>>So, this talk is titled 'Untrustworthy Hardware and How to Fix It'. But due to the destination of the project I think it would be better titled 'Seeking Hardware Transparency'. Uh, I'd like to thank the contributors that made this happen, so uh, some of the channels on Freenode were very helpful. Some of the people in the OpenRISC community really helped make this happen, as well as the Propeller guy who worked on the Propeller, uh, IO interface that we have. Before we get started I'd like to speak a bit on what I do like in the, uh, computer community. Uh, that is the fact that we are not relying on closed source black box and known weak algorithms anymore. We have, uh, trusted free and open source, uh, crypto algorithms that are heavily scrutinized and readily available and widely deployed. So for this talk I'd like for you to forget about software for a bit - I don't want you to think about any of these, but I do want you to still think about security. So, where do we go from here? Uh, right below software, uh, this is drawn on just about every, uh, computer system, we've got firmware, and that sits below the software and interfaces with the hardware. And firmware is almost exclusively closed source and controls almost all hardware devices and functions. Uh, and due to its low level nature, uh, this firmware persists across, uh, OS installations if, uh, we ever have malicious installations. There's a lot of research in this space and I'm not an expert on it, but I encourage you to check out some of the DEF CON talks on it because they really go into some of the details there. Uh, below that, uh, we have hardware and that is where we're going to be spending a lot of our time. Uh, hardware is almost always absolutely trusted because it's where you run your computations. Unfortunately though, groups like the NSA and other nation states have been caught attacking this space. So, we have seen, uh, the NSA attacking Cisco systems.
We have the DOD concerned about rival nation states backdooring their hardware. Even Apple is suspecting that some of their server shipments now are backdoored, so they're actually looking to get back into the server space. Uh, I think somebody on the internet said it best: 'if their hardware is compromised their whole machine is compromised'. Now, just as an example, we've probably seen this slide a few times before, uh, the NSA is unpacking, uh, Cisco shipments and they're implanting them with, uhm, rogue hardware devices. So, hardware backdooring is very real and it is a concern that we need to look at going forward. One thing that really concerns me is, uh, Intel Management Engine. So, this technology is found on just about every Intel system in the last ten years - it's not a straight up back door but it does pose significant threats. So, Management Engine is actually a dedicated logic device that sits on your CPU or on your chipset depending on what, uh, architecture you have, and controls a whole bunch of, uh, special features on the system. It's got system access at the lowest level, it's got network access, it's actually got its own IP address and MAC address to handle everything. Uh, it remains functional in the background even if the system is off. It actually runs on standby power - so, if any of you are familiar with lights-out management on servers, it's like that but you can't control it and you can't disable it and you can't turn it off. Uh, this may sound like a server feature of course when I mention lights-out management, but as we can see in some of Intel's product slides this shows up on high-end desktops, it shows up on desktops; it shows up in some of their tablets but I can't confirm that. Before we go further though I think it would be good to cover what Intel Management Engine actually is. So, most of this information comes from poorly secured FTP servers.
Uh, it runs the ThreadX real-time operating system, which you probably haven't heard of - it's closed source and proprietary of course. It has its own MAC address and IP address for out-of-band features as I've mentioned. Uh, some of the code is found in, uh, inaccessible on-chip ROMs, so you'd have to decap them somehow to access them. Other, uh, parts of the firmware are found on the motherboard itself in the system firmware. That's what makes it hard to install Libreboot on modern laptops. Uh, it uses compression and encoding to thwart reverse engineering, uh, and it's found on all sorts of system architectures, so the actual Management Engine itself, uh, varies between platforms. It's very hard to figure out exactly what's going on because Intel's very secretive about it. But it's, uh, been documented, uh, using ARC, which is very popular in the embedded space. Uh, some of them use SPARC V8; why, why some Celeron chips are in Intel processors is beyond me. Uh, Hackaday summarized it best - in short, Intel Management Engine is a reverse engineer's worst nightmare. Uh, I like this slide. [laughter] If it's not a backdoor already it's waiting to be a backdoor. And I think if you've paid attention to the, some of the hardware security space in the last year, uh, it's getting closer to that every day. Uh, it is effectively the perfect hardware backdoor, in fact, because it's built for IT infrastructure to manage, uh, laptops and hardware in the field and do, uh, updates and repairs to systems without having to reinstall the operating system or work at the operating system level. As I mentioned earlier, it's found in all Intel systems from about 2008 to 2009, and the worst part is, even though you bought your CPU, you paid your money for it and it belongs to you, you don't control it - you can't disable this. It's like I have this hardware platform but I don't have control over it. And that was really one of the inspirations for this talk.
