Rafal Wojtczuk and Joanna Rutkowska - Black Hat

01.07.2015 Views
Example #1: Disk Encryption Disk encrypted with a key k, that is sealed into the TPM... Now, only if the correct software (VMM, OS) gets started it will get access to the key k and would be able to decrypt the disk! MS’s Bitlocker works this way.

But the key k must be present in the memory all the time... (the OS needs it to do disk on-the-fly decryption)

Page 1: Attacking Intel ® Trusted Executio

Page 4 and 5: Intel ® Trusted Execution Technolo

Page 6 and 7: TPM 1.2 Passive I/O device (master-

Page 8 and 9: PCR “extend” operation PCRN+1 =

Page 10 and 11: TPM seal/unseal example # echo 'Sec

Page 12 and 13: Both seal/unseal and quote operatio

Page 14 and 15: BIOS ROM BIOS FLASH BOOT LOADER OS

Page 18 and 19: So, a malware can sniff it…

Page 20 and 21: Example #2: User’s Picture Test :

Page 22 and 23: Problems with SRTM

Page 24 and 25: Dynamic Root of Trust Measurement (

Page 26 and 27: A VMM we want to load (Currently un

Page 28 and 29: TXT bottom line TXT late launch can

Page 30 and 31: GRUB (1 st stage) GRUB (2 nd stage)

Page 32: First we start “trusted” Xen (b

Page 36 and 37: Thanks to tboot only when the trust

Page 38: Tboot Demo #1: sealing to a trusted

Page 42 and 43: SENTER is not obligatory!!! TXT and

Page 44 and 45: Why would a user or an attacker be

Page 46 and 47: AMD Presidio AMD’s technology sim

Page 48 and 49: SRTM/DRTM (launch-time protection)

Page 50 and 51: TXT: exciting new technology with g

Page 52 and 53: Q: What is more privileged than a k

Page 54 and 55: Introducing “Ring -2” SMM can a

Page 56 and 57: SMM vs. TXT?

Page 58 and 59: Q: Does TXT measure currently used

Page 60 and 61: Q:So, how does the SENTER deal with

Page 62 and 63: TXT attack sketch (using tboot+Xen

Page 64 and 65: Address of the shellcode (in the gu

Page 67: The final outcome...

Page 70 and 71: Stay tuned! SMM exploiting to be pr

Page 73 and 74: More on the Implementation Bugs

Page 75 and 76: SMM research quick history

Page 77 and 78: No SMM bugs known... ...cannot read

Page 79: De-soldering?

Page 84 and 85: De-soldered SPI-flash chip

Page 86 and 87: The BIOS image on the SPI-flash is

Page 88 and 89: Remember our Q35 bug from Vegas? (W

Page 90 and 91: Now, applying this to SMM...

Page 95 and 96: We see we can access SMM memory usi

Page 97 and 98: So, what now?

Page 99 and 100: December 2008: Intel We think TXT i

Page 101 and 102: Intel confirmed the problems in the

Page 103 and 104: Intel believes the issues might aff

Page 105 and 106: CERT has assigned the following tra

Page 107 and 108: Stay tuned! (and don’t trust your

Page 109 and 110: Intel Solution to the TXT attack is

Page 111 and 112: Potential issues with STM STM seems

Page 113 and 114: Intel Why should we trust BIOS vend

Page 115 and 116: Intel offered us a chance to read t

Page 117 and 118: There are some other issues with ST

Page 119 and 120: Still, allowing TXT to work without

Page 121 and 122: Intel TXT is a new exciting technol

intel

senter

bios

tboot

disk

hypervisor

currently

hash

kernel

resets

rafal

wojtczuk

rutkowska

digitalpiglet.org

Rafal Wojtczuk and Joanna Rutkowska - Black Hat

Rafal Wojtczuk and Joanna Rutkowska - Black Hat ... View more Rafal Wojtczuk and Joanna Rutkowska - Black Hat

Delete template?

Save as template ?

Rafal Wojtczuk and Joanna Rutkowska - Black Hat Rafal Wojtczuk and Joanna Rutkowska - Black Hat