
Getting Physical with USB Type-C: Windows 10 RAM Forensics and UEFI Attacks

Speech transcript (automated media analysis, beta)
Welcome everyone. I'm sorry for the surprising TBA, as I wasn't sure what I'd talk about, but I figured it out last night. So today's talk by me
is about USB Type-C and what that means for DMA attacks against Windows specifically, and also some UEFI realizations that I came across, especially in the light of Type-C becoming much more prevalent in all sorts of new machines out there.
A bit about myself: I live and breathe Windows kernel code, and I've been doing this for about 17 years now, which seems like a really long time. I like to look at Windows and operating systems in general, mostly on the software side, but every once in a while I like to remind myself that there's hardware too, and I've done stuff around SMC firmware, and today I'll be talking about Type-C and Thunderbolt. So basically what's happening these days is that there are starting to be cheap, non-FPGA-based, affordable USB-to-PCIe devices, for example the one I've got right here, which is a few hundred dollars, which is still expensive but way cheaper than other kinds of devices that give you access to the PCI bus, which are actually thousands of dollars, or you need to buy and build your own FPGA and do your own programming of it. The second thing that's happening is Type-C is bringing Thunderbolt 3 to Windows devices, and that matters because it's leading to an explosion of Thunderbolt 3 devices, and Thunderbolt 3 is basically PCI Express over cables. So we're starting to get USB-to-PCI Express becoming a commodity, and PCI Express over USB Type-C becoming a commodity, and combined together we can now very cheaply have access to the entire PCI Express bus of another machine over the USB bus of our own machine, which is exactly what I'll be showing today. So this is the
cost, for example: $9,199. You can still buy this, something called CaptureGUARD; you pay $9,199 for one of these cards and you can do memory acquisition and lost password recovery on other machines. But with modern hardware today you can rebuild pretty much exactly
that for about $350, and it's really easy, like I am lazy: otherwise you could actually buy the raw chips that you need and it would cost you probably 50 dollars instead, but if you just want to buy ready-made cards and plug them together, that's the $350, and that's not cheap, but it's still a lot better than $9,199. So I'll talk about
previous research in this space, because obviously there's been a lot of work done around external attacks, around Thunderbolt, so I'm going over the existing body of work around that. I'll talk a little about Type-C, and specifically Thunderbolt 3 over Type-C, how that looks and the security of it. I'll talk about a very specific, very special chip called the USB3380, which is going to power all of the attacks. I'll then talk about something called the User-Mode Driver Framework, UMDF, which is a really nice Windows built-in framework for writing PCI and USB drivers in about two hours of code, so if you can write C you can probably write a PCI Express driver on Windows now. And I'll talk specifically about some very interesting Windows physical memory forensics details, on some structures that are in physical memory that are often misunderstood; we'll get to the bottom of where the structures live, why they're there and the interesting data we can get from that. And finally I'll talk about how to actually mount attacks using everything we've learned, specifically targeting Windows, leveraging some of the UEFI stuff that makes it possible for us, and then I'll wrap up with some concluding thoughts. So, as many of you know, external DMA attacks have been around for a while. One of the main popular ones was FireWire against Apple computers: you could plug in a fake iPod, or set up a Linux machine and pretend that it was an iPod, and because FireWire essentially gives you DMA access and bus mastering, it was a really nice way to externally attack Mac laptops, and Windows laptops that had FireWire ports as well. This was also doable through ExpressCard, because an ExpressCard slot is essentially a PCI Express bus inside of your laptop, so there were attacks against those types of ports as well, and at some point they were prevalent. Of course today no one has an ExpressCard slot on their laptop anymore, and probably no one has FireWire on their laptop anymore, so those
initial attacks actually led to some changes done by BIOS vendors. One thing that happened is that they stopped allowing bus mastering, or DMA, until the user logged in, or they applied blocks on certain classes of devices, or simply, when the machine is locked, they don't let certain operations happen. At the end of the day though, for compatibility reasons, there are often device classes that still end up having bus mastering, and of course if you own and control the device ID and vendor ID you can still pretend you're one of those devices that still gets bus mastering. But it was kind of the first time that vendors started locking
things down. Now Thunderbolt specifically, which became very popular thanks to Apple: of course there were some attacks against this too, the De Mysteriis Dom Jobsivs work and of course Trammell Hudson with the famous Thunderstrike attack. A lot of these, first of all, relied on option ROMs. So the idea was you plug in PCI Express hardware over Thunderbolt and then the option ROM executes, and executes a malicious payload against the machine, and that worked really well against Apple computers because Apple's UEFI is essentially based off EFI 1.12 with lots and lots of improvements, but it doesn't have Secure Boot enabled, so without Secure Boot option ROMs just execute, unsigned or not. Very recently Apple has actually closed off a lot of those attacks: now option ROMs don't get executed at all anymore unless you press a special key sequence, so again thanks to Trammell they've done a lot there, in the interfaces as well. On top of that we now have the IOMMU that's enabled by default on Macs as well, which prevents DMA access even if you can get that far, so you'd have to first bypass the security around that. Now again these attacks are really useful, but because they relied on Thunderbolt 1 and Thunderbolt 2 they were limited mostly to Mac hardware; there are very few Windows machines out there that had those sets of ports that you could influence. What changed is a presentation about four years ago by Joe Fitzpatrick and others, where they discovered this USB3380 device, which essentially gives you a USB 3 to PCI Express interface. I've got one right here, a very tiny little device: PCI Express, mini PCI for this one, on one side and USB 3 on the other, and you have a very small package that gives you a bridge between the commands you want to send across USB and what you want to see across PCI Express, or vice versa. And this really is a game changer for the types of attacks I'm talking about, because this used to be, you
know, giant boxes and FPGAs or very expensive hardware, and this is basically 150 dollars, and you could probably get it for cheaper than that if you want to make your own. But it has one problem, which is it can only do 32-bit DMA. So one of the big problems around these attacks was how to attack a modern system, which of course has physical addresses above just the 4 GB range. The initial usage of this device also was only about 3 MB/s: Joe was using the PCI-in and PCI-out endpoints, which essentially just do configuration register access, and at 3 MB/s it can take a while to mount an attack. And also unfortunately this type of hardware design doesn't have an option ROM: it lets you modify lots and lots of registers, but you cannot provide an option ROM with this, so you can do the DMA attacks but not directly the UEFI things at boot.
Ulf Frisk then, a few years later, modernized the attack by adding DMA support: this piece of hardware actually has four DMA endpoints, and by enabling the DMA endpoints over USB you can now do attacks or dumps at 150 MB/s over USB 3, which is a hell of a lot faster than 3 MB/s. He also basically bypassed the need to have the official toolchain from the company that makes the chipset, which is under NDA and which only works on certain systems, so he originally wrote a Linux driver as the method of flashing the hardware, and after that you can use it from Windows as well. He also figured out a really simple way to talk to the USB side, which is simply to have the firmware pretend it's an Android phone, or a Google Glass to be more specific, and then it's a simple ADB driver on the Windows side, or any side, and you can talk to the USB port. This made it a lot more usable; there's a GitHub with projects based on this device for Linux and for Windows, typically leveraging Thunderbolt 2 or going through various kinds of interconnects in the middle. So there's already
a huge body of work here. So what did I do, what am I going to talk about? First of all, I found some small bugs in the actual firmware that a lot of people had been flashing on this, so I read the datasheets and realized some of the registers were off. This chip has a lot of stability issues: if you touch some wrong parts, or you DMA memory too quickly, there are lots of things that make it basically die out, so I figured out how to make it work a little more reliably, especially if you use USB 2, which is a bit slower (you'll get about 50 MB/s) but is a lot more reliable. And instead of relying on the Linux PCI driver to actually flash the EEPROM, I created a UMDF driver, and I'll talk about how easy that is, so you can flash it using Windows now without requiring to boot a Linux partition first. And most importantly, for this talk, I figured out a universal implant technique that works on any OS with memory under 4 GB, and you don't have to do the hard OS-specific techniques to get access to something that gets you to the implant: by using UEFI runtime services we can actually do something pretty universal, since UEFI always lives under 4 GB. Specifically on Windows we'll also see the HAL heap, and finally how the HAL heap is relevant to this. And I also modernized the attack to work across USB Type-C, because again the original attacks were over Thunderbolt, so a few limited Windows laptops and mostly Macs; with Type-C this opens it up to basically everything. So again, a pointer to all the work
that went in before this. So let's talk about Type-C and Thunderbolt 3. Basically Type-C is a specification for a connector and a cable; it's basically a reversible USB connector, it supports up to 100 watts of power delivery at 20 volts, which is huge, and the key thing about this cable is that it can support alternate modes. There are so far three standards for alt modes: DisplayPort alt mode, Thunderbolt alt mode and HDMI alt mode, but in theory you could run Ethernet over this cable as well; you could drive anything that can be signalled accordingly over this cable. And Thunderbolt 3, since about 2015, can run Thunderbolt 3 signals over Type-C, a little bit slower than full Thunderbolt 3's 40 gigabits; over Type-C today it's still only 10, with generation 2 coming out. Which leads to the Skylake chipsets, which were known to be almost Thunderbolt 3 capable, and Kaby Lake came out this year, and Kaby Lake chipsets now have native Thunderbolt 3 controllers in the actual chip. So most brand-new Windows laptops, even laptops from about a year ago (this is a Dell from a year and a half ago), now come, usually in the midrange option, with a Thunderbolt 3 over USB Type-C connector; the Apple MacBook Pros of course come with four of them. And new motherboards that are coming out now have Thunderbolt 3 for desktops as well, so we're really seeing an emergence of USB-C from Apple and also from the PC manufacturers. Now Thunderbolt 3 specifically is a highly, highly proprietary standard: even to use it on Windows you need special Intel drivers that your PC manufacturer ships; Windows does not have a built-in Thunderbolt 3 driver, and from what I've heard my friends don't even have access to the specs, so they can't even write a driver. It's highly controlled by Intel. The BIOS actually also has to support and enable the Thunderbolt 3 controller, and specifically it has some security levels. The way it works on PCs: if you plug in a Thunderbolt 3
device, the driver actually notifies you that a new Thunderbolt device has been attached, and once you as administrator have pressed OK you get a dialog that asks you whether you would like to enable this Thunderbolt 3 device, and you can say just this time, nope, or always allow. So you have to, as administrator, manually authorize the connection with that Thunderbolt 3 device, which in theory sounds pretty secure. The question is, you know, is that admin dialog a security boundary? There's a driver and an undocumented protocol; I haven't looked at it, I don't know, but history would suggest there's a way for a non-admin to click that button anyway. But what I'm looking at today is not dissecting the security of that dialog; by default you get a little pop-up there. Now that actually depends on
how you configure the BIOS. So this Dell laptop has a few options; for example it has an option to set the security level, and by default the security level is set to user authorization. This is what makes Windows have the little pop-up through the Thunderbolt driver. If I set it to no security then that pop-up won't matter: as soon as I plug in the device the controller will be activated. And secure connect means that the device not only gives you a product ID but also has a unique ID, and in theory if you plug in any other Thunderbolt 3 device of the same type but with a different serial number, it'll still be able to recognize that. So I either authorize this thing here, or I might authorize any kind of Thunderbolt 3 dock by a similar manufacturer; so at the user level, authorizing this one authorizes all the other ones like it, while secure connect only authorizes this one. And the last security level is DisplayPort only, which basically turns off PCI Express signalling; it only allows DisplayPort as an alternate mode, and of course there's supposed to be no data over DisplayPort. What's interesting is that the laptop has by default "always allow Dell dock", and I haven't looked at this either, it's in the firmware, but I'm willing to bet that "always allow Dell dock" means if you have the vendor ID of Dell and the device ID of the dock you probably get through and bypass this, and this is set by default. You also have some other options which are not on by default, but the very interesting one is "enable Thunderbolt at boot" and one is "enable Thunderbolt and PCI Express"
pre-boot. So this basically gives you access the second you power on the machine: while the machine is booting up you have Thunderbolt 3 access. So it's highly configurable, and by default it's "always allow Dell docks" and user authorization. I've also manually enabled the boot options to have some more fun with the
device. So here's an interesting fact about the Dell: if you enable Thunderbolt 3 pre-boot, or at boot, you basically give up the security, because UEFI does not have a little pop-up to ask you "do you want to allow this device?". So regardless of the security level you set, as soon as you enable Thunderbolt at boot, the security is gone: you plug it in during UEFI, or pre-UEFI firmware, regardless of the security settings. So already I could, you know, inject something into the machine at boot. But even after boot Windows does not reset the bus, or rather the Intel security governor doesn't get reset, so as long as you don't unplug and re-plug the Thunderbolt 3 device that was plugged in at boot, it'll silently remain active regardless of the driver and what it sets. So it basically bypasses it completely. Point two: obviously if you're in legacy mode and no security, this also completely bypasses the authorization, and people that have Thunderbolt 1 or Thunderbolt 2 devices in many cases are likely going to need to enable legacy mode. Searching on Google last night, going over a few forums, I saw a lot of forum posts from people saying "I can't get this to work, what should I do?" and people suggesting "enable legacy mode and no security". And the thing that's very interesting about this, and I can't show it to you because I can't do the projector, so trust me on this: when I plug in this PCI Express to Thunderbolt 3 device, which is designed to let you use an external card, what the Thunderbolt security dialog says is "you're plugging in a PCI Express box", and I authorize it. Once it has authorized the box, regardless of what I put in the PCI Express slot, it's authorized. So finally, if you've got some legitimate PCI Express device and you come in and authorize it, and then I come in and swap it out and put a different card inside, it doesn't care, because even in the strongest secure connect, unique ID mode it still doesn't recognize that you've got a different PCI Express device plugged into the bridge, which
is kind of completely broken: you're authorizing the bridge, not actually the device that's going to be on the bridge. And of course with the default "allow Dell dock" on by default, I'm pretty sure if you just put the right vendor ID and device ID in there, maybe there's a symmetric key, who knows, I'm pretty sure you can bypass that as well. So there are a lot of nice security toggles, but in practice they're not really strongly implemented today. So let's talk about the USB3380 itself. The USB3380 basically is a 15 dollar chip (now with the buyout it's probably more expensive) and it gives you PCI Express to USB 3.0. It has four DMA channels, so you can do in and out depending on how you program them, and it has two PCI channels as well, so you can access MMIO and touch PCI configuration registers and so on and so forth, and it has specific channels for configuring the device as well. So you can access almost any PCI register and almost any USB register, meaning you can kind of implement your own USB device or implement your own PCI device. On top of that it even has on the chip an 8051 microcontroller, and the microcontroller can be connected to the EEPROM with any amount of code that executes, and the 8051 has full access to all the registers as well. And there's a company in Taiwan or China, they have two websites called B plus and B plus something, that will sell you some development kits: they'll sell you the PP3380, which is an actual PCI Express card with a kilobyte EEPROM on it, the USB3380-EVB, which is what I showed you earlier, which is a small mini PCI Express version which has only a 256-byte EEPROM, and an ExpressCard version, but no one has been able to actually get that to work with some of the attacks I'll talk about. Now unfortunately a few months ago PLX, who actually makes the chip, got bought by Broadcom, and now you know there's an NDA, access to datasheets, you have to sign up to do anything. Thankfully I got all the stuff before the acquisition
happened; otherwise you'd have to sign up for the Broadcom account and worry about that. Again though, this chip can only do 32-bit DMA, so you're stuck with addresses below 4 GB. And also if you DMA to an incorrect address, basically a memory hole, a reserved region of RAM, or an MMIO device, it locks up; in some cases you have to power it off, wait a few seconds, power it back on, sometimes just unplug and replug, but the device dies if you DMA to bad memory. So those are both of the big issues: modern operating systems have memory above 4 GB a lot of the time, most of the time, and you don't know ahead of time what the physical address space of the machine looks like. Obviously it has some well-known addresses that you should never touch, but you might have some specific memory hole on a machine and then the device locks up, which makes attacking and reliability a lot harder. And so I was wondering, can I find ways to make this
better? So out of the box, this USB3380 device is in a kind of inert state: the PCI Express interface is active but the USB side is not, so you have to flash it with your own custom EEPROM. The EEPROM has basically 256 bytes, at minimum, of configuration registers, and you go through the EEPROM to configure how the device is going to act, so you can configure the vendor ID, the device ID, the USB control register, whatever you want. So at minimum you need a header, and then you specify the size of the firmware, and in this case we're setting the USB control register to this value, which if you look at the datasheet basically enables the USB side. So if we set these bytes in this EEPROM, that will enable the USB controller; that's kind of the very basic step. The way the firmware works is it's all big-endian, and you take the register that you want to modify and divide it by 4 into an index: so if you want to modify register 0x8C, divided by 4 that's 0x23, and then you specify if it's a USB control register or if it's a PCI Express register, in this case it's USB, and the data comes after that. So this is how I'm setting the value in the USB control register.
The other thing you'd like to do is give this thing a more interesting PCI Express vendor and device ID, for example a Broadcom SD card reader. This actually gives the device bus-master access even during logon, even before login. So we're going to configure PCI register 0 to give it that PCI vendor ID and device ID. Then we're going to configure the endpoints: one endpoint, 0x4, for writes, so we only get one speed on writes, and three different DMA endpoints for reads; each of these endpoints gives you 16 MB/s, so you can do the math, it gives us a pretty fast transfer speed, especially with multithreading and things as well. So now we have the DMA endpoints active and the fake PCI ID. The last thing that we need to do is, for example, set the Google Glass USB ID; this makes the USB side look like a Google Glass and makes the PCI side look like a Broadcom SD card reader. This is essentially the standard EEPROM, for example what Ulf uses in his attacks, with the Google Glass just so we can then drop in an Android ADB driver without having to write a custom signed driver for that; but we'll see you don't necessarily need to go down that route. The other thing I want to mention is the PP3380, the PCI one, the other one: it actually has a bigger EEPROM, so because the 8051 chip that's there, which is normally not running, has full access to USB and PCI, this entire attack that I'm doing through two separate machines I could have implemented all of it in the 8051 EEPROM, in a single implant device that just plugs into a USB-C port. So you don't have to have those unwieldy things; it can be a simple Type-C device that you just plug in, or even this little chip, you plug it in with the full EEPROM on it and it mounts the attack directly. The chip can mount the attack and do the reads all by itself, very easily, just directly, and this is very surprising, right, because before this chip you had to have your own FPGA and do your own firmware, for example
what has been done by others, but this makes it much, much, much easier. On top of that you have some nice diagnostic LEDs: on this EVB there are four LEDs, three orange and one blue, and this can be very useful during development, you can actually blink the LEDs to see what's going on, and specifically if you're using the 8051 you can use the LEDs as a kind of signalling to know "OK, I'm connected", "OK, the DMA worked", "OK, the attack is at this stage". So it's a really nice, neat little package; it's got everything you could need, almost like they thought about who their target market is going to be. So people,
here it is without the firmware: you can see a USB serial port controller on one side and, again, nothing on the other. So the first thing we need to do is program the EEPROM, and to program this EEPROM we need an actual driver to attach to the PCI Express device, memory-map the BARs and then access the registers that program the EEPROM through the PCI port. So for this you need a driver. Now writing PCI Express drivers sounds like a really hard thing to do, but it turns out Microsoft has made it really, really easy with something called UMDF, which is the User-Mode Driver Framework, and I'm going to teach you how to write a driver, or basically show you in a few slides just how easy it
is. So we need a driver to map the MMIO range on the PCI Express device, and we need to flash it. Now a real kernel-mode driver is hard to write, leads to blue screens of death, and also has to be signed; especially on new versions of Windows 10 it has to be signed by Microsoft, submitted to the WHQL certification page, and tough luck getting a DMA attack driver signed by Microsoft. Now the nice thing is that UMDF, specifically in Windows 8 and later, now has full access to the PCI Express bus, and with the right settings in your INF file you can actually memory-map PCI Express BARs in user mode and natively access them, as well as handle interrupts. And these drivers are DLLs that run in user mode, so you don't have all the strict signing checks; in fact the only signing check is at installation, if it's signed by something in your local trust authority. So for example when Ulf published the Windows driver, there's basically a script that takes his certificate, installs it into the trusted roots, installs the driver and then deletes the certificate. Once this is all done there are no load-time checks whatsoever, so technically UMDF drivers don't have to be signed when they load, they have to be signed when they're installed, and they just have to be signed by something in your local certificate store, unlike real kernel drivers which are much more controlled than that. So basically the UMDF driver just needs an INF file where we configure these two settings, "allow direct hardware access" and "register access using user-mode mapping", and then the PCI device ID that you want to control; the first one here is when the device comes up in its default state, before we program it, and this is after we've programmed it to be a Broadcom SD card reader, so this can act as a driver both for the original unflashed device and also after our custom flash. Once you have the INF file done, it's basically like three lines of
code to create your driver object, ten lines of code to then create the device, which will react whenever the device is plugged in, and when the device is plugged in that's when you have 15 lines of code to basically enumerate the resources, find the BAR (the default size of the MMIO range), map it, and then it's mapped in user mode and we can flash it and we're pretty much done, except that if you want to be a good programmer you also need to clean up when the hardware is released. So four slides, about 40 lines of code, and we have a PCI Express driver that doesn't need to be signed and we can flash the firmware on
this thing. Once we've done this, then basically it'll come up as an Android ADB Google Glass device, and installing the Google drivers, which are already signed anyway and are user-mode as well, will now give us a WinUSB interface. Now long-term my plan is to write a proper USB driver for this using UMDF that doesn't rely on the Google Glass, but because Ulf has already done all the work with his PCILeech tool, why reinvent the wheel; so to keep PCILeech working with some of the stuff I'm going to show, I just kept it as a Google Glass, so it works natively with his tool, PCILeech, which is really, really nice. I've added a bunch of things here, basically extended it for some of the things I'm going to be talking about in this section. So now I've got a Google Glass on one side and another PCI Express device on the other. So now, what are the fun things we can do with this, given that I have DMA access to the bottom 32 bits of memory? Well, first I'll talk about the HAL heap. That's something I first talked about about five years ago, when I was using it for ACPI physical attacks, and ever since then people have found more and more interesting ways of using the HAL heap, but there's a lot of misunderstanding about how the HAL heap works, where it is, and people say that it's static when in fact it isn't. So I'm going to drill down and hopefully have the final word on what the HAL heap is and
what it means for you. So the HAL heap is basically how I refer to a special region of address space that the kernel, the bootloader and the Windows Hardware Abstraction Layer (HAL) allocator pre-reserve even before boot. The virtual address space of this has always been 0xFFC00000 to 0xFFFFFFFF, a total of 4 megabytes, so everyone kind of knows not to touch this region; that's where the HAL can allocate things, because the HAL allocates things before the memory manager comes up, so the memory manager never tries to use it. And the HAL allocator sets, at 1 megabyte after the beginning of the HAL space, where the HAL heap itself starts. So the HAL heap, the allocations of the HAL, begin 1 megabyte after the beginning of the address range, which is 0xFFD00000. On 64-bit this is simply extended, so it becomes 0xFFFFFFFFFFD00000. On any Windows machine you're going to have something there, except in the Creators Update: Windows 10 Redstone 2 has now randomized this region, so it's no longer at that address. It was the final kernel-mode address that had resisted randomization for many, many years, and now this is randomized as well; the bootloader basically decides where to put it and tells everything else after that. Now, with physical accesses it's the same way: in a lot of places the HAL heap in physical memory is said to begin at 0x100000, especially on older versions of Windows, for example even on a blog on Core Security published on abusing this; the assumption is that the HAL heap is at 0x100000, and on others that it's at 0x1000. Why does it matter? Because yes, usually there is some memory there, but actually in some cases the researchers weren't really looking at the HAL heap; they thought they were. So we'll talk about what exactly is there and where it actually is. The HAL heap doesn't have to be at that address; where it's really going to be is not static, but the physical allocation is
not static either, yet it can be predicted if you understand where it comes from. Same with the virtual addresses: even before Redstone 2 people have assumed that within that HAL heap range all allocations are always in the same place; that's actually not the truth. The reality is that in the region that we call the HAL heap there's actually an actual heap in there, and there are other allocations that are made as well. So "HAL heap" is kind of a very misused term: there is the HAL address space, then there's the HAL heap inside that address space, and there's the heap inside the HAL heap address space, but there are other non-heap allocations as well. So I understand why people get confused about all this, so let's see how HAL allocations come to be in this heap. So first we have the HAL's virtual allocator. The virtual allocator is very simple: it starts at a base address, which up until very recently was 0xFFD00000, and it grabs the next available virtual address, so there's no randomization or ordering here, just the next available address. The physical allocator, which decides which physical pages to map behind a virtual page, is a lot more complicated. First of all it checks for a special flag called "discard low memory", which you can actually enable yourself, and I'll show you that. And on
APIC systems, so if you have an APIC, which is most systems today, this is set by default, so "discard low memory" is automatically turned on. If you have a PIC system, like a really old x86 with a single CPU, then it is not, so this is disabled and they do not discard low memory. If you have Hyper-V enabled and you're not running in the root partition, it'll also be disabled. So if we're going to use low memory, then it's going to check what is the maximum physical page you're willing to accept for this allocation; when you allocate memory through the HAL you specify what the maximum is. If the maximum is below 1 megabyte, so you want the pages below 1 megabyte, and "discard low memory" is disabled, we're going to pick 0x1000 as the first address and start allocating at 4 kilobytes: page 1, page 2, page 3. If, on the other hand, discard low memory is turned on and there is no requirement for your physical address to be below 1 megabyte, then we're going to start at 1 megabyte, and at 1 megabyte we're going to find free pages or firmware-temporary pages, anything that's marked as firmware temporary or free, starting at 1 megabyte. So basically there are two possibilities: either we allocate starting at 1 megabyte or we allocate starting at 4 kilobytes, based on the platform you have and based on what the requester actually asked for. So here's an example of a machine at boot-up; we can see here that the HAL has started using page 0x103, because it started at 0x100 but you have something at 0x100 from the bootloader, you have something at 0x101, you have something at 0x102, so it starts allocating at 0x103. On this machine the HAL heap didn't start at physical page 0x100; any attack that assumes that would break automatically, because there are actually three allocations here, unlike another machine where it might actually start at 0x100. So it'll start somewhere near 0x100, and there you're guaranteed that the pages will be contiguous, so you can get the beginning, but you might have to do some scanning; it's not guaranteed
rests on or it could have actually been starting at once if I had a big machine a enabled ifi able discard and so that's regular bit of
variance know what actually lives in this how he well any allocations they're done very early and boots by their how before the kernels actually initializing a manager so there's an actual heat that is used to uh out by how and then allocate memory there's the CPI so they're acpi tables are cached it uses the how he I'm also something called allocate early pages whatever dryer once early pages it is there how he the page tables for how he itself come from and how he and to give a kernel debugger blood then the sum allocation that skin and the coming from the how he does well plus a DMA buffers and to be allocated there so there's a whole bunch of stuff that uses the how he so the structure house actually look like in virtual address space is also gonna be will be different the for example if you have kernel debugging enabled then the very 1st thing that gets allocated in the how he is going to be a kernel debugger structure a little structure how users to identify the physical device using foreground debugging the if you don't have a currently blogger attached then the 1st allegation was going to get made is actually be a timer objects entertainer object lives in the internal heat so the basis of the internal heat is going to end up being a little bit different because the but devices come from internal heat and the 1st thing that we allocate is a kernel debugging device the internal he begins here if on the other hand you don't have currently bagging then something else is that you can use that address and see what it is and then the 1st internal heap allocation actions to start a page later so the actual internal the part of the how he doesn't by the fall actually started at the beginning of the how he that starts appease later a a debugger blood in to imagine while AI researchers parliament doing their work they have a debugger attached and so the thing that is at the beginning of internal heat when in fact in most cases they be that other types of this is 
pretty terminus that's as 1 of those 2 depending on what the you curly butter plugged-in were not then within that internal on Commissioner curly burger at device might be registered on then at object gets registered then use controller gets registered and ejected you have fairly bugging than a secondary copy of that about device can register so alternately if you move watch the allocation that I made their which always then this in order and they're all the same size you can pretty much predict what is going to look
like come and so you know this is a diagram there make more sense on the next slide and was that
publish it but basically this is the entire space of the internal heat and the how and why you can understand you know you you able to understand what you know the allocations what every single thing of whatever 1 of these things that's for every machine while you're booting out there how he was
going have the same allegations elites for Windows 10 right obviously Mexican add more code more places can change but it is hyperdeterminants that once you know where to
actually start to example this is mostly
for reference on that earlier picture these are all the allocations were able to see with the fixed size and the fixed the types is that 1 of the interesting things I noticed while doing the analysis is actually a body in the in the code in the how armed that allocates the space that needs it i it takes a unique code string very has the number of bytes and things as the number of characters in multiplies by 2 again so you know there's a little bit of a waste and how deep as well but it can all be understood once you see with the static allocations Russia going to be so what have we learn here so 1st so we learned that if the kernel debuggers attached then FS DE 0 0 0 they be the internal says the house and the 1st the the internal Bayes error the power and the 1st time the object is to be at Xerox and fades plus invariable sites the because the 1st allocation is actually be the debugger object then the time around if you don't have currently body and there's something else is going to be enough the 0 0 0 you can wait for it and how he watches the at of the 0 1 0 0 0 and the 1st object there will be a time objects now nice by the time object it's got some callbacks it's essentially have an arbitrary right will ability either in a virtual memory or in physical memory you can patch 1 the time Roger that's which is the beauty terministic addresses either in a b over here or there plus some offset if you pat etiological back to get instant code execution and this is actually been leveraged in on the of the core security blog they attack this object but again amid some assumptions about where going to be which don't always hold true after these initial allocations every other allocation can be somewhere else so there's a whole number of all the things that may come at the place in the interplay and it that's how many CBI
tables you have and so on and so forth the so the physical memory said that either starts of a megabyte or starts said um 4 kilobytes but individual allegations can themselves specify a maximum addressed so example acpi cache memory and the main memory always must be below 16 megabytes of says that's a cap and then another occasion called the little stub always wants to be below a megabyte which means that ended the file system where the hell he starts allocating at 0 x 100 at 1 megabyte because the low style is the only thing that requested being below 1 megabyte the only page have below made is low stub and the low style will always be the x 1 thousand no 1 Earth is a low the of is 1 of the most undocumented structures that I've seen in my entire reverse injuring history known and talk about the server is a tiny little piece of 16 bit code that still lives in even a 64 bit Windows and it's using 2 cases where you booting of the processes at boots because as some of you probably know when he would appear fancy caveolae processor what is it would up as a 16 bit processor thinking there's always 640 K of memory so we need to have some memory and 640 K real mode to bring it up and protected mode and then bring it up in long mode battle most of 2nd most of those is an abbreviation to sleep during a machine to S 1 year OK but S 2 and S 3 sleep states they wipe the CPU's states so what is the resumes from sleep what is the think it is a 16 bit processor with only 640 K of memory solos initializes the processor brings it back and protected no razorback along mode and brings about where need to be so the low style has been a Windows since and T 1 never seen anyone and even even talk about the status exists and because of the allocation policies and modern hardware it's always going to be the x 1 thousand which has some interesting opportunities because that low stop isn't just 16 bit code it's a little GTT is well a little ITT the on identity map and perhaps most 
interestingly a structure called processes state which is documented in the symbol files and in the header files and that process state structure
contains Sierra 3 the
instruction pointer the stack pointer N and so basically you can leak at a fixed virtual address on any us fixed physical address on almost any machine in the world at at a 0 x 1 thousand the address of the kernel beta at 3 PM or 4 or 0 3 which a were since you have this physical memory acquisition becomes really easy and on almost any modern machine is going to be a you know 0 x 1 thousand plus whatever the office of the structure you can also get the answer of the kernel enterprise beginning at the end of the kernel stack indigenous of the motor block which is another key move structure plus what's really nice is the lowest of actually has a selfmap pointer which gives you the virtual address to the low so you know where it is in RAM is pretty much fixed and it also tells you where it a virtual memory and you know it's in the how he somewhere at some offset off heap so even and creators of the way a randomized the how he well you know exactly where it's going to be if you can access the x 1000 with an arbitrary read primitive India or with the DNN attack so basically now that we have a low stub we can get the address of the how he'd been virtual memory and even if you have a system with a loss of is not a 0 x 1 thousand is be is a x 2 thousand and 3 thousand in the case where we discard low memories that enable right is the housing habits of allocation of your 1000 2000 will something be some after that this other and 1 thousand or summer near 1 thousand if you have an XT 6 pick system and you can just scanner and them so now we have a serious restructuring of the page directory and we can now this an interesting attacks with work lattices was on top of that which is no topic of this talk that searches a CPI sleep to a really nice persistence point with you put your own code in new and the low stubborn machine just as tourists we sleep when it comes back it take direct control the CPU before anything else units run on it so at the little out of scope for now 
that's an interesting research related OK that's a little stub
but also so there's another allocation that happens in the house at the of the 0 0 0 0 if you don't have the curly about enabled if you have the curly but enabled them is actually be are some thousands this all allocation is done super earlier do as early as possible x of the of the it's a view of the butter and it's a structure called the acpi by a small flame note which is a piece of code has been around since N T 1 based on the old 16 bit aboral look up in detect . com which used to run on old systems detector hardware and a created this acpi bias multi-node what's that
structure well it's the physical address of the CPI cables and then an array of ACP IT h 20 entries and the 20 entries was the old way in the 19 eighties the by doing in from 15 you could get a physical map of all the physical pages and the current views which was the holes which host ROS memory which should not be touched cetera even today on a brand new 64 bit system with you if I and with no bias nothing like that Windows and Linux still to raise the 820 entries by either getting them from the bias or emulating the bias the if phi maps so the fights occasion has as a whole new way of creating a romance what every always does is it takes that and rebuild the twine that because that's what I was guys have been doing for you know 20 years that so they wanna get back to so basically that structure contains in virtual memory at a fixed address essentially every single physical page and range I should say and if it's usable off reserve so now combining these 2 things we have a fixed address in RAM where we can get the page directory of the kernel plus the virtual address space of the how he and we have an almost guaranteed Addison virtual memory which is going to be a 50 0 0 0 worth of the 1 0 1 0 0 0 which has a complete physical memory mapped the and remember the 2 problems we have those with the USB 3 380 was we need that that's something below 40 bytes reliably and we need to know the physical memory mappers because we're touching about page we rational whole device was offline now I know it's about page and not so now I can attack the system but what do we do now well we get that the CPI sleep interface with good time the CPI ideals but those or the complicated tax and they're gonna rely on the machine going to sleep or their ion on the CPI interpreter I would like to thank the West self the OS is likely to be somewhere above the 40 wide range so we're going to do is rare that you find
is that of attacking you know us now the vise
something but basically called runtime services and what's interesting about if 5 that it still has support 32 bit systems especially because your CPU's the woods up 16 bit motormen Johnson very the protected nodes especially because you can still stall 32 bit Windows on any laptop in the world 32 bit Windows wouldn't know how to react a 64 bit physical addresses and so the if i is guaranteed to have all this allocations below the 40 about arranged on any machine in the world so they can tacky and I we don't need to worry about where the OS is we can guarantee the presence of the pages below the 4 D right range now attacking if I
sum Southwark something can do at boot but such is something you do after Buddha's as well because the if I has a set of run-time services and runtime services provide the operating systems of access to time access to be able to reset the system access to new environment variables and access to updating framework at a 10 or Mac OS and Linux and Windows they all use if I runtime services so we can patch those we can then have a implies B called regardless of what the US sets so we have to find where those runtime services are there is Ravana table call the RuntimeService stable this is allocated in the if I pull in the if I pull has a nice little signature that we can look for 1 for free allegations 1 for actual
allocations and 1 for the tail of the allocation so in between the hit is 0 and the p-tau there's maybe an allocation and then the runtime services table itself has a signature which is run search so by just scan all mineral 40 bytes and I jump already at a solution or invalid because the red the memory map in the CPI buys multi-node I can find runtime services stable at image about the right thing because if I add up the header size the
tail size and cross correlated with the runtime table size it Akimiski mission
about the right thing and if few sizes see the picture that now the 1 difficulty is that Windows case better runtime service table and virtualizes they came maps in virtual memory all the functions and changes the address the plus if you have devised got turned on it will some cases around in detail 1 as well so when this kind of change all those pointers Mills than elsewhere passes them to the how in the hell can select only a few of those banners and then stories and another table with me that if you do find a table the pointers in their 90 valid anymore because the move somewhere else and number 2 even if you find a table and Patchett winners doesn't actually is a runtime services table it uses its own copy of the table which is moved elsewhere so this kind of sad it had depressing at 1st however for some interesting reason when Windows patches the if I go out when it moves the fire runtime functions elsewhere it actually a thing accidentally or bizarrely patches the runtime table with the address of the new functions so even though would nothing is gonna use those that run timetabling warmer winters still takes care of updating the runtime table with where it put the functions then makes its own table so forget actually still find original firmware table 11 passed by the OS with the pointers and on top of that there are 2 point is that it doesn't touch which will have the physical address left in so graphically it can explain so that better here is essentially the if I run table and here is the pull header with a size of B 0 and the type of 6 which means runtime memory then at the bottom I've got the pool tailed with the size of the 0 and so in between about the if I runtime services and there's a signature here
that says Ron sir because he always wonder that that that that that that that that that of a this is where the kernel remap the addresses so I have the virtual addresses and in the middle is to find you the still have completely different pointers which are the physical address so they actually leak the physical address of at least 2 of functions plus if you have virtual memory acts of the page rectory you can get a virtual functions as well now what this is even easier is that all the runtime functions in the firmware they actually even at the files so all those functions are actually pointers to functions in the same PE files so if you have the physical lattice of 1 of the functions you can just look up and so you find it the header or in the header and then you know where the actual if I runtime drivers you can get as base address in you can do this some simple
math to figure out well OK if this address physical is you know close to this address virtual and got it the header I can figure out this and I can get the physical address of all the pages or because we've got the ML for we can also just use of worth lattices directly rights as we do have the kernel space directory we can look up those addresses but the point is that you don't have to because of the use of physical pointers leaking making it the virtual pointers on as well some of it is that we can patch not the table but 1 of the functions that's pointed to by the table with their own implant coat and the only thing that's left is
getting the call getting the implant to run the and this is unfortunately kind of an open problem because Windows does not have a simple mechanism that's a non have been you can use to basically um get any affine function to run the BCD which uses the A 5 killer gasses by admins the firm environment variables even to read a firm environment viable we have to be an admin windows so there's no command ideal define it to force the phi function to run but periodically you're going to get things like the memory diagnostic our when this sender volume snapshot system restore they will end up calling get viable at some point and if you've get variable you'll eventually get is ecution on but you do have to kind of wait around for the system to be able to do that so if someone figures out a way to trigger this in a
wide I'd welcome the um the input so let me actually do a quick little demo going to plug in the of of the PCI devices here should probably turn off the power 1st and then these BCI reach
to try to get the runtime table hoping that it works tested this way instead Ch OK so that's 1 end of that have but this year hoping we're that'll be you sound we split this year it would who has powered up this melodies is a good and allow the connection of the box k here with Ozal and you try to find my hadn't men from them I should have opened up there is the so now try 1
command which is to search action to dump the i you reuse the canonical patterns are
lazy but this should find a memory
so it's called patch of the patch what is command does is it looks at the CPI buys multi-node which again is maybe be hard-coded arm in physical memory or we can Stanford and now I know exactly all the physical addresses on this laughter that I can access some of them are reserved for better not touch them the ones that are not reserved I conducted then I can search for the runtime table using that information so when the search the search will take a little time and then obviously but the LED is a kind of blinking here indicators axes going on and this again be searching for the arm that runs
table and if we find it demagogues and it'll print out the function pointers and the data such that In this has a scan the entire arm address space physical address space if you don't know whether I think it was new we know below 4 gigs somewhere the lecture should
pass in the flat that was in a crash so all all do it 1 more time on what actually
scanning I'm just a kind of conclusion fast here so 1st of all you have to run Windows then of hybrid enabled 2 things can happen is a the firmware services are going to be in the kill 1 they're going to be in the out protected region of the hypervisor memory as if you try to do the in attack against the if I memory you will be able to would devise got turned on you actually OK but here's the interesting thing the only run the firmware the salon earlier slide the only 1 the firm or indeed kill 1 in the protected environment if it's actually not that w x or x so if you form a developer like on surface did the right thing and the former is not writable and executable they actually don't protected because they assume it's OK it's not writable everything's fine they only protected it's actually rival and executable they projected in the hypervisor to make sure the rings your explicandum packets so ironically what trying to protect the former ring 0 exploits they d protected on most systems against the MAX what's so if you have like vulnerable if I for ordering 0 exploits will be protected if you have a firm more that's not vulnerable cases right w x or x they won't protected Lu with the iron mean you and then you get a patch of the image kind of weird the 2nd thing is that the memory M that I use less than 1 megabyte memory option if you use BCD edits and said 1st megabyte policy to use all of this should make it a little bit harder for attackers find a low style is now you can be the court case New Guinea the corner case where allegations don't start a megabyte but they started 4 kilobytes so low studies maybe someone the middle of all the other allocations going by default the 1st megabyte policies to ignore the 1st megabyte that's where the only thing that ends up there is a little stuck and of course if you have a laptop with thunderbolt you know don't use in Windows always enable don't disable fundable security and I would recommend not enabling things like always 
trust del . arm and definitely don't enable fundable that booth because that bypasses in all of the security that Windows and gives you
there we go so this finished found if I
runtime services and use all the virtual lattices where the other functions are on the bell and again notice these 2 pointers here which early physical lattices tonight and allow me to figure out everything else it's you can match the city nothing calls them that's why there's still old but if you can I use as the patch and everything else this now gives you a
universal attack against Windows machines even against Linux lump both actually read a lot of work on earlier desolate she's as what so wrap up and Joe also obviously there once you kind of figured out the use 3 380 they did the initial for Fred they did all presentation on this so they have these are huge kudos for Help the you'll be able to do that this version of the attack that focuses on on Windows with 3 the 1st there and travel for all of will work pleaded on before that but also a friend of my from max after she allowed me to plug the device into remarks of corpora laptop for the 1st time to try out how things were working and then index them by Mike user corpora credentials user corpora password cool it works I am also really wanna think the recon organizers for doing an amazing job with the 1st recon Brussels I think it's amazing on on a monitor been here for the 1st for the 1st 1 so I'm big shout out to tera from recon work so hard to bring this year so with that I'm open up to any questions
alone guessing Silurian hungry but the
think again for your time and think again for for regard for hosting promising and some of them are what we go in the back so you made an assertion at the beginning that even if you run vulnerable answer the most secure mode where it's using unique idea on the device knowing challenge response that it's actually only authorizing the British rather than the devices saying like you've got a dark you're slipping in different PCI cards and if you sort of a different PCA kernel still actually have authorized the dog not the card I don't think that's true I think the I mean the thing is I don't think there's any devices out that actually use the random idea of the unique ID and the challenge response protocol so I don't think you could actually tested but basically it should be the actual PCI device itself not like bridges and between witches sending the challenges and doing the responses so you say that the design is actually save gasses with implementation of the harder it is incorrect at home saying that it's not the mode that like Dell users by default there was just 1 of those optional modes for the thunderbolt security level sure things by that factor going bias and I enable that mode which is an option I've tried it out and it is the lessons so I didn't have any of device is not actually a thing that so you can turn on the mode but basically yeah and right inspected the Delphinidae and they're turning on a motor not actually but do not actually enforcing the policy that requires the unique at which it which inhabit is broken it should have a warning saying you know this is not supported or something like that to that just on the the the can feel secure with foreign words which wouldn't actually check the signature of our problems the for anyone of any other questions but on when editing their lunch they much
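As an added example (not the speaker's tooling, nor PCILeech), the runtime-table check the talk describes, applied offline to a physical-memory image for forensic triage: it locates the "RUNTSERV" signature, cross-checks the surrounding pool head and tail sizes and type as the talk does, verifies the table's CRC32, and reports which service pointers were rewritten to kernel virtual addresses and which still hold firmware physical addresses. The pool layout is assumed from EDK2's Pool.c, and the memory image is constructed inline.

```python
"""Forensic triage of a UEFI Runtime Services Table inside a physical-memory image.
Layout: EFI_TABLE_HEADER + 14 service pointers (UEFI spec, x64), bracketed by the
EDK2 pool head/tail (assumption: vendors may lay the pool out differently)."""
import struct
import zlib

RUNTSERV_SIG = b"RUNTSERV"                  # EFI_RUNTIME_SERVICES_SIGNATURE as it appears in memory
HEADER_FMT = "<8sIIII"                      # EFI_TABLE_HEADER: Signature, Revision, HeaderSize, CRC32, Reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 24 bytes
SERVICE_NAMES = (                           # order fixed by the UEFI spec for EFI_RUNTIME_SERVICES
    "GetTime", "SetTime", "GetWakeupTime", "SetWakeupTime",
    "SetVirtualAddressMap", "ConvertPointer",
    "GetVariable", "GetNextVariableName", "SetVariable",
    "GetNextHighMonotonicCount", "ResetSystem",
    "UpdateCapsule", "QueryCapsuleCapabilities", "QueryVariableInfo",
)
TABLE_SIZE = HEADER_SIZE + 8 * len(SERVICE_NAMES)   # 0x88: the HeaderSize a genuine table reports
POOL_HEAD_FMT = "<4sIIxxxxQ"                # POOL_HEAD: 'phd0', Reserved, Type, pad, Size (EDK2, assumed)
POOL_TAIL_FMT = "<4sIQ"                     # POOL_TAIL: 'ptal', Reserved, Size (EDK2, assumed)
POOL_HEAD_SIZE = struct.calcsize(POOL_HEAD_FMT)     # 24
POOL_TAIL_SIZE = struct.calcsize(POOL_TAIL_FMT)     # 16
EFI_RUNTIME_SERVICES_DATA = 6               # EFI_MEMORY_TYPE the table is allocated from


def classify_pointer(ptr):
    """Pointers the OS never rewrote stay below 4 GB (firmware physical); rewritten
    ones are canonical upper-half kernel virtual addresses."""
    if ptr == 0:
        return "null"
    if ptr < 0x1_0000_0000:
        return "physical"
    if ptr >= 0xFFFF_8000_0000_0000:
        return "kernel-virtual"
    return "other"


def table_crc_ok(blob):
    """EFI_TABLE_HEADER.CRC32 is the CRC32 of the whole table with the CRC field zeroed.
    A mismatch means the table changed after the CRC was last computed."""
    crc_off = 8 + 4 + 4                     # after Signature, Revision, HeaderSize
    stored = struct.unpack_from("<I", blob, crc_off)[0]
    zeroed = blob[:crc_off] + b"\0\0\0\0" + blob[crc_off + 4:]
    return (zlib.crc32(zeroed) & 0xFFFFFFFF) == stored


def pool_bracket_ok(image, off, hdr_size):
    """The talk's cross-check: head and tail must both carry head + table + tail
    as their size (0xB0 here) and the head must be of runtime-services-data type."""
    head_off, tail_off = off - POOL_HEAD_SIZE, off + hdr_size
    if head_off < 0 or tail_off + POOL_TAIL_SIZE > len(image):
        return False
    hsig, _, htype, hsize = struct.unpack_from(POOL_HEAD_FMT, image, head_off)
    tsig, _, tsize = struct.unpack_from(POOL_TAIL_FMT, image, tail_off)
    expected = POOL_HEAD_SIZE + hdr_size + POOL_TAIL_SIZE
    return (hsig == b"phd0" and tsig == b"ptal" and htype == EFI_RUNTIME_SERVICES_DATA
            and hsize == expected and tsize == expected)


def find_runtime_services(image, image_base=0):
    """Return one record per plausible table: its physical address, validation flags,
    and every service pointer with its classification."""
    found = []
    off = image.find(RUNTSERV_SIG)
    while off != -1:
        blob = image[off:off + TABLE_SIZE]
        if len(blob) == TABLE_SIZE:
            _, revision, hdr_size, _, _ = struct.unpack_from(HEADER_FMT, blob)
            if hdr_size == TABLE_SIZE:      # rejects stray strings that merely contain the signature
                ptrs = struct.unpack_from("<%dQ" % len(SERVICE_NAMES), blob, HEADER_SIZE)
                found.append({
                    "paddr": image_base + off,
                    "revision": revision,
                    "crc_ok": table_crc_ok(blob),
                    "pool_ok": pool_bracket_ok(image, off, hdr_size),
                    "services": {n: (p, classify_pointer(p)) for n, p in zip(SERVICE_NAMES, ptrs)},
                })
        off = image.find(RUNTSERV_SIG, off + 1)
    return found


def leaked_physical_pointers(record):
    """Entries still holding firmware physical addresses after the OS rewrote the rest."""
    return {n: p for n, (p, cls) in record["services"].items() if cls == "physical"}


def build_sample_image():
    """Constructed 4 KiB 'dump': the table at offset 0x100 wrapped in pool head/tail,
    12 pointers rewritten to kernel virtual addresses and 2 left physical (which two
    is a choice for this sample, not a statement about what Windows leaves alone)."""
    ptrs = [0xFFFF_F800_1234_0000 + 0x100 * i for i in range(len(SERVICE_NAMES))]
    ptrs[SERVICE_NAMES.index("SetVirtualAddressMap")] = 0x8A3F_1000
    ptrs[SERVICE_NAMES.index("ConvertPointer")] = 0x8A3F_1080
    body = struct.pack(HEADER_FMT, RUNTSERV_SIG, 0x0002_0046, TABLE_SIZE, 0, 0)
    body += struct.pack("<%dQ" % len(ptrs), *ptrs)
    crc = zlib.crc32(body) & 0xFFFFFFFF     # computed over the table with CRC field zeroed
    table = body[:16] + struct.pack("<I", crc) + body[20:]
    total = POOL_HEAD_SIZE + TABLE_SIZE + POOL_TAIL_SIZE
    head = struct.pack(POOL_HEAD_FMT, b"phd0", 0, EFI_RUNTIME_SERVICES_DATA, total)
    tail = struct.pack(POOL_TAIL_FMT, b"ptal", 0, total)
    image = bytearray(4096)
    image[0x100 - POOL_HEAD_SIZE:0x100 + TABLE_SIZE + POOL_TAIL_SIZE] = head + table + tail
    return bytes(image)


if __name__ == "__main__":
    for rec in find_runtime_services(build_sample_image(), image_base=0x7E00_0000):
        print("table @ %#x rev %#x crc_ok=%s pool_ok=%s"
              % (rec["paddr"], rec["revision"], rec["crc_ok"], rec["pool_ok"]))
        for name, (ptr, cls) in rec["services"].items():
            print("  %-26s %#018x  %s" % (name, ptr, cls))
```

On a real image, feed `find_runtime_services` the acquired physical memory (or its below-4 GB part) and treat any record with a failed CRC or pool check, or a pointer outside the firmware's own runtime driver ranges, as a lead for closer inspection.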
Kontextbezogenes System
Code
Computeranimation
Flash-Speicher
Informationsmodellierung
Code
Prozessfähigkeit <Qualitätsmanagement>
Skript <Programm>
Druckertreiber
Default
Gerade
Schnittstelle
ATM
Datentyp
Humanoider Roboter
Optimierung
Rechenschieber
Druckertreiber
Kommandosprache
Meter
Festspeicher
Flash-Speicher
Garbentheorie
Wort <Informatik>
Eigentliche Abbildung
Term
Speicherverwaltung
Betriebsmittelverwaltung
Hydrostatik
Kernel <Informatik>
Bit
Gewichtete Summe
Virtualisierung
Freeware
Web log
Extrempunkt
Adressraum
Seitentabelle
Dicke
Bildschirmfenster
Raum-Zeit
Computeranimation
Homepage
Kernel <Informatik>
Intel
Umwandlungsenthalpie
Datenmanagement
Gamecontroller
Fahne <Mathematik>
Bildschirmfenster
Mustersprache
Speicherabzug
Computersicherheit
Randomisierung
Wurzel <Mathematik>
Default
Betriebsmittelverwaltung
Datentyp
Computersicherheit
Abstraktionsebene
Störungstheorie
Zeiger <Informatik>
Web log
Teilmenge
Extreme programming
Funktion <Mathematik>
Verbandstheorie
Festspeicher
Phasenumwandlung
Hypercube
p-Block
Zentraleinheit
Speicherverwaltung
Tabelle <Informatik>
Objekt <Kategorie>
Partitionsfunktion
Subtraktion
Stabilitätstheorie <Logik>
Gruppenoperation
Mathematisierung
Physikalismus
Zentraleinheit
Kombinatorische Gruppentheorie
ROM <Informatik>
Homepage
Systemprogrammierung
Virtuelle Maschine
Puffer <Netzplantechnik>
Spannweite <Stochastik>
Interrupt <Informatik>
Adressraum
Datentyp
Virtuelle Realität
Booten
Datenstruktur
Peripheres Gerät
Varianz
Hilfesystem
Basisvektor
Programm
Tabelle <Informatik>
Booten
Raum-Zeit
Default
Schlussregel
Physikalisches System
Partitionsfunktion
Schlussregel
Office-Paket
Objekt <Kategorie>
Puffer <Netzplantechnik>
Debugging
Mereologie
Basisvektor
Gamecontroller
Hilfesystem
Wort <Informatik>
Speicherabzug
Speicherverwaltung
Objekt <Kategorie>
Differential-algebraisches Gleichungssystem
Betriebsmittelverwaltung
Unterring
Web Site
Bit
Sechsecknetz
Web log
Invarianz
Adressraum
Physikalismus
Zahlenbereich
Dicke
Extrempunkt
Information
Code
Raum-Zeit
Computeranimation
Kernel <Informatik>
Hydrostatik
Multiplikation
Adressraum
Datentyp
Bildschirmfenster
Virtuelle Realität
Virtuelle Adresse
Betriebsmittelverwaltung
Analysis
Leistung <Physik>
Tabelle <Informatik>
Computersicherheit
Eindeutigkeit
Dateiformat
Variable
Zeichenkette
Objekt <Kategorie>
Rechenschieber
Diagramm
Rechter Winkel
Ganze Zahl
Festspeicher
Debugging
Speicherabzug
Programmbibliothek
Speicherverwaltung
Fehlermeldung
Zeichenkette
Betriebsmittelverwaltung
Kernel <Informatik>
Bit
Prozess <Physik>
Extrempunkt
Aggregatzustand
Extrempunkt
Computeranimation
Homepage
Gruppe <Mathematik>
Prozessfähigkeit <Qualitätsmanagement>
Bildschirmfenster
Nichtunterscheidbarkeit
Dateiverwaltung
Ordnung <Mathematik>
E-Mail
Betriebsmittelverwaltung
Caching
ATM
Hardware
Debugging
Kugelkappe
Datenstruktur
Festspeicher
Server
p-Block
Zentraleinheit
Tabelle <Informatik>
Aggregatzustand
Speicherverwaltung
Partitionsfunktion
Vektorraum
Zentraleinheit
ROM <Informatik>
Kontextbezogenes System
Code
Homepage
Unendlichkeit
Virtuelle Maschine
Systemprogrammierung
Pufferspeicher
Reelle Zahl
Adressraum
Coprozessor
Datenstruktur
Tabelle <Informatik>
Booten
sinc-Funktion
Telekommunikation
Symboltabelle
Elektronische Publikation
Schlussregel
Mapping <Computergraphik>
Rahmenproblem
Existenzsatz
Caching
Betriebsmittelverwaltung
Retrievalsprache
Kernel <Informatik>
Einfügungsdämpfung
Bit
Punkt
Adressraum
Computeranimation
Kernel <Informatik>
Homepage
Einheit <Mathematik>
Konfigurationsdatenbank
Virtuelle Adresse
Betriebsmittelverwaltung
Sichtenkonzept
Hardware
p-Block
Verbandstheorie
Datenstruktur
Rechter Winkel
Festspeicher
p-Block
Schlüsselverwaltung
Verzeichnisdienst
Lesen <Datenverarbeitung>
Speicherverwaltung
Multiplikation
Physikalismus
Keller <Informatik>
Gebäude <Mathematik>
ROM <Informatik>
Code
Kontextbezogenes System
Homepage
Virtuelle Maschine
Systemprogrammierung
Verzeichnisdienst
Adressraum
Virtuelle Realität
COM
Booten
Primitive <Informatik>
Zeiger <Informatik>
Datenstruktur
Betafunktion
Konfigurationsraum
Physikalisches System
Office-Paket
Kreisbogen
Rahmenproblem
Gamecontroller
Speicherverwaltung
Unternehmensarchitektur
Kernel <Informatik>
Formale Semantik
Bit
Multiplikation
Virtualisierung
Adressraum
Physikalismus
Virtuelle Maschine
ROM <Informatik>
Computeranimation
Homepage
Homepage
Kernel <Informatik>
Physikalisches System
Systemprogrammierung
Virtuelle Maschine
Spannweite <Stochastik>
Verzeichnisdienst
Umwandlungsenthalpie
Konfigurationsdatenbank
Adressraum
Bildschirmfenster
Virtuelle Realität
Booten
Datenstruktur
Virtuelle Adresse
Schnittstelle
Tabelle <Informatik>
Binärcode
Interpretierer
Sichtenkonzept
Benutzerfreundlichkeit
Raum-Zeit
Güte der Anpassung
Systemplattform
Einfache Genauigkeit
Ideal <Mathematik>
Physikalisches System
Widerspruchsfreiheit
Spannweite <Stochastik>
Mapping <Computergraphik>
Extreme programming
Datenstruktur
Festspeicher
ATM
Ganze Funktion
Verzeichnisdienst
Speicherverwaltung
Betriebsmittelverwaltung
Bit
Stabilitätstheorie <Logik>
Gewichtete Summe
Physikalismus
Adressraum
Dienst <Informatik>
E-Mail
Zentraleinheit
ROM <Informatik>
Steuerwerk
Framework <Informatik>
Computeranimation
Homepage
Physikalisches System
Systemprogrammierung
Komponente <Software>
Virtuelle Maschine
Spannweite <Stochastik>
Knotenmenge
Variable
Elektronische Unterschrift
Adressraum
Code
Notebook-Computer
Netzbetriebssystem
Konstante
Bildschirmfenster
Booten
Tabelle <Informatik>
Rechenzeit
Rechenzeit
Firmware
Programmierumgebung
Physikalisches System
Zeiger <Informatik>
Elektronische Unterschrift
Variable
Netzwerktopologie
Dienst <Informatik>
Datenstruktur
Funktion <Mathematik>
Menge
Rechter Winkel
Programmierumgebung
Tabelle <Informatik>
Betriebsmittelverwaltung
Kernel <Informatik>
Unterring
Punkt
Adressraum
Flächentheorie
Steuerwerk
Computeranimation
Code
Bildschirmfenster
Strebe
Punkt
Virtuelle Adresse
E-Mail
Lineares Funktional
Zeiger <Informatik>
Elektronische Unterschrift
Spannweite <Stochastik>
Dienst <Informatik>
Datenstruktur
Funktion <Mathematik>
Rechter Winkel
Festspeicher
p-Block
Tabelle <Informatik>
Speicherverwaltung
Maschinenschreiben
Stabilitätstheorie <Logik>
Mathematisierung
Virtuelle Maschine
Zahlenbereich
Dienst <Informatik>
E-Mail
ROM <Informatik>
Homepage
Physikalisches System
Elektronische Unterschrift
Adressraum
Datentyp
Konstante
Virtuelle Realität
Booten
Zeiger <Informatik>
Bildgebendes Verfahren
Tabelle <Informatik>
Rechenzeit
Rechenzeit
Mapping <Computergraphik>
Netzwerktopologie
Ganze Funktion
Firmware
Steuerwerk
Kernel <Informatik>
Punkt
Virtualisierung
Adressraum
Physikalismus
Mathematisierung
Dienst <Informatik>
Raum-Zeit
Computeranimation
Homepage
Kernel <Informatik>
Physikalisches System
Umwandlungsenthalpie
Adressraum
Code
Virtuelle Adresse
Zeiger <Informatik>
Druckertreiber
E-Mail
Tabelle <Informatik>
Lineares Funktional
Rechenzeit
Rechenzeit
Elektronische Publikation
Druckertreiber
Funktion <Mathematik>
Verbandstheorie
Rechter Winkel
Firmware
Verzeichnisdienst
Tabelle <Informatik>
Demo <Programm>
Punkt
Dienst <Informatik>
Computeranimation
Spezifisches Volumen
Service provider
Physikalisches System
Variable
Bildschirmfenster
Spezifisches Volumen
Figurierte Zahl
Leistung <Physik>
Kraftfahrzeugmechatroniker
Lineares Funktional
Rechenzeit
Systemverwaltung
Systemaufruf
Ideal <Mathematik>
Firmware
Physikalisches System
Programmierumgebung
Ein-Ausgabe
Systemaufruf
Variable
Offene Menge
Festspeicher
Prozessfähigkeit <Qualitätsmanagement>
Programmierumgebung
Einfach zusammenhängender Raum
Quader
Gruppenoperation
Mustersprache
Rechenzeit
Computeranimation
Tabelle <Informatik>
Lineares Funktional
Physikalismus
Adressraum
Hochdruck
Rechenzeit
ROM <Informatik>
Computeranimation
Eins
Festspeicher
Indexberechnung
Information
Zeiger <Informatik>
Ganze Funktion
Tabelle <Informatik>
Betriebsmittelverwaltung
Proxy Server
Bit
Extrempunkt
Systemzusammenbruch
ROM <Informatik>
Computeranimation
Intel
Unterring
Flächentheorie
Notebook-Computer
Bildschirmfenster
Computersicherheit
Booten
Softwareentwickler
Default
Bildgebendes Verfahren
Beobachtungsstudie
Rechenzeit
Computersicherheit
Firmware
Physikalisches System
Exploit
Konfiguration <Informatik>
Software
Dienst <Informatik>
Rechter Winkel
Softwareschwachstelle
Festspeicher
Firmware
Bridge <Kommunikationstechnik>
Programmierumgebung
Message-Passing
Selbst organisierendes System
Extrempunkt
Flächentheorie
Versionsverwaltung
Twitter <Softwareplattform>
Kombinatorische Gruppentheorie
Information
ROM <Informatik>
Computeranimation
Virtuelle Maschine
Physikalisches System
Prozess <Informatik>
Softwarewerkzeug
Notebook-Computer
Adressraum
Konstante
Bildschirmfenster
Zählen
Virtuelle Realität
Passwort
Zeiger <Informatik>
Grundraum
Lineares Funktional
Datentyp
Elektronische Publikation
Rechenzeit
Rechenzeit
Zeiger <Informatik>
Variable
Offene Abbildung
Dienst <Informatik>
Verbandstheorie
Automatische Indexierung
Speicherverwaltung
Sichtbarkeitsverfahren
ATM
Subtraktion
Protokoll <Datenverarbeitungssystem>
Computersicherheit
Implementierung
Bridge <Kommunikationstechnik>
Elektronische Unterschrift
Quick-Sort
Teilbarkeit
Computeranimation
Übergang
Konfiguration <Informatik>
Kernel <Informatik>
Chipkarte
Endogene Variable
Prozessfähigkeit <Qualitätsmanagement>
Wort <Informatik>
Default

Metadata

Formal metadata

Title: Getting Physical with USB Type-C: Windows 10 RAM Forensics and UEFI Attacks
Series title: REcon 2017 Brussels Hacking Conference
Part: 14
Number of parts: 20
Author: Ionescu, Alex
License: CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI: 10.5446/32388
Publisher: REcon
Year of publication: 2017
Language: English
Production location: Brussels

Content metadata

Subject area: Computer science
