0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/745 Thanks! 1 00:00:13,620 --> 00:00:15,569 Imagine you're running a PLC 2 00:00:15,570 --> 00:00:17,849 in your industry application 3 00:00:17,850 --> 00:00:18,850 and 4 00:00:19,720 --> 00:00:21,190 some attacker comes along, 5 00:00:22,690 --> 00:00:25,629 twiddles a bit with your I/O controller 6 00:00:25,630 --> 00:00:27,969 and you have no chance of noticing 7 00:00:27,970 --> 00:00:30,459 anything. This 8 00:00:30,460 --> 00:00:33,009 sounds a bit like a bad horror story, 9 00:00:33,010 --> 00:00:35,079 but our next speakers will tell you that 10 00:00:35,080 --> 00:00:37,179 this is not just a story, it's real. 11 00:00:38,410 --> 00:00:40,569 Please give a warm round of applause to 12 00:00:40,570 --> 00:00:42,189 Ali Abbasi and Majid. 13 00:00:50,280 --> 00:00:51,719 Thanks. 14 00:00:51,720 --> 00:00:52,720 Hi, everybody. 15 00:00:53,490 --> 00:00:56,129 Welcome to our talk about designing 16 00:00:56,130 --> 00:00:58,419 an undetectable programmable logic controller 17 00:00:58,420 --> 00:01:00,869 rootkit via pin control attack. 18 00:01:00,870 --> 00:01:03,389 My name is Ali Abbasi and I am a student 19 00:01:03,390 --> 00:01:05,699 at the Distributed and Embedded Systems 20 00:01:05,700 --> 00:01:07,559 Security Group at the University of 21 00:01:07,560 --> 00:01:10,049 Twente in the Netherlands and a 22 00:01:10,050 --> 00:01:12,149 visiting researcher at the chair of 23 00:01:12,150 --> 00:01:14,459 System Security of the University of Bochum 24 00:01:14,460 --> 00:01:15,689 in Germany right now. 25 00:01:15,690 --> 00:01:18,059 And my colleague, Majid Hashemi. 26 00:01:18,060 --> 00:01:20,969 I'm a research and development engineer. 
27 00:01:20,970 --> 00:01:22,739 I studied computer science and I have my 28 00:01:22,740 --> 00:01:24,959 master's in artificial intelligence. 29 00:01:24,960 --> 00:01:26,549 My main area of research is reverse 30 00:01:26,550 --> 00:01:28,829 engineering and I'm involved in 31 00:01:28,830 --> 00:01:30,749 system-level security of the PLCs, 32 00:01:30,750 --> 00:01:32,849 which I have been working on with Ali lately. 33 00:01:34,110 --> 00:01:35,489 All right. 34 00:01:35,490 --> 00:01:38,159 Actually, when I 35 00:01:38,160 --> 00:01:40,349 came here, I saw this 36 00:01:40,350 --> 00:01:42,509 picture which was 37 00:01:42,510 --> 00:01:44,489 saying, choose your side. After trying 38 00:01:44,490 --> 00:01:46,980 this, I have to say I choose Club-Mate. 39 00:01:51,990 --> 00:01:54,929 OK, so 40 00:01:54,930 --> 00:01:56,519 first we start with giving you a 41 00:01:56,520 --> 00:01:59,549 background on process control 42 00:01:59,550 --> 00:02:02,039 and some other background 43 00:02:02,040 --> 00:02:04,139 on existing active attacks 44 00:02:04,140 --> 00:02:06,599 and defenses against PLCs. 45 00:02:06,600 --> 00:02:08,159 This is very essential for our attack 46 00:02:08,160 --> 00:02:10,409 because it describes why 47 00:02:10,410 --> 00:02:12,239 we are doing our attack, and then 48 00:02:12,240 --> 00:02:13,889 it makes sense when you are assuming that 49 00:02:13,890 --> 00:02:15,260 you have active defenses. 50 00:02:16,710 --> 00:02:18,869 We will also look at 51 00:02:18,870 --> 00:02:21,359 which one of these defenses, generally 52 00:02:21,360 --> 00:02:23,139 for embedded systems, can be applied to 53 00:02:23,140 --> 00:02:24,140 PLCs. 54 00:02:25,260 --> 00:02:27,389 Then we will give you the core 55 00:02:27,390 --> 00:02:29,309 part, the background on pin control. 56 00:02:29,310 --> 00:02:31,439 And what is 57 00:02:31,440 --> 00:02:33,239 the problem with pin control? 
58 00:02:33,240 --> 00:02:35,309 We introduce our rootkit variant of 59 00:02:35,310 --> 00:02:37,439 our attack and non-rootkit variants 60 00:02:37,440 --> 00:02:39,749 and will have some demos, videos 61 00:02:39,750 --> 00:02:43,259 actually, and discussions. 62 00:02:43,260 --> 00:02:45,569 So again, before 63 00:02:45,570 --> 00:02:47,609 we start, because there was lots of media 64 00:02:47,610 --> 00:02:49,979 hype about our work, I want to clarify 65 00:02:49,980 --> 00:02:52,319 what this talk is 66 00:02:52,320 --> 00:02:52,829 about. 67 00:02:52,830 --> 00:02:54,989 First of all, we only want to 68 00:02:54,990 --> 00:02:57,899 uncover existing design flaws in PLCs, 69 00:02:57,900 --> 00:03:00,149 and we believe that they can 70 00:03:00,150 --> 00:03:02,639 be used in future by attackers, assuming 71 00:03:02,640 --> 00:03:04,509 that you have active defenses within the 72 00:03:04,510 --> 00:03:05,510 PLCs. 73 00:03:06,120 --> 00:03:08,249 And of course, 74 00:03:08,250 --> 00:03:09,899 this is not a new generation of 75 00:03:09,900 --> 00:03:10,900 Stuxnet. 76 00:03:12,180 --> 00:03:13,859 So we are not going to unveil any fully 77 00:03:13,860 --> 00:03:16,079 functional rootkit, like 78 00:03:16,080 --> 00:03:17,489 a single binary that you can run 79 00:03:17,490 --> 00:03:18,809 everywhere, no matter what the 80 00:03:18,810 --> 00:03:20,490 operating system or underlying 81 00:03:21,630 --> 00:03:23,489 architecture of the device is. 82 00:03:23,490 --> 00:03:25,319 This is also not about any exploitation 83 00:03:25,320 --> 00:03:27,239 technique or any vulnerability discovery 84 00:03:27,240 --> 00:03:28,229 technique. 85 00:03:28,230 --> 00:03:30,149 And also we are not going to mention any 86 00:03:30,150 --> 00:03:31,049 vendor name. 87 00:03:31,050 --> 00:03:33,210 So no names and shames. 
