

# Behind the Scenes of Intel Security and Manageability Engine

Shai Hasarfaty, Yanai Moyal

Security Researcher, Intel Corp.; Principal Security Research Engineer, Intel Corp.

Black Hat USA 2019





# Legal Disclaimer

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary, based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://www.intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.

© Intel Corporation



## Scope Of This Talk

Latest CSME 12 firmware and hardware on Intel 8<sup>th</sup> and 9<sup>th</sup> Gen Core processor based platforms (code names Coffee Lake and Whiskey Lake)







Agenda:

- Architecture & Boot flow
- OS Security Principles & Internals
- Hardening & Mitigations
- Pre & Post Manufacturing
- Update & Recoverability
- Wrap-up



## What Is CSME?

CSME is an embedded subsystem in the Platform Controller Hub (PCH)

- Stands for Converged Security & Manageability Engine
- Standalone low power Intel processor with dedicated Hardware (HW)
- CSME is the Root of Trust of the platform
  - Provides an isolated execution environment protected from host SW running on the main CPU
  - Executes CSME Firmware (FW)

CSME serves 3 main platform roles:

- Chassis
  - Secure boot of the platform
  - Overclocking
  - Micro-code loading into PCH/CPU HW engines
- Security
  - Isolated & trusted execution of security services (TPM, DRM, DAL)
- Manageability
  - Platform management over an out of band network (Intel AMT)



## CSME HW Overview & Capabilities

- **CPU:** Intel 32 bit processor (i486) supporting rings, segmentation and an MMU for page management
- **SRAM:** RAM (~1.5 MB) isolated from the host
- **ROM:** HW root of trust of the CSME Firmware
- **System Agent:** Allows the CPU to securely access SRAM and enforces access control to SRAM from internal/external devices by using an IOMMU (i.e. controls DMA access)
- **OCS (Offload & Cryptography Subsystem):** Crypto HW accelerator with DMA engine and Secure Key Storage (SKS)
- **Gasket:** interface to the PCH fabric & CSME IO devices (TPM, HECI etc.)
- **Manageability Devices:** used for manageability and redirection (USB-R, IDE-R, KT, KVM etc.)
- **Protected Real Time Clock:** used for monotonic counters (anti-replay protection) and as protected time

## PCH Hardware Used By CSME

- DRNG
  - Generates non-deterministic random numbers
  - Compliant to NIST SP800-90A, B and C
- PRTC (Protected Real Time Clock)
- Fuses, 2 types
  - Intel PCH Manufacturing Fuses, set by Intel before shipment to manufacturers
    - CSME configuration: which Intel CSME signing keys are enabled, production silicon etc.
    - CSME security keys, unique per chip and encrypted using the CSME HW key
  - In Field Programmable Fuses (FPF), set by manufacturers before shipment to end users
    - Manufacturers' secure settings: public key, Intel Boot Guard policy etc.
    - CSME FW Anti-Rollback Security Version Number (ARB SVN)
- DFX (debug)
  - Controls the CSME & other PCH micro-controllers' debug interface (JTAG)
  - In debug (JTAG open), keys in fuses and secrets in NVM are not available & CSME SRAM is zeroed





# CSME Role In Platform Boot





## CSME ROM

- ROM is part of the PCH HW with no patch mechanism after HW tape-in
  - ROM bypass is disabled by an Intel manufacturing fuse on production stepping
- Main responsibilities
  - Moves the CSME CPU to protected mode & enables paging and segmentation
  - Generates CSME FW keys using the chipset key and the RBE Security Version Number (TCB SVN)
  - Loads, authenticates and executes IDLM (debug module) / RBE
    - Hashes of the public keys are embedded in ROM
    - An Intel manufacturing fuse indicates which public key is enabled (the debug signing key is disabled on production)

## Key Derivation By ROM

(Figure: key derivation flow performed by ROM, ending in step 3, derivation of the CSME FW key from the chipset key and the TCB SVN.)

## HW Secure Key Storage

HW SKS protects the CSME root keys during runtime: FW can only use the keys.

Every SKS slot has a set of attributes:

- Secure Mode: the result of an AES-CBC decrypt and HMAC using the key in this slot can be stored in SKS only
- Privilege Level: used for HW access control on the SKS slot. The key in this slot is accessible if the SKS slot privilege level is >= the SKS privilege level
- Locked: the key in this slot can be invalidated or replaced only after a CSME HW reset

## RBE (ROM Boot Extension)

- Extends ROM functionality in FW (can be updated in the field)
- Bootloader of the CSME OS
- Main responsibilities
  - Performs the HW based anti-rollback check on CSME FW
  - Performs the early chassis job: PMC patch
  - Loads, authenticates and executes the CSME OS







## CSME Secure Boot Flow

(Figure: CSME secure boot flow over time, from HW Ring0 (ROM) through FW TCB Ring0 and Ring3, FW OS Ring3, FW lib. Ring3 and FW App Ring3. Legend: ICV = Integrity Check Value.)

Once all CSME modules have been loaded, the Process Manager stores all CSME modules' ICVs and the ICV key in the ICV Blob Partition (IVBP) in SPI flash, encrypted, integrity and replay protected.

## CSME Secure Boot Flow With ICV Blob

(Figure: the same boot flow over time when an ICV Blob is present. Legend: ICV = Integrity Check Value.)






## CSME OS Main Security Principles

- Micro-kernel OS based on the Minix OS architecture
  - The micro-kernel is the only runtime component running at ring0. Applications, drivers and services run at ring3
  - The micro-kernel implements the bare minimum required to implement an OS
- Minimal Trusted Compute Base (TCB)
  - Protects access to keys and HW (CSME assets)
  - Responsible for CSME FW code integrity at boot & runtime
  - Responsible for protecting CSME modules from each other, and their data in SPI flash
  - Enforces CSME modules' minimum privileges



# Micro Kernel (uKernel)

Main responsibilities:

- Driver of the CPU
  - Enforces that code execution is from SRAM only
  - Enforces process isolation using CPU rings and x86 segments
  - Sets up page attributes (RW and User bit); enforcement is done by the MMU
  - Controls HW access via MMIO by ring3
- Driver of the IOMMU
  - Controls DMA access to SRAM
- Supports standard kernel services
  - Inter-Process Communication (IPC)
  - Processes & threads management
  - Interrupts and exceptions handling
- Handles page replacement between SRAM and DRAM/SPI flash to save SRAM utilization
  - Pages evicted to DRAM are encrypted and integrity protected

## CSME TCB OS

(Table: CSME TCB OS components and, for each, whether it controls access to CSME OS services and whether it controls access to hardware.)

## Bringup (BUP)

- Supports early platform boot and configuration
- Reduced its privileges starting with CSME 12
  - Can't create CSME processes
  - No access to root keys and attestation keys
  - No access to the crypto accelerator and DFX HW



### CSME OS – Drivers and Services

- Drivers and services run at ring3
- Drivers have access only to the HW they need to manage, via Memory Mapped IO (MMIO)
- Access to drivers and services is jointly controlled by the VFS & uKernel

Services:

- iCLS: Intel Capability License Server protocol
- Event Dispatcher: Publish system wide events
- MCA: Support manufacturing flows
- GDE: Display overlay used by AMT for user consent
- TCB-R: Support for EPID re-key over iCLS
- Maestro: Coordinate power state transitions
- MCTP: Implementation of the DMTF MCTP protocol
- TLS: Standalone TLS stack (used by DAL)
- Sigma/EPID: SIGn and Message Authentication protocol using Intel EPID
- Policy: CSME features enable/disable
- LoadMgr: Authentication service and boot order
- FWUpdate: In-band FW Update

Drivers:

- PRTC: Protected Real Time Clock
- VDM: CPU and GFX communications
- WLAN: AMT WLAN OOB driver over Clink
- IPC: IP to IP communication (PMC, ISH etc.)
- Fuse: FPF driver supporting read/write
- SMBus: SMBus/I2C interface
- USBR: AMT redirection (keyboard, mouse, storage)
- HECI: Host interface driver
- Storage: SPI driver and low level filesystem
- Power: Power management; PMC communication
- GPIO: GPIO configuration and usage

### CSME Applications

- CSME applications run at ring3
- The CSME TCB ensures CSME applications are isolated from each other, including their data kept in NVM

(Figure: CSME software stack. Ring 3: applications (AMT, IP Loading, DRMs, Hotham, WAPPS, ICC, PTT (TPM), DAL, RmtWake) above the services and drivers, then the Crypto Driver, Virtual File System, Process Manager and Bus Driver; Ring 0: uKernel; beneath it RBE (ROM Boot Extension) and ROM, the HW Root of Trust.)

Applications:

- AMT: Manageability including network stack
- IP loading: ISH, Audio, Camera
- PAVP: PlayReady, Widevine, HDCP
- Hotham: Debug mailbox with SW
- WAPPS: AMT 3<sup>rd</sup> party storage
- ICC: Integrated Clock Configuration (overclocking)
- PTT: TPM 2.0 implementation
- DAL: Dynamic Intel signed applications loading
- RmtWake: Support for concurrent Wake On LAN






## Hardening & Exploitation Mitigations

- Kernel (Ring0)
  - Kernel system call filtering
  - Applied stack protector for kernel
  - Data execution prevention
  - Activated Supervisor Mode Execution Prevention (SMEP)
  - Use CR0.Write.Protect
    - Prevent corruption of read only pages by kernel
  - ACL on Ring3 inter-process communication

### Hardening & Exploitation Mitigations

- Example of authorized IPC (abstracted)
- Example of unauthorized IPC

(Figure: animation of an authorized and an unauthorized inter-process call between ring3 processes under the kernel's IPC ACL.)


# Hardening & Exploitation Mitigations

- Exploitation mitigations in Ring3
  - Syslib context pointer moved to a read only page (not on stack anymore)
  - Return Control Flow Integrity via modified Stack Canary "XOR-RET-ALL" on the majority of the Ring3 functions.

Quoted tweet, grsecurity (@grsecurity), Jun 26: "Yeah, it seems like the XOR with retaddr was removed though after 1.21. For reference, it exists here: marc.info/?l=stackguard&... But then appears to be gone in all future versions: blackhat.com/presentations/... cs.purdue.edu/homes/xyzhang/... (discussing v2.0.1 lacking it, and 1.21 having it)"



# Hardening & Exploitation Mitigations

- Exploitation mitigations in Ring3
  - Syslib context pointer moved to a read only page (not on stack anymore)
  - Return Control Flow Integrity via modified Stack Canary "XOR-RET-ALL" on the majority of the Ring3 functions.

Regular Stack-Protector (frame layout, low to high address):

| LOCAL VAR | Canary | OLD EBP | RETURN | ARG 1 |
|-----------|--------|---------|--------|-------|
| linear buffer overflow → | Random | | | |

A linear buffer overflow has to run through the canary to reach RETURN, so it is caught; a nonlinear write (one that lands on RETURN without touching the canary) will **bypass** the stack protector.

Stack-Protector XORed with Return address:

| LOCAL VAR | Canary | OLD EBP | RETURN | ARG 1 |
|-----------|--------|---------|--------|-------|
| | Random ^ Ret | | | |

The stored canary now depends on the return address, so changing RETURN alone makes the epilogue check fail. The attacker will now require a stack/canary info leak, or has to leverage a data corruption (if possible).
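An added example, not code from the Intel deck: a C model of the two canary schemes above, with a constructed frame layout, a constructed per-boot random value and constructed return addresses, showing which corruption each scheme detects at the epilogue check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame model matching the slide's layout, low to high address. */
struct frame {
    uint8_t  local_buf[16];
    uint32_t canary;
    uint32_t old_ebp;
    uint32_t ret;
};

/* Constructed values: a per-boot random canary, a legitimate return address
 * and an address an attacker would like the function to return to instead. */
#define RANDOM_CANARY 0x5A17C0DEu
#define GOOD_RET      0x00024000u
#define BAD_RET       0x00031337u

/* Prologues: the regular stack protector stores the random value as-is;
 * XOR-RET-ALL stores random ^ return address. */
static void prologue_regular(struct frame *f) { f->canary = RANDOM_CANARY; }
static void prologue_xor_ret(struct frame *f) { f->canary = RANDOM_CANARY ^ f->ret; }

/* Epilogues: true when the frame passes the check and the function may return. */
static bool epilogue_regular(const struct frame *f) {
    return f->canary == RANDOM_CANARY;
}
static bool epilogue_xor_ret(const struct frame *f) {
    /* Re-derive the random value from the return address about to be used. */
    return (f->canary ^ f->ret) == RANDOM_CANARY;
}

static void setup(struct frame *f, bool xor_scheme) {
    memset(f, 0, sizeof *f);
    f->old_ebp = 0x1000u;
    f->ret = GOOD_RET;
    if (xor_scheme) prologue_xor_ret(f); else prologue_regular(f);
}
static bool check(const struct frame *f, bool xor_scheme) {
    return xor_scheme ? epilogue_xor_ret(f) : epilogue_regular(f);
}

/* An untouched frame must still be accepted by either scheme. */
bool clean_return_accepted(bool xor_scheme) {
    struct frame f;
    setup(&f, xor_scheme);
    return check(&f, xor_scheme);
}

/* Linear overflow from local_buf that runs through Canary and OLD EBP into
 * RETURN: the canary is necessarily smashed, so both schemes detect it. */
bool linear_overflow_detected(bool xor_scheme) {
    struct frame f;
    setup(&f, xor_scheme);
    memset(&f, 'A', offsetof(struct frame, ret) + sizeof f.ret);
    return !check(&f, xor_scheme);
}

/* Nonlinear write: a single out-of-bounds store that lands on RETURN and
 * leaves the canary intact. Only the XOR-RET scheme notices. */
bool nonlinear_write_detected(bool xor_scheme) {
    struct frame f;
    setup(&f, xor_scheme);
    f.ret = BAD_RET;
    return !check(&f, xor_scheme);
}

int main(void) {
    printf("regular: linear=%d nonlinear=%d\n",
           linear_overflow_detected(false), nonlinear_write_detected(false));
    printf("xor-ret: linear=%d nonlinear=%d\n",
           linear_overflow_detected(true), nonlinear_write_detected(true));
    return 0;
}
```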



# Hardening & Exploitation Mitigations

- Exploitation mitigations in Ring3
  - Syslib context pointer moved to a read only page (not on stack anymore)
  - Return Control Flow Integrity via modified Stack Canary "XOR-RET-ALL" on the majority of the Ring3 functions.
  - SW Forward Edge Control Flow Integrity

Example: a function pointer loaded from a structure field and then used as an indirect call target (abstracted):

```asm
push ebp
mov  ebp, esp
mov  eax, [ebp+s.pFuncs]
mov  edx, [ebp+memaccess]
mov  [ebp+s.pFuncs], edx
pop  ebp
mov  eax, [eax+1Ch]
```

(Figure: in the deck this listing is overlaid on a raw byte dump of the binary.)

With SW forward-edge CFI, every legitimate indirect call target begins with the `endbr32` marker (bytes `f3 0f 1e fb`) and the caller verifies it before the call. The check loads the callback pointer (`mov eax, [ebp + CBFuncPtr]`), decrements the dword read from the target (`dec ecx`) and compares it with `0FB1E0FF2h`, i.e. endbr32-1: this creates the `cmp` without the endbr32 bytecode appearing in the instruction stream, so the check itself can never be mistaken for a valid landing pad.
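An added example, not Intel's code: a C model of the forward-edge check described above. The "code" being checked consists of constructed byte arrays, and the helper that inspects an immediate's encoding is added here to show why the compare is built from endbr32-1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* endbr32 is encoded as f3 0f 1e fb; read as a little-endian dword that is
 * 0xFB1E0FF3. The check only ever holds endbr32 - 1, whose own encoding
 * (f2 0f 1e fb) is not a landing pad. */
#define ENDBR32_MINUS_ONE 0xFB1E0FF2u

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The forward-edge check: true only if the call target starts with endbr32.
 * Decrement the loaded dword and compare with endbr32 - 1, as the slide
 * describes, instead of comparing with the marker itself. */
bool target_has_endbr32(const uint8_t *target) {
    uint32_t first = load_le32(target);
    first -= 1u;
    return first == ENDBR32_MINUS_ONE;
}

/* Would a 32-bit immediate, once emitted little-endian into the instruction
 * stream, spell out the endbr32 bytes (and so be a valid target itself)? */
bool immediate_spells_endbr32(uint32_t imm) {
    return (imm & 0xffu) == 0xf3u && ((imm >> 8) & 0xffu) == 0x0fu &&
           ((imm >> 16) & 0xffu) == 0x1eu && (imm >> 24) == 0xfbu;
}

/* Constructed "code" bytes: a callback that begins with endbr32, and the
 * middle of a function (mov eax,[ebp+1Ch]; pop ebp; ret) that does not. */
static const uint8_t good_callback[8] = {0xf3, 0x0f, 0x1e, 0xfb, 0x55, 0x89, 0xe5, 0xc3};
static const uint8_t mid_function[8]  = {0x8b, 0x45, 0x1c, 0x5d, 0xc3, 0x90, 0x90, 0x90};

bool good_callback_accepted(void) { return target_has_endbr32(good_callback); }
bool mid_function_rejected(void)  { return !target_has_endbr32(mid_function); }

int main(void) {
    printf("callback accepted: %d, mid-function target rejected: %d\n",
           good_callback_accepted(), mid_function_rejected());
    printf("cmp immediate is itself a landing pad: %d (would be %d with the raw marker)\n",
           immediate_spells_endbr32(ENDBR32_MINUS_ONE),
           immediate_spells_endbr32(ENDBR32_MINUS_ONE + 1u));
    return 0;
}
```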

# Hardening & Exploitation Mitigations

- Exploitation mitigations in Ring3
  - Syslib context pointer moved to a read only page (not on stack anymore)
  - Return Control Flow Integrity via modified Stack Canary "XOR-RET-ALL" on the majority of the Ring3 functions.
  - SW Forward Edge Control Flow Integrity
  - Heap protections
    - Double free protection
    - Malloc of zero size returns NULL
    - Cookie protection enforced during free of an allocated/busy chunk
      - A Marker surrounds every busy block
      - The value of the random "Cookie" field in the Marker is compared with the original Cookie value. A mismatch is handled as an overflow attack (or bug).
  - Data execution prevention
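An added example, not CSME's allocator: a small bump allocator that models the three heap protections listed above (malloc of zero size returns NULL, a Marker with a cookie around every busy block checked at free, and double free rejection). The arena size, the cookie value and the scenarios are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_WORDS 256
#define COOKIE 0x7E57C00Cu   /* constructed; a real heap would draw this from the DRNG */

enum heap_result { HEAP_OK, HEAP_COOKIE_MISMATCH, HEAP_DOUBLE_FREE };

/* Marker placed before and after every busy block. */
struct marker { uint32_t cookie; uint32_t size; uint32_t busy; };

static uint32_t arena_words[ARENA_WORDS];   /* uint32_t storage keeps markers aligned */
#define arena ((uint8_t *)arena_words)
#define ARENA_SIZE (sizeof arena_words)
static size_t top;                           /* bump pointer */

void *heap_alloc(uint32_t size) {
    if (size == 0) return NULL;                    /* malloc of zero size returns NULL */
    size = (size + 3u) & ~3u;                      /* 4 byte alignment, as CSME uses */
    size_t need = 2 * sizeof(struct marker) + size;
    if (top + need > ARENA_SIZE) return NULL;
    struct marker *hdr = (struct marker *)(arena + top);
    uint8_t *user = (uint8_t *)(hdr + 1);
    struct marker *ftr = (struct marker *)(user + size);
    hdr->cookie = ftr->cookie = COOKIE;
    hdr->size = ftr->size = size;
    hdr->busy = ftr->busy = 1;
    top += need;
    return user;
}

enum heap_result heap_free(void *p) {
    if (p == NULL) return HEAP_OK;
    struct marker *hdr = (struct marker *)p - 1;
    /* Header cookie first: a mismatch means an overflow from the previous
     * block (or a bug) reached this block's Marker. */
    if (hdr->cookie != COOKIE) return HEAP_COOKIE_MISMATCH;
    if (!hdr->busy) return HEAP_DOUBLE_FREE;      /* double free protection */
    size_t off = (size_t)((uint8_t *)p - arena);
    if (off + hdr->size + sizeof(struct marker) > ARENA_SIZE) return HEAP_COOKIE_MISMATCH;
    struct marker *ftr = (struct marker *)((uint8_t *)p + hdr->size);
    /* Footer cookie: an overflow out of this block lands here. */
    if (ftr->cookie != COOKIE || ftr->size != hdr->size) return HEAP_COOKIE_MISMATCH;
    hdr->busy = ftr->busy = 0;
    return HEAP_OK;
}

void heap_reset(void) { memset(arena_words, 0, ARENA_SIZE); top = 0; }

/* Scenarios, each starting from a fresh arena. */
bool zero_size_returns_null(void) { heap_reset(); return heap_alloc(0) == NULL; }

enum heap_result clean_free_result(void) {
    heap_reset();
    uint8_t *a = heap_alloc(16);
    memset(a, 'A', 16);                            /* stays within the block */
    return heap_free(a);
}

enum heap_result double_free_result(void) {
    heap_reset();
    void *a = heap_alloc(32);
    heap_free(a);
    return heap_free(a);
}

enum heap_result overflow_result(void) {
    heap_reset();
    uint8_t *a = heap_alloc(16);
    memset(a, 'A', 16 + 4);                        /* 4 bytes too many: hits the footer cookie */
    return heap_free(a);
}

int main(void) {
    printf("malloc(0)==NULL:%d clean:%d double-free:%d overflow:%d\n",
           zero_size_returns_null(), clean_free_result(),
           double_free_result(), overflow_result());
    return 0;
}
```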

### CSME Security Development Lifecycle

Applying the Security Development Lifecycle (SDL) through the CSME development phases

- Security Architecture and Design Review
  - Threat analysis
  - Challenging the FW design results in product changes
- Security Code Review
  - Manual review and Static Code Analysis (SCA) tools
- Penetration testing
  - Manual
  - Automation
### CSME Security Validation Technologies

Using latest industry techniques on silicon:

- Address Sanitization
  - Doesn't work out of the box since it requires glibc
    - Fixed by creating the missing stub functions and implementing them
  - The sanitizer requires 8 byte aligned memory while CSME has 4 byte aligned memory
    - Each time an "error function" is entered, make sure the address is 4 byte aligned and validate it against the "shadow" to decide whether it is a real issue or not
    - Using "-fsanitize-recover=address" so the calling code path won't change
  - The sanitizer writes to a "shadow" memory at a fixed address of "0x2000000"
    - Patch GCC to make it accept "-fsanitize=kernel-address" by removing "SANITIZE\_KERNEL\_ADDRESS" in "opts-global.c"
    - Was asked many times but no one has done it as a feature in GCC: <u>https://groups.google.com/forum/#!topic/address-sanitizer/ZLI4un1NyoE</u>
  - Making the code too big: it won't fit into flash or won't fit into SRAM
    - Apply only on a single process and not on the entire system at once

# CSME Security Validation Technologies

- Using latest industry techniques on silicon
  - Address Sanitization
  - Coverage-guided fuzzing
    - Based on AFL fuzzer logic

Issue #1: bitmap size. AFL sizes its trace bitmap with `MAP_SIZE_POW2` in its config.h:

```c
/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
   2; you probably want to keep it under 18 or so for performance reasons
   (adjusting AFL_INST_RATIO when compiling is probably a better way to
   solve problems with complex programs). You need to recompile the target
   binary after changing this - otherwise, SEGVs may ensue. */

#define MAP_SIZE_POW2 16
```

Issue #2: memory pipe for getting test feedback

- Easy to solve by calling a test firmware API (which does not exist in production) to get the internal array that holds all the feedback
- Modify the AFL instrumentation to place the global BITMAP array inside the FW

### Instrumented Firmware

```nasm
0x0002409f  mov ebx, dword [arg_18h]
0x000240a2  mov esi, dword [arg_ch]
            test ebx, ebx
            je 0x240bc
            pushfd                        ; instrumentation stub: save flags and registers
            pushal
            push 0x18ba                   ; ID of this basic block
            call sym.write_to_afl_bitmap
            add esp, 4
            popal
            popfd                         ; end of stub
            mov eax, dword [ebx]
            pushfd                        ; next stub
            pushal
            push 0x18bb
            call sym.write_to_afl_bitmap
            add esp, 4
            popal
            popfd
            push 0x4b0005
            push esi
```
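The listing shows the compile-time side; as an added example (not Intel's or AFL's code) here is the firmware side it calls into, written in C: `write_to_afl_bitmap` with AFL's previous-location edge hashing, the global bitmap kept inside the FW, and the test-only read-out API from Issue #2. The value `MAP_SIZE_POW2 = 12`, the helper names other than `write_to_afl_bitmap`, and `instrumented_load` are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* MAP_SIZE_POW2 here is an assumed, reduced value: AFL's default of 16 gives
 * a 64 KiB map, which is the "bitmap size" problem on a SRAM-limited target. */
#define MAP_SIZE_POW2 12
#define MAP_SIZE      (1u << MAP_SIZE_POW2)

static uint8_t  afl_bitmap[MAP_SIZE]; /* global BITMAP array kept inside the FW */
static uint32_t afl_prev_loc;         /* previous block ID, for edge hashing   */

void afl_reset(void)
{
    memset(afl_bitmap, 0, sizeof afl_bitmap);
    afl_prev_loc = 0;
}

/* Called by every instrumented basic block with its compile-time block ID
 * (0x18ba, 0x18bb in the listing); the pushfd/pushal ... popal/popfd pair
 * around the call in the listing saves and restores the caller's registers. */
void write_to_afl_bitmap(uint32_t cur_loc)
{
    uint32_t edge = (cur_loc ^ afl_prev_loc) & (MAP_SIZE - 1);
    afl_bitmap[edge]++;           /* hit count for the (prev -> cur) edge  */
    afl_prev_loc = cur_loc >> 1;  /* shift so A->B and B->A hash differently */
}

/* Test-only firmware API (absent from production builds): copies the
 * feedback array out for the host-side fuzzer and returns the bytes copied. */
size_t test_api_read_afl_bitmap(uint8_t *out, size_t out_len)
{
    size_t n = out_len < MAP_SIZE ? out_len : MAP_SIZE;
    memcpy(out, afl_bitmap, n);
    return n;
}

size_t afl_covered_edges(void)    /* distinct edges hit since the last reset */
{
    size_t n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        n += afl_bitmap[i] != 0;
    return n;
}

/* Mirrors the listing: null check, then a dereference, each block reporting
 * its ID; the null path jumps to a block the listing does not show. */
int instrumented_load(const int *p)
{
    if (p == NULL)
        return -1;
    write_to_afl_bitmap(0x18ba);  /* fall-through block after "je 0x240bc" */
    int v = *p;                   /* "mov eax, dword [ebx]" */
    write_to_afl_bitmap(0x18bb);
    return v;
}
```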

#BHUSA ♥@BLACK HAT EVENTS




# Customization During Manufacturing

- Features are configurable by manufacturers
  - Manageability support (corporate / consumer)
  - HW anti-rollback support
  - Manufacturer public key for secure micro-code loading and Intel Boot Guard
  - Intel Boot Guard enable/disable and policy
  - PTT enable/disable
- End Of Manufacturing (EOM)
  - Required by manufacturers before shipping platforms to end-users
  - Writes and locks the manufacturer's settings into FPF and the CSME data partition in SPI flash
  - Closes the SPI flash descriptor; the SPI controller then enforces access control on the BIOS, CSME and other SPI regions


# Post Manufacturing Configuration

Some CSME features can still be configured after EOM by end-users:

- Manageability can be configured in BIOS menus
  - AMT out-of-band network interface enable/disable
  - AMT USB provisioning enable/disable
  - AMT Host Based Provisioning enable/disable
  - AMT redirection enable/disable


# CSME FW Update & Recovery

CSME FW verifies the digital signature and version of a new CSME FW image before updating it in SPI flash on the end-user system.

- Two levels of CSME FW anti-rollback are supported in CSME 12
  1. SW rollback to an old CSME FW is prevented using the Version Control Number (VCN)
  2. Physical rollback is prevented using the Anti-Rollback (ARB) SVN
     - The ARB SVN is kept in field programmable fuses (FPF)
     - Requires manufacturer support
- Once a FW update is done to a higher TCB SVN, CSME performs data migration and initiates the re-creation of attestation keys (EPID and PTT Endorsement Key)
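As an added example (not Intel's code), the two anti-rollback levels and the TCB-SVN migration trigger written out as an image-acceptance check in C; the struct and field names, the `signature_ok` flag and the `manufacturer_arb_support` flag are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Field and flag names below are assumptions for illustration; real signature
 * verification runs before this policy and is represented by signature_ok. */
struct fw_image {
    uint32_t vcn;      /* Version Control Number: stops SW rollback          */
    uint32_t arb_svn;  /* Anti-Rollback SVN: mirrored into FPF fuses         */
    uint32_t tcb_svn;  /* TCB SVN: a bump triggers migration and re-keying   */
};

struct platform_state {
    struct fw_image installed;
    uint32_t fused_arb_svn;            /* FPF copy of ARB SVN; only grows     */
    bool     manufacturer_arb_support; /* HW anti-rollback enabled at EOM     */
    bool     migration_pending;        /* data migration + key re-creation    */
};

enum update_result {
    UPDATE_OK,
    UPDATE_REJECT_SIGNATURE,
    UPDATE_REJECT_VCN,      /* level 1: SW rollback to an older image       */
    UPDATE_REJECT_ARB_SVN,  /* level 2: physical rollback below the fuse    */
};

/* Decide whether a (signature-checked) image may replace the installed one,
 * and record the side effects an accepted update has on the platform. */
enum update_result accept_fw_image(struct platform_state *ps,
                                   const struct fw_image *img, bool signature_ok)
{
    if (!signature_ok)
        return UPDATE_REJECT_SIGNATURE;
    if (img->vcn < ps->installed.vcn)
        return UPDATE_REJECT_VCN;
    /* The fuse, not the installed image, is the reference here: a re-flashed
     * old image fails this check at boot even though SPI was rewritten. */
    if (ps->manufacturer_arb_support && img->arb_svn < ps->fused_arb_svn)
        return UPDATE_REJECT_ARB_SVN;

    bool tcb_bumped = img->tcb_svn > ps->installed.tcb_svn;
    ps->installed = *img;
    /* Fuses are one-way: only ever raise the stored ARB SVN. */
    if (ps->manufacturer_arb_support && img->arb_svn > ps->fused_arb_svn)
        ps->fused_arb_svn = img->arb_svn;
    /* Higher TCB SVN: ROM derives a new storage key, so stored data must be
     * migrated and the attestation keys (EPID, PTT EK) re-created. */
    if (tcb_bumped)
        ps->migration_pending = true;
    return UPDATE_OK;
}
```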


# TCB Recovery & CSME Data Migration

1. Manufacturers update to a new CSME FW with a higher SVN. If the latest iCLS (Intel Capability Licensing Service) SW service is not already in use, update the SW as well.
2. At next boot, CSME FW performs CSME data migration from the previous CSME storage key to the new one derived by ROM.
3. The Intel iCLS SW service connects securely, using the Intel SIGMA protocol over the internet, to Intel backend servers to complete TCB recovery and retrieve a new EPID key and an Intel certificate for the new PTT Endorsement Key (TPM EK).
4. At some point, Intel revokes the old EPID keys and PTT EKs (i.e. publishes a CRL on an Intel server). Once revocation is done, content providers can halt streaming content to non-updated systems.


# Wrap-up

- Secure design with defense in depth
  - Secure boot and execution enforced by a minimal TCB
  - Least privilege and process isolation
  - Exploitation mitigations
- Secure update and recovery
  - Secure FW update
  - FW and HW anti-rollback
  - Data migration with online renewal of attestation keys (TCB Recovery)
- Evaluating future enhancements
  - Further reduce privileges
  - Adding ASLR support given CSME OS memory limitations
  - HW Control-Flow Enforcement Technology (CET) support in the CSME CPU


## Special thanks to CSME architecture, development, validation and security research teams for their contribution to this presentation


