Black Hat DC 2009: Joanna Rutkowska on Intel TXT flaws
Date: Feb 20, 2009
In this Black Hat DC session excerpt, Joanna Rutkowska of Invisible Things Lab explains how she and researcher Rafal Wojtczuk found weaknesses in current Intel Trusted Execution Technology (TXT) implementations and how they can be exploited. Intel acknowledges that the bugs affect Intel mobile, desktop and server motherboards. The researchers plan to publish details of the bugs and exploits at the Black Hat USA conference at the end of July.
Read the full transcript from this video below:
Joanna Rutkowska: Welcome everybody. My name is Joanna Rutkowska; this is Rafal Wojtczuk. We are going to present attacking Intel Trusted Execution Technology today. We are from Invisible Things Lab, which is a small consulting company.
So today, we are going to talk about four subjects.
First, about Trusted Execution Technology and trusted computing. What is it? Why do we want to have it? Then, we're going to talk about attacking Trusted Execution Technology. We're going to show you some working exploits. And we're going to talk about implementation bugs which turn out to be crucial in exploiting TXT, in preparing this attack. And finally, we're going to talk more about the TXT design problem, because our attack exploits both the implementation problem and the design problem.
So, let's start with a short introduction to trusted computing and Trusted Execution Technology in particular. So, the basis for trusted computing is the TPM, the Trusted Platform Module chip, which is a passive, I'm stressing the word passive, a passive I/O device, which used to be located on the LPC bus. These days, it's usually located in part of the North Bridge; it's part of the chipset. Anyway, it has special registers which are called PCR registers, which we're going to talk about in a minute.
The most interesting things it can do is sealing and unsealing and sometimes quoting. And we're going to discuss it in just a moment.
So, PCR registers. PCR registers are somewhat funny because one cannot directly write to a PCR register. One can only extend a PCR register. The extend operation is illustrated here with this equation. The whole idea about extending is that a single PCR can hold multiple results. We can send one, two, three, four measurements to PCR, and PCR will still contain a hash. This hash will be unique to the sequence of values that have been stored in a particular PCR.
And, of course, it's feasible to set PCR to some specific value that we would like to have. So, if we want to set PCR to 0x11, 22, 33, 44, whatever, we cannot really do that.
What we can do, we can only start extending PCR and see what its value will be. And, of course, if we extend PCR with something and then extend it with something else, this is not equal to extending it with something else and then with something. So, this is used for the sealing and unsealing operation. We have a TPM chip and we have some subset of PCRs. I chose PCR 17, 18, 19 just because they play an important role in Trusted Execution Technology, which we're going to talk about later.
So, let's assume that some values have been stored in those registers. Then, we can tell the TPM to seal something in itself. For example, a crypto key. And then, the TPM will allow this value to be unsealed, to be extracted, only when those PCR registers match the values that were given when the sealing operation took place.
And we're going to show you some live demos that basically use the TPM seal and unseal programs. So, you see an example. Well, this is a piece of text. So, you want to seal a piece of text to a TPM, or by a TPM. So, we just, I have a secret TPM sealed data, this is standard in. And we seal it to my secret blob file. And we say that we want to seal it to the value of PCR 17, 18 and 19.
And then, assuming that in our system the PCR registers are exactly the same as they were during the seal operation, we can unseal it. If for some reason the PCR registers are different, have different values, the unseal operation fails. Besides that, we have a quote operation on PCRs; it can be used to securely report a part of the state of the PCRs, which means the state of PCR registers.
The quote command generates another packet, generates a blob that is digitally signed with the TPM internal key and contains the values of PCR registers. I can use only a subset of those. So, what is it used for?
The first use of the TPM is the static root of trust. A static root of trust for measurement can be used to implement secure boot this way. We have a TPM chip, we have those PCR registers and we have a boot sequence. The boot sequence starts with the BIOS code booting. If you want to do this really securely, we want to have some piece of immutable code, some piece of BIOS code that is stored in ROM, in read-only memory, that cannot be reflashed, for security reasons. This little piece of BIOS code is sometimes called CRTM, core root of trust for measurement.
So this piece of code, what it does first is measure itself. And what is in PCR 1? I forgot what is in PCR 1; you'll see a table just in a moment. What is more important is just the next step: just before it hands the execution to the BIOS flash, which contains all the rest that is reflashable, it first measures the BIOS. When I say measure, it means calculate the hash of the code, and we don't need ... [inaudible 07:25]. So, we calculate the hash of the code of this BIOS, and before we pass execution to this code we store this measurement in PCR 0. For example, this is a convention. I can choose any PCR I want; it's just by convention. You're going to see a little table on the right just in a moment that specifies which PCRs are usually used for what. So, these dotted lines are PCR extend operations.