Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems

Video in TIB AV-Portal: Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems

Formal Metadata

CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Previously, we discovered a number of vulnerabilities in UEFI based firmware, including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen and Hyper-V, and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential and Device Guard. These issues led to changes in the way the OS communicates with SMM on UEFI based systems and to the new Windows SMM Security Mitigations ACPI Table (WSMT). This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot and UEFI based firmware. These issues are caused by incorrect trust assumptions between the firmware and the underlying hardware, which makes them applicable to any type of system firmware. We will describe the impact and various mitigation techniques. We will also release a module for the open source CHIPSEC framework to automatically detect this type of issue on a running system.
at al pattern Matt come ruled by the sum it and the i are Udale half
17 the changes my name is Alex curious URI uh we work and once attracted such human until enemy here to presented there and uh new presentation by in this system neuron are built this core tentative I basis system uh move that would go to the presentation i want to say thank you to the organizers of recon sound you are some frequent Brussels US-owned thank imagine uh years so
and we will present a new type of vulnerability. In our agenda we
have a small recap about the previous vulnerabilities, and then an introduction about memory-mapped I/O, the detailed description about MMIO BAR overlapping, show examples of the issue in UEFI firmware and coreboot firmware, limitations, mitigations, tool, some conclusions, and
got this really want them to do for this presentation because there inability is some a little bit similar to the previous 1 and in many perspective and expose them to put the bill is here in a models that evolve them the but this the on the same uh and so what this as
my poison point about to so Sony statistics system you have a couple people at level in the most prolific system and and there is a mechanism to communicate it and operation system and this moment and there is going that uh and impression system OK the buffer and then there's the other so the buffer through some structure and the pencil there version of the former and then there someone called read that my friend the pencil functionality can read or write in to give on a basis from rather than to buffer and the other so the buffer rubescent through general-purpose register the bx that indicate tool and there's uh mechanism named combat for and the others of combat for special through a unified it the ball and the in normal be here and uh there and the other so this call marker is somewhere controlled by the operation system but if it points
and others uh that this amount has someone doesn't have a chair and we have arbitrary right in this man called um using this right green into the usual control the others were the right but that is not open control data at some of the exposition Mr. previously read or write zeros and then it'll make an explorative define the structure in CPU so state and uh some based registration and vendor alright this register the next system I will start executive from unprotected memory and the 0 talker and you can control it make a privilege escalation to the summum course and then discernibility was fixed set by it in the chair in a somewhat handlers so as some of them were checked there there and this is the point into sum but what we had but what it is we have scenario bandit have high Pariser of for example had prior as a basis for the protection like this and all just ahead produce our petition in this case we can point the ages and in general purpose register 0 income buffer so some of the structure of the hypervisor and or either that and in this case and then hand untrusted guests from reading 0 and make approach escalation to the hypervisor and the interest in fact this and that even if the base abilities budget and the former and former raised fully protected and there the dentists against can use that tomake it aprila discussion like confuse division fact when there is no learnability but you can still exploit and make quantification of federalism and we demonstrated that
exploit to the sound which basically uses some from our inability uh told compromise reassignment dump credentials uh remembers them and 2015
but as was nice example of and has some i . or ability of found uh by H R and then publish it by the this subject to assess a cycle up and the is pretty similar that the violence so it trade in the buffer from the purpose register but the buffer of the function was data and the function refers data using function read and you control and that also called the destination a control of the source and the size and in this case there is no checks aware that this will be so if you I as in the solute and the right this summer from for really nice work right up also middle who published many mn coupled inflation coupled blog post about different type of some Point Arena villages uh so
called their community and tremendous react on this of how it and there is a protection which I already mentioned told check that the adjustment points into this from summer on and photons in a assignment these buffer outside this an umbrella it's fixing the problem as a firm about a dozen fixing the problem of is there hypervisor and where and the bypass to be which is collision to the fertilizer so fix this manner ability and there was and as a mitigation added uh tool them limited co-mom for others and if so others now should be fixed and there is an ACK table the name of windows and so many deviation this a table which is basically should be initialized it by the trauma and but the operation system which is based in the configuration of the mitigation and and there is coupled bits of their 1 is defined in that the common buffer is fixed at them and then define application and there some Members shaken all the input and output buffer and as understand nest that that meaning that if you have a point inside the con buffer a chicken this point us as well as and uh another protection is that that you have to look at that that some of the configuration of the cadre of tags abusive during the exam which services uh for example and interrupt controller idea immune and so on and that kind of mitigation was that after the published for this research and communicate presenters on a little bit
about them my because this Bakis really and rely on the different the hearer them idea so in in exodus
assistant to communicate with the GUI is there is beside expressed protocol and and this political there is so far it's which had which contain multiple um complements the components and interconnected to tool such and apologists and this topology there's a road conference which has multiple ports and there's endpoints reaches bridges the all of them is connected to the PC PressLink link uh every in physical component has up to 8 little physical functions and all of that and some of them and may integrate to the of complex so basically and this protocol
is a until talk to the you and send you a and so on every DOS has been fixed space in the US and that PC can fix space contained them said that of and understand that and of the cover band contain the they say expressed probability structure and their extensions so the entire structure is for K uh about result extensions this uh 256 bytes to get the X
still them the the sand perceived configuration there is still interfaces 1 is stored get access to precise configuration space is important uh your essay of ACS when media and concerned that others known in the bus Device and functional set which want to read from the specific device and then the pass through their sphere city we can read and write the specific registered in this state configuration tool get access to the X the extended configuration space we need to use some and hence configuration assessment mechanism which is implanted as memory-mapped so basically uh memory ambitious but by 40 kilobytes speech by was function and for that memory can access to that accession cooperation space or their and device and read the register from there so to read them and we use animal control and memory map a convict register Plaza boss multiply that multiply a multiplier and k pleasant device multiply image appointment k + sponsor plus a set and then we can understand the use of person memory access and you can read and write to registers so they're they're basically all of
that configuration of all of that for the same configuration this fall storing some configuration register for the DOS but even for k was not enough for modern devices they want to store much more like graphics onto storm megabytes and hero was there uh whenever my own become so then moments of them in a range of memory and access to that range is forwarded to the dealers and your eyes will handle them and this ranges is defined through and only bias and I'm only a bias is in the state of the space which the total press light and if you see a whole like there's a kind of that history uh on the configuration space and there device a gene there's the ideas such as registry some other register and and based on that the base and is 0 is the 1st uh and only a bot as city here there's just that others so we don't know the size and then and there the and the bastard cell there's self-alignment million if you're right all as to the bar and that this feature didn't flip from 0 to 1 is that list which define and the size so that the enormity of our for example if there's 1 by dinner flip then meaning that you have and on to 56 per cent so that bar the Titos's by so here is that a simplified
version of the layout in the memory I'm just going to get the small uh and uh representation over some areas so the fellow deer and there is system and protected by some arousal there is a graphic memory than have bullet and various and my configure them there is slow job all of the body was defined to PC economic space and there is a direct mapping bias and there we have high jumps all the bias of the plants our here yeah and here's a couple examples of the
number your bias and there is the name of the biology teacher modern reaches 1st and the other so 0 0 0 2 0 down this tennis and also and then it has the size of the men device so all of them as you can use the chips tool to just randomly a list and there known to say Boris economy of our science the so 1 of the
important aspects of the animal your introduced and number bias is that they can be really capable at runtime and ask and relocate them to an as allocation some of them only a bias is not really capable they're fixed circle Walcott but the from about some of them is a look at and now URI will
explain why it is nation the the
the the everyone to I take it you can generate that just I just noticed that although the animation they spend hours on spring much gone from the slides that's convenient this I guess the difference between part 1 and part of by failing so how's that related to well it's been talking about these issues or depend upon this memory mapped by you configuration believer in effect they're kind of caused by the
way firmware talks to the devices. Yeah, it talks to the devices through memory-mapped I/O, through the way firmware uses this memory-mapped I/O mechanism and communicates with the devices. And this is specific to the SMI handlers, but keep in mind that the entire firmware, including the boot firmware, regardless of which type of firmware that is, UEFI firmware, coreboot-based firmware or just legacy BIOS firmware or anything else, also talks to the devices through the memory-mapped I/O mechanism. So there is a PCI configuration space in each device, or actually each virtual device, or a function of the device, and it has this base address register which defines the base of the memory range for that particular device. And so what SMI handlers usually do, as well as any other firmware, is they read the base address register to get the base address of this MMIO range, and then they either read registers within that range, or write those registers, or read-modify-write those registers, so basically in order to send the I/O cycles to the particular device. So this is how firmware essentially communicates with the device. Now, the theory of the problem becomes that there is an implicit trust assumption on the firmware side, on the firmware's part, that those are hardware registers, so therefore they're part of the hardware and are inside the trust boundary. And so basically firmware, for the most part, trusts all the hardware, right, including those registers. So there's an assumption that no one can change those registers. However, those are just ring 0 accessible registers that could be modified by any ring 0 code, right? So that's one example of what ring 0 OS-level code can do, or ring 3 code if it has enough privileges to talk to the
PCI config space: it could, say, modify the PCI config registers like the BARs. And so the problem is that ring 0 code or OS-level code can modify those BAR registers and relocate the range for a particular device somewhere else in the physical address space. It could be somewhere in other MMIO, it could be overlapping with some other things, but it could also be in DRAM, in the system memory, and specifically one particular location where the attacker would be interested in is the system management mode memory. So the exploit code could modify and relocate the memory-mapped I/O range to overlap with SMRAM. Then when an SMI interrupt is generated, either by hardware or by the attacker itself, the firmware SMI handler attempts to communicate with the devices through this MMIO range, attempts to read registers or write registers, and so basically, instead of actually sending cycles to the device as MMIO cycles, which are memory cycles, it sends memory transactions to its own memory or some other memory, depending on where the attacker relocated this MMIO range. So that potentially can expose data, because it reads its own memory, or basically modify the control flow somehow if it reads some attacker-manipulated data, or it can potentially corrupt the memory because of the memory write cycles to the MMIO ranges.
And so that's the theory of this problem. We observed it on multiple types of firmware, including UEFI and coreboot firmware. Examples of what the SMI handlers communicate with a lot of the time include EHCI USB 2, a lot of the time; the gigabit Ethernet LAN; root complex MMIO, that's the main MMIO for the PCH registers, more specifically the registers, basically, used in order to communicate with the SPI flash, write to the SPI flash or read from the SPI flash; AHCI SATA controller MMIO; xHCI USB 3 controller; integrated graphics device MMIO, basically the GTT MMIO range for the graphics device; or some other MMIOs, like for example, I think it's a LED controller or something, on a different bus on specific systems. It could
be more. This is what we've seen; it could be more. So there might be a specific system that has a specific SMI handler which communicates with a specific device, or maybe has some functionality specific to that system communicating with a generic device. So this is an example. This
is an example of communicating with the SPI controller in order to read something from SPI flash or write something to SPI flash. So there's a command; basically the first command is attempting to store a persistent configuration for the UEFI firmware into the SPI flash. It's called a UEFI variable, if you're familiar, but basically it's the configuration of the firmware. So the first command attempts to store something into the SPI flash, this configuration, and the second command dumps this memory-mapped range, all the registers. I don't show all the registers here, I'm just showing the registers that I'm interested in. So you can see that there's an SPI status and control register, which tells the status of the SPI cycle; it also sends the SPI cycle. There's an SPI flash address; it's the register that is programmed with the flash address on the SPI device. And there is also a whole bunch of registers that are programmed with the contents of what you want to write to the SPI flash or what you want to read from the SPI flash. So in this particular case this is the contents of that variable that I've been writing in the first command. So you can see all 42, 42, that's "B", right? So the contents of the variable was all Bs, and you can see that all of these registers now contain the contents of the variable. So obviously if we overlap this SPI MMIO range with something else, like the SMRAM or some other page that is protected, then we can cause a write of the contents of the variable onto that range. So how do we find
all of those issues? So obviously, you know, this SMI handler is writing something to SPI MMIO, or, sorry, to any MMIO BAR, and to me it looks like to find all those problems it's just as easy as to dump the contents of the MMIO range, then cause an SMI, and then dump again and see which registers changed in the SMI, and now you know that the SMI handler modified those registers. This is actually a lot more complex than that. Initially we thought it would be very simple to identify those issues at runtime, but in reality it's pretty complicated, and the reason is because those are not memory contents. So in addition to firmware, other parties are also writing to those registers. So the hardware itself, the devices, or integrated controllers, or some logic in the hardware write to registers in pretty much any MMIO BAR. For example, for some of the BARs, like the graphics BARs, the hardware writes to thousands of registers in the MMIO range, so it's pretty difficult to actually identify which registers have been modified by the SMI handler itself. So that's kind of the high level of the entire flow of how we can solve that problem. So basically what we do is that, for every MMIO range, we dump the MMIO range multiple times with a delay, let's say 20 times, and we find all the registers that normally change without SMI handlers. So we have those registers listed; we call it a normal difference. And then we trigger SMIs, or call a function, like the variable write, that would trigger an SMI, and then after every SMI we dump that range again and see which registers have changed, and compare them with that normal difference, with the registers that normally change. If we see any new register that is not part of the normal difference, basically we suspect that this register might have been changed in the SMI. So we send
the same SMI again, maybe multiple times, to confirm that this register changes every time we send the same SMI. Even with that mechanism there are lots of false positives, because even when we create the normal difference, it wouldn't catch all the registers. So it happens that we trigger an SMI and some register changes, but it's not really because of the SMI handler, but because the device decided that at this moment it wants to write to that register.
OK Austin the that's not the and yeah
So that's an example, essentially, of just running this sort of a tool that monitors the changes in the MMIO BARs. This particular example monitors changes in the EHCI USB BAR, and you can see that it created the normal difference with just two registers that changed, then it triggers multiple SMIs. On the first SMI it found that one additional register changed, so we trigger that SMI again and the register didn't change. It also can be a false negative as well, because, you know, the SMI handler might be flipping bits, putting one and then back, and so on. But this is a suspect to investigate.
So this was the theory about the issues, and so I'll give a few examples of the issues in UEFI firmware as well as in coreboot. So we'll start with
UEFI. So how do we find those issues? Say we have UEFI binaries; how do we find those? So one way of finding this type of issue is you can find places where SMI handlers, or the firmware in general, read the contents of the base address register. And because we know the addresses for every device, we know the addresses of the base address register. So for example this GbE LAN network controller has multiple MMIO ranges; one of them is the so-called MMIO BAR, MBARA, which is defined by the offset 10 hex in the GbE LAN device, bus 0, device 25, also 19 hex I think, function 0. So the firmware can use two mechanisms, as Alex described: one is a legacy mechanism through the CF8/CFC I/O ports, and one is the enhanced mechanism through the memory-mapped config space. So with the first mechanism, the address of that BAR register is calculated as, you know, device number left shift 11 bits plus the offset; there's also bus number left shift 15 bits, and the function number, but in this case bus 0 and function 0. So we have an address of that register, which is pretty unique in a lot of cases, when it's used with the legacy PCI config access mechanism. And when you set the enable bit for the PCI config cycle, which is bit 31, then you have 8000C810 for this MBARA of the GbE LAN device. So for the second mechanism it's calculated similarly. So you have the memory-mapped config space divided into 4-kilobyte chunks for each device and function, and the registers are somewhere within the 4-kilobyte chunk for that particular device. And so you need to add the memory-mapped config base address of this memory-mapped config space, you need to add an offset to find this 4-kilobyte chunk within the memory-mapped config
space, and then you need to find the register within that 4-kilobyte chunk. So you calculate the offset to that register pretty similarly, but remember that this mechanism allows you to access all of the PCI header and all of the 4 kilobytes of registers, rather than 100 hex or 256 bytes, so that's why you have C 8 0 times that of the 10 as in the previous. So you have a constant, you have this total address in memory, the physical address in memory, for that particular BAR. Now you can identify all the places where firmware uses that BAR or reads that BAR. So once you do that, you
can figure out how the firmware uses that BAR: does it check that the address is somewhere else or does it not, so does it read or write to the registers in the BAR. So this is the example for the GbE LAN network BAR in device 25. This is the first, we call it MBARA, the yellow thing. And this second, no sorry, this third access, the third constant you see, F 8 0 C 8 years she, that's reading a configuration register from the memory-mapped config space, but it's a different register, for management control status. So the BAR itself is F80C8010, and that's the red one there. So that's where firmware reads the actual address of the BAR. And then later on you can see that the firmware is actually writing or reading some registers in that BAR. It's not very clear on this particular
screenshot, so it's better to look at the next screenshot. Now you can see that the firmware is using that MMIO range and writing some values there. It's writing some kind of, some of the bridge, the detector controls, or writing some constant value, let's say this 7 1 2 3, I don't know what that constant is, to the address at offset 32 decimal in this MBARA MMIO; it's writing some values to the registers. And so this is without actually checking: there is no check for that MMIO range, whether it overlaps with, let's say, SMRAM, or whether it's overlapping with the IP, or overlaps with something else. So there's no checking. So basically by modifying MBARA in the config space of that GbE device you could potentially control where the SMI handler is writing data. This is another example, for the USB BAR, and it's pretty similar. I didn't actually put the initial and final constants, but you can see that the USB base address register is read from offset 10 hex of the UCI MMIO controller, and then there are accesses to the offsets of that range, and an access to offset 20 at the bottom of the slide, where it flips the bits; it doesn't write controlled values, it just flips the bits. And this is also an example where, in this assembly, you don't see the actual constant, the full address in the memory-mapped config space, because the address is calculated, but you do see the address of the memory-mapped config space, then you see the offset of the BAR. There are multiple ways to do
that. So it also helps with finding those issues to find the actual functions that read or write configuration space. So the first function, on the left, uses the legacy PCI configuration mechanism through CF8/CFC; you can see the CF8, CFC ports there. The bottom one is using the extended mechanism; it uses memory-mapped configuration access to read PCI configuration registers. The right part is just an example of how firmware uses that. So you can see that it reads register B8 in device 31 and then writes some value to that register, so it's a read-modify-write. And it writes and then returns. So basically what it's doing, it's clearing status, most likely. So
those were examples in UEFI firmware. Let's talk about examples in coreboot. By now you probably understood that these issues are not really specific to the type of firmware, because those issues depend on the platform architecture, and it's the firmware trying to communicate with PCIe endpoint devices on a platform that adheres to the PCI architecture. So regardless of which type of firmware you have, coreboot or legacy BIOS or UEFI BIOS, those issues might exist. So because we have source code for
coreboot, and by the way I just wanted to thank the coreboot team, and Ron in particular, for working with us on this. So because we have the firmware source code for coreboot we can look at the source code. So in order to find those issues in coreboot you can find the functions that read PCI configuration registers, as in the previous slides, in the source code, and then you can find functions that write into the memory-mapped ranges. So in particular in coreboot those are functions pci_read_config32 or pci_read_config16 to read the configuration registers, and then functions write16, write8 or read32 in order to read or write memory-mapped registers. So in this particular case you can see that the firmware is reading the MMIO range from an integrated graphics device at offset 10 hex, and it's writing some value to the PP control offset of that range, in the graphics range, with a very specific value. Sometimes in the source code, obviously, the developers are naming the BARs with their names as they are defined in the specs, the chipset specs. And so for example on Intel systems you can find those accesses, most of the BARs, by their names: RCBA or SPIBAR, by I am I or said this, and so on. So you can look up the right BAR register names and essentially just grep the source code by the names. So that's a
particular example, a mainboard I/O trap SMI handler in coreboot. So this SMI handler, it's not a software SMI handler, so it's not the SMI that you would trigger by writing some value to the B2 I/O port; it's a handler that is caused by the chipset trapping an I/O cycle to some other port. It's called the I/O trap mechanism. I won't describe that mechanism in detail, but basically it's another way to trigger a lot of SMIs on the platforms, probably the second most used mechanism to generate SMIs. And so with this SMI handler, it reads an MMIO range base address from a device 0 1 + 1 at offset 18 hex, and it reads the address in there, and it's checking one register, it's called LVTMA BL MOD level, in that MMIO range. It checks whether the value is greater than 10 hex; if it is, then it decreases it; if it's less than F0, then it tries to increase it. So what it's doing is essentially trying to change the brightness. You probably don't see this, but basically when you press the button on the coreboot system it would generate an SMI, and depending on which button you pressed it decreases the brightness of the screen or increases the brightness of the screen. So it does that by reading the contents of the register, incrementing or decrementing the contents of the register, and then writing back. So basically, potentially, by pressing the button and overlapping that BAR with something else, like SMRAM, you can cause the SMI handler to overwrite itself and potentially get memory corruption. Or the ring 0 attacker might generate that SMI on your behalf without pressing the button. So in other
cases, another case is another SMI handler; it's called backlight off, which is very similar, but it's triggered when you press the power button and the system goes to S5, shutdown. And so an SMI is generated, the firmware takes control; it needs to turn off devices, including, it wants to turn off, not the brightness, it turns off the backlight of the screen. I don't remember the specific system that this SMI handler was on, but basically what it's doing is, again, it's reading the base address register, the base for the MMIO range of the integrated graphics device, and it also writes a different value to the same PP control register, but on entry to S5. So still, potentially, by entering S5 you can control the value at the offsets in the memory that you overlap with the graphics device MMIO BAR. The attacker in this case would need to simulate the S5 event, trigger the event and prevent the system from actually going into S5, but still causing the SMI, by just directly calling the SMI handler. So by now you
might have figured that there are lots of moving parts in this type of bugs, in this set of issues. There are limitations. The first limitation for the exploit is that SMI handlers or any other firmware are writing to specific offsets, so you don't really fully control the address; you don't have an arbitrary write primitive. You only control the base address for the offset. And the BARs, like I mentioned, most of the BARs are self-aligned or size-aligned, so if you have a 4-kilobyte large MMIO range then it's aligned on a 4-kilobyte boundary. But this is not a requirement; most of the platforms do that, but architecturally, the PCI architecture defines that the BARs might be as small as 16 bytes and aligned at 16 bytes. So there might be MMIO ranges that are as small as 16 bytes, and you pretty much have a fine granularity of the addresses that you control. For 4-kilobyte BARs you have quite a few possibilities, but for larger BARs, let's say 16 kilobytes, that becomes more difficult. For BARs that are even larger, like the graphics device, where those BARs are 2 megabytes large or 4 megabytes large, you have very few possibilities. And the exploit may not be able to control the values either, because the firmware or the SMI handler typically writes specific values, flips specific bits at those offsets, or even reads a value, then modifies it somehow and writes, or reads the value and writes to some other registers. And so you may not control the values, although, as we saw, for some MMIO ranges the exploit might control them, so for example in the variable write you saw, the contents of the variable you fully control. The other limitation is that because those are all MMIO ranges, not regular memory DRAM ranges, that means that the firmware is actually implementing a
protocol in a lot of cases. So it's not just writing, like, I want to write 0 to this offset; no, it usually implements some sort of protocol. And the protocol could be as simple as: read the value, and if the register has a specific value, or it's greater or less than something, then write to somewhere else. That's easily controllable, because you don't just relocate the BAR into memory, you also create the contents in memory of all the registers as if they were in the MMIO range. So you can control that. But if the protocol is more complex, like for example the firmware is issuing a specific cycle on some specific bus, then it's typically writing to some registers and reading back other registers, polling on the values in those registers, then writing something else. So in that case you may not really be able to control that, because you only have one chance: you populated the fake MMIO range in memory, and if the firmware writes something and expects it to change, then you're out of luck, because you don't have any agents running in parallel. In certain cases that might be possible on some platforms, but in a large number of cases you're out of luck in this case. And plus there are lots of conditions under which the SMI handler will write to that BAR, depending on, let's say, platform mode, is or we may see diamond or not, is the device it's communicating with supporting this functionality, this mode or this feature. And plus, triggering those SMIs that communicate with the devices might even cause some complications, because it's not just triggering an SMI through writing to B2; this SMI handler is, or might be, invoked when you enter S3 or exit S3, resume from S3, or when the system shuts down, something like that. So there are some kind of complications on how you can trigger the SMIs. And a certain number of BARs that are non-architectural, basically
they're not defined in the PCI-compatible space, not below 40 hex in the PCI header, those BARs might be locked down by the firmware. So there's a mechanism in the hardware that allows you to just lock down the register, and if it's locked down, until reset nobody can change it. So for those BARs you cannot relocate them. Of course, the firmware might forget to lock them down, as we saw many times, and in that case you can relocate lockable BARs. But if firmware doesn't forget to lock down all the BARs, then you cannot relocate them. You can relocate something else to overlap with the BAR, but that's a different story. So what are the
options to mitigate these attacks? One option is that the SMI handler can verify that the address, the base address of the MMIO range that it read from the BAR register, doesn't overlap with SMRAM. That's a pretty straightforward mitigation, and it's a mitigation that was done for the previous class of issues, the pointer bugs. And it should be done, at the end of the day, to really check the pointer, that you're not writing to your own code. But it only solves the problem partially: it prevents you from overwriting the contents of SMRAM, but it doesn't prevent you from pointing that MMIO address so that you will write to something else outside of SMRAM, let's say hypervisor protected pages or Windows 10 VSM protected pages. So in that case the mitigation might be different: the firmware or SMI handler might verify that the address, the base address of the MMIO range, is actually in the MMIO, in the memory map that you saw from Alex's part of the presentation; it's above this top of low usable DRAM. So you can check that the BAR is actually in that range and not overlapping, not pointing somewhere inside the DRAM, although you still might be writing to some locations, so it's also a partial mitigation, I think. So there is another option that the firmware or SMI handler might do. When the system boots, firmware might allocate the default range, the reserved MMIO range, and place all the BARs there. And when the SMI handlers are invoked at runtime, during the OS execution, an SMI handler might check the value of the base address for the MMIO range, checking if it's within this default reserved range, and if it's not, force it into the default range, the default location, and use the default location, and then upon exit either just restore it or leave it, it depends on the firmware implementation. In this case you're just forcing that the
SMI handler, the runtime firmware, will write to a fixed location for them. And also, this
particular mitigation was done for the SPI BAR example with the arbitrary contents of the variable that can be written by the exploit. So in that case, starting with later Skylake systems, I think, the firmware allocates the range at FE01 and four zeros in physical address space for the SPI MMIO range. And so on any SMI, PCH type SMI, the chipset type SMI, the SMI handler checks that the base address of the SPI MMIO range is at that address, and if it's not, then it basically overwrites it with the default FE01 value, and then the SMI handler proceeds to do what it used to do. And that basically prevents you from overlapping the range with anything else that you shouldn't have access to. So that's a kind of a screenshot with this example of this mitigation. First the attacker, in this case, relocates SPI BAR, overlaps it with something else, just regular memory, then causes the variable write, and that causes an SMI, and upon exit from the SMI I'm just checking the value of SPI BAR, and you can see that it actually changed to the default location. So I'll basically try to show you that on the
system, and you may not be able to see that at the back, but, you know, later on you can check.
So I'm reading at offset 10 hex in device 31, function 5; that's the SPI controller on later systems. So I'm reading, and you can see it has the value FE01 and four zeros. On
this laptop the keyboard is typing numbers on its own.
So now I will check just the number of SMIs; you can see 15 hex SMIs have been generated so far. Then
I'm relocating the BAR. Sorry, since I started showing that with the individual commands: so I'm relocating the BAR to an address which is in memory. Before the presentation I prepared it and copied the contents of the SPI BAR into that memory.
OK, checking the BAR again. So we can see that it's relocated: the SPI BAR, the SPI memory-mapped range, points to that memory.
Then I'm writing the contents of the variable. But you can see that the write was successful even though the SMI handler should not have access to the SPI controller in this case, because it's relocated to some other memory; it's not the SPI MMIO range any more. So it's already a sign that the attack didn't really succeed. Yeah.
So I'm reading the contents of the BAR again, and you can see that it got restored to the original location. I'm checking the value of the SMI count, and you saw 15 there, now it's 19 hex, so you get four SMIs generated during this operation, one per logical CPU. And so I'm checking the contents of the BAR, so MMIO dump of SPI BAR, at this address; it's somewhere here, and you can see that the contents of the variable that I wrote are actually in the MMIO range. So the variable I wrote is this; the whole thing has all of the Bs, so 42 hex. So
that basically shows that this laptop, this system, restores the SPI MMIO range to the default location, and then, only then, proceeds to communicate with the SPI flash device.
So we will have a couple of tools that can find those issues at runtime. Obviously you can proceed with, you know, disassembling the binaries or looking at the source code, but I will release a couple of tools that will help finding those issues. So one just finds all of the registers that the SMI handlers write to or modify, and the other one is the one that attempts to actually relocate all the MMIO ranges into memory, then fires all the SMIs and sees if the memory contents changed. None of these tools are perfect; they give false positives and false negatives, so they need to be complemented with manual analysis. So the root cause
of this type of issues is that the firmware assumes that all the hardware is trusted, including all of the MMIO registers and the configuration registers for all the hardware devices or the entire chipset, that they're not modified by some malicious code, or for example are locked down. And so the firmware assumes that the contents of the base address registers are immutable, but any ring 0 code can modify most of them, and they can be relocated to anywhere in memory, including on top of SMRAM itself. And so, therefore, check the contents or addresses of those registers. And this problem is not specific to SMM, because, you know, SMM is a pretty obvious target here, but even the firmware that reads contents of the registers upon, let's say, resume from sleep, using the script, or reads contents of the MMIO ranges from somewhere else, like UEFI variables, it also can be tricked into using memory ranges which are not really MMIO ranges but something else, and potentially can overwrite it. So that firmware should do the same thing as the runtime firmware. So I think that's
all. We have a couple of minutes for questions.
Thank you for listening.

Hello. So you're talking about this kind of with the goal in mind of getting code execution in the context of SMI. What about using this type of attack in a virtualized environment, where you're a guest on a hypervisor that's allowing pass-through to PCI devices, and using relocations to overwrite into the host kernel or something like that to break out?

Good question. So we haven't verified all the hypervisors, but we have done some analysis on, let's say, Xen, and when you're in Dom0, the root partition allows you to write to the MMIO BAR registers. And so we have not done the full analysis of whether this can be used or cannot be used as an attack, but at least the entry points are there. For other hypervisors, if it would be possible to use this type of attack against hypervisors, then that might be possible from the administrative guest, not from the unprivileged guest.

One other quick question: you're talking about how a lot of the behavior of the SMIs is to do a read-modify-write. And so just thinking about this vector, if you have an offset into a kernel where you have a predictable increment of that value, is there a way to block that increment? Does that make sense?

It does. I'm not sure that there is a way to block it on the kernel level, but also I don't think you would attack the kernel itself with this, because in the general case you have to have access to the PCI configuration space of the devices in order to relocate the memory-mapped base addresses somewhere else in memory, and that already assumes that you have write access to the PCI config space, which is ring 0 in the majority of cases. So you wouldn't use this attack to attack the kernel like this.

But I was thinking
in a virtualized environment.

Yeah, in a virtualized environment, sorry, in a virtualized environment the hypervisor might prevent it. Of course the first way to prevent that is to not allow any guest, including the administrative guest, to modify the base address of the MMIO range. That's the first, and pretty straightforward, and should be done. But you can also monitor memory with extended page tables, cause EPT violations on certain events, but that would be, I guess, a performance hit.

Thanks for the interesting talk. I have a question regarding the relocation of the MMIO register. of the you Oracle few walking the last slides you don't do that someone you'll that has an SMI handler Monday maybe if I gave contig of the edges and the story to the case right now but that would be the so the things that we have not understood is that the outlet as designed in these authorities of that maybe some device can I would like to where we're looking uh Hammamet act ideal binary register for some odd reason of objects in the memory-mapping register and that cities you good nice when it's illegal to do that tho it's not really got to let the I mean there is some way to the guy SMI and learn that these are not where 1 of the promise of

Let me see, you have, like, multiple questions in the same question. So is it legal to modify, which software legitimately can modify the base address registers for the MMIO BARs? Generally, the PCI architecture allows the OS to relocate MMIO ranges at any time. In practice I don't think that happens often, other than when the OS starts or something like that. But this is a PCI architectural capability, so that any operating system can relocate ranges, because, you know, devices may be added, they have ranges, and so they should be able to relocate all the ranges. So I
don't think there is a generic way to know whether, you know, relocation of the ranges is legitimate or not. And again, in a virtualized environment you can prevent it.

from time exactly in their last that others may be given that usually know locked up you show that they David Emma Emma Emma high you about a register has been restored it might mean what they was 1 and 1 thing that in that case you can do for each SMI I can look the same things because maybe someone needs to do legally

OK, I get it. So you cannot do this same mitigation for all SMI handlers, is that your question? I think you're correct that it's not a very generic mitigation, and that's why there are, like, 3 options that the firmware should consider, and a combination of those 3 options should be implemented, I think. But it also works if you know, because the SMI handlers, as I mentioned, being sold in front the should a fixed, so you know where each SMI handler is, which device it's communicating with, which MMIO range it's writing to or reading from, and in that case it might be a relatively generic mitigation, because you know that in advance. But yeah, I think it's a combination of the 3 options that should be the. Yes, that's a good question. Thank you.

I had an additional suggestion, maybe a possible additional mitigation for some devices that should not be nominal like databases like the same respect and honor: maybe if firmware just stores the BAR and does not read it from the device each time, and yet except when he were the bora the cash develop the

You would say the OS or exploit code relocates it; you're still writing to your original value because you cached it, and you're not reading from the BAR. Then you're not really talking to SPI, and functionality is broken, but you don't care because this is an attack. The trouble is, it's more
than the functionality being broken: the exploit code might force you to read or write to the cached location, which now might be used by something else, so there is a potential for an issue. That's why this option 3 is more of a, you need to cache that beforehand, when the firmware boots, but you also force this default location into the actual registers, so you know that you're actually talking to the device as well. All right, I think that's the time for the next presenter. Thank you.
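
The two config-space address calculations and the three mitigation options described in the talk, as an added C example that is not code from the talk, from coreboot or from any vendor firmware. The memory layout, the MMCFG base, all function names and the plain variable standing in for the device's config register are assumptions made for illustration; the address helpers use the standard PCI field layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Legacy mechanism: dword written to I/O port CF8 (data is then moved via CFC).
 * Bit 31 enables the config cycle; bus/device/function select the target. */
uint32_t pci_cf8_address(uint8_t bus, uint8_t dev, uint8_t func, uint8_t reg)
{
    return 0x80000000u | ((uint32_t)bus << 16) | ((uint32_t)(dev & 0x1f) << 11) |
           ((uint32_t)(func & 0x7) << 8) | (uint32_t)(reg & 0xfc);
}

/* Enhanced mechanism: each function owns a 4 KiB chunk of memory-mapped config space. */
uint64_t pci_mmcfg_address(uint64_t mmcfg_base, uint8_t bus, uint8_t dev,
                           uint8_t func, uint16_t reg)
{
    return mmcfg_base + ((uint64_t)bus << 20) + ((uint64_t)(dev & 0x1f) << 15) +
           ((uint64_t)(func & 0x7) << 12) + (uint64_t)(reg & 0xfff);
}

/* Memory layout the handler validates against (constructed sample values). */
struct platform_layout {
    uint64_t smram_base, smram_size;  /* SMRAM region */
    uint64_t mmio_low_base;           /* top of low usable DRAM */
    uint64_t mmio_low_limit;          /* exclusive end of the low MMIO window */
};

const struct platform_layout SAMPLE_LAYOUT = {
    .smram_base = 0x7b000000, .smram_size = 0x00800000,
    .mmio_low_base = 0x80000000, .mmio_low_limit = 0x100000000ull,
};

enum bar_verdict { BAR_OK, BAR_BAD_RANGE, BAR_OVERLAPS_SMRAM, BAR_NOT_IN_MMIO };

static bool overlaps(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Options 1 and 2: reject a BAR-derived range that wraps around, touches SMRAM,
 * or lies outside the MMIO window above low DRAM. */
enum bar_verdict check_mmio_range(const struct platform_layout *p,
                                  uint64_t base, uint64_t size)
{
    if (size == 0 || base + size < base)
        return BAR_BAD_RANGE;
    if (overlaps(base, size, p->smram_base, p->smram_size))
        return BAR_OVERLAPS_SMRAM;
    if (base < p->mmio_low_base || base + size > p->mmio_low_limit)
        return BAR_NOT_IN_MMIO;
    return BAR_OK;
}

/* Option 3: on SMI entry, force the BAR back to the firmware-reserved default
 * before any access. 'bar_reg' stands in for the device's config register. */
uint32_t enforce_default_bar(uint32_t *bar_reg, uint32_t default_base)
{
    uint32_t flags = *bar_reg & 0xfu;        /* memory BAR type/prefetch bits */
    if ((*bar_reg & ~0xfu) != default_base)
        *bar_reg = default_base | flags;     /* undo any runtime relocation */
    return *bar_reg & ~0xfu;                 /* base the handler may now use */
}

/* Constructed scenario: runtime code moved the BAR before the SMI fired;
 * returns the base the handler ends up using. */
uint32_t handler_base_after_relocation(uint32_t relocated_to, uint32_t default_base)
{
    uint32_t simulated_bar_reg = relocated_to;  /* simulated config register */
    return enforce_default_bar(&simulated_bar_reg, default_base);
}

int main(void)
{
    /* GbE LAN BAR from the talk: bus 0, device 25, function 0, offset 10 hex.
     * The MMCFG base 0xF8000000 is an assumed platform value. */
    printf("CF8 address:   0x%08x\n", pci_cf8_address(0, 25, 0, 0x10));
    printf("MMCFG address: 0x%08llx\n",
           (unsigned long long)pci_mmcfg_address(0xF8000000u, 0, 25, 0, 0x10));
    printf("verdict for a BAR moved onto SMRAM: %d\n",
           check_mmio_range(&SAMPLE_LAYOUT, 0x7b7ff000, 0x2000));
    return 0;
}
```

The range checks are partial on their own, as the talk says; forcing the default location closes the gap only for BARs whose default the firmware reserved at boot.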