DEF CON 22 - Joe FitzPatrick和Miles Crabill - NSA Playset:PCIe (DEF CON 22 - Joe FitzPatrick and Miles Crabill - NSA Playset: PCIe)

Subtitles section Play video

A couple of guys are here. I want to stand in front of you and talk about the PCI express.
Joe and Miles, give them a round of applause. ( Applause ) >> Hey, how's it going? Ok, who
here went to Mike Osman's RF Reflectors NSA Playset Talk? Ok, who went to Josh Jatko and Teddy
Reed's ITC Implant Talk? Who went to Dean Anlooki's GSM talk? Okay. Who here bought any NSA
Playset kit from Vendor Village? You don't have to say if your employer sent you to buy one for
research purposes, you know. So this is Stupid PCIe Tricks featuring NSA Playset PCIe. It
didn't really start out as an NSA Playset talk, but it fights right in because this is a
capability that they've got to have. It's got to be on one of the pages rejected or missing.
I'm Joe Fitzpatrick. I have an electrical engineering education with focus on CS and Infosec. I
spent eight years doing security research, speed debut and tool development for CPUs including
hardware pen testing of CPUs and security training for functional validators worldwide. I also
teach a really cool class, software exploitation via hardware hacking, aka SEx via
HEx, so if any of you are interested, you should google look for that. It's somewhat
safe. It's work safe. And our mandatory meeting, "if Joe Fitz, he sitz". If you missed the hot
tub at Tour Camp, you should go next time. It runs in two years. >> I'm Miles Crabill, I'm a
current student and hardware Newbie, but interested in computer science and met up with
Joe last year and have been working with him on the last couple months on this NSA
Playset PCIe stuff. I didn't come in with much hardware experience SP and I've pretty
much been learning as I went. It's been a great time. So I couldn't show this, of course.
>> Miles has been great because he makes it all look presentable. I'm a hardware guy
and not a coder. So a slight disclaimer, I didn't do really good research, I didn't cite a
lot of people, but there are tons of people who have done PCIe work and other stuff so,
the difference is in line with the NSA Playset goals, we try to make it accessible and
inexpensive. We want any 10 years olds to start doing DAM attacks and memory jumps and
lock screen bypasses. Miles will give us the run-down of what the heck is PCIe, because even
though you might know it, you may not know the next layer in detail. >> Okay. So what is
PCIe? Well, the answer is that PCIe is PCI extending on this old specification. It's been
around forever. It's for fast IO, right? If you have a video card or something like that,
network card, sound card, anything really that goes in an extension, it'll probably on
your motherboard, whether you're on a laptop, desktop, most modern computers use PCI and so
this is how you get fast stuff going on the hardware level. So there are also things that don't
match up. As you see here, they don't look exactly the same. However, PCIe is backwards
compatible with PCI and PTIX. On the lower level you have packets that are being transmitted
across lanes, and so a lane is four wires. When you see on a PCI card something like XX 4 or
X 16, that's the number of lanes and it corresponds to throughput, so the amount of
data you're able to transfer. Most video use X 16, because they're transferring a lot of
data. PCI enables DAM access. So PCI hierarchy. The root complex is the highest node in the
hierarchy and pretty much everything else descends from there. You see the switch
connected to the root complex, and PCI devices will connect to the switch and other PCI devices
can be connected to other PCI devices so you get a whole mess when you try underwriting this
stuff. So switching. This is the inside of the switch. From the upstream you have the bus, and
then you have these virtual PCI to PCI bridges, and then these actually interface with the real
devices that you have connected, the real PCI devices. So the layers of PCI building up from
the bottom, you have RxTX on the physical layer of things, the logical side and electrical side
data and then up to the transaction where you're actually working with packets. I
don't know how well you can see this, but this is the actual PCI spec stuff in the top like
device I.D. and vendor I.D. is how you would identify a device. So diving into that we have
LSPCI output, just checking out a specific device. You can see this highlighted area is the
vendor I.D. of a device, and so you can see this highlighted area is the vendor ID of the
device and so this is how you would check the manufacturer. They all have codes associated
and then this would be the device I.D. so this is like per a specific product or family of
products. Then the revision, so you can see that all of this is just right in these bytes that
you can access through LSPCI. And this is your class. Device class. Yes. So you can see that
this is a PCI bridge that's 0604. It's just the code that's assigned to this type of device.