88 00:03:34,530 --> 00:03:36,119 First of all, we are going to start to 89 00:03:36,120 --> 00:03:38,429 give you a basic overview about 90 00:03:38,430 --> 00:03:40,919 industrial control system networks. 91 00:03:40,920 --> 00:03:43,079 So generally, 92 00:03:43,080 --> 00:03:45,359 ICS networks consist of three main 93 00:03:45,360 --> 00:03:46,289 parts. 94 00:03:46,290 --> 00:03:49,019 The first one is the IT. 95 00:03:49,020 --> 00:03:50,879 This is your corporate LAN where you 96 00:03:50,880 --> 00:03:52,799 have the Active Directory, your mail 97 00:03:52,800 --> 00:03:54,899 server, the file sharing server. 98 00:03:54,900 --> 00:03:57,119 And it is in this area of the network 99 00:03:57,120 --> 00:03:59,279 that you have the workstations, 100 00:03:59,280 --> 00:04:01,049 where the users are surfing the web, 101 00:04:01,050 --> 00:04:03,379 downloading files and executing them. 102 00:04:03,380 --> 00:04:05,669 And then the next part is operational 103 00:04:05,670 --> 00:04:07,109 technology or OT. 104 00:04:07,110 --> 00:04:09,329 This is our SCADA network part. 105 00:04:09,330 --> 00:04:11,189 This is where we have the SCADA systems 106 00:04:11,190 --> 00:04:12,679 and the PLCs. 107 00:04:12,680 --> 00:04:13,949 And finally, we have the physical 108 00:04:13,950 --> 00:04:15,329 application layer. 109 00:04:15,330 --> 00:04:17,699 This is where we have 110 00:04:17,700 --> 00:04:19,648 the physical elements of our network, 111 00:04:19,649 --> 00:04:22,709 like the sensors, the gates, the valves 112 00:04:22,710 --> 00:04:25,289 and the ports. 113 00:04:25,290 --> 00:04:27,419 And it's interesting to note that 114 00:04:27,420 --> 00:04:29,489 this part of the network is controlled and 115 00:04:29,490 --> 00:04:31,859 monitored by the operational technology, 116 00:04:31,860 --> 00:04:34,049 actually by the OT network part. 
117 00:04:35,490 --> 00:04:38,039 And when the attacker is trying to attack 118 00:04:38,040 --> 00:04:40,199 an industrial network, the final 119 00:04:40,200 --> 00:04:42,359 goal could be to affect and 120 00:04:42,360 --> 00:04:45,149 cause damage to the physical application. 121 00:04:45,150 --> 00:04:47,669 To get a better understanding 122 00:04:47,670 --> 00:04:49,169 of this kind of attack, 123 00:04:49,170 --> 00:04:51,119 it's important to understand process 124 00:04:51,120 --> 00:04:52,120 control. 125 00:04:52,920 --> 00:04:55,409 One of the simplest 126 00:04:55,410 --> 00:04:57,509 examples of process control could be 127 00:04:57,510 --> 00:04:58,529 a thermostat. 128 00:04:58,530 --> 00:05:00,959 So back in the old days, 129 00:05:00,960 --> 00:05:03,719 when you wanted to increase or decrease 130 00:05:03,720 --> 00:05:05,339 the temperature of your room, you had to 131 00:05:05,340 --> 00:05:06,539 do it manually. 132 00:05:06,540 --> 00:05:08,669 But now you can get 133 00:05:08,670 --> 00:05:10,919 a thermostat, configure it once 134 00:05:10,920 --> 00:05:12,269 to your desired value, 135 00:05:12,270 --> 00:05:13,829 and then it's the thermostat that will do 136 00:05:13,830 --> 00:05:15,449 the job for you to increase or decrease 137 00:05:15,450 --> 00:05:16,679 the temperature. 138 00:05:18,030 --> 00:05:20,309 The control loop in the thermostat starts 139 00:05:20,310 --> 00:05:22,679 by reading a value from a temperature 140 00:05:22,680 --> 00:05:24,809 sensor. This value then goes as input to 141 00:05:24,810 --> 00:05:26,459 the control system. 142 00:05:26,460 --> 00:05:28,289 And it is in this particular part 143 00:05:28,290 --> 00:05:29,549 that the thermostat is going to make a 144 00:05:29,550 --> 00:05:31,949 decision about what to do next, 145 00:05:31,950 --> 00:05:33,959 like whether to increase or decrease the 146 00:05:33,960 --> 00:05:34,919 temperature. 
147 00:05:34,920 --> 00:05:37,139 And then the result of this 148 00:05:37,140 --> 00:05:38,729 goes as a command to your physical 149 00:05:38,730 --> 00:05:40,379 process, which could be your heating 150 00:05:40,380 --> 00:05:41,279 system. 151 00:05:41,280 --> 00:05:43,619 And this loop will continue 152 00:05:43,620 --> 00:05:44,620 over and over. 153 00:05:46,530 --> 00:05:48,629 But 154 00:05:48,630 --> 00:05:50,609 on the larger scale, things are much 155 00:05:50,610 --> 00:05:52,799 more complex than a simple thermostat. 156 00:05:52,800 --> 00:05:55,469 So that's why we're using the PLC. 157 00:05:55,470 --> 00:05:57,809 The PLC or programmable 158 00:05:57,810 --> 00:06:00,029 logic controller is one 159 00:06:00,030 --> 00:06:02,039 of the main components of every ICS 160 00:06:02,040 --> 00:06:03,040 network. 161 00:06:03,630 --> 00:06:05,849 The PLCs are simply embedded 162 00:06:05,850 --> 00:06:07,739 devices running a real-time 163 00:06:07,740 --> 00:06:10,289 operating system, and they're programmed 164 00:06:10,290 --> 00:06:11,489 using logic. 165 00:06:11,490 --> 00:06:13,019 So the logic. 166 00:06:13,020 --> 00:06:14,939 So the logic is simply a program that 167 00:06:14,940 --> 00:06:15,899 a PLC 168 00:06:15,900 --> 00:06:17,909 executes, and it will make the PLC 169 00:06:17,910 --> 00:06:19,889 actually do something. 170 00:06:19,890 --> 00:06:21,509 It will define the rules of what the 171 00:06:21,510 --> 00:06:23,160 PLC should or should not do. 
172 00:06:24,840 --> 00:06:26,489 And as you can see, to give a few 173 00:06:26,490 --> 00:06:29,039 simple examples about the logic, it is like: 174 00:06:29,040 --> 00:06:31,199 if the input from 175 00:06:31,200 --> 00:06:33,599 the I/O 1 and the input 176 00:06:33,600 --> 00:06:35,609 of I/O 2 are enabled or something, then it 177 00:06:35,610 --> 00:06:38,069 will update some output on the PLC, 178 00:06:38,070 --> 00:06:39,120 and the other examples. 179 00:06:40,930 --> 00:06:43,359 So let's take a look at how a PLC 180 00:06:43,360 --> 00:06:45,309 with logic works. We are going to stick 181 00:06:45,310 --> 00:06:47,739 still with our thermostat example. 182 00:06:47,740 --> 00:06:50,109 So we have a temperature 183 00:06:50,110 --> 00:06:52,599 sensor, and 184 00:06:52,600 --> 00:06:54,159 the PLC, actually the logic inside the 185 00:06:54,160 --> 00:06:56,349 PLC, reads a value 186 00:06:56,350 --> 00:06:57,849 from the sensor. 187 00:06:57,850 --> 00:07:00,129 It will make a decision based 188 00:07:00,130 --> 00:07:01,209 on that input. 189 00:07:01,210 --> 00:07:03,399 And as a result, it will update 190 00:07:03,400 --> 00:07:05,529 some output to the physical I/O. 191 00:07:08,590 --> 00:07:09,590 But, you know, 192 00:07:10,820 --> 00:07:13,299 some small changes in the temperature 193 00:07:13,300 --> 00:07:15,669 of your room may not make any problem 194 00:07:15,670 --> 00:07:17,979 for you, but a small change could 195 00:07:17,980 --> 00:07:19,959 pose a real threat, could be 196 00:07:19,960 --> 00:07:22,209 really dangerous in an industrial 197 00:07:22,210 --> 00:07:23,259 network. That's why 198 00:07:24,730 --> 00:07:26,829 we are using the control algorithms. 199 00:07:26,830 --> 00:07:28,989 This kind of algorithm is to 200 00:07:28,990 --> 00:07:31,389 calculate the risk of some operation. 
