Understanding UCR Firmware Attacks and Security


Explore the world of UCR firmware attacks and security, focusing on peripheral devices, DMA vulnerabilities, Intel Virtualization Technology, and the real story of Stuxnet. Learn about data exfiltration, keyloggers, bootkits, and the challenges of securing firmware systems. Discover how firmware offers a wide attack surface that is difficult to secure effectively.

  • Firmware Security
  • DMA Vulnerabilities
  • Intel Vt-d
  • Stuxnet
  • Bootkits


Presentation Transcript


  1. UCR Firmware Attacks and Security: Introduction

  2. Firmware attacks
     • We have focused on software and CPU security, but what about peripheral devices?
     • They run microcontrollers/firmware
     • Often this is large and complex
     • Can be attacked
     • Often they have physical access to the devices, not mediated by the OS or CPU
     • Real danger: many published attacks on a variety of I/O devices and buses
     • E.g., Stuxnet worm

  3. Common attack 1: Data Exfiltration
     • I/O devices can have DMA access to memory
     • DMA memory permissions do not go through the page table
     • Can access arbitrary memory, recover data, keys, etc.
     • The "Understanding DMA Malware" paper shows how this can be used to launch stealthy attacks
     • They implement a keylogger
     • Defenses? IOMMU and things like Intel Vt-d

  4. Typical x86 system

  5. DMA

  6. Intel Virtualization Technology for Directed I/O (Vt-d)
     • Currently implements:
     • I/O device assignment: allows the administrator to assign I/O devices to VMs in any configuration
     • DMA remapping: supports address translation for device DMA transfers
     • Interrupt remapping: provides VM routing and isolation of device interrupts
     • Reliability: record software DMA and interrupt errors that otherwise may corrupt memory and impact isolation
     • https://www-ssl.intel.com/content/www/us/en/virtualization/virtualization-technology/intel-virtualization-technology.html?iid=tech_vt+tech

  7. Still can be attacked
     • Check the "Understanding DMA Malware" paper
     • Keylogger through one of the processors on the motherboard
     • Had to solve some problems, mostly to do with virtual to physical address mapping and figuring out ASLR
     • Lesson is firmware/system offers a big attack surface that is difficult to secure

  8. The Real Story of Stuxnet, IEEE Spectrum, Feb. 2013

  9. Common attack 2: Bootkits
     • Multiple pieces of firmware load prior to or during execution of OS
     • Attackers with software access (if they are vulnerable and expose interfaces) or physical access can compromise any of them
     • Boot process is compromised, anything can be booted
     • Could run in a more privileged mode than the OS (e.g., System Management Mode)
     • Very old attack: e.g., viruses compromising Master Boot Record
     • Solution? Secure load/attested load using the TPM

  10. Aside: SMM
     • Feature started in 386SL
     • Allows the OS to be interrupted
     • Code in the SMM runs at a very high privilege level
     • OS has no idea that it is running (undetectable other than timing)
     • SM-RAM holds SMM state inaccessible in normal mode
     • Has some legitimate uses (e.g., emulating hardware)
     • But has mostly been a haven for rootkits

  11. NSA Likes it

  12. Common (?) Attack 3: Backdoors/trojans
     • Backdoors/trojans installed by the manufacturers
     • Several reported; prevalence unknown

  13. Example: Hard drive backdoor
     • Can exploit firmware (not well written code usually)
     • Once you exploit it (remotely) you can:
     • Make a disk commit suicide
     • Or mess with data any way that you want
     • But can you exfiltrate the data or have it act as a backdoor?
     • Yes! NSA was doing that too, but this is based on a research paper
     • Linked on website

  14. (no slide text)

  15. Do not need manufacturer help
     • Reverse engineering kit

  16. Protection and Detection?
     • Is the problem different from hardware trojans? Next class
     • Firmware integrity verification? Yes, unless the firmware comes with the backdoor
     • Updates? Sign those too
     • Yukun will tell us about Viper
     • Intrusion detection?
     • Encryption?
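
The "secure load/attested load using the TPM" defense from slide 9 and the firmware integrity verification question on slide 16, sketched as an added example that is not part of the original slides: each boot stage is hashed into a TPM-style PCR before it runs, and a verifier replays the event log against known-good digests. The stage names, sample images and golden-value table are constructed, and the TPM's signature over the quoted PCR is assumed rather than modeled.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend operation: PCR_new = SHA-256(PCR_old || digest). A PCR can only
    # be extended, never written directly, until the next platform reset.
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(stages):
    """Measure each stage before it runs; return (final PCR, event log)."""
    pcr, log = bytes(32), []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def verify(quoted_pcr, log, golden):
    """Verifier side: return a list of findings; an empty list means the chain is trusted."""
    findings = []
    pcr = bytes(32)
    for name, digest in log:
        pcr = extend(pcr, digest)
        if golden.get(name) != digest:
            findings.append(f"unexpected measurement: {name}")
    if pcr != quoted_pcr:
        findings.append("event log does not replay to quoted PCR")
    return findings

# Constructed sample images (stand-ins for real firmware, bootloader and kernel).
CLEAN = [("firmware", b"fw-1.0"), ("bootloader", b"loader-1.0"), ("kernel", b"kernel-1.0")]
BOOTKIT = [CLEAN[0], ("bootloader", b"loader-1.0+implant"), CLEAN[2]]
GOLDEN = {name: hashlib.sha256(image).digest() for name, image in CLEAN}

def demo():
    clean_pcr, clean_log = measured_boot(CLEAN)
    bad_pcr, bad_log = measured_boot(BOOTKIT)
    return {
        "clean": verify(clean_pcr, clean_log, GOLDEN),
        "bootkit": verify(bad_pcr, bad_log, GOLDEN),
        # The compromised platform presents the clean log, but cannot rewind the PCR.
        "forged_log": verify(bad_pcr, clean_log, GOLDEN),
    }

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "trusted")
```

The check is only as good as the golden values: as slide 16 notes, firmware that ships with the backdoor already in it measures as "known good".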