And so enumeration, as I said before, it gets pretty messy because it's depth first,
traversal of the tree hierarchy and everything like switches and PCI‑ to‑ PCI bridges show up
multiple times. And so any kind of LSPCI VD output is just a headache to look out. It's huge.
So ‑ ‑ >> Okay. I'm back on. Routing PCIe. So we talked a little bit about what PCIe is
from a conceptual level. The fundamental difference is PCI was 32 bits in parallel, a big
flat parallel bus with multiple devices sitting on it. PCI express is this high‑ speed
serial with differential signaling. When you route high‑ speed signaling and high speed
differential signals you have some rules to follow, okay? If you wanted to make your own PCI
express device, you have to follow the step by step complicated mandatory and
inflexible rules to routing PCIE. For every single one of these. Number one, route your
pairs at roughly equal length. That's pretty much it. They made this spec to make it easier for
designing boards, because routing 32 lines in parallel along with the cloth, they have
to be equal lengths. That's a pain in the ass. They said ok, we'll do each pair on it's own,
TX pair and RX pair, and as long as each pair is the same length, the next line over can be a
different length, the next line over can be a different length, which works well when you have a
long card. It doesn't matter. All of that is taken care of by the physical layer of the PCIE.
There's some specs, right? You have to have board traces and 12 inches or less, cards are
supposed to be 13 1/2 total. 2 chips on one board supposed to be 15 inches. And if you follow
the rules, your board might work. If you don't follow these rules, it might still work. So
PCI express 1 X, the lowest common denominator, is 2.5GHz TX, 2.5GHz RX and 100MHz Clock.
That is a common clock and that's actually optional. The device can actually generate
it's own clock. It depends on the system and device. You can do it with the clock. But we'll
throw it in there, just for, you know, because we have room. If we wanted to make a table to
connect this, what do we need? We need something that can do high‑ speed, and PCI express
specifies actually like external cabling and it's really expensive. I don't like
expensive things, because I'm cheap. This is a cross‑ section of the USB 3 cable. If you look
inside, you've got the red and the black are ground to BCC, and the green and white are your old
school USB, USB 2.0 wires, right? Those are designed go up to 240 megabytes, right? That's
what USB megabyte was and that's plenty to carry our clock. You have the two level pockets, the
red, blue, and the purple and orange and those hold the high speed lanes and those go at 5
gigahertz. Right? So we have this cable we can get them for a couple of bucks at pretty much
any store and they carry exactly what they need, they carry 5 gigahertz, 5GHz and 500MHz.
That's actually more than we need. I threw together this little PCB. It looks like a PCIe
card. There's a dotted line in a middle. That's because I'm cheap again. And you can get a 5x5 cm
board for one price and I wanted two boards, but I didn't want to have to pay for two boards, so I
put them on the same board. Cut them in half if you want or use as is. You can see those red and
blue lines those are the top and bottom layers where I just connect the wires together and I
actually did a really bad job of this. You can do your own production stuff, do your own.
You can actually buy these premade from several manufacturers on eBay and all
express and other places in China, but that's no fun. So I made my own. This is what the
board looks like, and I have the cool silk solder mask, silver lettering because that's really
important when you make PCB to have your logo on there. I call it PEXternalizer. There's the
board cut in half at the other end and assembled on the populated board. They're a 1X
PCI express socket up there and the end looks kind of mundged up and molten, that's because I
just got my soldering iron and ran through that to open it up so I could put a 16 X card in.
Here's a quick screen shot basically. This PCI express wireless adapter in, and it's
connected and running, and I can connect to wireless networks. That's all well and good, but
that's old news. What else can we do? What devices can we add PCI express to that don't
generally have it? Have you seen this? Intel Galileo. It's an arduino board, but it actually
has a mini PCIe board on the back. What can you do with that? It's supposed to only work with
WiFi adapters, but that's no fun. Anybody can put a WiFi adapter in an arduino. Yeah,
make light flash. Oh, I'm not wearing that shirt. Oops. Makers make lights flahs. Hackers make
other people's lights flash. I made another version of the board, a mini‑ PCIE version.