201 00:07:31,390 --> 00:07:33,279 For example, let's imagine that in 202 00:07:33,280 --> 00:07:34,629 your logic you have defined that the 203 00:07:34,630 --> 00:07:37,119 temperature should not go higher than 20. 204 00:07:37,120 --> 00:07:38,979 And if in the last iteration of the 205 00:07:38,980 --> 00:07:40,779 control loop the temperature is 206 00:07:40,780 --> 00:07:43,089 something like 19.95, 207 00:07:43,090 --> 00:07:44,709 here by this kind of algorithm, for 208 00:07:44,710 --> 00:07:46,149 example PID, we are going to 209 00:07:46,150 --> 00:07:48,429 calculate what will happen 210 00:07:48,430 --> 00:07:51,109 if the loop turns once more, and 211 00:07:51,110 --> 00:07:52,240 what, and 212 00:07:53,560 --> 00:07:55,869 should we just halt the process right now, 213 00:07:55,870 --> 00:07:57,969 or it's not really dangerous so we 214 00:07:57,970 --> 00:07:59,829 can let the loop turn once more. 215 00:08:01,800 --> 00:08:03,929 OK, now that we have some basic 216 00:08:03,930 --> 00:08:06,119 understanding about the ICS network, 217 00:08:06,120 --> 00:08:07,889 I'm going to give you some introduction 218 00:08:07,890 --> 00:08:10,049 about the attacks and defenses against 219 00:08:10,050 --> 00:08:11,050 embedded systems. 220 00:08:12,940 --> 00:08:15,159 OK, so one of the simplest attacks 221 00:08:15,160 --> 00:08:16,269 against almost 222 00:08:17,620 --> 00:08:19,629 all embedded devices is the 223 00:08:19,630 --> 00:08:21,489 authentication bypass. 224 00:08:21,490 --> 00:08:23,619 It's dumb because it's the story of the 225 00:08:23,620 --> 00:08:26,109 default passwords; it's so easy to 226 00:08:26,110 --> 00:08:28,449 change it, 227 00:08:28,450 --> 00:08:30,499 to be protected against it. 228 00:08:30,500 --> 00:08:32,229 But unfortunately, we're seeing it almost 229 00:08:32,230 --> 00:08:34,749 everywhere; it's really general. 
230 00:08:34,750 --> 00:08:36,038 It's really common. 231 00:08:36,039 --> 00:08:38,769 Then we have the firmware or logic 232 00:08:38,770 --> 00:08:41,749 modification, when the attacker can take 233 00:08:41,750 --> 00:08:44,019 a firmware image, do some modification 234 00:08:44,020 --> 00:08:45,819 and then upload the malicious 235 00:08:45,820 --> 00:08:48,219 firmware to the device. As well, 236 00:08:48,220 --> 00:08:50,169 the attackers can do the same thing with 237 00:08:50,170 --> 00:08:52,149 the logic. They can manipulate the logic 238 00:08:52,150 --> 00:08:53,709 and then upload the malicious logic to 239 00:08:53,710 --> 00:08:56,049 the devices. But another class 240 00:08:56,050 --> 00:08:57,529 of attack here is the control flow 241 00:08:57,530 --> 00:08:59,849 attacks, which have existed 242 00:08:59,850 --> 00:09:02,319 for a long time on PCs, 243 00:09:02,320 --> 00:09:04,449 like the buffer overflow, the remote 244 00:09:04,450 --> 00:09:06,519 code execution, and 245 00:09:06,520 --> 00:09:09,069 exist as well on embedded devices. 246 00:09:09,070 --> 00:09:11,259 And last, but 247 00:09:11,260 --> 00:09:13,749 not least, another attack is the ICS 248 00:09:13,750 --> 00:09:15,549 malware. One of the good examples 249 00:09:15,550 --> 00:09:18,069 of this attack is 250 00:09:18,070 --> 00:09:20,589 Stuxnet, where the malware 251 00:09:20,590 --> 00:09:22,989 is trying to attack the SCADA software 252 00:09:22,990 --> 00:09:24,969 by installing some hooks and trying to 253 00:09:24,970 --> 00:09:26,380 manipulate the process that way. 254 00:09:28,060 --> 00:09:30,339 So to be protected against those attacks, 255 00:09:30,340 --> 00:09:32,889 we have some defensive solutions as well. 256 00:09:32,890 --> 00:09:35,079 Attestation or memory attestation is 257 00:09:35,080 --> 00:09:37,209 one of those solutions. In this 258 00:09:37,210 --> 00:09:39,309 technique, 
in this method, we are trying 259 00:09:39,310 --> 00:09:41,919 to check the integrity of 260 00:09:41,920 --> 00:09:43,629 a state of the system, for example the 261 00:09:43,630 --> 00:09:44,919 memory. 262 00:09:44,920 --> 00:09:46,479 Then we have the firmware integrity 263 00:09:46,480 --> 00:09:49,329 verification, which can be used 264 00:09:49,330 --> 00:09:51,729 for the logic as well, where before 265 00:09:51,730 --> 00:09:54,249 installing a new logic or new firmware, 266 00:09:54,250 --> 00:09:56,349 the system should 267 00:09:56,350 --> 00:09:58,479 verify that the firmware or the logics 268 00:09:58,480 --> 00:09:59,919 are actually coming from a trusted 269 00:09:59,920 --> 00:10:01,209 source. 270 00:10:01,210 --> 00:10:02,679 And then we have more sophisticated 271 00:10:02,680 --> 00:10:03,979 protections. 272 00:10:03,980 --> 00:10:05,919 Actually, these are mostly host-based 273 00:10:05,920 --> 00:10:07,989 intrusion detection systems for 274 00:10:07,990 --> 00:10:09,709 detecting the hooks and control flow 275 00:10:09,710 --> 00:10:10,710 anomalies. 276 00:10:11,860 --> 00:10:14,019 So from all those defenses, 277 00:10:14,020 --> 00:10:15,549 not all of them are actually applicable to 278 00:10:15,550 --> 00:10:17,709 the PLC, because 279 00:10:17,710 --> 00:10:19,389 the proposed solution should not require 280 00:10:19,390 --> 00:10:21,699 any hardware modification. 281 00:10:21,700 --> 00:10:23,799 And since we have a very limited amount 282 00:10:23,800 --> 00:10:25,929 of resources on these devices, the 283 00:10:25,930 --> 00:10:27,849 proposed solution also should not 284 00:10:27,850 --> 00:10:30,699 pose any extra overhead to the device. 
285 00:10:30,700 --> 00:10:33,309 And because almost 286 00:10:33,310 --> 00:10:35,169 all of the already manufactured PLCs 287 00:10:35,170 --> 00:10:37,689 are not supporting virtualization, 288 00:10:37,690 --> 00:10:39,489 and based on what they are doing, it's 289 00:10:39,490 --> 00:10:41,649 very unlikely to 290 00:10:41,650 --> 00:10:43,209 see virtualization support in the 291 00:10:43,210 --> 00:10:45,639 future manufactured PLCs. 292 00:10:45,640 --> 00:10:47,739 So all the solutions which 293 00:10:47,740 --> 00:10:49,869 require virtualization are eliminated 294 00:10:49,870 --> 00:10:50,870 as well. 295 00:10:51,880 --> 00:10:53,979 So here we can divide the defensive 296 00:10:53,980 --> 00:10:55,279 solutions into two categories. 297 00:10:55,280 --> 00:10:57,339 In the first 298 00:10:57,340 --> 00:10:59,469 category we can put logic checksum 299 00:10:59,470 --> 00:11:01,359 and firmware integrity verification as a 300 00:11:01,360 --> 00:11:03,489 trivial defense, and 301 00:11:03,490 --> 00:11:05,259 we can put, like we have, 302 00:11:05,260 --> 00:11:07,449 another category, host-based intrusion 303 00:11:07,450 --> 00:11:09,819 detection systems, of which Doppelgänger 304 00:11:09,820 --> 00:11:11,979 or Autoscopy Jr. are two good 305 00:11:11,980 --> 00:11:13,210 examples in this category. 306 00:11:14,710 --> 00:11:16,659 So now we're going to take a 307 00:11:16,660 --> 00:11:19,029 deeper look at these two protections. 308 00:11:19,030 --> 00:11:20,649 Doppelgänger actually uses the 309 00:11:20,650 --> 00:11:23,559 attestation solution, memory attestation, 310 00:11:23,560 --> 00:11:25,869 which takes a firmware 311 00:11:25,870 --> 00:11:28,009 image, scans that 312 00:11:28,010 --> 00:11:30,069 firmware image for executable code, 313 00:11:30,070 --> 00:11:31,809 and will randomly install some 314 00:11:31,810 --> 00:11:33,519 symbiotes or watch points. 
