- Page 1: Attacking Intel ® Trusted Executio
- Page 6 and 7: TPM 1.2 Passive I/O device (master-
- Page 8 and 9: PCR “extend” operation PCRN+1 =
- Page 10 and 11: TPM seal/unseal example # echo 'Sec
- Page 12 and 13: Both seal/unseal and quote operatio
- Page 14 and 15: BIOS ROM BIOS FLASH BOOT LOADER OS
- Page 16 and 17: Example #1: Disk Encryption Disk en
- Page 18 and 19: So, a malware can sniff it…
- Page 20 and 21: Example #2: User’s Picture Test :
- Page 22 and 23: Problems with SRTM
- Page 24 and 25: Dynamic Root of Trust Measurement (
- Page 26 and 27: A VMM we want to load (Currently un
- Page 28 and 29: TXT bottom line TXT late launch can
- Page 30 and 31: GRUB (1 st stage) GRUB (2 nd stage)
- Page 32: First we start “trusted” Xen (b
- Page 36 and 37: Thanks to tboot only when the trust
- Page 38: Tboot Demo #1: sealing to a trusted
- Page 42 and 43: SENTER is not obligatory!!! TXT and
- Page 44 and 45: Why would a user or an attacker be
- Page 46 and 47: AMD Presidio AMD’s technology sim
- Page 48 and 49: SRTM/DRTM (launch-time protection)
- Page 50 and 51: TXT: exciting new technology with g
- Page 52 and 53: Q: What is more privileged than a k
- Page 54 and 55:
Introducing “Ring -2” SMM can a
- Page 56 and 57:
SMM vs. TXT?
- Page 58 and 59:
Q: Does TXT measure currently used
- Page 60 and 61:
Q:So, how does the SENTER deal with
- Page 62 and 63:
TXT attack sketch (using tboot+Xen
- Page 64 and 65:
Address of the shellcode (in the gu
- Page 67:
The final outcome...
- Page 70 and 71:
Stay tuned! SMM exploiting to be pr
- Page 73 and 74:
More on the Implementation Bugs
- Page 75 and 76:
SMM research quick history
- Page 77 and 78:
No SMM bugs known... ...cannot read
- Page 79:
De-soldering?
- Page 84 and 85:
De-soldered SPI-flash chip
- Page 86 and 87:
The BIOS image on the SPI-flash is
- Page 88 and 89:
Remember our Q35 bug from Vegas? (W
- Page 90 and 91:
Now, applying this to SMM...
- Page 95 and 96:
We see we can access SMM memory usi
- Page 97 and 98:
So, what now?
- Page 99 and 100:
December 2008: Intel We think TXT i
- Page 101 and 102:
Intel confirmed the problems in the
- Page 103 and 104:
Intel believes the issues might aff
- Page 105 and 106:
CERT has assigned the following tra
- Page 107 and 108:
Stay tuned! (and don’t trust your
- Page 109 and 110:
Intel Solution to the TXT attack is
- Page 111 and 112:
Potential issues with STM STM seems
- Page 113 and 114:
Intel Why should we trust BIOS vend
- Page 115 and 116:
Intel offered us a chance to read t
- Page 117 and 118:
There are some other issues with ST
- Page 119 and 120:
Still, allowing TXT to work without
- Page 121 and 122:
Intel TXT is a new exciting technol