I'll show you pictures. We'll look over. I'll actually show you. Oh, whoa. So we've got here
a nice ‑ ‑ oh, there. It's upside graphics card backwards. We've got our Intel Galileo and
flip on the other side we have the mini PCIe card with the USB header. Again it's USB header
it's just USB header and cable because they're cheap. On the other end I have the populated
thingy‑ do which has a little power regulator on the end. We don't have the power supply and
cables and extra VGA to hook it up and show you, but basically we plug ‑ ‑ stay still. I'm
looking at the screen. Whoo! Anybody sick yet? Pop it in the slot. >> Oh, gosh. >> There we
go. So you got that, right? You got it. There we go. You have more than 12 inches. Yeah. Do
you think it still works? Yeah, it still works. And so here's a screen shot. Whoa, here we go.
Actually when we tried it out, we used a bigger graphics card because bigger is better, right?
So wired them up PCIe that tiny Arduino and that nice big burly graphics card hovering over it
and if we hook it and we look, I had to do a little bit of custom building of that, which is
annoying because of the software and I hate software. If you do all this PCIe, same tools as
before. It's on the Galileo board already. You see a whole bunch of 8086, 8086, 8086.
Anybody knows who vendor I.D. that is? All the way down at the bottom is the 10de. Who do you
think that might be? Invideos. So, ya know. Sneak it in there and put it Invidy with Intel in
bed a little longer. Here we go. I hooked you up to my full HD display, to say, hey, I have X
running. There's no keyboard input or anything like that, but at this point it's a software
problem and I'm a hardware guy. It's someone else's problem, right? So let's move on. The
other device I played around with, and I don't have it here to show off is not fully working
yet. This is a Pogoplug. It's a network storage device. It has an Ethernet port and USB port
and you plug it in. It shares it with the whole world. It doesn't tell you about that part. If we
look at two versions of the PCE, the cheap and expensive one. The big difference in the upper left
corner is an extra chip that's a USB‑ 3 chip. You want USB 3 on your very slow network storage
device. The way it's connected is PCI express. If you see on this one, the purple wires on
the left hand side, those are my PCI express lanes. I have TX and Rx pairs and then I've got a
clock line. He took it with my phone through my magnifying glass, but you see on the left
we have a couple tiny little resistors that have it over it. Can you see it? You can't? Oh,
no. You can. So you see right there, there's a couple resistors because the resistance
loaders, you have to put on the clock lines, and over here's they're still very small, but
you see that little brown spot right there and there? Those are capacitors that are soldered to
the tip of USB connector and then the wire is soldered to the other edges side. It looks
pretty fancy. But a year and a half ago I sucked at soldering and still do. You find a friend
who can do it. Thanks, Kenny. He's not here, but you know. Those of you who know Kenny, he
does good work. Again, that goes out to a USB connector, which is the same Pen out as this chain
again. So my plan there is to get it working and see if I can compile those drivers for ARM
instead. So introducing SLOTSCREAMER. This is where we get into the NSA Playset side of
things. It reset our timer. Oh, its 2:16. We're good. Introducing SLOTSCREAMER, its in
all CAPS because it's cool to have things in all CAPS. I've had some critiquing because the
name sounds too good, it's not random and silly enough for NSA Playset because it actually is a
device that goes in a slot. I apologize. Again, I mentioned before I didn't do a lot of
research or citation, but I was at Black Hat and I saw this awesome slide which was from
Steven Weiss talking about protecting date in-use from firmware and physical attacks,
which is kind of what we're about to do. I figured I'd throw his slide in here. Thank you to
all of these people for all the work they have done, because I wouldn't have done this if it
wasn't done before me including all the citations. So it's also really cool to go into someone
else's talk and see my name on it. Whoo. This is my first time talking at DEF CON. ( Applause
) >> It's Miles' first time, too. I'm glad we could have our first time together Miles. (
Applause ) >> A lot of people are playing with this doing these PCI Express attacks, but a
lot of them are using FPGAs. FPGAs are expensive and they're difficult and they're hard and
you have to download like 28 bytes of software to get them working. Which who cares about
that software stuff. So I looked around and found this cool it'll ASIC. It's a PLX technology.
It's a USB 3380 its aPCI‑ to‑ USB bridge that works. It's a USB device port. You can plug it
into your system and load drivers and make it look like a mass storage control. You can
use this configure differently and make a PCI express device work over the USB. You can have
an attached graphics adapter, right? Right? This is a block diagram, one side you have PCI
Express, the other side you have USB. That's all there is to it. You know, every chip that is
configurable is configurable in ways they didn't intend, so that's what I did. They have
this PCI out end point. An endpoint is something that shows up from USB, so from USB ‑ ‑
I'm going really fast, aren't I? Am I going too fast? I apologize. >> We have a lot of
slides. >> We're on 49 of 92. Okay. We're actually going a little fast. Let's slow down.