315 00:11:33,520 --> 00:11:35,709 And at runtime, 316 00:11:35,710 --> 00:11:37,799 every time that these 317 00:11:37,800 --> 00:11:40,029 watch points are hit, it will check the 318 00:11:40,030 --> 00:11:42,009 integrity of the memory region. 319 00:11:42,010 --> 00:11:44,439 And as far as this check shows 320 00:11:44,440 --> 00:11:46,239 the integrity of that memory is not 321 00:11:46,240 --> 00:11:48,309 changed, it will consider that everything 322 00:11:48,310 --> 00:11:49,310 is fine. 323 00:11:50,170 --> 00:11:52,269 Then we have Autoscopy Jr. 324 00:11:52,270 --> 00:11:54,399 Autoscopy Jr. is a 325 00:11:54,400 --> 00:11:56,649 defense against the control flow 326 00:11:56,650 --> 00:11:57,650 anomalies. 327 00:11:58,330 --> 00:12:00,129 It has two different phases. 328 00:12:00,130 --> 00:12:02,499 In the first step, the learning 329 00:12:02,500 --> 00:12:04,479 mode, it tries to gather some information 330 00:12:04,480 --> 00:12:06,959 about the execution, 331 00:12:06,960 --> 00:12:08,919 like the function 332 00:12:08,920 --> 00:12:10,389 address, the function parameters, the 333 00:12:10,390 --> 00:12:11,349 return address, 334 00:12:11,350 --> 00:12:13,419 and stores all of them in a TLL or 335 00:12:13,420 --> 00:12:15,579 trusted location list. And later, 336 00:12:15,580 --> 00:12:18,159 in the protection mode, it will 337 00:12:18,160 --> 00:12:20,559 actually compare all the runtime 338 00:12:20,560 --> 00:12:22,919 information against this static list. 339 00:12:22,920 --> 00:12:24,459 Exactly. 340 00:12:24,460 --> 00:12:26,259 And as far as these two values are 341 00:12:26,260 --> 00:12:27,849 matching, it considers that everything 342 00:12:27,850 --> 00:12:28,850 is fine. 343 00:12:30,730 --> 00:12:31,730 So, uh. 
344 00:12:32,730 --> 00:12:34,139 These two solutions try to protect a 345 00:12:34,140 --> 00:12:36,299 device against code hooking and data 346 00:12:36,300 --> 00:12:37,439 manipulation. 347 00:12:37,440 --> 00:12:39,329 But what's the difference? 348 00:12:39,330 --> 00:12:41,459 That's not all; the rootkit, 349 00:12:41,460 --> 00:12:43,679 or all the attacks, is not only about 350 00:12:43,680 --> 00:12:45,419 doing a modification in the code or 351 00:12:45,420 --> 00:12:46,379 in the memory. 352 00:12:46,380 --> 00:12:48,479 For example, we use the debug registers 353 00:12:48,480 --> 00:12:50,909 to just block the access and 354 00:12:50,910 --> 00:12:52,919 monitor or hijack access to some 355 00:12:52,920 --> 00:12:54,899 values in the memory by debug 356 00:12:54,900 --> 00:12:56,999 registers. As I said, this technique has 357 00:12:57,000 --> 00:12:58,919 been documented in Phrack magazine by 358 00:12:58,920 --> 00:13:00,959 halfdead long ago. 359 00:13:00,960 --> 00:13:02,939 And, well, if you're interested, you 360 00:13:02,940 --> 00:13:04,229 can go and take a look. 361 00:13:04,230 --> 00:13:05,339 It's really interesting. 362 00:13:06,810 --> 00:13:08,489 So now Ali is going to give you some 363 00:13:09,840 --> 00:13:12,029 information about pin control and 364 00:13:12,030 --> 00:13:13,440 actually introduce our attack. 
365 00:13:14,990 --> 00:13:17,399 OK, so 366 00:13:17,400 --> 00:13:19,529 you might ask why we gave you 367 00:13:19,530 --> 00:13:22,889 lots of background on active defenses 368 00:13:22,890 --> 00:13:24,959 for the PLCs. 369 00:13:24,960 --> 00:13:27,149 It is because our attack makes much more 370 00:13:27,150 --> 00:13:29,729 sense when you consider 371 00:13:29,730 --> 00:13:32,429 you have active defenses within the PLC, 372 00:13:32,430 --> 00:13:34,739 which vendors right now are trying to 373 00:13:34,740 --> 00:13:37,469 push their 374 00:13:37,470 --> 00:13:40,139 products toward, that is, PLCs 375 00:13:40,140 --> 00:13:41,199 with active defenses. 376 00:13:41,200 --> 00:13:43,409 You would see it in 2020 or 377 00:13:43,410 --> 00:13:44,410 maybe earlier. So, 378 00:13:46,300 --> 00:13:48,029 so what is pin control? 379 00:13:48,030 --> 00:13:50,059 Well, generally the pin control 380 00:13:50,060 --> 00:13:52,449 subsystem consists of two parts. 381 00:13:52,450 --> 00:13:54,549 First, pin multiplexing, 382 00:13:54,550 --> 00:13:56,769 which means that a single 383 00:13:56,770 --> 00:13:59,199 pin, and I mean a real pin 384 00:13:59,200 --> 00:14:02,289 in a SoC or CPU, 385 00:14:02,290 --> 00:14:04,689 can have multiple functionalities, 386 00:14:04,690 --> 00:14:07,089 which you can't use all at once. 387 00:14:07,090 --> 00:14:08,619 You can only use one of those 388 00:14:08,620 --> 00:14:10,539 functionalities at once. 389 00:14:10,540 --> 00:14:12,909 And they do it because the 390 00:14:12,910 --> 00:14:15,819 chip vendor gives these SoCs 391 00:14:15,820 --> 00:14:18,069 to different other companies, for 392 00:14:18,070 --> 00:14:20,349 example, mobile companies, 393 00:14:20,350 --> 00:14:21,819 the companies which make cell 394 00:14:21,820 --> 00:14:24,129 phones. But the chip developer 395 00:14:24,130 --> 00:14:25,239 is somebody else. 
