
A couple of guys are here. I want to stand in front of you and talk about the PCI Express. Joe and Miles, give them a round of applause. (Applause)

>> Hey, how's it going? Okay, who here went to Mike Ossmann's RF Retroreflectors NSA Playset talk? Okay, who went to Josh Datko and Teddy Reed's I2C implant talk? Who went to Dean and Loki's GSM talk? Okay. Who here bought any NSA Playset kit from Vendor Village? You don't have to say if your employer sent you to buy one for research purposes, you know. So this is Stupid PCIe Tricks featuring NSA Playset PCIe. It didn't really start out as an NSA Playset talk, but it fits right in because this is a capability that they've got to have. It's got to be on one of the pages rejected or missing. I'm Joe FitzPatrick. I have an electrical engineering education with a focus on CS and infosec. I spent eight years doing security research, speed debug and tool development for CPUs, including hardware pen testing of CPUs and security training for functional validators worldwide. I also teach a really cool class, Software Exploitation via Hardware Hacking, aka SEx via HEx, so if any of you are interested, you should Google for that. It's somewhat safe. It's work safe. And our mandatory meeting, "if Joe Fitz, he sitz". If you missed the hot tub at ToorCamp, you should go next time. It runs in two years.

>> I'm Miles Crabill. I'm a current student and hardware newbie, but interested in computer science. I met up with Joe last year and have been working with him over the last couple of months on this NSA Playset PCIe stuff. I didn't come in with much hardware experience and I've pretty much been learning as I went. It's been a great time. So I couldn't show this, of course.

>> Miles has been great because he makes it all look presentable. I'm a hardware guy and not a coder. So a slight disclaimer: I didn't do really good research, I didn't cite a lot of people, but there are tons of people who have done PCIe work and other stuff, so the difference is, in line with the NSA Playset goals, we try to make it accessible and inexpensive. We want any 10-year-old to start doing DMA attacks and memory dumps and lock screen bypasses. Miles will give us the run-down of what the heck PCIe is, because even though you might know it, you may not know the next layer in detail.

>> Okay. So what is PCIe? Well, the answer is that PCIe is PCI Express, extending on this old specification. It's been around forever. It's for fast I/O, right? If you have a video card or something like that, a network card, a sound card, anything really that goes in an expansion slot, it'll probably be on your motherboard, whether you're on a laptop or a desktop; most modern computers use PCI, and so this is how you get fast stuff going on at the hardware level. So there are also things that don't match up. As you see here, they don't look exactly the same. However, PCIe is backwards compatible with PCI and PCI-X. On the lower level you have packets that are being transmitted across lanes, and a lane is four wires. When you see on a PCI card something like x4 or x16, that's the number of lanes, and it corresponds to throughput, so the amount of data you're able to transfer. Most video cards use x16, because they're transferring a lot of data. PCI enables DMA access. So, PCI hierarchy. The root complex is the highest node in the hierarchy and pretty much everything else descends from there. You see the switch connected to the root complex, and PCI devices will connect to the switch, and other PCI devices can be connected to other PCI devices, so you get a whole mess when you try to understand this stuff. So, switching. This is the inside of the switch. From the upstream you have the bus, and then you have these virtual PCI-to-PCI bridges, and then these actually interface with the real devices that you have connected, the real PCI devices. So the layers of PCI, building up from the bottom: you have RX/TX on the physical layer of things, the logical side and the electrical side, then data link, and then up to the transaction layer where you're actually working with packets. I don't know how well you can see this, but this is the actual PCI spec stuff. At the top, device ID and vendor ID is how you would identify a device. So diving into that, we have lspci output, just checking out a specific device. You can see this highlighted area is the vendor ID of the device, and so this is how you would check the manufacturer. They all have codes associated, and then this would be the device ID, so this is like per a specific product or family of products. Then the revision, so you can see that all of this is just right in these bytes that you can access through lspci. And this is your class, device class. Yes. So you can see that this is a PCI bridge, that's 0604. It's just the code that's assigned to this type of device. And so enumeration, as I said before, gets pretty messy because it's a depth-first traversal of the tree hierarchy, and everything like switches and PCI-to-PCI bridges show up multiple times. And so any kind of lspci -v output is just a headache to look at. It's huge.

So --

>> Okay. I'm back on. Routing PCIe. So we talked a little bit about what PCIe is from a conceptual level. The fundamental difference is PCI was 32 bits in parallel, a big flat parallel bus with multiple devices sitting on it. PCI Express is high-speed serial with differential signaling. When you route high-speed signaling and high-speed differential signals you have some rules to follow, okay? If you wanted to make your own PCI Express device, you have to follow the step-by-step, complicated, mandatory and inflexible rules for routing PCIe. For every single one of these. Number one, route your pairs at roughly equal length. That's pretty much it. They made this spec to make it easier for designing boards, because routing 32 lines in parallel along with the clock, they have to be equal lengths. That's a pain in the ass. They said okay, we'll do each pair on its own, TX pair and RX pair, and as long as each pair is the same length, the next line over can be a different length, the next line over can be a different length, which works well when you have a long card. It doesn't matter. All of that is taken care of by the physical layer of PCIe. There are some specs, right? You have to have board traces 12 inches or less, cards are supposed to be 13 1/2 total, two chips on one board are supposed to be 15 inches. And if you follow the rules, your board might work. If you don't follow these rules, it might still work. So PCI Express x1, the lowest common denominator, is 2.5GHz TX, 2.5GHz RX and a 100MHz clock.

That is a common clock and that's actually optional. The device can actually generate its own clock. It depends on the system and device. You can do it without the clock. But we'll throw it in there just because we have room. If we wanted to make a cable to connect this, what do we need? We need something that can do high speed, and PCI Express actually specifies external cabling, and it's really expensive. I don't like expensive things, because I'm cheap. This is a cross-section of a USB 3 cable. If you look inside, you've got the red and the black, which are ground and VCC, and the green and white are your old-school USB, USB 2.0 wires, right? Those are designed to go up to 240 megabytes, right? That's what USB 2 was, and that's plenty to carry our clock. You have the two other pairs, the red and blue and the purple and orange, and those hold the high-speed lanes, and those go at 5 gigahertz. Right? So we have this cable; we can get them for a couple of bucks at pretty much any store and they carry exactly what we need: they carry 5GHz, 5GHz and 500MHz.

That's actually more than we need. I threw together this little PCB. It looks like a PCIe card. There's a dotted line in the middle. That's because I'm cheap again. You can get a 5x5 cm board for one price and I wanted two boards, but I didn't want to have to pay for two boards, so I put them on the same board. Cut them in half if you want, or use as is. You can see those red and blue lines; those are the top and bottom layers where I just connect the wires together, and I actually did a really bad job of this. You can do your own production stuff, do your own. You can actually buy these pre-made from several manufacturers on eBay and AliExpress and other places in China, but that's no fun. So I made my own. This is what the board looks like, and I have the cool silkscreen, solder mask, silver lettering, because that's really important when you make a PCB, to have your logo on there. I call it PEXternalizer. There's the board cut in half at the other end and assembled on the populated board. There's an x1 PCI Express socket up there, and the end looks kind of munged up and molten; that's because I just got my soldering iron and ran through that to open it up so I could put an x16 card in.

Here's a quick screenshot, basically. This PCI Express wireless adapter is in, and it's connected and running, and I can connect to wireless networks. That's all well and good, but that's old news. What else can we do? What devices can we add PCI Express to that don't generally have it? Have you seen this? Intel Galileo. It's an Arduino board, but it actually has a mini PCIe slot on the back. What can you do with that? It's supposed to only work with WiFi adapters, but that's no fun. Anybody can put a WiFi adapter in an Arduino. Yeah, make a light flash. Oh, I'm not wearing that shirt. Oops. Makers make lights flash. Hackers make other people's lights flash. I made another version of the board, a mini PCIe version.

I'll show you pictures. We'll look over. I'll actually show you. Oh, whoa. So we've got here a nice -- oh, there. It's upside down; the graphics card is backwards. We've got our Intel Galileo, and flip it over to the other side, we have the mini PCIe card with the USB header. Again, it's a USB header, it's just a USB header and cable because they're cheap. On the other end I have the populated thingy which has a little power regulator on the end. We don't have the power supply and cables and extra VGA to hook it up and show you, but basically we plug -- stay still. I'm looking at the screen. Whoo! Anybody sick yet? Pop it in the slot.

>> Oh, gosh.

>> There we go. So you got that, right? You got it. There we go. You have more than 12 inches. Yeah. Do you think it still works? Yeah, it still works. And so here's a screenshot. Whoa, here we go.

Actually, when we tried it out, we used a bigger graphics card, because bigger is better, right? So we wired them up with PCIe, that tiny Arduino and that nice big burly graphics card hovering over it, and if we hook it up and we look, I had to do a little bit of custom building of that, which is annoying because of the software, and I hate software. If you do all this PCIe, same tools as before. It's on the Galileo board already. You see a whole bunch of 8086, 8086, 8086. Anybody know whose vendor ID that is? All the way down at the bottom is the 10de. Who do you think that might be? Nvidia. So, you know, sneak it in there and put Nvidia and Intel in bed a little longer. Here we go. I hooked it up to my full HD display to say, hey, I have X running. There's no keyboard input or anything like that, but at this point it's a software problem and I'm a hardware guy. It's someone else's problem, right? So let's move on. The other device I played around with, and I don't have it here to show off, is not fully working yet. This is a Pogoplug. It's a network storage device. It has an Ethernet port and a USB port and you plug it in. It shares it with the whole world. It doesn't tell you about that part. If we look at two versions of the Pogoplug, the cheap and the expensive one, the big difference in the upper left corner is an extra chip that's a USB 3 chip. You want USB 3 on your very slow network storage device. The way it's connected is PCI Express. If you see on this one, the purple wires on the left-hand side, those are my PCI Express lanes. I have TX and RX pairs and then I've got a clock line. He took it with my phone through my magnifying glass, but you see on the left we have a couple of tiny little resistors there. Can you see it? You can't? Oh, no. You can. So you see right there, there's a couple of resistors, because of the termination resistors you have to put on the clock lines, and over here, they're still very small, but you see that little brown spot right there and there? Those are capacitors that are soldered to the tip of the USB connector, and then the wire is soldered to the other edge. It looks pretty fancy. But a year and a half ago I sucked at soldering, and I still do. You find a friend who can do it. Thanks, Kenny. He's not here, but you know. Those of you who know Kenny, he does good work. Again, that goes out to a USB connector, which is the same pinout as this chain again. So my plan there is to get it working and see if I can compile those drivers for ARM instead. So, introducing SLOTSCREAMER. This is where we get into the NSA Playset side of things. It reset our timer. Oh, it's 2:16. We're good. Introducing SLOTSCREAMER; it's in all caps because it's cool to have things in all caps. I've had some critiquing because the name sounds too good; it's not random and silly enough for NSA Playset because it actually is a device that goes in a slot. I apologize. Again, I mentioned before I didn't do a lot of research or citation, but I was at Black Hat and I saw this awesome slide, which was from Stephen Weis talking about protecting data in-use from firmware and physical attacks, which is kind of what we're about to do. I figured I'd throw his slide in here. Thank you to all of these people for all the work they have done, because I wouldn't have done this if it wasn't done before me, including all the citations. So it's also really cool to go into someone else's talk and see my name on it. Whoo. This is my first time talking at DEF CON. (Applause)

>> It's Miles' first time, too. I'm glad we could have our first time together, Miles. (Applause)

>> A lot of people are playing with this, doing these PCI Express attacks, but a lot of them are using FPGAs. FPGAs are expensive and they're difficult and they're hard, and you have to download like 28 bytes of software to get them working. Who cares about that software stuff. So I looked around and found this cool little ASIC. It's from PLX Technology. It's a USB 3380; it's a PCI-to-USB bridge that works. It's a USB device port. You can plug it into your system and load drivers and make it look like a mass storage controller. You can configure this differently and make a PCI Express device work over USB. You can have an attached graphics adapter, right? Right? This is a block diagram: on one side you have PCI Express, on the other side you have USB. That's all there is to it. You know, every chip that is configurable is configurable in ways they didn't intend, so that's what I did. They have this PCI OUT endpoint. An endpoint is something that shows up from USB, so from USB -- I'm going really fast, aren't I? Am I going too fast? I apologize.

>> We have a lot of slides.

>> We're on 49 of 92. Okay. We're actually going a little fast. Let's slow down.

PCI OUT. Okay. It's actually good, because I thought we wouldn't have enough time, and I was going to tell them to go away. Since he came at the right time. How is it going?

>> Good.

>> What's all this?

>> We heard this track was going a little bit fast, so we thought we would mellow it out a bit. That's why we're here. How are they doing? (Cheers and applause)

>> I guess they really want you to slow down. The slides are a bit of an eye chart, although when you had the picture of the device up, the board, I got the detail on that.

>> All right. New speakers to DEF CON.

>> Cheers. (Applause)

>> I did that for all of you. Hold on.

Thank you. Can I continue now? PCI OUT endpoint. This shows up on the USB side of things, right? This is a packet format. We need to write a bunch of bytes over USB, so this guy actually fills out what's called a PCI master control register and the PCI master address register. What happens is when these registers get filled up, the chip, this guy, receives the data from the USB side. He takes it into his little hardware stuff. Don't worry about it, it's hardware. You guys wouldn't understand. And he generates a PCI Express packet, which goes out over PCI Express to the root complex; the root complex processes it, does whatever you want or whatever you told it to, and sends back a response. Once we enabled it -- so this comes out of the spec, sorry for the eye chart -- if we look down here we have this little endpoint enable bit. So you'd think something silly like this would be off by default. But look, actually, oh, Others = 1, it's on by default. How convenient. This makes sense, because if you look at the drivers for this device, the standard Linux drivers for USB gadgets, which let you use it as a device port so you can turn your computer into a mass storage controller, they have this little section where they explicitly disable these dedicated endpoints. And I think in another kernel version they have, like, "for security reasons, we need to disable these endpoints," which is great. I like it when I see things like that in documentation. I talked to PLX service engineers asking about this. "We don't do that. That's not what it's for. We can try it and see if it works." They didn't really say what would happen if I turned it on in this mode, but I heart undefined behavior. Is that sticker still on there? At least it's not on my shirt. Thank you, Mike, for the shirt. Anyway. So let's enable it. We're still not going too fast. I showed you the three registers here. If we look inside, this is the PCI master control register. Basically what we do is we need to write bits that will end up in here and do these things that it says, and with these bits 5 to 4, two bits, we can basically say: do a memory read or memory write, or an I/O read or I/O write, or a config read or config write, or a PCI Express message. Let me explain for a second what each of these are. Memory read/memory write is exactly that. PCI Express devices need to have memory mapped so they can read and write to buffers in main memory. So if we want to read some memory, we can do that. If we want to write to memory, we can do that. I/O read and write, really nobody uses this anymore, it's all legacy stuff, but we might as well try it because all of the legacy stuff wasn't tested as well as all of the new stuff. Configuration read and write, those are when we are actually directly accessing PCI Express devices. So when you enable things on the graphics card you do a configuration write to a bunch of registers on the card. That's what maps to the table of class codes and stuff Miles talked about briefly before. Another eye chart. This is all well and good, but we need to have this device just work. We want to plug it in a socket and have it do stuff. We don't want to deal with loading drivers, because who is going to load drivers for a fax machine? No one clicks on silly things, right? So we can modify the firmware. Basically there's a little chip on the PLX board -- where is my board? -- that will hold configuration data, and when the chip turns on and powers up, it will read this data and set the registers right. You think, okay, a lot of work put into this custom firmware that I made, I've been talking all about it, you think I did a lot of work? I'm lazy. It's these. How many bytes is that? That's it. That's the content of the EEPROM. To decode it for you, for those that speak xxd: basically I have two registers I wrote to. The first register, that 497000049, right, that's the content that gets written to a register, and I slap the bit to enable USB. When the device turns on, the first thing it does is enable USB. The second thing I do is this E414BC16. That's the vendor ID and device ID of the Broadcom Secure Digital card reader. Because it's a Secure Digital card reader, everyone trusts them. If I tell them I'm one of them, they'll turn everything on. They'll turn on bus master even if they don't need to. That's pretty much all that I did to configure this chip to make it do my bidding.

So let's attack the PCIe.

>> So as Joe said, who wants to load a driver? We have this whole category of target-side software where we have to make sure the target has all the stuff we need to get the attack rolling, but no, no, nothing. So on the attacker side, we actually do have some stuff. So what we do is use PyUSB, which is a nice Python library for interacting with devices over USB, to interact with the PCI endpoints on the SLOTSCREAMER, the USB 3380. So this is just a little snippet of code showing a dirty PCI memory read and write via PyUSB. At the top you see read, where we're actually making a packet to send, and you can see this 0xCF, and the F denotes the read, and down at the bottom here you see the 4F means that it's a write, and so now we have a demo.

>> Well, you --

>> So you do the whole switching of screens here.

Basically we have this little device here. It's a NUC; Intel makes them, they're tiny and they compute. We hook up this device to a little board. It's upside down.

>> Oh, no. It's still on my screen.

>> I stepped on the power strip. Your flaky power strip. I saw the light. There we go. I have to reboot my NUC. Luckily it boots fast. Oh. I'm sorry. Please. I won't step on it again. I promise. What time is it? 2:27. Are you ready? No. We need to unplug and replug it. That's not it. That is it. You just need to mirror your screens. I didn't recognize the picture. It's not my desktop. I never got around to changing the default desktop anyway. That's my fault. There you go. There we go. Patience, patience. So I'm using Python, and I'll stay away from the power strip. I'll step back from here. Can you see that? It's backwards, isn't it?

>> Yeah.

>> I'm sorry. It's a crypto challenge. So what I'm going to do is basically I wrote this little sample, init PCI, and I'm going to hit enter, and it actually worked. Whoohoo! So it initialized the link from this PC to the hacker's hack device over PCI. It found two endpoints, 0x0e and 0x0e out. Those actually line up to what I showed you on the chart before. I'm sure you all wrote those down. Then I'm going to read PCI, and so I give it an address and how many bytes to read, and right there I just get a whole bunch of -- it's Python software, you see, Fs and 0s and Bs and some strings and stuff. So yeah, I just read memory. This is off of this guy on PCI. Whoo. It's not the greatest demo, but you know, we're getting there. All right.

>> Okay. And so how many of you have heard of Inception, not the movie? That's a few.

There's a cool utility that Carsten wrote that exploits the DMA features of FireWire to basically patch some -- you might see here there are some selections that you can choose to target with signatures. So it can identify, based on the signatures, certain operating systems and inject code into it, bringing it up. For example, the OS X one makes all passwords nothing. So what we have instead of Inception, we have "into PCIe", which is an extension that we're --

>> It's an anagram.

>> I didn't know that. Yeah, so, we extended Inception to PCIe and we're still working on it. Ironing out bugs and that kind of thing, but that's the goal.

>> This is right from Carsten's documentation. What we're doing is hopping through memory and looking for the page that contains whatever authentication or password. You did a whole process up in the password: yes, you got it right, and no, you didn't, at the very end. It has a signature, which is listed as a chunk of memory data. It looks for that signature at a certain offset in every 4k page. So it doesn't matter if you have ASLR or anything; within a 4k page it always ends up in the same spot. Then you go and patch it, and the patch goes to an offset. Basically just change the jump to a nop or something like that. You bypass, so when you type in blah, blah, blah, enter, no matter what blah, blah, blah is, it lets you bypass the lock screen. (Applause)

>> We didn't do the work there. Other people have been doing the FireWire stuff for a long time. Don't clap. We just imported it into this PCI Express interface, which is great because you don't require drivers. FireWire requires that the host offers installed drivers, and you're supposed to talk about this later on.

>> So you see here the chunk, which is actually the signature that you're trying to look for to identify, in this case, OS X 2.9. So earlier this week Joe and I were in a hotel room taking dumps together. As you can see from this little highlighted into PCIe business and all of the SLOTSCREAMERs on the desk. I decided after taking all those dumps to do some stool analysis; you've heard of Volatility, it's a cool analysis framework. So this is the dmesg log of the attack straight off of the victim. You can see my solarized color scheme there. So at the top you can see the Thunderbolt first being recognized when plugged in, and then some PCI configuration going on. And I decided, hey, why not do more analysis, because the utility has all these nice scripts? This is just another dump. This is a Mac that we're dumping, apple dot something, something, something. And various other --

>> I was looking around for the files, and I found some of Miles' cookies in his dumps.

>> Here you can see, I don't know if it's major version or minor version, what it means, but I'm running 10.9.4.6 OS X. I had the perfect amount of memory, 4 gigs, on this machine, not for actually using things, because these kinds of attacks are a little limited, because PCIe is at 32-bit addresses and so we can't actually go over the 4 gig threshold. However, if you know what you're doing, 4 gigs is enough for our assessment.

>> You know what Thunderbolt is.

It's fun stuff. It's basically PCI Express out of your system. Kind of like that whole USB crap, but without the sketchy boards and stuff. When you have Thunderbolt, you have two chips, and this is straight from the Thunderbolt device programming guide: you have a chip inside your Macintosh and you have a chip on your device. The chip takes PCI Express in, DisplayPort in, and they crunch it together into some other physical layer, a really fast transport mechanism, and the other side extracts what it needs to, right? You can also even pass the stuff through. You can connect a DisplayPort to something else, daisy-chained along the end, or fun stuff like that. Of course, we tried to plug our device into a PCI Express Thunderbolt enclosure, and in line with the NSA Playset, we decided to give that a new name. So HALIBUTDUGOUT is the SLOTSCREAMER when inserted into a Thunderbolt enclosure. And you'll see the little logo for Great Scott Gadgets; he's awesome, he sent me a bunch of hardware when he heard what I was working on and that kind of motivated me to keep working on this. Thank you, Mike. So I'm forgetting what's next. In my mind there's a gap here. Again, we talk about DMA. People have shown off the DMA for a long time and they're inaccessible; they didn't give full disclosure on exactly how to do it all or the code for the FPGA or anything like that. So in line with the NSA Playset, there's a little page, click on there. We have all of the utilities and firmware available for you to download and do this yourself.

The hardware itself is this -- right now I'm using a reference board, and you don't even have to solder to make it work, right? You buy the reference board from a sketchy company in China, hwtools.net. I sent thousands of dollars and they sent me cards, and they're pretty reliable. And I've talked to their tech support a few times. They're pretty good with that. That's the device on there. It's got the chip on there. Instead of that, there's a little bit of hardware hacking. You have to find a jumper. Do you remember what jumpers are? You have to put it over the first set of pins to connect the EEPROM with that chip right there. And then you have to go and flash it yourself. We sold a bunch of these in the vendor area yesterday, all pre-flashed and ready to go, for all of you who want to go back to the undisclosed employers to show off what you learned at DEF CON. All the software is on the NSA Playset GitHub. We put it all up there. Did you make it all private? It will be up there very soon. But now that we've got all of you basically enabled to dump people's memories and check out their dumps and modify and do all that stuff, what could be done to fix this, right? Part of the NSA Playset mission is, like, okay, state actors have had this capability for a long time. Forensics has had this ability. Now that all of you have this ability, maybe they'll actually fix it. I started with an anti-Apple, anti-Thunderbolt slant to this, but it actually came out pretty good. In Linux, if you look for this Bus Master Enable bit, any device plugged into the system gets Bus Master Enable turned on. Welcome to the show. What memory would you like? There really isn't a software remediation for this, right? You can't just not load the FireWire drivers like you could with the regular Inception attack. You can use an IOMMU. Are you familiar with virtualization? How about virtualization of hardware?

Virtualization on the left: you just have software VMs that run code and interface with an abstraction layer. On the other side you've got -- whether you use VT-d or an IOMMU of some sort, where you can actually assign a device to a specific software VM, you can actually have two graphics cards plugged into your system, each running native drivers in a separate VM, and no one knows the difference. All that memory DMA access is remapped. If you configure VT-d right, like Apple does since 10.8.2 on Ivy Bridge, they actually configure VT-d, unless you change the boot argument and turn VT-d off, which is good for a demonstration. You can go and modify memory. Why those limitations? Why haven't they rolled them back to Ivy Bridge? Any system with Thunderbolt should have VT-d on to protect you against certain things. Any system that has an ExpressCard slot. Any system you leave anywhere you don't see, where someone can open it up and pop a card in. You should be careful. Your operating system vendor should be writing and providing this stuff by default. It's just important. Until then, what solution do we have? Abstinence, right. Miles, would you ever plug anything sketchy into your DisplayPort/Thunderbolt port?

>> Of course not.

>> What's plugged in there right now?

>> It's just a VGA cable.

>> Where does it go? What's this? Oh, oh.

>> Whoops.

>> I have the power cord out, too. We have five minutes. Okay. So yeah, yeah. Miles plugged in this little cable that looks pretty simple. It's like one of those stupid $30 Apple adapters. But actually, we look at the other end, and it's really just a Thunderbolt cable going to the Thunderbolt enclosure attached to an adapter. So this is how you could basically make one of these yourself. We call this ALLOYVIPER. We need a new name, because it's a cosmetic change to commercial products. So -- actually this one has a list price of 300,000, maybe a little less if you buy them in bulk. It's actually pretty pricey because one cable alone is 50 bucks. So you take one of these Thunderbolt cables and you go to RadioShack and get one of these modular telephone jacks and use these little metal thingies. Thank you. I can push buttons now. You can get heat shrink tubing, open everything up and thread your Thunderbolt cable through that. Close it up, get your heat shrink tubing, thread the Thunderbolt cable through that. Put the metal enclosure on the end, and that's pretty much it. You basically say here, I already got an adapter for you.

  • Thanks for presenting. My apology to Joe Grand. You were here last. My apology to Miles,

  • that dump I did was actually not your Nook. I didn't find any cookies in your dump, though.

  • And basically on the other end, you put a standard adapter, look, I'm using the laser

  • pointer on the screen. I apologize. Right here I can point at this one. Is this

  • better? This is a screen that was used on the corner and draws it on the projector. It's the

  • disclosure. Pay no attention to the man behind the curtain. When you plug this in, it defines the

  • display port to the adapter on the other end and It just passes it through. That's what we've

  • been presenting the whole time. That's why it stopped when I stepped on the power cable.

  • Sorry. I thought I almost blew the cover. So some acknowledgements, this is an

  • incomplete list. Thanks for all the NSA Playset Crew for working together on some awesome talks

  • and working together getting things up there and running. Carsten for his work on

  • inception again he built inception based on many many prior works before his. Again

  • Great Scott Gadgets, thank you motivating me to get it started. Thanks for Dean for telling me,

  • you haven't submitted that to DEF CON yet? I'm like oh I haven't done any work on it yet.

  • Just submit it. You'll get it done. Don't worry. Snare and Sam did a talk just last year using

  • FPGA board, which is basically the exact same thing as this, but you know. It's expensive.

  • And everyone else who I forgot to. And Miles for fixing my ugly software code. So any questions?

  • Applause  ) What's your question? (  Inaudible question  ) >> Did you have a question?

  • Yes? (  Inaudible question  ) >> I don't know anything about the mitigation in Windows 8.1. So

  • the questions are what mitigations are built into Windows 8.1. I don't know. I

  • haven't tried it yet. I haven't tried it with 8.1 before. You want an NSA Playset pin. I'm

  • sorry. >> Anybody that has questions can come to the microphone right here so

  • everybody can hear the question as well. Thank you. >> It doesn't matter what operating

  • system they're running or anything because you don't need any drivers? You just go ahead

  • and plug and play? >> Yeah. No drivers needed unless you've got to figure something out in those

  • Mac versions that we mentioned. >> Is it 4 gigs? Because why isn't it 2 gigs? >> Why 4 gigs?

  • PCIe has 32 bit DMA natively. That's just... >> Can you offset? >> You can offset it.

  • You need to change the DMA offset register which requires some device side drivers or

  • software. Again, you have access to the 40 bits of memory. You can do it with memory and a lot

  • of stuff there and inject whatever code you want and do fun stuff. >> Thanks for doing

  • this. >> We have time for two more questions. >> Did you look into USB DMA 3. >> It will

  • require drivers, though. >> I don't know. Most likely. I don't know. >> I'm more interested in

  • the  ‑ ‑ running the VMs with certain PCIe. Is the information you presented going to be up on

  • your website? >> I'm sorry. I can't really hear everything. >> I'm looking for the information

  • on building external PCIe connected to virtual machines. Have you discussed that a little

  • bit? >> Using the  ‑ ‑ >> Yes. >> Let me just make an announcement. Somebody dropped

  • their iPhone in this section. Everybody please check and make sure you have your iPhone on you

  • if you have such a device. >> I work in building a virtual machine connecting external

  • PCIe. The information you presented, will they be up on the website? >> I'm sorry. I

  • thought  ‑ ‑ I can't hear what you are saying. I'm sorry. Yeah. (  Inaudible question  ) >>

  • We'll talk offline. He wanted to know how to connect external devices to a virtual machine

  • with PCIe. I think we have one more moment. I guess not. No more questions? Okay. ( 

  • Applause  )
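The mitigation point in the talk (on Linux any plugged-in PCIe function gets its Bus Master enable bit set, and the only real remediation is DMA remapping through VT-d or another IOMMU) can be turned into a quick audit a defender runs on a laptop with Thunderbolt or ExpressCard. The script below is an added example written for this page; it is not code from the talk or from the NSA Playset repository. It parses `lspci -vvv` text for the `BusMaster+` flag on each function's `Control:` line, treats `intel_iommu=on`, `amd_iommu=on` or `iommu=force` on the kernel command line as an IOMMU request, and on a live system checks whether `/sys/kernel/iommu_groups` is populated. The embedded `lspci` output, vendor names and bus numbers are constructed so the example runs offline.

```python
"""Audit which PCI/PCIe functions have Bus Master (DMA) enabled and whether an
IOMMU looks active. Added example for this transcript, not NSA Playset code."""
import os
import re
import shutil
import subprocess

# Constructed `lspci -vvv` sample: two bus-mastering functions, one without.
# Vendor strings, device ids and bus numbers are made up.
SAMPLE_LSPCI = """\
00:1f.2 SATA controller: ExampleCo AHCI Controller (rev 04)
\tSubsystem: ExampleCo Device 1234
\tControl: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
\tStatus: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-

0a:00.0 Network controller: ExampleCo Ethernet Adapter (in Thunderbolt enclosure)
\tSubsystem: ExampleCo Device 5678
\tControl: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
\tStatus: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-

0b:00.0 Unassigned class [ff00]: ExampleCo Device 9abc
\tControl: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
"""

# Constructed kernel command line that does not ask for an IOMMU.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-example root=/dev/sda1 ro quiet"

# Matches "0a:00.0" or "0000:0a:00.0" followed by the class/description text.
HEADER_RE = re.compile(r"^((?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+(.*)$")


def parse_bus_master(lspci_text):
    """Map each function's BDF to its description and Bus Master state.

    Unindented lines start a new function; the indented 'Control:' line carries
    the command register flags, where 'BusMaster+' means the function may DMA.
    """
    devices = {}
    current = None
    for line in lspci_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            current = m.group(1) if m else None
            if current:
                devices[current] = {"desc": m.group(2), "bus_master": None}
            continue
        if current and line.strip().startswith("Control:"):
            devices[current]["bus_master"] = "BusMaster+" in line
    return devices


def iommu_requested(cmdline):
    """Heuristic: does the kernel command line ask for DMA remapping?"""
    tokens = set(cmdline.split())
    return bool(tokens & {"intel_iommu=on", "amd_iommu=on", "iommu=force"})


def iommu_active_sysfs(path="/sys/kernel/iommu_groups"):
    """On a live system, a populated iommu_groups directory means remapping is on."""
    return os.path.isdir(path) and bool(os.listdir(path))


def audit(lspci_text, cmdline, iommu_active=None):
    """Return the bus-mastering functions and whether an IOMMU protects them."""
    protected = iommu_requested(cmdline) if iommu_active is None else iommu_active
    devices = parse_bus_master(lspci_text)
    masters = sorted(b for b, d in devices.items() if d["bus_master"])
    return {"iommu": protected, "bus_master": masters, "devices": devices}


def report(result):
    """Human-readable summary that flags DMA-capable functions with no remapping."""
    lines = [f"IOMMU active/requested: {result['iommu']}"]
    for bdf in result["bus_master"]:
        tag = "remapped" if result["iommu"] else "UNREMAPPED DMA"
        lines.append(f"  {bdf}  {result['devices'][bdf]['desc']}  [{tag}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Use the real system when lspci and /proc/cmdline exist, else the sample.
    if shutil.which("lspci") and os.path.exists("/proc/cmdline"):
        text = subprocess.run(["lspci", "-vvv"], capture_output=True, text=True).stdout
        with open("/proc/cmdline") as f:
            cmdline = f.read()
        print(report(audit(text, cmdline, iommu_active=iommu_active_sysfs())))
    else:
        print(report(audit(SAMPLE_LSPCI, SAMPLE_CMDLINE)))
```

On the constructed sample the audit lists `00:1f.2` and `0a:00.0` as bus-mastering and, with no IOMMU parameter on the command line, marks both as unremapped; `0b:00.0` has `BusMaster-` and is left out. The command-line check is only a request heuristic (some kernels enable an IOMMU without any parameter), so the sysfs check is preferred when the script runs on a live machine.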