I was tired of seeing hardware where I owned it and I was running my code, I was running my open source software on it, but I couldn't control the system. Uh, some of you may be thinking about Intel's competitor AMD, which has significantly less market share currently, unfortunately. They also have a similar technology called 'TrustZone' slash, uh, 'Platform Security Processor'. But, uh, given that they haven't made CPUs recently until Zen, uh, this technology has not been well documented or researched. Before we go on to the solution though - it's always fun to go over some hypotheticals. So, we're gonna do a little bit of speculation - what's the worst we can do to hardware? So, what about nation states? These people are always fun because they have tons and tons of money. Uh, hardware backdooring is viewed as a threat by nation states. They see other nation states as a threat, so the DOD is actually looking at bringing chip fabrication back to the US for some of their work because they wanna know that the chips that run their systems are secure. Uh, nation states of course could backdoor, uh, product manufacturing with switched or additional components. They actually attack, generally, the shipping stage of, uh, delivering the product, but they could also attack them at the manufacturing stage depending on the situation. Uh, as I mentioned, CPUs, chipsets, uh, you know, face cards, ROMs - they could all be backdoored if they wanted. I think what highlights this best is there's a piece of hardware that the NSA created that's called 'FLUXBABBITT' that is built for one specific server and is implanted while in shipment. If the NSA is willing to make a custom chip to attack hardware - why aren't they attacking the fabrication centre? So, you may think - oh but it's too hard!
Well it's not, uh, University of Michigan in their paper, uh, 'A2: Analog Malicious Hardware' have documented it's all too easy for a single employee to backdoor a chip in the fabrication centre. So there's a slide from them talking about their A2 trigger that causes all kinds of security concerns if implanted. Uh, there's some great articles on that, uh, paper if you're interested in more. So, it's, I believe it's entirely possible for a nation state to accomplish this and lead to widespread, uh, total compromise while being virtually undetectable. If you can't trust the manufacturer what are you gonna do? So, I was looking at all this. It was actually, uh, it was before the Intel Management Engine exploits that happened this year. I believe it was a Hackaday article where they were summarizing Intel Management Engine and I didn't like the statement. Of course they were saying, you know, it was very nasty. But the end of the article, uh, was 'this is in every desktop you've got in your system and you're screwed because you can't do anything about it', and I didn't think that was very fun. I wanted to do something else so I started looking around. So, of course when you start looking at open source hardware, well, you're gonna see open source hardware; you're gonna see Libreboot; uh, you're gonna see stuff like the Novena hacker laptop, which are very cool. But a lot of these systems still require blobs - so these are precompiled pieces of code that you can't inspect. They're basically closed source software - they run on the system, and of course all these platforms still require you to use closed source silicon, so you don't know what's under that little plastic package still. As I said, this still leads to users trusting the chips. So I really like all these projects. They're really cool. Uhm, I wanted to look into a hacker laptop but they're expensive.