396 00:14:25,240 --> 00:14:27,369 So what they do is that they 397 00:14:27,370 --> 00:14:29,379 put several functionalities in different 398 00:14:29,380 --> 00:14:29,919 pins. 399 00:14:29,920 --> 00:14:32,709 So based on different requirements of 400 00:14:32,710 --> 00:14:34,899 different companies which are using 401 00:14:34,900 --> 00:14:36,399 it, 402 00:14:38,290 --> 00:14:40,389 it can be used literally for their 403 00:14:40,390 --> 00:14:42,579 own purposes, while you can have 404 00:14:42,580 --> 00:14:45,009 a general chip for different companies. 405 00:14:45,010 --> 00:14:46,989 And that's what they call pin 406 00:14:46,990 --> 00:14:49,509 multiplexing. And it's like complex 407 00:14:49,510 --> 00:14:50,739 chip designing and stuff. 408 00:14:50,740 --> 00:14:53,319 And the next thing 409 00:14:53,320 --> 00:14:55,419 in pin control is 410 00:14:55,420 --> 00:14:57,699 pin configuration, which literally means 411 00:14:57,700 --> 00:14:59,849 that you are configuring 412 00:14:59,850 --> 00:15:01,989 all your pins and describing how 413 00:15:01,990 --> 00:15:03,219 they are going to be used. 414 00:15:03,220 --> 00:15:05,019 So is it an input pin or an output 415 00:15:05,020 --> 00:15:06,789 pin? And remember that, because we are 416 00:15:06,790 --> 00:15:08,529 going to use it a lot. 417 00:15:08,530 --> 00:15:10,779 So there is a general rule about 418 00:15:10,780 --> 00:15:12,849 this. And again, you 419 00:15:12,850 --> 00:15:15,219 need to remember that before we 420 00:15:15,220 --> 00:15:16,389 move forward. 421 00:15:16,390 --> 00:15:18,549 It is that an input pin, 422 00:15:18,550 --> 00:15:20,319 or a pin which you, for example, use 423 00:15:20,320 --> 00:15:22,599 to read values, you can only use 424 00:15:22,600 --> 00:15:24,899 as a read-only 425 00:15:24,900 --> 00:15:27,129 pin. 
So it means that you can never write 426 00:15:27,130 --> 00:15:29,259 to a pin which is described as 427 00:15:29,260 --> 00:15:30,339 input. 428 00:15:30,340 --> 00:15:32,709 OK, so, in general. 429 00:15:32,710 --> 00:15:34,959 And if it's an output pin, which means 430 00:15:34,960 --> 00:15:36,729 that you are controlling some devices 431 00:15:36,730 --> 00:15:39,009 with it, then you can 432 00:15:39,010 --> 00:15:41,109 read 433 00:15:41,110 --> 00:15:43,329 from it and write 434 00:15:43,330 --> 00:15:45,309 to it too. So it's like you can have both 435 00:15:45,310 --> 00:15:47,979 things in outputs, in 436 00:15:47,980 --> 00:15:48,699 general. 437 00:15:48,700 --> 00:15:50,739 So for example, here is an example, 438 00:15:50,740 --> 00:15:53,199 as you can see we have pin 24 439 00:15:53,200 --> 00:15:55,809 as input, DW 440 00:15:55,810 --> 00:15:57,219 in, and then we have a pin 441 00:15:57,220 --> 00:15:59,319 22 as output, or in 442 00:15:59,320 --> 00:16:01,689 the DW you can see the same 443 00:16:01,690 --> 00:16:02,690 configuration. 444 00:16:04,690 --> 00:16:06,789 So now we have to know 445 00:16:06,790 --> 00:16:09,309 how actually the PLC is 446 00:16:09,310 --> 00:16:11,499 interacting with these pins. 447 00:16:11,500 --> 00:16:13,569 And before that, I 448 00:16:13,570 --> 00:16:15,129 want to again just remind you 449 00:16:15,130 --> 00:16:17,359 again, like I said it: 450 00:16:17,360 --> 00:16:19,029 say you have a main application which is 451 00:16:19,030 --> 00:16:21,099 called runtime. It usually doesn't change 452 00:16:21,100 --> 00:16:22,719 except by firmware update. 453 00:16:22,720 --> 00:16:24,249 And then you have another part of the 454 00:16:24,250 --> 00:16:26,439 application which the operators 455 00:16:26,440 --> 00:16:28,539 in the power plants or in critical 456 00:16:28,540 --> 00:16:30,129 infrastructure program. 
457 00:16:30,130 --> 00:16:32,230 And that's why you call it programmable 458 00:16:34,030 --> 00:16:35,559 logic. It's a program in which you, for 459 00:16:35,560 --> 00:16:37,749 example, describe: if the temperature of 460 00:16:37,750 --> 00:16:40,059 the input plant is more than this, 461 00:16:40,060 --> 00:16:42,699 then do that. So that's like logic. 462 00:16:42,700 --> 00:16:44,649 So in the PLC runtime, usually what will 463 00:16:44,650 --> 00:16:46,599 happen is that either the process, 464 00:16:46,600 --> 00:16:48,729 which can be a driver, is mapping 465 00:16:48,730 --> 00:16:50,979 the I/O addresses of the physical memory 466 00:16:50,980 --> 00:16:51,999 and then interacting with it. 467 00:16:52,000 --> 00:16:54,219 But let's look at it in 468 00:16:54,220 --> 00:16:56,349 a more accurate way and 469 00:16:56,350 --> 00:16:58,389 why it is a problem, a problem which we 470 00:16:58,390 --> 00:17:00,160 call the memory illusion. 471 00:17:01,330 --> 00:17:03,370 So let's assume that we have a runtime 472 00:17:04,720 --> 00:17:06,729 running and we are in a real 473 00:17:06,730 --> 00:17:08,289 time operating system, a modern real-time 474 00:17:08,290 --> 00:17:10,009 operating system. And you have a physical 475 00:17:10,010 --> 00:17:11,559 I/O memory available. 476 00:17:11,560 --> 00:17:13,959 And then what will happen is that 477 00:17:13,960 --> 00:17:15,338 your runtime requests, or it can be a 478 00:17:15,339 --> 00:17:17,618 driver that requests, 479 00:17:17,619 --> 00:17:19,809 I/O memory from this physical 480 00:17:19,810 --> 00:17:21,519 memory, which is going to be 481 00:17:21,520 --> 00:17:22,899 used to be controlled. 482 00:17:24,000 --> 00:17:25,539 If you ask the operating system, the 483 00:17:25,540 --> 00:17:27,639 operating system maps I/O memory 484 00:17:27,640 --> 00:17:29,619 in a virtual I/O memory. 
485 00:17:30,770 --> 00:17:32,899 And then there is the operator 486 00:17:32,900 --> 00:17:34,309 who is programming the PLC 487 00:17:34,310 --> 00:17:36,319 and says, OK, so I want you to do this and 488 00:17:36,320 --> 00:17:38,479 that and that, and uploads 489 00:17:38,480 --> 00:17:40,489 it to the PLC as 490 00:17:40,490 --> 00:17:41,479 logic. 491 00:17:41,480 --> 00:17:42,019 Right. 492 00:17:42,020 --> 00:17:43,859 So, for example, in this example, we have 493 00:17:43,860 --> 00:17:46,459 the logic which says if 494 00:17:46,460 --> 00:17:48,080 24 is true, 495 00:17:49,250 --> 00:17:51,499 then every five seconds 496 00:17:52,670 --> 00:17:54,989 turn on and off the pin 497 00:17:54,990 --> 00:17:55,879 22. 498 00:17:55,880 --> 00:17:57,499 So here in this example, we can 499 00:17:57,500 --> 00:17:59,899 immediately notice that pin twenty 500 00:17:59,900 --> 00:18:02,029 four is an input pin, 501 00:18:02,030 --> 00:18:03,589 because we are always checking if it's 502 00:18:03,590 --> 00:18:06,009 true, and we are updating 503 00:18:06,010 --> 00:18:08,539 pin 22, which means pin 22 is an output 504 00:18:08,540 --> 00:18:10,319 pin. What will happen is that the PLC 505 00:18:10,320 --> 00:18:12,829 runtime then literally 506 00:18:12,830 --> 00:18:14,779 notices this description and then 507 00:18:14,780 --> 00:18:17,089 requests to change 508 00:18:17,090 --> 00:18:18,979 the state of the pins in the virtually 509 00:18:18,980 --> 00:18:21,039 mapped I/O, in 510 00:18:21,040 --> 00:18:22,549 something we should call a 511 00:18:22,550 --> 00:18:24,979 state register of the SoC's virtually 512 00:18:24,980 --> 00:18:26,269 mapped I/O, of course. 513 00:18:26,270 --> 00:18:28,439 So for example, it describes, say, hey, pin 514 00:18:28,440 --> 00:18:30,649 24 is an input. 
