Modchips of the State

Video in TIB AV-Portal: Modchips of the State

Formal Metadata

Title
Modchips of the State
Subtitle
Hardware implants in the supply-chain
Title of Series
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Hardware implants and supply chain attacks have been in the news recently, but how feasible are they and what can we do about them? In this talk we'll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these "modchips" and increase our trust in our systems.
Keywords
Security

[Music] So, Trammell Hudson, who is standing here, is taking things apart. Don't worry, not live on stage, but he will give us a proof of concept and some details and functionalities about hardware implants, the same things that we heard about from the Bloomberg article talking about Apple and Supermicro computers with implants that were implanted into those computers. I'm really excited to see this in action. Please give a warm round of applause to Trammell Hudson. [Applause]
[Music] Before we begin talking about hardware implants, just two quick disclaimers. The first, from my employer Two Sigma Investments: as it says there, these are chocolate bars, this is not investment advice. And secondly, I don't actually know what the story is behind the Supermicro story. No one outside of Bloomberg and their sources do. But I have spent a lot of time thinking about hardware implants, starting with the Thunderstrike firmware attack against MacBooks, as well as Thunderstrike 2, where we were able to get software to write into the firmware on the MacBooks. I've also been thinking a lot about how to defend against hardware implants with things like the Heads firmware for slightly more secure laptops, and also, as part of my co-lead on the LinuxBoot project, we're thinking about how to protect servers from physical and software attacks.

So with all of this concentrated thinking about firmware and hardware attacks, I was really excited when I saw the Bloomberg story back in October. But what really intrigued me was the animated image that they had at the header that highlighted one small part of the board as where the implant was, because that is exactly where I would install a hardware implant as they described, on the SPI bus. A lot of other people in the hardware and firmware security community thought it sounded plausible. Other people pointed out that supply chain attacks come up periodically and they are definitely a concern. Some people thought the attack as described was entirely implausible, and in general we sort of had a whiskey-tango-foxtrot moment as everybody scrambled to figure out what's going on inside their machines.

So let's step back really quickly and review the key claims that Bloomberg alleged happened. First, they said that Amazon's
testers found a tiny microchip that wasn't part of the board's original design, that had been disguised to look like a signal conditioning coupler, and that these illicit chips were connected to the baseboard management controller, or the BMC, which gave them access to machines that were turned off. That might sound kind of extreme, but that's actually what the role of the BMC is. In most servers the BMC is running any time the machine is hooked up to power, and it's connected to the power supplies so that it can turn the machine on and turn it off. Frequently you want to be able to do this over a network, so it has its own dedicated LAN port, but it can also share the LAN port with the main system. Serial over LAN is a really useful way to debug the systems, so it provides that functionality. It can also provide fake USB volumes to allow you to do unattended OS installation. A lot of sites also want remote KVM, so it has VGA, but that VGA support means that it's on the PCIe bus, and because it's on PCIe it can do DMA into main memory. It also typically has a mux into the SPI flash for the host firmware, which allows it to modify it, and on some systems it's even connected to the TPM, which allows it to circumvent the core root of trust. So with all of this capability inside this chip, it's really unfortunate that they are really not well put together. As the head of security says, they have no protection against attacks, there's no ability to detect if an attack has happened, and there's no ability to recover from an attack. So having a hardware implant on the BMC is a really big concern.

The other claim in the article is that it affected 30 different companies, including Apple, and Bloomberg alleges that Apple found malicious chips independently on their Supermicro boards, that they went to the FBI about it, and that they then severed ties with Supermicro. This particular claim was interesting because it corroborated a story that had shown up back in early 2017 that Apple had removed Supermicro from their data centers. Apple denied that there was a firmware issue, but it's interesting that perhaps these two were related. The third set of claims is that on some of these implants, they were actually put between the layers on the PCB. And then the most explosive claim is that this was done by operatives from China, the Chinese People's Liberation Army.

With a story with this many claims and this significant of allegations, we'd hope that it would be really well sourced, and for a normal story, 17 independent sources that Bloomberg editors agreed to grant anonymity to, including six national security people, two people inside of AWS and three senior insiders at Apple, seems like a pretty solid source, except as soon as this article was published, everyone denied it. The Director of National Intelligence said they'd seen no evidence of this. Amazon said that they've never found any issues of modified hardware, nor have they been engaged with the government over it. Apple was even more blunt: CEO Tim Cook said this did not happen, there is no truth to this. And Supermicro wrote a fairly lengthy letter about what they do to protect the supply chain and why they think this attack did not happen, and it's worth going through to look at some of the things that they say that they do to protect their supply chain.

They point out that if there are any unauthorized physical alterations during the manufacturing process, other design elements would not match and those things would be detected. To sort of understand how circuit boards are made, I recently visited a PCB factory in Guangzhou. This is not a Supermicro factory, these are just holiday photos. So
in order to add new vias, they would have to modify the drill files, which would then get electroplated. If they had to add new traces, they would have to be able to subvert the masking and etching process, and any changes to either the drills or the etching on individual layers would be caught by the optical inspection that's done on those bare circuit boards. Additionally, the allegation that things were inserted between circuit boards would require that the lamination process be subverted and the implants somehow aligned into the system. If that implant changes any of the connectivity, the flying probe testers would pick it up, or the bed-of-nails testers, which check all of the connectivity of all the traces to make sure that there are no shorts and to make sure that everything that is supposed to be connected is electrically conductive. So it would be very difficult to circumvent the production process at this stage, and it would also be very difficult to contain, because the PCB factory doesn't know which customers are going to receive those circuit boards.

Supermicro also points out that during the assembly process, when the parts are installed, they have their employees on site the whole time. On my same holiday trip I also visited some PCB assembly companies and spoke with companies that are doing contract manufacturing, and they said that they also send their employees to the production line to observe the pick-and-place machines and the reflow and the rest of the surface mount assembly. Their big concern is that if they don't have someone there, the parts that are fed into the pick-and-place will be replaced with either counterfeits or with salvaged parts. I visited the electronics market in Huaqiangbei, where there are people desoldering e-waste and then sorting the parts into bins and selling these salvaged components by the kilo, and for a few extra renminbi they'll put them on reels for you so that you can save a few pennies on your production process. The other concern that these companies have is not just salvaged parts but straight-up counterfeits, especially for things that cost more than a few dollars each. The Arduino community was hit a few years ago with a bunch of counterfeit FTDI chips where the internal construction was entirely different. In this case it caused reliability issues, but you can imagine from a security perspective this is really worrisome: that parts that look identical might have completely different functionality inside of them.

Supermicro also mentions that they X-ray their mainboards to look for anomalies. I wasn't able to take any photos inside a factory that was doing X-rays, but in this Wikipedia photo we can clearly see that active components like this SOIC chip are different from things like the SMD resistors and capacitors, so if an attacker were trying to subvert the supply chain by putting in a disguised component, it could be detected at this step. Another interesting thing in this photo are these inductors that are encased in DIP packages. This is really common in a lot of Ethernet boards, and occasionally people have thought they had some sort of hardware implant and then found inductors in their Ethernet jacks, but it's fairly common and it shows up pretty clearly on the X-ray. Some other security researchers like Sophia d'Antoine did an extensive teardown of Supermicro boards, including X-ray analysis, and her group found a few oddities, but they didn't find anything malicious. There are no smoking guns; they just appeared to be sort of supply chain type things. You can read her blog post for more details about where they found things that shouldn't have been there but turned out to be just actual signal conditioning components.

So Supermicro, in their letter, keep reinforcing that it's the manufacturing process, it's the assembly process, it's during the manufacturing process, and I agree with them: it would be very difficult to circumvent their security in a reasonable way in that part of the process. But that's not the only place this could happen.
We know that national security agencies intercept shipments of computer hardware and then have their Tailored Access Operations open the computers, install hardware implants, reseal them, and then have them continue on their way in shipment. The NSA even has a catalogue of hardware implants, like this JTAG implant, Ethernet jacks with embedded computers in them, as well as firmware-specific ones that target servers' SMM, and then some that can do data exfiltration via RF. So that sort of Tailored Access Operation is really ideal for this supply chain attack, because it allows them to contain the exploit to a single customer, it allows them fairly good concealment, as well as good cover: if it's discovered, it's really hard to attribute where things went wrong, unlike if you find something inside your motherboard between the layers, where you know that had to have happened at the factory.

Supermicro also claimed that this was technically implausible, that it was highly unlikely that unauthorized hardware would function properly because a third party would lack complete knowledge of the design. I think that's inaccurate, both because we know the NSA does it and also because I've done it. Really, all that you need to know is that these are common components. These flash chips show up on all the boards; you can search the internet for the datasheet and find exactly how it's wired into the rest of the system, and the only thing that we need to know to communicate to the BMC is the serial output pin from this component. So the BMC flash is connected over to the BMC CPU via the serial output, and it goes through a small series resistor, and that is where my implant goes in. Mine's a little bit larger than that resistor; it clips on to the board and it has a small FPGA that hangs off the side, but it's completely plausible to fit it into something that small. In fact, a modern ARM M0 fits in the space of two transistors from a 6502 from a few years ago. Moore's law means we can pack an amazing amount of CPU into a very, very small amount of space, so on that 0603 resistor you could fit around a hundred Cortex-M0s, which would be plenty powerful for this system.

The problem is we only have those two pins. Ordinarily on the SPI flash you need at least six pins, but we don't have power and ground, so we have to passively power this through the data signal that's passing through it. We don't have the chip select pin, so we have to guess when this chip is being talked to. We don't have the data input pin, so we don't know what addresses are being read or what commands are being sent; we have to reconstruct it from the data output pin. And we also don't have a clock pin, so we have to figure out how to synchronize to that clock. Lastly, we don't have the ability to make arbitrary data changes. All we can do is disconnect the pin from the BMC, so we can only turn one bits into zero bits; we can't go the other way around. So with these limitations, we can still do some pretty interesting things.
Recovering the clock is actually pretty easy. We can look at the data stream and find the shortest bit transitions, from 0 1 0 or 1 0 1, to estimate what the clock is, which allows us to then reconstruct the data stream being sent to the BMC. If we look at the flash contents, we can see that a lot of it is fairly random noise, but a lot of it is all white, which in this case would mean that it's all 1 bits. So if we look at the way the flash is organized, we can see there's the U-Boot bootloader, and that's executable, so that's kind of difficult to make useful changes to. Then the kernel and the root filesystem are both compressed, so they look effectively like random noise. But the NVRAM region is a JFFS2 filesystem, and this filesystem is three megs, it's mostly empty, and all that empty space is FF, which is all ones, so this is plenty of ones for us to work on. Additionally, it has fairly nice headers that we can match on, so when we see these magic bit masks we know when we've entered different parts of the filesystem. So given that we can now reconstruct the clock and we can figure out where we are in the filesystem, this hardware implant can start to inject new data into what was the empty space. This short file that we put in here is a small shell script, and it is one of the network configuration scripts.

So this is where I'm going to try a live demo, and I hope this works. We're running in QEMU since I didn't bring a Supermicro board. What we have on the left is the flash console, I mean the hardware implant console, and then on the right we have the serial console from the BMC. So we can see I just loaded the kernel, and then in a second we should see a bunch of traffic. Okay, so the implant is active: it has replaced the data when that NVRAM filesystem was mounted. The BMC is now continuing on doing its setup; it's going to load a bunch of device drivers for the video. It pauses here for some reason that I haven't diagnosed, because that's not my job, and eventually it's going to configure the network, and it does that by running that shell script off of the NVRAM partition. Okay, it starts the KVM stuff, brings up some things. All right. [Music] [Applause] [Music]

Okay, so luckily we got to that point without me having to fake the demo. In the hardware it's really flaky; my version works about one in eight times, but it doesn't typically cause a crash, so that's actually good for concealment, because it becomes much harder to determine which machines are affected. In QEMU, because it's simulating, it's a little more reliable, but it's still only two out of three. If we let the BMC boot a little bit further, it actually prints out this message, and if you hit enter it drops you to a shell with no password, and you can then just run commands as root on the BMC. And that's a lot easier than all this stuff with the SPI bus if you wanted to build a hardware implant against it. I don't know where the serial port is on the Supermicro, but on a different tier-one server mainboard I was able to probe around with the oscilloscope and locate the serial console for the BMC, figure out it's 115 kilobaud, and it has the same code where you hit enter and you can run commands there. So that's a much easier way to do it.

A big question a lot
of people have is how would we actually detect this sort of flash implant. A lot of high-assurance sites replace all of their ROMs with ones that they flash themselves, but that doesn't get rid of the implant, because it's outside of the ROM chip. Likewise, reading the ROM chip doesn't show anything, because it's not in the ROM itself, it sits outside of it. Even hooking up a logic analyzer to the bus and watching as the machine boots and seeing the data stream coming out of the flash won't actually reveal the implant, because you would have to put the logic probes on the BGA pads on the BMC itself, and that's a much harder task. Some people think, oh well, we can see the weird network traffic when the BMC tries to exfiltrate the data, but that's only one way for the BMC to affect things. There's a great talk from a few years ago at DEF CON from Intel ATR where they showed how something that can control the system firmware can backdoor hypervisors, and then they give a use case where an unprivileged guest on a cloud system could read all of the rest of physical memory, so you could see all of the other guests' memory.

So what do we do now? The big problem is the BMC has way too many privileges. It's connected to pretty much everything in the system. But the BMC is not our only concern. As whitequark said, our PCs are just a bunch of embedded devices in a trench coat, and they all have firmware. In fact, pretty much everything on your system more complex than a resistor probably has firmware, and if you have one of those Supermicro implants, maybe even your resistors have firmware as well.
I've found that the firmware in things like the power supplies can be used to gain code execution on the BMC. It's really interesting how tightly connected all of our systems are, and as Joe Fitz pointed out in his Black Hat talk, these are not multi-million dollar attacks; these are five-euro bits of hardware that we now have to really be worried about. I really like the guidelines that NIST has published that suggest we think about our systems in a more holistic manner, although they end up rooting pretty much everything into the TPM, the Trusted Platform Module, for doing this attestation. I think we as a community need to do more to use the TPMs; they're actually a really good tool for securing our systems, but they are also potentially subject to their own hardware implants. The NCC Group TPM Genie is able to subvert the core root of trust by interposing on the TPM. So a lot of folks are proposing we should move to other trusted execution environments like SGX or TrustZone, and I think these have a lot of promise, especially for trusted cloud computing. There's also a lot of innovation in hardware roots of trust going on right now, between the Google Titan, which initially was for their servers and is now showing up in all of their Chromebooks, and the Microsoft Cerberus chip, where they're actually publishing their firmware and the ASIC design so that people can have a little more faith in it, and they hope it will become an open standard. Companies like Apple have also gone their own way with the T2, and the T2 is a really amazing chip for securing systems, but it does so at the expense of user freedom, and that gets in the way of what I think is the real way that we need to solve these problems.

We need to get rid of a lot of these secrets. Counter to what the Supermicro CEO said, having a secret motherboard design does not make you more secure. Things like the Open Compute hardware, I think, are a good vision for how we can move forward: when you buy an Open Compute server, it comes with the full schematics and Gerber files, so that motivated customers can verify that the systems that they're buying are the ones that they think they're buying, that all of the components are what they think they should be. I think the firmware also needs more openness. Ron Minnich at Google is my co-lead on the LinuxBoot project, and we think that Linux in the firmware is a way forward to get a more secure, more flexible and more resilient system. We're working with a spin-off project called u-bmc that is using the LinuxBoot tools to build BMC firmware, and this is open source, it's reproducibly built, it can work with roots of trust for attestation, it's written in a memory-safe language, since it's a Google collaboration, in Go, and more importantly we've thrown away all of the legacy features that have been a source of a lot of security vulnerabilities in these systems.

So did it happen? I don't
know is it technically possible I think so I hope I've convinced all of you that this is definitely a technical possibility that we need to be concerned about and I hope that the way forward through Hardware roots of trust with attestation and more importantly with open hardware so that we know that what the machines were running are running code that we know the code that we built that we understand and that we can actually have a good chance of be able
to take control back of them if you're interested in more discussion on this and also an open firmware there's an
assembly here in this hall that has a bunch of folks working on coreboot and Linux boot and a lot of these projects where you can help contribute and you can help also pressure vendors to make these this a standard and a way forward for a more secure computing so thank you all for coming and I really enjoyed the chance to show off my MA up of the state [Applause] [Music]
[Applause] Great talk, thank you very much, Trammell. Now we have 10 minutes for questions, so please line up at the microphones if you have questions, and we also have the signal angel with questions from the internet. Any questions? Microphone number three.

Yes, ... the POWER9-based ones?

So the question is about the Talos POWER9-based systems. POWER9 is a really interesting architecture. It is using an open firmware very similar to LinuxBoot, called Petitboot, that moves Linux into the bootloader. I'm a big fan; there are a lot of folks in the open-source community who are very excited about it. I'm hoping that there will be more POWER9 systems coming out. I'm also very excited about the RISC-V systems; I think having open-source CPUs is a real way that we can have more assurance that our systems are what we think they are.

Thank you. Two, please.

A scope probe over this serial ... because it's just a series resistor which you're replacing: if you just put two scope probes on there and measure the voltage over it, in your situation you would see a voltage change there once in a while?

Yes.

Whereas the normal case is actually quite constant current. So if you lower the input impedance of the BMC chip you might already have fixed part of the attack, because the output sourcing current of your implant is probably limited due to the limited supply. But do you see a way to actually get more power into your implant, maybe using other power sources other than the two pins, or would there be a way to do more arbitrary changes through redesigning the implant?

One of the goals was to fit with only those two pins, so that a single piece on the motherboard could be replaced; with the dual-probe soldering iron you can pop it out and stick a new one down in a matter of seconds. So yes, if you have more pins where you can get more power from, you can do much more interesting things, but that would require a different set of changes to the motherboard.

Thank you. Microphone one, please.

On the arguments that these implants were not feasible, by Supermicro, where they also showed the pictures from the fab, that you would have to change the etching and the optical inspection and so on and so on: how probable would you weigh the fact that some actor just intercepted the manufacturing files and added that component over a new file? Because then all the optical inspection would say, well, that matches what was sent to us, but that is not necessarily what Supermicro sent to the fab.

So the question is, could someone have modified all of the manufacturing files that went to the factory? That's absolutely a possibility, but it's also very likely that that would be detected by Supermicro itself. In a lot of cases you don't necessarily want to trust the company that is making the product to also test it; you probably want to have a separate company that does random spot checks to verify that the boards are actually being produced to the specification that you desire. So it's certainly possible, and I really don't want to speculate as to the accuracy of that part of the story, but it would require quite a few more changes and would also be much more likely to be detected in the spot check.

Great. Microphone number two, please.

On a lot of motherboards there are also quite a few components not populated, some of which are on nets you could consider sensitive. Wouldn't that make it...

Yeah, exactly, it is.

But wouldn't that make it very easy to just pop something on there in parallel with one of the components and not have it be detected? Because the board isn't modified, there is a component there, and you have no way of telling whether it had to be populated or not.

Supermicro puts a lot of extra pads on the board. On this one particular one they have both eight-pin and sixteen-pin flash chip pads that are just in parallel together, so depending on which chip is cheaper that day of the week, or who knows what, they will populate one or the other. So that's why, in this particular photo, having the position of that circle on the data output pin is very, very interesting.

Question answered? Okay, so one more question, microphone number two, please.

How far can signing of firmware be a solution to this problem?

Signing firmware solves a lot of the issues; it does, however, not solve all of them. Typically not all of the firmware is signed. Specifically, U-Boot is probably going to be signed in a modern BMC, and the kernel and maybe the root filesystem might be signed, but the NVRAM filesystem in this BMC is designed to be user-modifiable, so it can't be signed by the manufacturer, so this sort of attack would work against a signed BMC just as well. Also the "hit enter to get a serial console" attack circumvents any signing. There are things on the host firmware on the x86, like Boot Guard, that do a really good job of making it harder to get code execution during the boot process, but there have been several CVEs where it has been implemented poorly, so even though the firmware is signed, people have still managed to get code execution during that process.

Thank you, Trammell Hudson, again a warm applause. Thank you very much. [Applause]
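The two points above about attestation and signing (the talk's remark that the BMC firmware can work with roots of trust for attestation, and the last answer's caveat that a user-modifiable NVRAM filesystem cannot be vendor-signed) can be illustrated with a small simulation. This is an added example; it is not code from the talk, from u-bmc, or from any TPM library. It models a TPM PCR with the SHA-256 extend rule, builds a constructed three-region flash image, and contrasts a vendor-signature check that covers only the signed regions with a measured-boot PCR compared against a golden value. The region names, their contents, the manifest used as a stand-in for a signature, and the golden PCR are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Region:
    """One region of a constructed BMC flash image."""
    name: str
    data: bytes
    signed: bool  # True if the vendor's signature covers this region


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement)."""
    return sha256(pcr + measurement)


def measure_image(regions: List[Region]) -> Tuple[str, List[Tuple[str, str]]]:
    """Measured boot: hash every region into a simulated PCR, signed or not.

    Returns the final PCR value (hex) and an event log of (region, digest).
    """
    pcr = bytes(32)  # PCRs start at all zeros
    log = []
    for region in regions:
        digest = sha256(region.data)
        log.append((region.name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr.hex(), log


def signature_check(regions: List[Region], vendor_manifest: Dict[str, str]) -> bool:
    """Stand-in for vendor signature verification (assumption: the vendor signs a
    manifest of region digests). Unsigned regions are skipped by design."""
    for region in regions:
        if not region.signed:
            continue
        if sha256(region.data).hex() != vendor_manifest.get(region.name):
            return False
    return True


def attest(regions: List[Region], golden_pcr: str) -> bool:
    """Attestation check: does the measured PCR match the known-good value?"""
    return measure_image(regions)[0] == golden_pcr


def tamper(regions: List[Region], name: str, payload: bytes) -> List[Region]:
    """Return a copy of the image with `payload` appended to one region."""
    return [Region(r.name, r.data + payload, r.signed) if r.name == name else r
            for r in regions]


# Constructed sample image: signed bootloader and kernel, unsigned NVRAM.
PRISTINE_IMAGE = [
    Region("u-boot", b"U-Boot (constructed placeholder contents)", signed=True),
    Region("kernel", b"Linux kernel image (constructed placeholder)", signed=True),
    Region("nvram", b"hostname=bmc0\nnet=dhcp\n", signed=False),
]

# What the vendor "signs": digests of the signed regions only.
VENDOR_MANIFEST = {r.name: sha256(r.data).hex() for r in PRISTINE_IMAGE if r.signed}

# Golden PCR recorded from a known-good (for instance reproducibly built) image.
GOLDEN_PCR, _ = measure_image(PRISTINE_IMAGE)


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run three scenarios; returns {scenario: (signature_ok, attestation_ok)}."""
    nvram_mod = tamper(PRISTINE_IMAGE, "nvram", b"extra=constructed-change\n")
    uboot_mod = tamper(PRISTINE_IMAGE, "u-boot", b"\x00")  # one-byte change
    return {
        "pristine": (signature_check(PRISTINE_IMAGE, VENDOR_MANIFEST),
                     attest(PRISTINE_IMAGE, GOLDEN_PCR)),
        "nvram_modified": (signature_check(nvram_mod, VENDOR_MANIFEST),
                           attest(nvram_mod, GOLDEN_PCR)),
        "uboot_modified": (signature_check(uboot_mod, VENDOR_MANIFEST),
                           attest(uboot_mod, GOLDEN_PCR)),
    }


if __name__ == "__main__":
    for scenario, (sig_ok, att_ok) in demo().items():
        print(f"{scenario:15s} signature_ok={sig_ok!s:5s} attestation_ok={att_ok}")
```

The `nvram_modified` scenario is the one the last answer describes: the signature check still passes because the unsigned region is outside its scope, while the measured PCR no longer matches the golden value. On real hardware the early stages would be measured by a hardware root of trust rather than by this script, and the golden value would come from a build you can reproduce yourself.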