PCI out. Okay. It's actually good, because I thought we wouldn't have enough time, and I
was going to tell them to go away. Since he came at the right time. How is it going? >> Good.
>> What's all this? >> We heard this track was going a little bit fast, so we thought we would
mellow it out a bit. That's why we're here. How are they doing? ( Cheers and applause ) >> I
guess they really want you to slow down. The slides are a bit of an eye‑chart, although when
you had the picture of the device up, the board. I got the detail on that. >> All right.
New speakers to DEF CON. >> Cheers. ( Applause ) >> I did that for all of you. Hold on.
Thank you. Can I continue now? PCI out end point. This shows up on the USB side of things,
right? This is a packet format. We need to write a bunch of bytes for USB so this guy and
actually fills out what's called a PCI master control register and the PCI master address
register. What happens is when these registers get filled up, the chip, this guy, receives the
data from the USB side. He takes it into his little hardware stuff. Don't worry about it,
it's hardware. You guys wouldn't understand and he generates a PCI Express packet. Which goes
out over PCI Express to the root complex, the root complex processes it, does whatever you
want or whatever you told it to and sends back a response. Once we enabled it, so this comes out
of the spec, sorry for the eye chart, if we look down here we have this little end point
enabled bit. So you think something silly like this would be off by default. But look
actually oh, Others = 1, it's on by default. How convenient. This makes sense because if you look
at the drivers for this device, the standard Linux drivers for USB gadget events, which lets
you use it as a device port so you can turn your computer into a mass storage controller, they
have this little section where they explicitly disabled these dedicated end points. And I
think in another kernel version they have like, for security reasons, we need to disable
these end points, which is great. I like when I see things like that in documentation. I
talked to PLX service engineers asking about this. We don't do that. That's not what it's for.
We can try it and see if it works. Didn't really say what would happen if I turned it on
in this mode, but I heart undefined behavior. Is that sticker still on there? At least
it's not on my shirt. Thank you, Mike, for the shirt. Anyway. So let's enable it. We're still not
going too fast. I showed you the three registers here. If we look inside, this is the PCI master
control register. Basically what we do is we need to write bits that will end up in here and do
these things that it says and this bits 5 to 4 two bits, we can basically say, do a memory
read and memory write, or an IO read, an IO write or conf read or config write, or PCI express
message. Let me explain for a second what each of these are. Memory read/memory write is
exactly that. PCI express devices need to have the memory maps so they can read and write
to buffers in the main memory. So if you want to read some memory, we can do that. If we
want to write to memory, and we can do that. IO read and write, really nobody uses this anymore,
it's all legacy stuff, but we might as well try it because all of the Legacy stuff wasn't
tested as well as all of the new stuff. Configuration read and write, those are when we are
actually directly accessing PCI Express devices. So when you enable things on the graphic
cards you do a configuration write to a bunch of registers on the card. That's what maps to
the table of class codes and stuff Miles talked about briefly before. Another eye chart. This
is all well and good, but we need to have this device just work. We want to plug it in a
socket and have it do stuff. We don't want it to deal with loading drivers, because who is
going to load drivers to a fax machine? No one clicks on silly things, right? So we can modify
the firmware. Basically there's a little chip on the POX board. Where is my board? That will
hold configuration data, and when the chip turns on and powers up, it will read this
data and set the registers right. You think, okay, a lot of work put into this custom
firmware that I made, I've been talking all about it, you think I did a lot of work? I'm lazy.
It's these. How many bytes is that? That's it. That's the content of the E prompt. To
decode it for you to those that speak XXD. Basically I have two registers I wrote to. The first
register that 497000049, right, that's the content of the what ports to a register and I slap
the bit to enable USB. When the device turns on, first thing it does is enable USB. Second thing
I do is this E414BC16. That's the vendor ID and device I.D. of the Broadcom secured digital
card reader. Because it's a secured digital card readers everyone trusts them. If I tell
them I'm one of them, they'll turn everything on. They'll turn on bus master even if they don't
need to. That's pretty much all that I did to configure this chip to make it do my bidding.