515 00:18:30,650 --> 00:18:32,449 So the state of it is zero, which means 516 00:18:32,450 --> 00:18:34,579 that it is an input pin, and pin 517 00:18:34,580 --> 00:18:35,969 twenty two is output. 518 00:18:35,970 --> 00:18:38,119 So I write the value, for example, one, 519 00:18:38,120 --> 00:18:39,480 which means that the pin is output, 520 00:18:40,790 --> 00:18:42,799 and then, well, this value will get written 521 00:18:42,800 --> 00:18:43,819 to the physical memory. 522 00:18:44,900 --> 00:18:46,999 And then based on our logic, 523 00:18:47,000 --> 00:18:49,399 we are going to read the values from 24, 524 00:18:49,400 --> 00:18:51,799 because if 24 is true, 525 00:18:51,800 --> 00:18:53,239 then we can continue with pin 526 00:18:53,240 --> 00:18:54,799 twenty two. 527 00:18:54,800 --> 00:18:56,779 So we will read it from the virtual I/O 528 00:18:56,780 --> 00:18:58,459 memory, but actually it's coming from the 529 00:18:58,460 --> 00:18:59,779 physical memory. 530 00:18:59,780 --> 00:19:02,209 And then every five seconds 531 00:19:02,210 --> 00:19:04,369 the runtime will request to write 532 00:19:04,370 --> 00:19:06,649 the value zero or one 533 00:19:06,650 --> 00:19:08,539 to the virtual I/O memory, which means that 534 00:19:08,540 --> 00:19:10,729 you are going to turn on and off 535 00:19:10,730 --> 00:19:12,240 something which is connected, let's say, 536 00:19:13,460 --> 00:19:16,069 every five seconds. So that's 537 00:19:16,070 --> 00:19:17,749 that's something that is happening every 538 00:19:17,750 --> 00:19:18,919 five seconds. 539 00:19:18,920 --> 00:19:20,269 And of course, the read happens all the 540 00:19:20,270 --> 00:19:21,270 time. 541 00:19:21,860 --> 00:19:24,109 But what is the problem with 542 00:19:24,110 --> 00:19:26,599 pin control is that, 543 00:19:26,600 --> 00:19:28,509 what if, that's what we assume, 544 00:19:28,510 --> 00:19:30,920 what if there is an attacker who, 545 00:19:32,090 --> 00:19:32,989 without the PLC
546 00:19:32,990 --> 00:19:35,929 knowing, or you never know, 547 00:19:35,930 --> 00:19:37,999 just requests normally that, hey, 548 00:19:38,000 --> 00:19:40,339 I have a new configuration for pin 549 00:19:40,340 --> 00:19:42,229 22, which I'm going to use. 550 00:19:42,230 --> 00:19:45,019 So now I change the state of pin 22 551 00:19:45,020 --> 00:19:47,219 from an output pin to 552 00:19:47,220 --> 00:19:49,549 an input pin. So remember, pin 22 553 00:19:49,550 --> 00:19:51,619 was output because you are writing to it 554 00:19:51,620 --> 00:19:53,809 every five seconds, but I am writing 555 00:19:53,810 --> 00:19:55,459 in a different register. 556 00:19:55,460 --> 00:19:57,529 So I register that pin 22 557 00:19:57,530 --> 00:19:59,839 from now on is an input. 558 00:19:59,840 --> 00:20:01,369 And of course this value gets written to 559 00:20:01,370 --> 00:20:02,659 the virtual memory 560 00:20:02,660 --> 00:20:04,759 and then to the physical memory. 561 00:20:04,760 --> 00:20:06,439 What will happen next is interesting, 562 00:20:06,440 --> 00:20:07,969 because the PLC 563 00:20:07,970 --> 00:20:10,549 runtime then still 564 00:20:10,550 --> 00:20:12,079 assumes that every five seconds it has 565 00:20:12,080 --> 00:20:14,059 to turn on and off the LED. 566 00:20:14,060 --> 00:20:15,109 Right. So it 567 00:20:15,110 --> 00:20:16,099 writes, writes 568 00:20:16,100 --> 00:20:18,289 0, 1, 0, 1 every five seconds 569 00:20:18,290 --> 00:20:19,819 to the write register. 570 00:20:19,820 --> 00:20:21,019 So turn on and off. 571 00:20:22,070 --> 00:20:24,319 But what will happen is, here is 572 00:20:24,320 --> 00:20:26,839 the core problem, that, 573 00:20:26,840 --> 00:20:29,059 well, you can't write to it. 574 00:20:29,060 --> 00:20:31,249 Do you remember the general rule, a 575 00:20:31,250 --> 00:20:33,919 pin which is input, it can't, 576 00:20:33,920 --> 00:20:35,429 you cannot write to it.
577 00:20:35,430 --> 00:20:38,119 OK, and the problem is that 578 00:20:38,120 --> 00:20:40,279 the CPU or the SoC, like 579 00:20:40,280 --> 00:20:42,049 almost all embedded systems, they don't 580 00:20:42,050 --> 00:20:44,629 give you feedback that, hey, 581 00:20:44,630 --> 00:20:45,829 you cannot write to it. 582 00:20:45,830 --> 00:20:48,559 So it's like everything looks fine. 583 00:20:48,560 --> 00:20:49,759 This is what we call the pin 584 00:20:49,760 --> 00:20:51,589 configuration attack, because you can 585 00:20:51,590 --> 00:20:52,759 just change the configuration. 586 00:20:52,760 --> 00:20:54,140 I will explain it again later, too. 587 00:20:55,250 --> 00:20:56,449 But let's change it. 588 00:20:56,450 --> 00:20:58,759 So we also have 589 00:20:58,760 --> 00:21:00,139 another register, which we call the 590 00:21:00,140 --> 00:21:01,789 multiplexing register. 591 00:21:01,790 --> 00:21:03,979 OK, so I just change 592 00:21:03,980 --> 00:21:05,929 the name of the, uh, like the state 593 00:21:05,930 --> 00:21:07,459 register to multiplexing register. 594 00:21:07,460 --> 00:21:08,779 And then what will happen is that I am 595 00:21:08,780 --> 00:21:11,149 going to say, hey, pin 20, 596 00:21:11,150 --> 00:21:12,829 for example, let's say it was connected 597 00:21:12,830 --> 00:21:14,779 to a motor. So it's not a GPIO. 598 00:21:14,780 --> 00:21:15,780 It's an 599 00:21:16,540 --> 00:21:18,729 I2C, or it supports SPI or 600 00:21:18,730 --> 00:21:19,689 PWM 601 00:21:19,690 --> 00:21:21,819 port. OK, so let's say 602 00:21:21,820 --> 00:21:23,619 now I'm going to change it. 603 00:21:23,620 --> 00:21:25,329 So the logic is not anymore... 604 00:21:25,330 --> 00:21:26,889 Let's say we have a motor which we are 605 00:21:26,890 --> 00:21:27,969 controlling.
