
Hardware 1101: Intel SPI Analysis


OpenSecurityTraining2

About This Course

In the OST2 Arch4001: Intel Firmware Attack & Defense class, as we deep-dive into how an OS-resident attacker can attempt to rewrite the SPI flash chip where the UEFI BIOS lives, we stop our deep dive at the Intel Memory Mapped Input/Output (MMIO) interface. This is a special memory range containing registers which, if poked in just the right way, cause reads and writes to the SPI flash chip to "magically" happen. But wouldn't it be nice to see what's behind the magic? And sniff the actual SPI commands that are issued on the SPI bus by the Intel hardware to the SPI flash chip? In this workshop we go down to that level!


In this class we'll use a Saleae logic analyzer to connect to the SPI flash chip and see:

1) What flash transactions naturally occur at boot time, and how to graph that traffic to look for double-fetch vulnerabilities in firmware like [1].

2) How researchers have used the ability to watch x86 SPI traffic as a trigger reference for fault injection when targeting the AMD analog of the CSME (the Platform Security Processor), which runs before the main x86 to achieve SecureBoot [2].

3) How to visualize SPI accesses to detect TOCTOU attacks

4) What it looks like for SPI flash transactions to be occurring at the behest of the Intel Converged Security And Management Engine (CSME) at the same time as they're occurring for the main x86 CPU

5) What happens if we manually issue specific Intel MMIO interface commands from within Windows or a UEFI shell

6) A bit about how to read SPI flash part datasheets to interpret the traffic we're seeing in the logic analyzer. And how tools like the Dediprog have an engineering interface that allows sending arbitrary SPI commands, which can be helpful when you're trying to check your understanding of the datasheet.

7) What kind of commands are sent by a Dediprog SPI flash reader/writer behind the scenes when it attempts to identify a chip, and a possible workaround if it fails
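As an added illustration of points 1 and 3 (not part of the course materials or of Saleae's software), the following decodes chip-select frames captured on the flash's MOSI line into standard JEDEC SPI NOR commands and flags flash ranges that were fetched more than once. The frame list is constructed sample data; a real run would be fed from a logic-analyzer SPI export.

```python
"""Decode SPI NOR READ/FAST READ frames and report double fetches of the same flash bytes."""

# Standard JEDEC SPI NOR opcodes (3-byte address variants).
READ, FAST_READ, RDID, RDSR, WREN = 0x03, 0x0B, 0x9F, 0x05, 0x06

def decode_frame(mosi):
    """Decode one CS-asserted frame (MOSI bytes) into (name, address, data_len).

    Only READ/FAST_READ carry an address; data_len is the number of bytes clocked
    after opcode + 24-bit address (+ one dummy byte for FAST_READ).
    """
    if not mosi:
        return None
    op = mosi[0]
    if op in (READ, FAST_READ) and len(mosi) >= 4:
        addr = (mosi[1] << 16) | (mosi[2] << 8) | mosi[3]
        hdr = 5 if op == FAST_READ else 4  # FAST READ has 1 dummy byte
        n = max(len(mosi) - hdr, 0)
        return ("FAST_READ" if op == FAST_READ else "READ", addr, n)
    names = {RDID: "RDID", RDSR: "RDSR", WREN: "WREN"}
    return (names.get(op, "OP_%02X" % op), None, 0)

def find_double_fetches(frames):
    """Return [(overlap_start, overlap_end, first_ts, later_ts)] for flash byte
    ranges read more than once. Each such gap is a window where the contents on the
    chip could differ between the two reads, which is the TOCTOU pattern to look for."""
    reads, hits = [], []
    for ts, mosi in frames:
        d = decode_frame(mosi)
        if not d or d[1] is None or d[2] == 0:
            continue
        s, e = d[1], d[1] + d[2]
        for ps, pe, pts in reads:
            lo, hi = max(s, ps), min(e, pe)
            if lo < hi:
                hits.append((lo, hi, pts, ts))
        reads.append((s, e, ts))
    return hits

# Constructed sample capture: (timestamp_s, MOSI bytes of one chip-select frame).
SAMPLE_FRAMES = [
    (0.00001, bytes([RDID, 0, 0, 0])),                           # controller identifies the part
    (0.0002, bytes([READ, 0x00, 0x10, 0x00]) + bytes(64)),       # READ 64 bytes @ 0x001000
    (0.0004, bytes([FAST_READ, 0x00, 0x20, 0x00, 0x00]) + bytes(64)),  # FAST READ @ 0x002000
    (0.0031, bytes([READ, 0x00, 0x10, 0x20]) + bytes(64)),       # READ @ 0x001020, overlaps 1st
]

if __name__ == "__main__":
    for lo, hi, t1, t2 in find_double_fetches(SAMPLE_FRAMES):
        print("double fetch of 0x%06X-0x%06X at %.6fs and %.6fs" % (lo, hi, t1, t2))
```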


[1] https://conference.hitb.org/hitbsecconf2019ams/materials/D1T1%20-%20Toctou%20Attacks%20Against%20Secure%20Boot%20-%20Trammell%20Hudson%20&%20Peter%20Bosch.pdf

[2] https://github.com/PSPReverse/amd-sp-glitch

[3] https://github.com/ptresearch/IntelTXE-PoC

Requirements

You should ideally have already gone through the MMIO SPI access section in Arch4001, but all of the class other than the MMIO section can be done without that.

You will also need a Saleae Pro-grade logic analyzer ($1000 and up).

Course Staff


Xeno Kovah

Xeno founded OpenSecurityTraining(1) in 2011 to share his and others' trainings more widely. He relaunched OpenSecurityTraining2 in 2021.

Xeno's from Minnesota and has a BS in CS from UMN. He received an MS in computer security from Carnegie Mellon through the National Science Foundation "CyberCorps Scholarship for Service". But the US government didn't really yet know what to do with "cyber" people in 2007; so he ended up going to work for a Federally Funded Research and Development Center - MITRE. Xeno worked exclusively on internally funded research projects, first as a participant and later as a leader on Windows kernel malware detection and trusted computing projects. Towards the end, other cool researchers inspired him to dig into BIOS and firmware level threats.

Xeno left MITRE to start an independent consultancy, LegbaCore, with Corey Kallenberg in 2015. Less than a year later, under mysterious circumstances that he's legally prevented from stating, he started working for Apple. While at Apple he helped get SecureBoot on Macs with the addition of the T2 chip. He also led the SecureBoot design and implementation project for the ARM-based M1 Macs. But between those big, visible, multi-year, projects, he was silently improving the security of a bunch of the 3rd party peripheral processors' hardware and firmware. He liked working at Apple because he had a bully pulpit where he could force 3rd parties to do the right thing or lose their business. But he likes OST better, so he left in 2020 to work on this full time.

Xeno has a touch of the illness known as being a "collector" (it's not quite to the level of being a "hoarder", so he can't get on TV for it or anything...) Consequently he collects speaker badges and has presented at IEEE S&P, ACM CCS, BlackHat USA/EUR, Defcon, CanSecWest, PacSec, Hardwear.io NL, Hack in the Box KUL/AMS/GSEC, H2HC, Microsoft BlueHat, Shmoocon, Hack.lu, NoHat, Hacktivity, HackFest, NoSuchCon, SummerCon, RSA, ToorCon, DeepSec, VirusBulletin, MIRCon, AusCERT, Trusted Infrastructure Workshop, NIST NICE Workshop, and the DOD Information Assurance Symposium. And yet he still says "MORE!"