So let's attack the PCIe. >> So as Joe said, who wants to load a driver? We have this whole
category of target side software where we have to make sure the target has all the stuff we need
to get the attack roll, but no, no, nothing. So on the attacker side, we actually do have some
stuff. So what we do is use high USB, which is a nice Python library for interacting with
devices over USB to interact with the PCI end points on the swat screen, the USB 3380. So
this is just a little snippet of code showing a dirty PCI memory read and write by PyUSB. At the
top you see read where we're actually making a packet to send and you can see this OXCF and
the F denotes the read, and down at the bottom here you see the 4F means that it's a write and
so now we have a demo. >> Well you ‑ ‑ >> So you do the whole switches of screens here.
Basically we have this little device here. It's a Nook Intel makes them, they're tiny and
they compute. We hook up this device to a little board. It's upside‑ down. >> Oh, no. It's
still on my screen. >> I stepped on the power strip. You're flaky power strip. I saw the light.
There we go. I have to reboot my Nook. Luckily it boots fast. Oh. I'm sorry. Please. I won't step
on it again. I promise. What time is it? 2:27. Are you ready in no. We need to unplug and
play it. That's not it. That is it. You just need to mirror your screens. I didn't recognize the
picture. It's not my desktop. I never got around to changing the default desktop anyway. That's
my fault. There you go. There we go. Patience, patience. So I'm using Python, and I'll stay away
from the power strip. I'll step back from here. Can you see that? It's backwards, isn't it?
>> Yeah. >> I'm sorry. It's a crypto challenge. So what I'm going to do is basically I wrote
this little sampler in init PCI and I'm going to hit enter and it actually worked. Whoohoo! So
it initialized the link from this PC to the hacker's hack device over PCI. It found two
endpoints 0x0e and 0x0e out. Those actually line up to what I showed you on the chart before.
I'm sure you all wrote those down. Then I'm going to read PCI and so I give it an address and
how many byes to read and right there and I just get a whole bunch of, it's Python software
you see, Fs and 0s and Bs and some strings and stuff. So yeah I just read memory. This is off
of this guy on PCI. Whoo. It's not the greatest demo, but you know, we're getting there. All
right. >> Okay. And so how many of you have heard of inception, not the movie? That's a few.
There's a cool utility that Carston wrote that exploits the DNA features of fire wire to
basically patch some ‑ ‑ you might see here there's some selections that you can choose
to target with signatures. So it can identify based on the signatures certain operating
systems and inject code into it bringing it up. For example the OSX one makes all passwords
nothing. So what we have instead of inception, we have into PCIe, which is an extension that
we're ‑ ‑ >> It's an anagram. >> I didn't know that. Yeah, so, we extended inception to PCIE
and we're still working on it. Ironing out bugs and that kind of thing, but that's the goal.
>> This is right from Carson's documentation. What we're doing is hopping through memory and
looking for the page that contains whatever authentication or password. You did a whole
process up in the password. Yes, you got it right and no you didn't at the very end. It has a
signature, which is listed as a chunk of memory data. It looks for that signature at a certain
offset in every 4k page. So it doesn't matter if you have ASLR or anything within a 4k page it
always ends up the same spot. Then you go and patch it, and the patch goes to offset.
Basically just change the jump to an up or something like that. You bypass, so when you type in
blah, blah, blah enter, no matter what blah, blah, blah is it lets you bypass the locked
screen. ( Applause ) >> We didn't do the work there. Other people have been doing the
Spyware stuff for a long time. Don't clap. We just imported into this PCI Express interface,
which is great because you don't require drivers. Firewire require that the host offers
install drivers, and you're supposed to talk about this later on. >> So you see here the
chunk, which is actually the signature that you're trying to look for to identify in this
case OS X 2.9. So earlier this week Joe and I were in a hotel room taking dumps together. As
you can see from this little highlighted into PCIe business and all of the SLOTSCREAMERS on
the desk. I decided after taking all those dumps, Jason stool analysis, you've heard of
volatility is a cool analysis framework, so this is the demessage log of the attack
straight off of the victim. You can see my solarized color scheme there. So at the top you
can see the thunderbolt first being recognized when plugged in, and then some PCI
configuration going on. And I decided, hey SHTHS why not do more analysis because the
utility has all these nice scripts? This is just another dump. This is a MAC that we're
dumping apple dot something, something, something. And various other ‑ ‑ >> I was
looking around for the files, and I find some of Miles' cookies in his dumps . >> Here
you can see, I don't know if its major version or minor version what it means, but I'm running
10.9.4.6 OS X. I had the perfect amount of memory, 4 gigs, on this machine not for not
actually using things because these kind of attacks are a little limited because of PCIe
is at 32 bit addresses and so we can't actually go over the 4 gig over the threshold. However, if
you know what you're doing, 4 gigs is for our assessment. >> You know what thunderbolt is.