606 00:21:27,970 --> 00:21:29,739 What I am going to do as the attacker is 607 00:21:29,740 --> 00:21:31,869 that I am going to say, hey, 608 00:21:31,870 --> 00:21:34,299 multiplex 22 609 00:21:34,300 --> 00:21:35,400 from output to I2C or 610 00:21:36,970 --> 00:21:39,849 to something else. 611 00:21:39,850 --> 00:21:42,039 OK, and what 612 00:21:42,040 --> 00:21:44,199 will happen is that, well, 613 00:21:44,200 --> 00:21:46,029 these are all values. 614 00:21:46,030 --> 00:21:48,039 Doesn't matter here. 615 00:21:48,040 --> 00:21:49,339 Every five seconds the PLC 616 00:21:49,340 --> 00:21:51,900 runtime tries to write. 617 00:21:54,360 --> 00:21:57,479 But it can't, right, because, 618 00:21:57,480 --> 00:21:59,669 well, you physically terminated 619 00:21:59,670 --> 00:22:01,589 the connection by 620 00:22:01,590 --> 00:22:03,809 multiplexing the pin which was being 621 00:22:03,810 --> 00:22:04,979 used before. 622 00:22:04,980 --> 00:22:07,439 And that's a problem because, let's 623 00:22:07,440 --> 00:22:09,599 let's give you an example, like 624 00:22:09,600 --> 00:22:11,259 a USB drive in Windows. 625 00:22:11,260 --> 00:22:13,739 OK, so you are copying your files 626 00:22:13,740 --> 00:22:16,019 and then suddenly you take out your USB. 627 00:22:16,020 --> 00:22:17,429 What do you expect? 628 00:22:17,430 --> 00:22:19,739 There is an error saying boom, like this 629 00:22:19,740 --> 00:22:21,299 device is not any more available. 630 00:22:21,300 --> 00:22:22,769 So you can't copy. 631 00:22:22,770 --> 00:22:25,169 What is happening now is that, 632 00:22:25,170 --> 00:22:26,699 for example, with pin multiplexing 633 00:22:26,700 --> 00:22:28,919 specifically, is that 634 00:22:28,920 --> 00:22:30,389 actually the I/O is not any more 635 00:22:30,390 --> 00:22:32,129 available, but the virtual memory of the 636 00:22:32,130 --> 00:22:33,509 I/O is still available.
637 00:22:33,510 --> 00:22:35,459 So the operating system and the PLC 638 00:22:35,460 --> 00:22:37,889 runtime is still talking with it. 639 00:22:37,890 --> 00:22:39,689 But this value cannot get to the 640 00:22:39,690 --> 00:22:41,639 physical memory. But there is no feedback 641 00:22:41,640 --> 00:22:43,799 from the SoC to tell the 642 00:22:43,800 --> 00:22:45,749 PLC runtime or the operating system 643 00:22:45,750 --> 00:22:48,329 that, hey, this is not any more available, 644 00:22:48,330 --> 00:22:50,789 and that's how the problem 645 00:22:50,790 --> 00:22:51,749 happens. 646 00:22:51,750 --> 00:22:52,750 So I think 647 00:22:53,910 --> 00:22:56,129 we just show you a quick demo about 648 00:22:56,130 --> 00:22:57,779 how it's working. 649 00:22:57,780 --> 00:22:58,829 Obviously not crashing. 650 00:22:58,830 --> 00:23:00,039 Yeah, cool. 651 00:23:03,280 --> 00:23:05,180 From from the beginning, 652 00:23:06,670 --> 00:23:07,670 yes, 653 00:23:09,200 --> 00:23:11,390 I was confused. 654 00:23:16,880 --> 00:23:19,669 So we have, for example, an example process 655 00:23:19,670 --> 00:23:22,039 where we say, for example, pin twenty five 656 00:23:22,040 --> 00:23:23,959 is the input and twenty two, 657 00:23:23,960 --> 00:23:25,819 twenty three are outputs. 658 00:23:25,820 --> 00:23:27,979 And every five seconds I want to turn on 659 00:23:27,980 --> 00:23:30,169 and off the LED connected to pin twenty 660 00:23:30,170 --> 00:23:32,329 three, and you can see it 661 00:23:32,330 --> 00:23:34,399 turning on and off every five seconds. 662 00:23:34,400 --> 00:23:36,589 OK, we are using a real 663 00:23:36,590 --> 00:23:38,699 runtime, being used in more than two hundred 664 00:23:38,700 --> 00:23:40,469 sixty seven right now 665 00:23:41,540 --> 00:23:42,540 and 666 00:23:45,920 --> 00:23:46,920 yeah. 667 00:23:47,360 --> 00:23:49,489 So you can see the value gets false, 668 00:23:49,490 --> 00:23:51,919 it means it is off, the value shows
669 00:23:51,920 --> 00:23:53,659 true, it means that the light is on. 670 00:23:53,660 --> 00:23:55,759 So that is true and it is on, and 671 00:23:55,760 --> 00:23:57,619 it's false and it is off. 672 00:23:57,620 --> 00:24:00,049 OK, and then what we are doing is exactly 673 00:24:00,050 --> 00:24:00,979 what we described now. 674 00:24:00,980 --> 00:24:03,499 So we are going to manipulate 675 00:24:03,500 --> 00:24:05,119 the configuration of the pin. 676 00:24:05,120 --> 00:24:06,710 When the pins, for example, are 677 00:24:08,030 --> 00:24:10,909 outputs, we change them to inputs, 678 00:24:10,910 --> 00:24:12,859 but we don't want to change the process, 679 00:24:12,860 --> 00:24:14,929 the actual operation happening here, we 680 00:24:14,930 --> 00:24:16,999 just want to show you that there is no 681 00:24:17,000 --> 00:24:19,009 failure. There is no I/O failure, the 682 00:24:19,010 --> 00:24:20,359 PLC runtime doesn't fail. 683 00:24:20,360 --> 00:24:22,639 There is no error in the kernel 684 00:24:22,640 --> 00:24:24,839 debug going on, there is no I/O 685 00:24:24,840 --> 00:24:27,109 stop. It's like everything looking 686 00:24:27,110 --> 00:24:28,110 fine. 687 00:24:34,210 --> 00:24:35,210 So. 688 00:24:36,310 --> 00:24:37,310 Yeah, 689 00:24:38,970 --> 00:24:40,449 yeah, and that's an important thing, so 690 00:24:40,450 --> 00:24:42,639 we don't hook any functions 691 00:24:42,640 --> 00:24:44,739 in here because we assume that 692 00:24:44,740 --> 00:24:46,119 we have some active defenses. 693 00:24:50,750 --> 00:24:53,089 So you still have the turning on, 694 00:24:53,090 --> 00:24:55,309 on and off, and 695 00:24:55,310 --> 00:24:57,019 what we are going to do right now, we are 696 00:24:57,020 --> 00:24:58,339 only blocking the operation. 697 00:24:58,340 --> 00:25:00,679 So every time the runtime 698 00:25:00,680 --> 00:25:03,139 tries to write to the pin,
699 00:25:03,140 --> 00:25:05,599 we change the state of the pin related 700 00:25:05,600 --> 00:25:07,669 to the LED from output 701 00:25:07,670 --> 00:25:09,769 to input. So the I/O 702 00:25:09,770 --> 00:25:11,989 is only read-only, it's 703 00:25:11,990 --> 00:25:13,279 not anymore... 704 00:25:13,280 --> 00:25:16,069 You can't write to the pin anymore. 705 00:25:16,070 --> 00:25:18,079 And then you see that the runtime 706 00:25:18,080 --> 00:25:20,539 assumes that everything's fine and nothing 707 00:25:20,540 --> 00:25:21,540 happens. 708 00:25:24,770 --> 00:25:26,959 In the next demo, we will show you 709 00:25:26,960 --> 00:25:28,759 later that actually we change the 710 00:25:28,760 --> 00:25:30,710 process, the actual process happening, too. 711 00:25:34,910 --> 00:25:36,529 So here, for now, we just want to show 712 00:25:36,530 --> 00:25:38,059 you that we are intercepting the write 713 00:25:38,060 --> 00:25:40,309 operation of the runtime 714 00:25:42,000 --> 00:25:45,109 every time it's trying to write 715 00:25:45,110 --> 00:25:46,110 to the I/O. 716 00:25:48,980 --> 00:25:50,599 And you can see it is not any more 717 00:25:50,600 --> 00:25:52,749 flashing, but the runtime 718 00:25:52,750 --> 00:25:53,759 doesn't know about it.