Uh, but I wanted to see what could be done for a piece of my private computation for critical situations and what could be done for downright paranoid users like me. What can I do in this situation? Uhm, can I build a cost effective low-level solution that offers maximum transparency? So, on our system, I, uh, I have Linux running on an FPGA along with some other chips so I know exactly what my CPU is doing. So, for those of you who aren't familiar with FPGAs - these are very special pieces of silicon. They're used by companies to make new chips. They are effectively blank slates of logic - so, if I write, uh, software in a hardware description language, which is what you program these in, and then I synthesize them with a bitstream generator, I get a very special piece of code that I can load onto this board which configures one specific type of chip in a very specific way so that it emulates the hardware device that I have designed. The hardware description language, which is the easiest way to program these FPGAs, is also what most companies use for actual chip fabrication nowadays. Uh, as I've mentioned earlier, right now these FPGAs are used for chip prototypes, but sometimes they're also used in special hardware applications where it's just not economical to fabricate chips themselves. So, they offer a lot of, uh, opportunities for hobbyists who want to design their own chips and they also offer people like me the opportunity to build a system where I know everything that's going on. Because I effectively have a processor running on there that acts just like true silicon, at a reduced clock rate of course. But I can do all my computation there, so our alternative is built on a cryptographic use case because that's about all I can do with this system. It runs good in Linux as I mentioned earlier. Uh, you can see the block diagram of that, uh, board over there. That's the DE0-Nano that we're using to run the software right now.
Uh, it's fully open-sourced hardware and software - right down to the chip designs of both major components. Although the board is not actually open-source hardware on the DE0-Nano side, I'm just talking about the chip there. Uh, we're using the Parallax Propeller for IO, so the Parallax Propeller acts as a terminal emulator similar to, uh, an older serial terminal. Uh, and then we have the OpenRISC CPU design - the mor1kx 68 with CPU running on it, FPGA, uh, running the OS, uh, operating system. So, we took the open ware CPU standard, we built a system around it, so it's got JTAG, it's got UART, it's got an SDRAM, but it's a fully functional processor. We've got a block diagram to explain this. So, we've got the OpenRISC mor1kx open source CPU that's hooked up to FPGA ROM and then it's got the JTAG interface there. We're gonna add a Parallax Propeller over 115200 baud serial and that's hooked up to the Propeller ROM where it stores the Spin code, so that's its native language that the Propeller understands. You may be familiar with the Propeller actually because that was used on some of the DEF CON badges in previous years. I believe the DEF CON 20 and the DEF CON 22 badges both used the Parallax Propeller. And then to actually interact with the system we have the keyboard over PS/2, uh, and a TFT LCD over SPI. [cough] So, the Linux, uh, image is built with most toolchains available for OpenRISC. Uh, OpenADK actually makes it really nice because you can download it and run make menuconfig and it's basically a smorgasbord where you can choose all your Linux tools and, uh, pick your architecture and it just builds the Linux image for you very nicely. You can even do some compression with it. Uh, we're loading it with OpenOCD (Open On-Chip Debugger) and the GNU debugger. The Propeller is programmed in Spin and it's using PropLoader of course to load it, which is an open source tool, and running OpenSpin.
And then the FPGA is programmed with the '.sof' OpenRISC image, which is generated using FuseSoC, and that's loaded onto the board using Intel Quartus - Intel acquired Altera a while back. So, now on to the results. The results are a bit complicated - so we have the final product here. Uh, in the upper right, kind of middle of the, uh, first picture there, you can see the DE0-Nano under those two fans. We have the Parallax Propeller; the fans are providing some downdraft airflow to cool the thing off. So, they look cool, I like fans. Uh, and I've got two batteries in there to power the thing that are a bit overkill; they're also fun to get through TSA. This device does not look suspicious at all. [laughter] We've got, uh, two power controllers there so that's making sure the batteries don't blow up, which is very important. On the picture on the right there you can see some of the cabling, so that's actually the wiring for the TFT LCD and, uh, the little wire at the top is the, uhm, serial output of the, uh, DE0-Nano board. So, this is where it gets a bit weird. So, it worked great, but it actually doesn't work now. Right before DEF CON, this was the morning before I flew out, the board all of a sudden was giving me a, some sort of strange error code. Error code 87 - can't scan JTAG chains. That doesn't look good. Let's go to Intel, uh, let's see. They want me to buy a new USB Blaster cable; if you look back here, uh, the USB Blaster is actually on the board, so they're asking me to buy another board. Turns out when you're flying out that morning you can't exactly get a DE0-Nano FPGA board. But I had a backup video. So, on this, if it's going to play properly. Come on! My bad... We have me holding a camera, looking at a screen, looking at the terminal output. This is the serial output of the processor running into xterm and it's gonna boot to a BusyBox console in a moment here. So we'll actually get to see the system running.