It's fun stuff. It's basically PCI Express out of your system. Kind of that whole USB crap, but
without the sketching boards and stuff. When you have Thunderbolt, you have two chips,
and it's straight from the thunderbolt device programming guide, and you have a chip
inside your Macintosh and you have a chip on your device. The chip takes PCI Express in
display port in and they crunch it together into some other physical layer really fast to
transport mechanism, and the other side extracts what it needs to, right? You can also
even pass the stuff through. You can connect a display port to something else, daisy chained
along the end or fun stuff like that. Of course, we try to plug our device into the PCI express
thunderbolt enclosure, and in line with the NSA Playset, we decided to give that a new name.
So HALIBUTDUGOUT is the slotscreamer when inserted into a thunderbolt enclosure. And
you'll see the little logo for Great Scott Gadgets, he's awesome, he sent me a bunch of
hardware when he heard what I was working on and that kind of motivated me to keep working on
this. Thank you, Mike. So I'm forgetting what's next. In my mind there's a gap here. Again,
we talk about DMI. People have showed off the DMI for a long time and they're inaccessible
they didn't give full disclosure on exactly how to do it all or the code for the FPJ or anything
like that. So in line with the NSA Playset, there's a little page, click on there. We have
all of the utilities and firmware available for you to download and do this yourself.
The hardware itself is this ‑ ‑ right now I'm using a reference board, and you don't even have
to solder to make it work, right? You buy the reference board from a sketchy company in
China, H.W. tools.net. I sent thousands of dollars and they sent me cards and they're pretty
reliable. And I've talked to their tech support a few times. They're pretty good with that.
That's a device on there. Its got the chip on there. Instead of that, there's a little bit of
hardware hacking. You have to find a jumper. Do you remember what jumpers are? You have to
put it over the first set of pins to connect the E prong with that chip right there. And then
you have to go and flash it yourself. We sold a bunch of these in the vendor area
yesterday all preflashed and ready to go for all of you wants to go back to the undisclosed
employers to show off what you learned at DEF CON. All the software is on the NSA play set
get DAIB hub. We put it all up there, did you make it all private? It will be up there
very soon, but now that we've got all of you basically enabled to dump people's memories and
check out their dumps and modify and do all that stuff, what could be done to fix this,
right? Part of the NSA Playset mission is like ok state actor has had this capability for a
long time. Forensics has had this ability. Now that all of you have this ability, maybe
they'll actually fix it. I started with an anti‑ Apple, anti‑ Thunderbolt slant to this,
but it actually came out pretty good. In Linux, if you look for this Bus Master enable bit, any
device plug in the system gets Bus Master enabled turned on. Welcome to the show. What memory
would you like? There really isn't a software remediation for this, right? You can't just not
load the Fire wire drivers like you could with the regular inception attack. You can use an
IOMMU. Are you familiar with virtualization? How about virtualization of hardware?
Virtualization on the left, you just have software VMs that run a code and interfaced with an
extraction layer. On the other side you've got ‑ ‑ whether you use BTD or an IOMMU of some
sort, where you can actually assign a device to a specific software VM, you can actually
have two graphic cards plugged into your system, each running native drivers in a separate VM
and no one knows the difference. All that memory DMA access is remapped. If you configure a BTD
write like Apple does 10.8.2 on IP version they actually configure BT later, unless you
change the argument and turn BT off, which is good for a demonstration. You can go and
modify memory. Why those limitations? Why haven't they rolled them back to IP bridge?
