
Hardware Exploitation

links: Further Topics - Index


Ring -1, -2, -3

[Figures: negative-rings.jpeg (rings -1 to -3 below the OS), os-rings.png (classic x86 protection rings)]

  • Ring -1: Hypervisor
    • VMware ESXi, Hyper-V, Xen, ...
    • Runs the OS kernel (ring 0) as a guest; the "negative ring" numbers are informal, not Intel terminology
  • Ring -2: SMM
    • System Management Mode
    • Entered via a System Management Interrupt (SMI); the CPU starts in a 16-bit, real-mode-like state
    • Handles platform events (power management, chipset errors, ...) invisibly to the OS and the hypervisor; its memory (SMRAM) is locked away from ring 0
  • Ring -3: Intel ME
    • Management Engine
    • Separate microcontroller in the chipset (!), with its own firmware
    • Runs as long as the board has standby power, i.e. even when your computer is "off"
    • Has its own TCP/IP stack and shares the network interface with the host
    • Runs a MINIX-based OS (ME 11 and later)
    • Access to screen, keyboard and mouse (KVM redirection)
    • Intel AMT

Intel ME / AMT: Active Management Technology is a web-based control panel (served by the ME on TCP ports 16992/16993) for remote access and administration. It operates independently of the operating system and works even when the system is turned off, as long as the platform is connected to line power and a network cable \(\rightarrow\) a vulnerability in 2017 (CVE-2017-5689, INTEL-SA-00075) allowed anyone to log in to this web interface without authentication: the firmware's HTTP Digest check compared the client's response hash using the length of the client-supplied string, so an empty response passed. https://thehackernews.com/2017/05/intel-amt-vulnerability.html
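The comparison bug behind that bypass, reproduced here as an added example (this is not Intel's firmware code; the expected hash value is a made-up placeholder, and the function names are ours): the vulnerable variant bounds `strncmp` by the length of the attacker's string, so an empty or truncated "response" matches, while the hardened variant requires equal lengths and compares every byte without an early exit.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder for the digest the server computes itself; not a real AMT value. */
#define EXPECTED_RESPONSE "5d41402abc4b2a76b9719d911017c592"

/* Vulnerable pattern (shape of the CVE-2017-5689 root cause): the compare
 * length comes from the client. strncmp(..., 0) returns 0 ("equal") without
 * looking at a single byte, and a correct prefix also passes. */
int digest_check_vulnerable(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/* Hardened: lengths must match, then all bytes are compared and the result
 * is accumulated without an early exit, so timing does not leak the match
 * position either. */
int digest_check_fixed(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed attempts: empty, correct prefix, correct, wrong. */
    const char *attempts[] = { "", "5d41", EXPECTED_RESPONSE,
                               "ffffffffffffffffffffffffffffffff" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("response=\"%s\"  vulnerable:%s  fixed:%s\n", attempts[i],
               digest_check_vulnerable(EXPECTED_RESPONSE, attempts[i]) ? "ACCEPT" : "reject",
               digest_check_fixed(EXPECTED_RESPONSE, attempts[i]) ? "ACCEPT" : "reject");
    return 0;
}
```

The same "attacker controls the compare length" mistake shows up in any code that passes `strlen(untrusted)` or `untrusted_len` to `strncmp`/`memcmp`; the fix is always to compare against the expected length, never the supplied one.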

Embedded Systems

  • Have their own CPU architecture and instruction set (ARM, MIPS, PowerPC, ...)
  • May or may not implement exploit mitigations
    • DEP / NX (needs CPU support plus OS)
    • ASLR (OS)
    • Stack canaries (compiler)
  • May or may not enable them by default; check the shipped binaries rather than assuming
  • May have to develop your own ROP technique for the architecture (fixed-width RISC instructions rule out unaligned gadgets; returns go through a link register or `pop {pc}` rather than `ret`)
  • Have to write your own shellcode (no off-the-shelf payloads, often no libc)
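A practitioner's first step on an embedded target is to check what mitigations the shipped binaries actually carry. The following added example (not from the page) is a minimal ELF64 inspector that reads two of the answers straight from the headers: whether the stack is non-executable (a `PT_GNU_STACK` program header without `PF_X`) and whether the image is position-independent (`ET_DYN`, the prerequisite for ASLR to relocate it). Canaries would need the symbol table (`__stack_chk_fail`) and are not covered. The two sample "binaries" are constructed header-only images, not real programs; the struct layouts are the standard ELF64 ones, and the code assumes a little-endian host like the files it parses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define EI_NIDENT    16
#define ET_EXEC      2
#define ET_DYN       3
#define EM_X86_64    62
#define PT_GNU_STACK 0x6474e551
#define PF_X         1

/* Standard ELF64 header layouts (64 and 56 bytes, no padding). */
typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr_;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Elf64_Phdr_;

struct mitigations { int valid, nx_stack, pie; uint16_t machine; };

/* Walk the program headers of an in-memory ELF64 image. */
struct mitigations inspect_elf(const unsigned char *buf, size_t len)
{
    struct mitigations m = { 0, 0, 0, 0 };
    Elf64_Ehdr_ eh;
    if (len < sizeof eh) return m;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */)
        return m;
    m.valid = 1;
    m.machine = eh.e_machine;
    m.pie = (eh.e_type == ET_DYN);
    /* No PT_GNU_STACK at all: the Linux loader falls back to an executable stack. */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        Elf64_Phdr_ ph;
        if (eh.e_phentsize < sizeof ph || off + sizeof ph > len) break;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            m.nx_stack = !(ph.p_flags & PF_X);
    }
    return m;
}

/* Constructed sample image: ELF header plus a single PT_GNU_STACK entry. */
size_t build_sample(unsigned char *out, int pie, int exec_stack)
{
    Elf64_Ehdr_ eh = { {0} };
    Elf64_Phdr_ ph = { 0 };
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;                 /* ELFCLASS64 */
    eh.e_ident[5] = 1;                 /* little-endian */
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = 4 | 2 | (exec_stack ? PF_X : 0);   /* PF_R | PF_W [| PF_X] */
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Build a sample and pack the verdict as valid<<2 | pie<<1 | nx_stack. */
int sample_report(int pie, int exec_stack)
{
    unsigned char buf[256];
    size_t n = build_sample(buf, pie, exec_stack);
    struct mitigations m = inspect_elf(buf, n);
    return (m.valid << 2) | (m.pie << 1) | m.nx_stack;
}

int main(int argc, char **argv)
{
    struct mitigations m;
    if (argc > 1) {                                   /* ./elfcheck <binary> */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        unsigned char *buf = malloc(1u << 20);        /* headers sit at the start */
        size_t n = buf ? fread(buf, 1, 1u << 20, f) : 0;
        fclose(f);
        m = inspect_elf(buf, n);
        free(buf);
    } else {
        unsigned char buf[256];
        m = inspect_elf(buf, build_sample(buf, 0, 1));   /* worst case: EXEC + RWX stack */
    }
    printf("valid=%d machine=%u pie=%d nx_stack=%d\n", m.valid, m.machine, m.pie, m.nx_stack);
    return 0;
}
```

Run it against a firmware-extracted binary and the machine field tells you which architecture you will be writing shellcode for; `pie=0` or `nx_stack=0` tells you which mitigations you will not have to defeat.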

Attacking Hardware

RAM Attack: Rowhammer

The Rowhammer attack exploits a reliability flaw in DRAM: repeatedly activating (hammering) one or two rows of memory cells causes charge to leak from cells in physically adjacent rows, and if the row is not refreshed in time a bit flips there. The flipped bits live in memory the attacker never had permission to write; Google Project Zero demonstrated in 2015 that flipping bits in page table entries this way gives an unprivileged process kernel-level read/write. An attacker needs to defeat the cache (with `clflush` or eviction) so that every access really reaches DRAM, and needs to know which physical rows neighbour the victim. Partial mitigations are ECC memory and Target Row Refresh (TRR) in newer DRAM, both of which have since been bypassed.
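The structure every Rowhammer test shares, as an added example (not from the page): two aggressor addresses are read in a tight loop with a cache-line flush between iterations so that each read re-opens the DRAM row, then the buffer is scanned for bits that no longer match the fill pattern. The aggressor offsets here are placeholders; a real attack picks addresses in rows physically adjacent to the victim, which requires knowing the DRAM address mapping (e.g. via huge pages or `/proc/self/pagemap`). On non-x86 hosts no flush is available, so the loop only hits the cache.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>
#define FLUSH(p) _mm_clflush(p)
#else
#define FLUSH(p) ((void)(p))   /* no clflush here: accesses stay in cache, DRAM is not hammered */
#endif

/* Count bits in buf that differ from the fill pattern and report where. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ pattern;
        if (diff)
            printf("flip at offset %zu: %02x -> %02x\n", i, pattern, buf[i]);
        while (diff) { flips++; diff &= diff - 1; }   /* popcount of changed bits */
    }
    return flips;
}

/* Fill the region, hammer two aggressor addresses, then scan for flips.
 * aggr1/aggr2 are byte offsets into region (placeholders: real attacks
 * choose them so they map to rows adjacent to the victim row). */
size_t hammer_and_scan(uint8_t *region, size_t len, size_t aggr1, size_t aggr2,
                       uint8_t pattern, unsigned long iterations)
{
    memset(region, pattern, len);
    volatile uint8_t *a = region + aggr1, *b = region + aggr2;
    for (unsigned long i = 0; i < iterations; i++) {
        (void)*a; (void)*b;                     /* activate both rows */
        FLUSH((void *)a); FLUSH((void *)b);     /* evict so the next read must go to DRAM */
    }
    return count_bit_flips(region, len, pattern);
}

/* Self-check of the scanner on a constructed buffer with three planted flips. */
size_t scanner_self_check(void)
{
    uint8_t buf[64];
    memset(buf, 0xFF, sizeof buf);
    buf[3] ^= 0x01;
    buf[40] ^= 0x81;
    return count_bit_flips(buf, sizeof buf, 0xFF);   /* 3 */
}

int main(void)
{
    size_t len = 4u << 20;                 /* 4 MiB sample region */
    uint8_t *region = malloc(len);
    if (!region) return 1;
    /* Placeholder aggressors 2 MiB apart; 1e6 iterations is a short run,
     * real tests hammer for far longer and over many address pairs. */
    size_t flips = hammer_and_scan(region, len, 0, 2u << 20, 0xFF, 1000000UL);
    printf("%zu bit flips observed\n", flips);
    free(region);
    return 0;
}
```

Zero flips on a short run proves nothing about the DIMM; susceptibility only shows up with adjacent-row aggressors, long hammering and both 0xFF and 0x00 fill patterns (flips go in both directions).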

Meltdown / Spectre

Meltdown and Spectre (both published January 2018) are transient-execution attacks: the CPU executes instructions ahead of time that it later discards, but their effect on the cache remains and can be read back with a timing side channel such as Flush+Reload. Meltdown (CVE-2017-5754) lets an unprivileged process read kernel memory: on affected Intel CPUs a load from a kernel address that will fault still forwards its value to dependent instructions before the fault is delivered, and those instructions encode the byte into the cache. The mitigation is kernel page-table isolation (KPTI). Spectre (variant 1, CVE-2017-5753, bounds-check bypass; variant 2, CVE-2017-5715, branch target injection) instead trains the branch predictor so that the victim itself speculatively runs a code path that touches memory based on a secret; it affects Intel, AMD and ARM alike, and is mitigated in software by index masking or `lfence` fences (v1) and retpolines or IBRS (v2).
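The variant 1 gadget and the mitigation the Linux kernel applies to it, as an added example (not from the page or from Kocher et al.'s proof of concept): the bounds check is architecturally correct, but a trained predictor runs the body speculatively for an out-of-range index, so `array1[x]` reads whatever lies at that offset (the original PoC chooses `x` so it lands on a secret string) and the second access pulls a cache line selected by the secret byte. `array_index_mask_nospec` is the kernel's branchless clamp: it yields an all-ones mask in bounds and zero out of bounds, so the speculative path can only ever read `array1[0]`. The arrays and the secret are constructed sample data; the cache-timing readout is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 64];                 /* one cache line per possible byte value */
static const char secret[] = "The Magic Words are Squeamish Ossifrage";  /* sample secret */

/* Vulnerable: correct in program order, but for x >= ARRAY1_SIZE the body may
 * execute speculatively, touching array2[secret_byte * 64]. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 64];
    return 0;
}

/* Linux's generic array_index_mask_nospec(): ~0 when index < size, else 0,
 * computed without a conditional branch the predictor could mispredict.
 * Relies on the arithmetic right shift gcc/clang perform on signed values. */
static inline size_t array_index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(intptr_t)(index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1));
}

/* Index clamped to the array even on a mispredicted path. */
size_t clamped_index(size_t x)
{
    return x & array_index_mask_nospec(x, ARRAY1_SIZE);
}

/* Hardened: same behaviour for valid x, but an out-of-range x reads array1[0]
 * during speculation instead of attacker-chosen memory. */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x = clamped_index(x);
        return array2[array1[x] * 64];
    }
    return 0;
}

int main(void)
{
    /* The "malicious" index the PoC would use: distance from array1 to the secret. */
    size_t evil = (size_t)((uintptr_t)secret - (uintptr_t)array1);
    printf("in-range index 5  -> mask %zx, clamped %zu\n",
           array_index_mask_nospec(5, ARRAY1_SIZE), clamped_index(5));
    printf("evil index %zu -> mask %zx, clamped %zu\n",
           evil, array_index_mask_nospec(evil, ARRAY1_SIZE), clamped_index(evil));
    printf("victims agree on valid input: %d\n", victim_vulnerable(3) == victim_hardened(3));
    return 0;
}
```

Note that the mask only protects the gadget it is applied to; the kernel pairs it with `lfence`-based speculation barriers where masking is impractical, and none of this helps against variant 2, which needs retpolines or hardware controls.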

RIDL / Fallout

RIDL (Rogue In-Flight Data Load) and Fallout, published in May 2019 and grouped by Intel under Microarchitectural Data Sampling (MDS), are transient-execution attacks that leak data from small internal CPU buffers rather than from the cache. RIDL samples whatever is in flight through the Line Fill Buffers and Load Ports (CVE-2018-12130, CVE-2018-12127), while Fallout reads back recently written values from the Store Buffer (CVE-2018-12126). Because the buffers are shared by everything that runs on a physical core, the leak crosses process, kernel/user, VM and SGX boundaries, exposing passwords, encryption keys and other secrets of a victim on the sibling hyperthread. Mitigation requires a microcode update plus a kernel that clears the buffers (the `VERW` instruction with MD_CLEAR support) on every privilege transition, and disabling SMT to close the cross-thread channel completely.
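For the Meltdown, Spectre and MDS family, the first check a practitioner makes on a Linux host is the kernel's own status report under `/sys/devices/system/cpu/vulnerabilities/`, one file per flaw (`meltdown`, `spectre_v1`, `spectre_v2`, `mds`, ...) holding a single line that starts with `Mitigation:`, `Vulnerable` or `Not affected`. The following added example (not from the page) classifies such lines, flags the `SMT vulnerable` suffix that means a sibling hyperthread can still attack, and walks the directory when it exists. The status lines in `sample_lines[]` are constructed in the kernel's format, not captured from a real machine.

```c
#include <stdio.h>
#include <string.h>
#include <dirent.h>

enum vuln_state { STATE_UNKNOWN = 0, STATE_NOT_AFFECTED, STATE_MITIGATED, STATE_VULNERABLE };

/* Classify one sysfs vulnerability status line by its leading keyword. */
enum vuln_state classify_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return STATE_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATE_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATE_VULNERABLE;  /* "Vulnerable" or "Vulnerable: ..." */
    return STATE_UNKNOWN;
}

/* MDS/RIDL need a co-resident hyperthread; the kernel says so explicitly. */
int smt_exposed(const char *line)
{
    return strstr(line, "SMT vulnerable") != NULL;
}

/* Number of status lines that report the CPU as still Vulnerable. */
size_t count_vulnerable(const char *const *lines, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_status(lines[i]) == STATE_VULNERABLE)
            bad++;
    return bad;
}

/* Constructed sample in the kernel's format: meltdown, spectre_v1, mds, l1tf. */
static const char *const sample_names[] = { "meltdown", "spectre_v1", "mds", "l1tf" };
static const char *const sample_lines[] = {
    "Mitigation: PTI",
    "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Not affected",
};
#define SAMPLE_COUNT (sizeof sample_lines / sizeof sample_lines[0])

static const char *state_name(enum vuln_state s)
{
    static const char *const names[] = { "unknown", "not affected", "mitigated", "VULNERABLE" };
    return names[s];
}

int main(void)
{
    const char *dir = "/sys/devices/system/cpu/vulnerabilities";
    DIR *d = opendir(dir);
    if (!d) {
        printf("%s not present (not Linux?), showing constructed samples:\n", dir);
        for (size_t i = 0; i < SAMPLE_COUNT; i++)
            printf("%-12s %-13s smt=%d  %s\n", sample_names[i],
                   state_name(classify_status(sample_lines[i])),
                   smt_exposed(sample_lines[i]), sample_lines[i]);
        return 0;
    }
    struct dirent *e;
    char path[512], line[256];
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        if (fgets(line, sizeof line, f)) {
            line[strcspn(line, "\n")] = '\0';
            printf("%-24s %-13s smt=%d  %s\n", e->d_name,
                   state_name(classify_status(line)), smt_exposed(line), line);
        }
        fclose(f);
    }
    closedir(d);
    return 0;
}
```

The `Vulnerable: ... no microcode` case is the one to watch for on older embedded or server boards: the kernel has the mitigation code but the CPU never received the microcode that makes `VERW` actually clear the buffers.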

Pathfinder

The Pathfinder attack, revealed in May 2024, targets the conditional branch predictor of Intel CPUs. By manipulating its components, the Path History Register (PHR) and the Pattern History Tables (PHTs), an attacker can both read the victim's recent control-flow history from the PHR and inject mispredictions at chosen branches. The authors demonstrated recovering an AES key and reconstructing images being processed by libjpeg. It builds on Spectre-style techniques and gives a much higher-resolution view of victim control flow than earlier predictor attacks, significantly increasing the attack surface.

Conclusion

  • x86 hardware has layers below the OS (hypervisor, SMM, ME) that we cannot inspect or control and that have had serious vulnerabilities
  • Most embedded platforms are very insecure: few mitigations, rarely enabled
  • Our hardware itself is insecure: DRAM (Rowhammer) and CPU microarchitecture (Meltdown, Spectre, MDS, Pathfinder) leak or corrupt data regardless of software correctness
  • Nothing can be trusted