It runs on the TFT LCD but for visibility I had it running back into my laptop. So, we should get the BusyBox shell here and I'm now going to, with one hand, type 'cat /proc/cpuinfo' so... Just give me time. It's, it's harder than it looks. [laughter] There we go - so you can see the open source CPU there and I'm just gonna halt the system. Good. Done. So, FPGAs are no fun - turns out. Uh, the tools are massive - they are like six gigabytes, uh, compressed to download. Uh, and they're no fun to work with because there's a whole lot of stuff you need to mess around with just to get the board up and running. So, uh, as a result of this project I put together a thing called 'Build Script' - I'm probably gonna change that name. Uh, that takes the suck out of FPGAs, hopefully. So it downloads everything for you, hopefully. It loads the bitstream to the DE0-Nano after you've built it; it has a FuseSoC integration so it can use FuseSoC to, uh, build that image; uh, it can write GNU/Linux to memory, so you don't have to deal with OpenOCD or, uh, connecting over Telnet. Uh, it can program the Propeller and it's gonna have a hardware setup guide in a bit, because there's actually very hard to find documentation of where the serial output was when you loaded the thing up properly. Uh, it's a fully interactive piece of software. All code of course, 3D models, uh, guides will be available shortly at that link, which you can download, uh, from the DEF CON torrent server with this talk. So, I don't think I got to this earlier but this is the actual physical device that I built for myself. So you can see everything on the back there - it's got nice blinky lights 'cause that's of course what's important. We all know that's what you're after. Uhm, and if I had a keyboard with me I would be able to plug into this thing and run it. Before we go - one more thing - kind of broad-headed there.
AMD on Reddit recently has publicly stated they're strongly considering open sourcing their IME equivalent, uh, which is Platform Security Processor slash TrustZone. But unfortunately, and that was about three months ago, they haven't done anything since. But if they find it economically viable that would be really, really nice. This is an ongoing project - this system is not in its final state. This was built, uh, after school was over and about two months before DEF CON. I wanna add some RF side-channel hardening. Uh, the thing is already battery powered because, uh, if any of you are familiar with power-based side-channel power analysis for, uh, crypto attacks, they're very, very, very effective against FPGAs due to the design of the chip. So, I already addressed that by adding battery power to this thing, so it's not running off the AC, but I would also like to have it running with RF side-channel hardening, some sort of cage. Uhm, also look at increased system independency - you don't have to deal with all that programming stuff. I wanna add U-Boot but I haven't gotten there yet. Uh, if you're interested in this space, uh, you should check out some of this stuff. So I'm not expecting you to copy download links of course. As I said, go to the DEF CON torrent server and get this talk. [sneeze] I've got stuff in here about firmware, uh, NSA shipment hijacking, uh, there's some stuff that came out last year with the Windows golden keys where, uh, it kind of undermines Secure Boot when those keys got leaked. Uh, there's a lot of articles about Intel Management Engine and there's a lot of good information out there if you're interested in what's running inside your system. Uh, that's all documented here along with that link to the 'A2: Analog Malicious Hardware' paper. If you're interested in getting into OpenRISC or any of the open source processor stuff, that is on their, uhm, homepage - openrisc.io.
Along with the, uh, other resources. Uh, before we go though I would like to make some comments that this device is not meant to be a silver bullet for all hardware concerns. This was a, uh, project I had built for myself because I didn't like the state of hardware. What I want you to get out of this talk is that there are some problems with hardware, uh, there are some problems that people aren't addressing. Uh, I would like more control over my processor and I think there are other people who would like that too. And I think if we start talking about this, maybe we could push this for more open source hardware and more system transparency. Thank you. [applause] [cheering]