Any system with thunderbolts should have BTD on to protect you against certain things. Any
system that has an express card. Any system you leave anywhere you don't see that someone can
open it up and pop a card in. You should be careful. Your operating system vendor should
be writing and providing this stuff by default. It's just important. Until then what
solution do we have? Abstinence, right. Miles would ever plug into sketchy into your display
port/Thunderbolt port? >> Of course not. >> What's plugged in there right now? >> It's just a
VGA cable. >> Where does it go? What's this? Oh, oh. >> Whoops. >> I have the power cord out,
too. We have five minutes. Okay. So yeah, yeah. Miles plugged in this little cable that looks
pretty simple. It's like one of those stupid $30 Apple adapters. But actually we look at the
other end and its really just a thunderbolt cable going to the thunderbolt enclosure attached
to an adapter. So this is how you could basically one of these yourself. We call this
ALLOYVIPER. We need a new name, because it's a cosmetic change to commercial products. So ‑ ‑
actually this one has a list price of 300,000, maybe a little less if you buy them in bulk.
It's actally pretty pricey because one cable alone is 50 bucks. So you take one of these
Thunderbolt cables and you go to radio shack and GED get one of these module telephone Jack and
use these little metal thingies. Thank you. I can push buttons now. You can get heat shrink
tubing, open everything up and thread your thunderbolt cable through that. Close it up, get
your heat shrink tubing, thread the Thunderbolt cable through that. Put the metal enclosure on
the end, and that's pretty much it. You basically say here, I already got an adapter for you.
Thanks for presenting. My apology to Joe Grand. You were here last. My apology to Miles,
that dump I did was actually not your Nook. I didn't find any cookies in your dump, though.
And basically on the other end, you put a standard adapter, look, I'm using the laser
pointer on the screen. I apologize. Right here I can point at this one. Is this
better? This is a screen that was used on the corner and draws it on the projector. It's the
disclosure. Pay no attention to the man behind the curtain. When you plug this in, it defines the
display port to the adapter on the other end and It just passes it through. That's what we've
been presenting the whole time. That's why it stopped when I stepped on the power cable.
Sorry. I thought I almost blew the cover. So some acknowledgements, this is an
incomplete list. Thanks for all the NSA Playset Crew for working together on some awesome talks
and working together getting things up there and running. Carsten for his work on
inception again he built inception based on many many prior works before his. Again
Great Scott Gadgets, thank you motivating me to get it started. Thanks for Dean for telling me,
you haven't submitted that to DEF CON yet? I'm like oh I haven't done any work on it yet.
Just submit it. You'll get it done. Don't worry. Snare and Sam did a talk just last year using
FPGA board, which is basically the exact same thing as this, but you know. It's expensive.
And everyone else who I forgot to. And Miles for fixing my ugly software code. So any questions?
( Applause ) What's your question? ( Inaudible question ) >> Did you have a question?
Yes? ( Inaudible question ) >> I don't know anything about the mitigation in Windows 8.1. So
the questions are what mitigations are built into Windows 8.1. I don't know. I
haven't tried it yet. I haven't tried it with 8.1 before. You want an NSA Playset pin. I'm
sorry. >> Anybody that has questions can come to the microphone right here so
everybody can hear the question as well. Thank you. >> It doesn't matter what operating
system they're running or anything because you don't need any drivers? You just go ahead
and plug and play? >> Yeah. No drivers needed unless you've got to figure something out in those
Mac versions that we mentioned. >> Is it 4 gigs? Because why isn't it 2 gigs? >> Why 4 gigs?
PCIe has 32 bit DMA natively. That's just... >> Can you offset? >> You can offset it.
You need to change the DMA offset register which requires some device side drivers or
software. Again, you have access to the 40 bits of memory. You can do it with memory and a lot
of stuff there and inject whatever code you want and do fun stuff. >> Thanks for doing
this. >> We have time for two more questions. >> Did you look into USB DMA 3. >> It will
require drivers, though. >> I don't know. Most likely. I don't know. >> I'm more interested in
the ‑ ‑ running the VMs with certain PCIe. Is the information you presented going to be up on
your website? >> I'm sorry. I can't really hear everything. >> I'm looking for the information
on building external PCIe connected to virtual machines. Have you discussed that a little
bit? >> Using the ‑ ‑ >> Yes. >> Let me just make an announcement. Somebody dropped
their iPhone in this section. Everybody please check and make sure you have your iPhone on you
if you have such a device. >> I work in building a virtual machine connecting external
PCIe. The information you presented, will they be up on the website? >> I'm sorry. I
thought ‑ ‑ I can't hear what you are saying. I'm sorry. Yeah. ( Inaudible question ) >>
We'll talk offline. He wanted to know how to connect external devices to a virtual machine
with PCIe. I think we have one more moment. I guess not. No more questions? Okay. (
Applause )