Black Hat Sessions XII
If you wish to reuse the content of this presentation, we ask, in the context of copyright protection, that you apply the correct source attribution.
17 June 2014 | De Reehorst in Ede
INTELLIGENCE SERVICES | ESPIONAGE | PRIVACY
ORGANISED BY MADISON GURKHA
www.blackhatsessions.com
Your Security is Our Business
Spies and secure boot
Job de Haas
Riscure Security Lab
Who am I …
Job de Haas
• Principal Security Analyst at Riscure
• Testing security on: Set-top-boxes, mobile phones, smart
cards, payment terminals, ADSL routers, VoIP modems,
smart meters, airbag controllers, USB tokens, …
• Before: Pentesting network security (since 1991)
Riscure
• Services: Security Test Lab
• Product: Side Channel Tools
• Full range testing: detailed hardware to
white-box crypto and obfuscation
Black Hat
Sessions XII
2
Overview
• How we protect personal data (this section)
• How we trust our systems
• How the evil maid beats us
• The end
Where is our data?
Username & password
Mobile users need speed!
Patterns are easier to remember
Challenge response
Also mobile
Bypass!!
Encryption is better
Real encryption please!
Phone encryption
Full disk encryption
Overview
• How we protect personal data
• How we trust our systems (this section)
• How the evil maid beats us
• The end
It’s mine!
Was it tampered with?
Was it tampered with?
Secure boot!
Wikipedia:
In computing, booting (or booting up) is the initialization of
a computerized system.
Also called: Trusted boot or Verified boot
Purpose:
To start a system such that it can be trusted not to be
tampered with.
Secure boot everywhere
Secure boot theory
Chain of trust (each stage verifies the next before handing over control):
Internal boot ROM (holds the root KEY)
→ 1st stage boot loader: verify signature, optional decrypt
→ Nth stage boot loader: verify signature, optional decrypt
→ Application: verify signature, optional decrypt
• Root key internal
• Chain of trust
Secure boot challenges
(Same chain diagram: internal boot ROM with KEY → 1st stage boot loader, verify signature, optional decrypt)
• Who owns the key?
• How to update code?
• How to protect the ROM?
Alternative: TPM
• Trusted Platform Module
• Forward measurements
TPM
PCR: Platform Configuration Registers
CRTM: Core Root of Trust for Measurement
UEFI
Unified Extensible Firmware Interface
Replacement of legacy BIOS
Advantages (Wikipedia)
▪ ability to boot from large disks (over 2 TB) with a GUID
Partition Table (GPT)
▪ CPU-independent architecture
▪ CPU-independent drivers
▪ flexible pre-OS environment, including network capability
▪ modular design
Introduces Secure Boot + TPM
Our data is secure
• We protect our data with encryption and passcodes
• We trust our devices with secure boot and TPM
All is well!!!
Overview
• How we protect personal data
• How we trust our systems
• How the evil maid beats us (this section)
• The end
How can this be?
• Why would an evil maid want my stuff?
  → Attacker modelling
• What can she do, my device is trusted!
  → Breaking trust
• How can she get it, it is encrypted!
  → Stealing the key
Attacker modelling
• Access
▪ Remote
▪ Physical
• Time
▪ Minutes
▪ Hours
• Skills
▪ Script kiddie
▪ Professional
▪ State
• Equipment
▪ Screwdriver
▪ Custom mod chips
Grugq: attacker or target?
Hotel safe before
After…
Challenge
What can you do
▪ With physical access
▪ In 1 hour
▪ With professional skills
▪ Using tools for mainstream products
Stealing the key
Recipe for stealing the data and the key (requires: flaw in trust):
1. Open laptop
2. (Clone the disk)
3. Insert 1st malicious program
4. Close laptop, leave
5. Wait for owner to boot device:
6. Ask for the password
7. Decrypt the disk
8. Modify it to start a 2nd malicious program
9. Start the operating system + 2nd program:
10. Use network to send the key / password
11. 2nd program hides tracks or backdoor
Trust in detail: ROM
• Internal ROM in PC: serial Flash
• Programmable internally and externally
(Chain diagram as before: internal boot ROM with KEY → 1st stage boot loader, verify signature, optional decrypt → …)
Serial Flash protection
Intel provides two SPI Flash protection methods:
1. BIOS_CNTL
▪ BIOS Lock Enable
▪ BIOS Write Enable
▪ System Management Mode (SMM) protection of BIOS Write
Enable
2. Protected Range Register for SPI Flash protection
Must be configured on each boot
Serial Flash protection flaws
• Many BIOS vendors do not set BIOS Lock Enable
• Most BIOS vendors do not set Range Protections
• BIOS update routines contain vulnerabilities:
▪ SPI flash access
• Only BIOS Lock Enable: any SMM bug breaks security
Copernicus tool shows BIOS protections
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicusquestion-your-assumptions-about
TPM Measurements
Initial startup FW at CPU reset vector
PCR[0] ← CRTM, UEFI Firmware, PEI/DXE [BIOS], UEFI Boot and Runtime Services, Embedded EFI OROMs, SMI Handlers, Static ACPI Tables
PCR[1] ← SMBIOS, ACPI Tables, Platform Configuration Data
PCR[2] ← EFI Drivers from Expansion Cards [Option ROMs]
PCR[3] ← [Option ROM Data and Configuration]
PCR[4] ← UEFI OS Loader, UEFI Applications [MBR]
PCR[5] ← EFI Variables, GUID Partition Table [MBR Partition Table]
PCR[6] ← State Transitions and Wake Events
PCR[7] ← UEFI Secure Boot keys (PK/KEK) and variables (dbx..)
PCR[8] ← TPM Aware OS specific hashes [NTFS Boot Sector]
PCR[9] ← TPM Aware OS specific hashes [NTFS Boot Block]
PCR[10] ← [Boot Manager]
PCR[11] ← BitLocker Access Control
From: Evil Maid Just Got Angrier, Yuriy Bulygin
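An added example (not from the slides or the cited paper) that models the TPM mechanics behind the "Alternative: TPM" slide, the PCR table above and the checklist item "TPM unseals disk encryption key": each boot component is extended into its PCR, a disk key is sealed to the resulting PCR values, and the key is released only when a later boot reproduces them. The component blobs, PCR assignment and XOR-based sealing are constructed stand-ins, not a real TPM interface.

```python
import hashlib

# Added example: measured boot as in the PCR table. PCR = SHA-256(PCR || hash)
# on every extend, so a PCR can only move forward and depends on the order of
# measurements. Blobs and the toy sealing scheme are constructed stand-ins.
PCR_SIZE = 32


def extend(pcr, measurement):
    """TPM extend operation: the new PCR value chains onto the old one."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """components: list of (pcr_index, bytes). Returns {index: final PCR value}."""
    pcrs = {}
    for idx, blob in components:
        old = pcrs.get(idx, b"\x00" * PCR_SIZE)
        pcrs[idx] = extend(old, hashlib.sha256(blob).digest())
    return pcrs


def policy_digest(pcrs, indices):
    """Digest over the selected PCRs; this is what the key is bound to."""
    return hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()


def seal(key, pcrs, indices):
    """Bind a 32-byte key to PCR values: XOR-wrap plus a policy tag (toy scheme)."""
    policy = policy_digest(pcrs, indices)
    wrapped = bytes(k ^ p for k, p in zip(key, policy))
    return {"tag": hashlib.sha256(policy).digest(), "blob": wrapped}


def unseal(sealed, pcrs, indices):
    """Return the key only if the current PCRs reproduce the sealing policy."""
    policy = policy_digest(pcrs, indices)
    if hashlib.sha256(policy).digest() != sealed["tag"]:
        return None                      # a real TPM refuses here too
    return bytes(b ^ p for b, p in zip(sealed["blob"], policy))


# Constructed boot components keyed by the PCR they are measured into.
GOOD_BOOT = [(0, b"CRTM + UEFI firmware"), (2, b"option ROM: NIC"),
             (4, b"UEFI OS loader"), (7, b"PK/KEK/db/dbx"), (11, b"BitLocker access control")]
EVIL_MAID_BOOT = [(i, b"UEFI OS loader (patched)" if i == 4 else b) for i, b in GOOD_BOOT]
DISK_KEY = bytes(range(32))
SEALED_TO = [0, 2, 4, 7, 11]


def demo():
    """(clean boot unseals the key, boot with a patched loader is refused)."""
    sealed = seal(DISK_KEY, measure_boot(GOOD_BOOT), SEALED_TO)
    return (unseal(sealed, measure_boot(GOOD_BOOT), SEALED_TO) == DISK_KEY,
            unseal(sealed, measure_boot(EVIL_MAID_BOOT), SEALED_TO) is None)
```

A patched OS loader changes only PCR[4], which is enough to change the policy digest; note that the protection is only as good as the measurement chain, which is why the next slides ask how trustworthy the CRTM itself is.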
Real TPM measurement
From: BIOS Chronomancy: Fixing the Core Root of Trust for Measurement, John Butterworth et al
How bad is it?
• BIOS/FW Exploits (BH USA 07, PoC 2007, BH USA 09, DEFCON 16)
• BIOS/FW Rootkits (BH EU 06, BH DC 07, Phrack66)
• SMM Exploits (CSW 2006, Phrack65, Phrack66, BH USA 08, bugtraq, CSW 2009)
• Mebromi malware
• (U)EFI Bootkits (BH USA 2012 @snare, SaferBytes 2012 Andrea Allievi, HITB 2013)
• Intel/McAfee - Evil Maid Just Got Angrier (CSW 2013)
• Intel/McAfee - “A Tale of One Software Bypass of Windows 8 Secure Boot” (BlackHat 2013)
• MITRE - Xeno Kovah, John Butterworth, Corey Kallenberg - “BIOS Security” (NoSuchCon 2013, BlackHat 2013, Hack.lu 2013)
• MITRE - Xeno Kovah - “Defeating Signed BIOS Enforcement” (PacSec 2013)
• ANSSI - Pierre Chifflier - “UEFI and PCI BootKits” (PacSec 2013)
• Dragos Ruiu - “Meet ‘badBIOS’ the mysterious Mac and PC malware that jumps airgaps” (#badBios)
• Kaspersky Lab / Absolute Software
• Microsoft Technical Advisory 2871690
• Intel Security/MITRE - All Your Boot Are Belong To Us (CanSecWest 2014)
• Upcoming: MITRE - Setup for Failure (Syscan 2014)
From: Platform Security Assessment with CHIPSEC, Intel
What should be done?
From: Platform Security Assessment with CHIPSEC, Intel
What now?
More tooling:
Platform Security Assessment with CHIPSEC from Intel
https://github.com/chipsec/chipsec
Copernicus 2: secure measurements from MITRE
http://www.mitre.org/publications/technicalpapers/copernicus-2-senter-the-dragon
UEFI Analysis Framework Subzero
https://github.com/theopolis/subzero
More guidance
• NIST guidelines (also for servers)
• Vendor specific (pre-) boot guidelines
• TPM/Bitlocker best practices
Fault attacks!
• Even perfect code is not perfect
• Fault attacks manipulate the device physically
▪ Voltage glitches
▪ Clock glitches
▪ Electro Magnetic pulses
▪ Laser pulses
EM-FI Transient Probe
Research probes
The EM-Probes from left to right: Probe 1, 2.3, 2.4, 2.5, 3, and 4
Probe 1: Horizontal coil, 4mm diameter, ferrite core
Probe 2.3: Vertical coil, 3mm diameter, no core
Probe 2.4: Vertical coil, 4mm diameter, no core
Probe 2.5: Vertical coil, 5mm diameter, no core
Probe 3: Horizontal coil, 4mm diameter, EP5 ferrite core
Probe 4: Vertical coil, 4mm diameter, ferrite core
Is it a real attack?
• Slot machine EMP jammer
Slot machine EMP jamming
http://www.youtube.com/watch?v=dew0KD_-ypw
EM FI
Troopers14, 19 March 2014
Ideal secure device checklist
All BIOS protections turned on (serial flash)
BIOS enforces authenticated updates
UEFI secure boot checks all signatures
TPM measurements (configured with coverage)
Authentication with password + removable token
TPM unseals disk encryption key
Full disk encryption applied with key
Parting thoughts
Data security depends heavily on system trust
What is your attacker model?
Default system trust is low!
Acceptable system trust (secure boot) is really hard
Contact:
Job de Haas
dehaas@riscure.com
Principal Security Analyst
Riscure Security Lab
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
Riscure North America
71 Stevenson Street, Suite 400
San Francisco, CA 94105
USA
Phone: +1 650 646 99 79
www.riscure.com
inforequest@riscure.com