities provided by JTAG on modern CPUs. And, sorry, sorry, sorry. It's NSA.

Let's step aside a bit, review the JTAG debugging technique a little closer and try to find it in Intel CPUs. JTAG stands for Joint Test Action Group. You can find its description in the IEEE standard itself, with the details available there; you can see a reference on the slide. There is also a video from the CCC conference available on YouTube where the design is described in close detail.
But generally, JTAG is good not only as a basis for a trojan. It can also be used for forensics. For example, if you don't trust the BIOS and would like to read firmware manually from SPI flash without a programmer, or to detect a rootkit, JTAG can also be helpful. In research, it helps for analyzing undocumented architecture techniques, such as Boot Guard or System Management Mode. And it also may simplify debugging of hypervisors and drivers, or power consumption, or UEFI modules.

Often manufacturers extend standard JTAG by adding their own functionality. And Intel does it too. JTAG in Intel processors is described rather poorly. Some information can be found in the documentation I mentioned on the slide. And as you can see, Intel CPUs have three types of interface for JTAG. It's direct connection through the Intel In-Target Probe eXtended Debug Port, ITP-XDP, and... Intel... It's a new technology, the Intel Direct Connect Interface. It's a special transport designed to enable closed-chassis debug through any of the USB 3 ports. You can use a JTAG-like interface through USB 3. And there are two types of DCI hosting interface in the platform: USB3-hosted DCI and BSSB-hosted DCI. And now let's take a closer look at each of them.
Intel ITP-XDP requires a special board and a special socket. But it connects directly to the CPU. And it is compatible with Intel System Studio. You can download the trial version from the manufacturer's website. It has a protocol protected by NDA. And it makes a lot of noise and gets hot. Really, I checked it.

Starting with Skylake, Intel introduced the Direct Connect Interface technology. And you can find a rather specific description of it in the documentation. The diagram shows two types of connection, using a special device and a simple USB 3.0 debug cable. I'd like to note that the target system does not require any hardware or software changes. You need only a cable or a special device. And this technology unfortunately works out of the box, but only with U-series chipsets.

Let's take a closer look at each of the connection types. BSSB-hosted DCI: its connection requires a special device, the Intel Silicon View Technology Closed Chassis Adapter, also known as SVT-CCA or BSSB. It provides access to debug features, like JTAG and run control, through USB 3.0 ports on Intel Direct Connect Interface-enabled silicon and platforms. It works through USB 3.0 links but implements a private protocol, and it makes it possible to manipulate the target system in deep sleep mode. Unfortunately, as of months ago, both XDP and SVT adapters may be available only after signing an NDA with Intel. But it's not a problem, because we have a special device.

USB 3.0-hosted DCI is a common USB 3.0 debug cable, which works as an OTG device. That means that a special device appears on the host system and is activated. It's really true. It's a device. It's on the motherboard. And commands are sent to this device through a common USB interface. The device itself is integrated into the Platform Controller Hub, and it transforms the commands into JTAG. And it's JTAG over the ports.
And a small demo. One moment. We select a configuration. Wait for connection to the target platform. And stop execution on all threads from this device. Current instruction. Special MSR. And... I'm sorry. That's okay. One step. Okay. It works. Okay. Demo's end.
How to activate this magic function? There are several ways to do that: through the UEFI Human Interface Infrastructure, a PCH strap, and a special hidden P2SB device. Now let's review each of them in detail.

Activation via UEFI Human Interface Infrastructure. UEFI Human Interface Infrastructure is a special interface that allows creating user forms in UEFI, as well as processing and manipulating user input. If we look at how the modern UEFI BIOS is designed, we can find a lot of hidden options that are not available to the user but are processed by the BIOS. This is, in fact, the basis of our first technique. UEFI Human Interface Infrastructure defines default values for all options, including the hidden ones. And as soon as we find the option connected to DCI, it can be activated via set-defaults: the DCI-enabled special hidden option. UEFI defines a default value for the option, and if we find the option connected with DCI, it can be activated by setting defaults, then resetting the BIOS to defaults using the standard interface. And we obtain a working DCI. It's easy. The edited image is programmed into SPI flash by a programmer or through the standard BIOS firmware tool, if you have the privileges. Those settings can be edited by a special AMI BIOS configuration program, on the slide. It's free; you can download it from the AMI website. But if Boot Guard is running, this technique doesn't work, because the system will not boot, since this tool changes the UEFI module.
But you can activate it via a PCH strap. DCI can also be activated by a configuration-specific bit in the PCH configuration. Normally, they are located in the Flash Descriptor region, or they can be set by using the Flash Image Tool; it's a special tool for creating the firmware BIOS. This technique works even if Boot Guard is activated. It's good. And finally, you can try to activate it directly through the P2SB device. You can find a special index and register in the documents for different PCH generations. On the right, it's the 6th generation, and on the left, from the 7th generation. And you can use those data for this activation on the fly, if the BIOS has not blocked the desired settings changes. Okay, right. We know some motherboards where it works.

And it leads to the question: how can we protect ourselves from such trojans? We propose activating Boot Guard in order to prevent the modification in the first place. And then you can check the DCI-enabled bit and the debug enable and disable registers through a special debug interface MSR. In this case, DCI may be enabled, but execution cannot be stopped. And as a result, it's impossible to get access to memory and registers. And you can see the documentation. The least significant bit of this register makes it possible to restrict CPU debugging. So we need to set it to zero and lock the register itself, writing a 1 into a special field.
Can this help to protect your platforms, your laptops, in the new age of USB? You can find or make a special device which transmits commands from USB or Wi-Fi and use it to implement a backdoor in a laptop or servers, or in other motherboards or computers. And modern CPUs allow using debugging tools which are available through USB 3.0 on numerous platforms. These tools make it possible to control a system totally, making the technology attractive not only for debugging and research, but also for deploying hardware trojans. And please check your Skylake laptops. Thank you for your attention. And maybe we will publish a special tool on our company's GitHub which can help you to check your motherboard. Thank you for your attention.

Thank you, Maxim. So, questions. Do we have any questions for Maxim about JTAG over USB?
I see one already here in the front. Thanks for a great talk. Two questions. First of all, could you share which motherboards allow enabling such debugging features? We know only one vendor, but we didn't search other vendors, and we don't know how many vendors allow using this functionality. Second question: is it possible to send debugging data not via USB but via the network itself? Why not? You have a Management Engine processor. Scary, thanks.

OK, we have a question from the Internet. Hello? OK. The Internet wants to know if you have tried reverse engineering the protocol the USB box uses. Yeah. But it's the next series.

Here in the front. So, have you contacted Intel and, if yes, what did they say? Yes. They didn't say anything.

In the back by the camera. So, the debugging features can be disabled by the BIOS, right? Sorry, what? The debugging features can be disabled, depending on your vendor, by the BIOS, right? DCI, unfortunately, sometimes no, because the configuration of DCI is enabled by two PCH straps. And if a PCH strap on a platform is activated, the BIOS can't disable it. And if you have DCI, you can always enable any features, because you can stop on the reset vector.
Sorry. So, any idea how widespread this is? The question was, do you have any idea how widespread this problem is? I don't know, maybe... I think that Intel implemented a special technique which is connected with cryptography, but doesn't use it now. And I think that maybe in the next generation they activate it.

We have another question from the Internet. The Internet wants to know if it's possible to use this to do something to bypass some kind of signature check or something. So, if you can modify what's being executed, basically. No, because the PCH strap is not signed. And you can rewrite it for the BIOS. And Boot Guard and other technologies don't see it.

Is there a follow-up question from the Internet? Yes, there's a different question. People want to know if and where they can get your slides and read more about your research. Sorry, repeat the question. They want to know if and where they can get the slides and read more about your research. In my e-mail... Okay, write me. I asked about... I'll tell about it.

Okay, in the back. Thanks for the talk. Did you do any research on platforms prior to Skylake, let's say Haswell or something like that? Haswell... Haswell has the same technique, but unfortunately DCI is a hardware technique. In Haswell, it's a software technique, and so far I didn't see special firmware which can use this JTAG-like interface. Its technology, the SVT adapter, works from Haswell, but only after signing an NDA. So Haswell doesn't work with a simple USB device? No, only Skylake. Thanks.

Okay, in the EFF shirt. Are you familiar with antivirus products that also use the Intel debug states, like Check Point SandBlast, for example? And how is this similar, or does it interfere with the hardware?
It's difficult, because it works very unstably. So does that technique interfere? Would Check Point SandBlast detect this? Check Point... It's mainly because this technique has some troubles. For example, it uses a hardware register, and you can read addresses, and you can read modifications of memory which this SVT or USB JTAG-like device is doing. And it detects for viruses, and maybe you can use it, but it's not good sometimes.

Okay, we have time for about three more. Did you have a follow-up? No? Okay, then in the front. Is it possible to trace code and maybe read memory while the core is in SMM mode? Yes, yes, yes. Okay, so you can just read all the SMM procedures and you can take the vectors... Can you actually use this technique to write SMM vectors? You can use a hardware breakpoint for a special register on the right. Insert this breakpoint, and it won't be able to lock the memory which is used in System Management Mode, for example. And read it. We're doing it, yeah.

Okay, in the back right. The protocol is protected under NDA. Are you aware of any open research on this topic? Yes, it's open research. Another thing: is it following the normal USB protocol, or do you really need some special electrical properties? For the SVT special adapter, it's a proprietary protocol which uses the signals of USB 3, but it's not USB 3. And this cable, it's the simple USB 3 protocol, and yes, you can write a program which, for example, can trace your target system. Yeah.

Okay, and last one in the back. Is it JTAG-compatible in such a way that it has a scan chain and stuff, or is this some Intel invention, this DCI protocol? I know, I think that DCI is a special device which re-translates the commands from USB to the JTAG chain, JTAG types. Yeah, right. So it's like toggling the JTAG signals? Yeah, yes. So that's what happens, wow. And is there any chance to put this support into OpenOCD or such open source software? Maybe in the future. Thanks. Okay, let's put our hands together for Maxim one more time.
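The talk's defensive recommendation is to read the "special debug interface MSR", make sure its least significant (enable) bit is zero, and confirm the lock bit is set. The following script is an added example written for this page; it is not a tool from the speaker or from Positive Technologies. It assumes the register is IA32_DEBUG_INTERFACE at MSR address 0xC80 with bit 0 = Enable, bit 30 = Lock and bit 31 = Debug Occurred (these come from Intel's SDM, not from the transcript), and it reads the register through the Linux msr driver at /dev/cpu/N/msr, which needs root and a loaded msr module. The sample register values in the fallback path are constructed for illustration.

```python
"""Check the IA32_DEBUG_INTERFACE MSR for the state the talk recommends.

Assumptions (not stated on the page, taken from Intel's SDM):
  MSR 0xC80 = IA32_DEBUG_INTERFACE
  bit 0  : Enable (1 = silicon debug features such as DCI run control may be used)
  bit 30 : Lock   (1 = Enable cannot be changed until the next reset)
  bit 31 : Debug Occurred (read-only, sticky until reset; set if debug was used)
"""
import struct

IA32_DEBUG_INTERFACE = 0xC80  # assumption: MSR address from Intel SDM
BIT_ENABLE = 1 << 0
BIT_LOCK = 1 << 30
BIT_DEBUG_OCCURRED = 1 << 31


def read_msr(addr, cpu=0):
    """Read a 64-bit MSR via the Linux msr driver (/dev/cpu/<cpu>/msr).

    Requires root and the `msr` kernel module; raises on failure so the
    caller can decide what to do.
    """
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(addr)            # the MSR address is the file offset
        raw = f.read(8)
    return struct.unpack("<Q", raw)[0]


def assess_debug_interface(value):
    """Decode an IA32_DEBUG_INTERFACE value into a small report.

    verdict:
      "debug-enabled" : Enable=1, a connected debugger may halt the core
      "hardened"      : Enable=0 and Lock=1, the state the talk asks for
      "unlocked"      : Enable=0 but Lock=0, firmware (or a strap-enabled
                        DCI session) could still flip Enable later
    debug_occurred is reported separately: it is the sticky evidence that
    a debugger was attached since the last reset, which is useful for
    after-the-fact detection even when the verdict is "hardened".
    """
    enabled = bool(value & BIT_ENABLE)
    locked = bool(value & BIT_LOCK)
    occurred = bool(value & BIT_DEBUG_OCCURRED)
    if enabled:
        verdict = "debug-enabled"
    elif locked:
        verdict = "hardened"
    else:
        verdict = "unlocked"
    return {
        "raw": value,
        "enable": enabled,
        "lock": locked,
        "debug_occurred": occurred,
        "verdict": verdict,
    }


def format_report(report):
    """Render one report as a single log-style line."""
    return (f"IA32_DEBUG_INTERFACE=0x{report['raw']:016x} "
            f"enable={int(report['enable'])} lock={int(report['lock'])} "
            f"debug_occurred={int(report['debug_occurred'])} "
            f"-> {report['verdict']}")


def main():
    try:
        value = read_msr(IA32_DEBUG_INTERFACE)
        print(format_report(assess_debug_interface(value)))
    except (OSError, PermissionError) as exc:
        # No msr device or no privileges: show the decoder on constructed
        # sample values instead of real hardware state.
        print(f"could not read MSR ({exc}); showing constructed samples")
        for sample in (0x0, BIT_LOCK, BIT_ENABLE, BIT_LOCK | BIT_DEBUG_OCCURRED):
            print(format_report(assess_debug_interface(sample)))


if __name__ == "__main__":
    main()
```

Run it as root on a Skylake-or-later Linux box after `modprobe msr`; a "hardened" verdict with debug_occurred=0 on every core is the state the talk recommends, while debug_occurred=1 on a machine you never attached a debugger to is worth investigating.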