Overview

This course introduces and explores attacks on several relatively accessible interfaces of x86 systems. Attendees get hands-on experience building and deploying a number of low-cost hardware devices that gain access, escalate privilege, and deceive the target, in some cases in ways that are imperceptible from software.

The course has several modules. Each begins with an architectural overview of an interface and continues with a series of labs for hands-on practice in understanding, observing, interacting with, and exploiting that interface, ending either with potentially exploitable crashes or directly with root shells.

Depending on allotted time, topic interest, and class pace, not all topics will be covered completely, but all materials are included for reference and individual practice.

Targets

This course targets an x86-based Windows tablet and an x86-based development board. Together they are representative of a wide range of x86 platforms spanning tablets, laptops, desktops, and servers. This course shares many concepts and tools with Applied Physical Attacks on Embedded Systems, but each course stands on its own; the embedded course is more relevant to consumer electronics, medical devices, industrial control hardware, and mobile devices.

Length

2-5 days

Audience

This course is geared toward pen testers, developers, and others with a security background who wish to learn how to take advantage of physical access to systems to assist and enable other attacks. No hardware or electrical background is required. Computer architecture knowledge and low-level programming experience are helpful but not required.

Format

20% lecture

70% lab

10% discussion

Outline

  1. USB
    • Background: USB Architecture
    • Lab 1: Mapping out USB
    • Lab 2: Sniffing and Parsing USB
    • Lab 3: Simple Attack via USB
    • Lab 4: Stealthy Attack via USB
    • Lab 5: Fuzzing USB
    • Lab 6: Advanced USB Fuzzing
  2. BIOS and SPI
    • Background: Early Boot and SPI interface
    • SPI Lab 1: Accessing UEFI and BIOS from Software
    • SPI Lab 2: Sniffing and Parsing SPI
    • SPI Lab 3: Dumping SPI from Hardware
    • SPI Lab 4: Basic UEFI Image Analysis
  3. SMBus
    • Background: Uses of SMBus in x86 systems
    • SMBus Lab 1: Mapping out SMBus or I2C
    • SMBus Lab 2: Sniffing and Parsing SMBus
    • SMBus Lab 3: Attacking SMBus as a Controller
    • SMBus Lab 4: Attacking SMBus as a Device
  4. PCIe
    • Background: PCIe Architecture and Topology
    • PCIe Lab 1: Mapping out PCIe from Software
    • PCIe Lab 2: Dumping and Analyzing Memory
    • PCIe Lab 3: Bypassing Authentication
    • PCIe Lab 4: Memory Acquisition
    • PCIe Lab 5: Kernel Implants
    • PCIe Lab 6: FPGA attack tools
    • PCIe Lab 7: Bypassing VT-d on OS X, 3 ways
    • PCIe Lab 8: Adapting PCIe Interfaces
    • PCIe Lab 9: Tinkering with PCIe Characteristics
    • PCIe Lab 10: Tinkering with PCIe TLPs
  5. JTAG
    • Background: JTAG History and Purpose
    • JTAG Lab 1: Hardware and Software Setup
    • JTAG Lab 2: Escalating Privilege via Kernel
    • JTAG Lab 3: Escalating Privilege via a Process
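The SPI module ends with basic UEFI image analysis of a flash dump taken from the chip in the preceding lab. The first step of that analysis is locating the firmware volumes inside the raw image. The following script is an added example, not course material: it finds EFI_FIRMWARE_VOLUME_HEADER structures by their "_FVH" signature (which sits at byte 40 of the header, after the 16-byte ZeroVector, the file-system GUID and the 64-bit FvLength), verifies the 16-bit header checksum, walks the block map, and reports each volume. The sample image, the attribute value and the decoy signature in the padding are constructed inline so the script runs offline; the header layout and the FFS2 GUID are from the UEFI PI specification.

```python
"""Locate and sanity-check UEFI firmware volumes in a raw SPI flash dump.

Added example for this course page (not course material). Assumes the
dump is a plain byte-for-byte image of the flash part, which is what a
hardware dump of the SPI chip produces.
"""
import struct
import uuid

FVH_SIGNATURE = b"_FVH"
FVH_SIG_OFFSET = 40   # ZeroVector[16] + FileSystemGuid[16] + FvLength[8]
FVH_FIXED_SIZE = 56   # header bytes before the variable-length block map
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def header_checksum16(data: bytes) -> int:
    """Sum of all little-endian uint16 words mod 2**16; a valid header sums to 0."""
    if len(data) % 2:
        raise ValueError("header length must be even")
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def parse_fv_header(image: bytes, off: int):
    """Parse the FV header at `off`; return a dict, or None if it does not validate."""
    if off < 0 or off + FVH_FIXED_SIZE > len(image):
        return None
    (zero, fs_guid, fv_len, sig, _attrs, hdr_len, _cksum,
     _ext_off, _rsvd, rev) = struct.unpack_from("<16s16sQ4sIHHHBB", image, off)
    if sig != FVH_SIGNATURE or hdr_len < FVH_FIXED_SIZE or off + hdr_len > len(image):
        return None
    if zero != b"\x00" * 16 or fv_len < hdr_len or off + fv_len > len(image):
        return None
    # Block map: (NumBlocks, Length) pairs terminated by (0, 0), all inside the header.
    blocks, pos = [], off + FVH_FIXED_SIZE
    while pos + 8 <= off + hdr_len:
        n, length = struct.unpack_from("<II", image, pos)
        pos += 8
        if n == 0 and length == 0:
            break
        blocks.append((n, length))
    else:
        return None  # block map never terminated inside the header
    return {
        "offset": off,
        "length": fv_len,
        "fs_guid": str(uuid.UUID(bytes_le=fs_guid)),
        "revision": rev,
        "header_checksum_ok": header_checksum16(image[off:off + hdr_len]) == 0,
        "block_map": blocks,
        "block_map_consistent": sum(n * l for n, l in blocks) == fv_len,
    }


def find_firmware_volumes(image: bytes):
    """Return every validated firmware volume header in the image, in file order."""
    found, pos = [], 0
    while True:
        pos = image.find(FVH_SIGNATURE, pos)
        if pos < 0:
            break
        hdr = parse_fv_header(image, pos - FVH_SIG_OFFSET)
        if hdr:
            found.append(hdr)
            pos += hdr["length"] - FVH_SIG_OFFSET  # skip the rest of this volume
        else:
            pos += 1  # stray "_FVH" bytes that are not a header
    return found


def build_fv_header(fv_len: int, block_len: int, fs_guid=FFS2_GUID) -> bytes:
    """Build a minimal valid FV header (one block-map entry) with a correct checksum."""
    n_blocks, rem = divmod(fv_len, block_len)
    if rem:
        raise ValueError("fv_len must be a multiple of block_len")
    hdr_len = FVH_FIXED_SIZE + 2 * 8  # one block-map entry plus the terminator

    def pack(cksum):
        return (struct.pack("<16s16sQ4sIHHHBB", b"\x00" * 16, fs_guid.bytes_le, fv_len,
                            FVH_SIGNATURE, 0x0004FEFF, hdr_len, cksum, 0, 0, 2)
                + struct.pack("<II", n_blocks, block_len) + struct.pack("<II", 0, 0))

    # Choose the Checksum field so the 16-bit word sum of the whole header is zero.
    cksum = (-header_checksum16(pack(0))) & 0xFFFF
    return pack(cksum)


# Constructed sample image: erased flash, one 64 KiB volume, more erased flash,
# then a decoy "_FVH" string that must be rejected.
SAMPLE_FV_LEN = 0x10000
SAMPLE_IMAGE = (
    b"\xff" * 0x1000
    + build_fv_header(SAMPLE_FV_LEN, 0x1000).ljust(SAMPLE_FV_LEN, b"\xff")
    + b"\xff" * 0x200
    + b"not a header _FVH"
    + b"\xff" * 0x100
)

if __name__ == "__main__":
    for fv in find_firmware_volumes(SAMPLE_IMAGE):
        print("FV @ 0x%08x len 0x%x guid %s rev %d checksum_ok=%s blocks=%s" % (
            fv["offset"], fv["length"], fv["fs_guid"], fv["revision"],
            fv["header_checksum_ok"], fv["block_map"]))
```

A volume whose header checksum fails, or whose block map does not add up to FvLength, is the first thing to look at in a dump: either the read was bad (re-dump and compare) or someone has modified the image without fixing up the header.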

Topics in development

  1. DRAM
    • Background: DRAM usage and physical constraints
    • DRAM Lab 1: Malicious SPD and Configuration
    • DRAM Lab 2: Rowhammer-style attacks
    • DRAM Lab 3: Low Cost Physical Acquisition
  2. SATA
    • Background: SATA Architecture
    • SATA Lab 1: Malicious Disk Firmware
    • SATA Lab 2: SATA MITM
    • SATA Lab 3: TBD