719 00:25:53,760 --> 00:25:56,599 So once you can see, 720 00:25:56,600 --> 00:25:58,939 let me switch now to the software, 721 00:25:58,940 --> 00:26:01,249 to the programmer station, 722 00:26:01,250 --> 00:26:03,399 and then what we do here: 723 00:26:03,400 --> 00:26:05,809 it is still saying true for five, 724 00:26:05,810 --> 00:26:07,999 five seconds and then 725 00:26:08,000 --> 00:26:10,189 false for five seconds, for example, 726 00:26:10,190 --> 00:26:12,649 again, it's going through, 727 00:26:12,650 --> 00:26:14,929 but the light is not turning on anymore 728 00:26:14,930 --> 00:26:17,209 because we are actually changing 729 00:26:17,210 --> 00:26:19,099 the state of the pin from 730 00:26:19,100 --> 00:26:20,959 output to input every time the PLC 731 00:26:20,960 --> 00:26:22,009 runtime tries to 732 00:26:23,240 --> 00:26:24,240 write to it. 733 00:26:27,630 --> 00:26:29,490 All right, so 734 00:26:31,050 --> 00:26:32,159 that was the problem, actually. 735 00:26:33,240 --> 00:26:35,429 Everybody at the beginning is 736 00:26:35,430 --> 00:26:37,859 assuming that there must be a termination 737 00:26:37,860 --> 00:26:39,629 or something because it's not available, 738 00:26:39,630 --> 00:26:41,399 for example, or the configuration, 739 00:26:41,400 --> 00:26:43,349 we change the configuration and there is 740 00:26:43,350 --> 00:26:45,479 some kind of error, but 741 00:26:45,480 --> 00:26:46,799 nothing happens. 742 00:26:46,800 --> 00:26:49,019 And I 743 00:26:49,020 --> 00:26:51,239 think the original problem is the 744 00:26:51,240 --> 00:26:53,399 no interrupt for configuration, 745 00:26:53,400 --> 00:26:55,919 first of all, so that the runtime 746 00:26:55,920 --> 00:26:57,839 or the operating system knows that there 747 00:26:57,840 --> 00:26:59,849 is a change in the configuration 748 00:26:59,850 --> 00:27:02,099 of the pin or multiplexing features.
749 00:27:02,100 --> 00:27:03,509 And the second problem is that there is no 750 00:27:03,510 --> 00:27:05,879 feedback after, once there is a failure, 751 00:27:05,880 --> 00:27:07,259 that, hey, you couldn't write to it. 752 00:27:07,260 --> 00:27:08,819 So the SoC doesn't tell you because 753 00:27:08,820 --> 00:27:10,649 there's no interrupt for it. 754 00:27:10,650 --> 00:27:12,839 And I don't know if 755 00:27:12,840 --> 00:27:14,519 it's possible to put in an interrupt because 756 00:27:14,520 --> 00:27:15,520 it's very expensive. 757 00:27:16,730 --> 00:27:19,199 So what we did was that we decided 758 00:27:19,200 --> 00:27:21,329 to create an attack using the pin control 759 00:27:21,330 --> 00:27:23,159 attack, assuming that we have these kinds 760 00:27:23,160 --> 00:27:25,379 of active defenses currently available 761 00:27:25,380 --> 00:27:26,849 for use. 762 00:27:26,850 --> 00:27:29,129 And we didn't want to do 763 00:27:29,130 --> 00:27:30,719 function hooking, for example, because, 764 00:27:30,720 --> 00:27:32,219 as Majid said, we have some active 765 00:27:32,220 --> 00:27:34,379 protections such as 766 00:27:34,380 --> 00:27:36,629 Autoscopy Jr., which are looking actively for 767 00:27:36,630 --> 00:27:38,459 function hooking within the PLC. 768 00:27:38,460 --> 00:27:40,439 OK, so and of course, we don't want to 769 00:27:40,440 --> 00:27:42,659 modify the executable contents 770 00:27:42,660 --> 00:27:44,939 of the PLC because some companies, 771 00:27:44,940 --> 00:27:47,429 for example, can enforce like attestation 772 00:27:47,430 --> 00:27:49,589 frameworks which verify that the static part 773 00:27:49,590 --> 00:27:52,259 of the runtime is not modified. 774 00:27:52,260 --> 00:27:54,389 And again, we 775 00:27:54,390 --> 00:27:55,919 assume that you have other active 776 00:27:55,920 --> 00:27:57,599 defenses. For example, you have 777 00:27:57,600 --> 00:27:59,799 logic checksums.
So if somebody does 778 00:27:59,800 --> 00:28:01,559 the manipulation of the logic, we can 779 00:28:01,560 --> 00:28:02,560 detect it. 780 00:28:04,360 --> 00:28:06,429 That's how we have the pin control attack, 781 00:28:06,430 --> 00:28:08,529 which is where we manipulate 782 00:28:08,530 --> 00:28:10,809 the configuration, which, for example, 783 00:28:10,810 --> 00:28:12,879 the configuration of the pins, if it's 784 00:28:12,880 --> 00:28:14,709 input or output, we call it pin 785 00:28:14,710 --> 00:28:16,059 configuration attack. 786 00:28:16,060 --> 00:28:18,369 And in the other way, we do 787 00:28:18,370 --> 00:28:20,319 pin multiplexing attack, which means that 788 00:28:20,320 --> 00:28:21,819 we are changing the multiplexing 789 00:28:21,820 --> 00:28:23,200 configuration of the SoC. 790 00:28:24,280 --> 00:28:26,049 And of course, the OS never knows about 791 00:28:26,050 --> 00:28:27,050 it. 792 00:28:27,730 --> 00:28:29,969 So we implemented it in two variants, first 793 00:28:29,970 --> 00:28:32,499 as a rootkit, which required 794 00:28:32,500 --> 00:28:34,219 privilege, some knowledge of SoC 795 00:28:34,220 --> 00:28:36,039 registers and the knowledge of mapping 796 00:28:36,040 --> 00:28:37,989 between the I/O pins and the logic. 797 00:28:37,990 --> 00:28:40,689 And the second variant was as a 798 00:28:40,690 --> 00:28:41,690 shellcode. 799 00:28:43,100 --> 00:28:45,019 So how actually the attack works, so 800 00:28:45,020 --> 00:28:47,539 let's assume that we want to, 801 00:28:47,540 --> 00:28:49,609 the PLC runtime is trying to write 802 00:28:49,610 --> 00:28:51,019 to a specific pin and we want to 803 00:28:51,020 --> 00:28:53,029 manipulate the values in a specific 804 00:28:53,030 --> 00:28:55,489 pin.
So what we do is that 805 00:28:55,490 --> 00:28:56,930 we use the debug registers 806 00:28:58,250 --> 00:29:00,469 and we put the virtually 807 00:29:00,470 --> 00:29:03,499 mapped I/O into the debug register, 808 00:29:03,500 --> 00:29:05,539 and then the runtime tries to write 809 00:29:05,540 --> 00:29:07,969 to it. But because we already 810 00:29:07,970 --> 00:29:10,519 put it into the debug register, we intercept 811 00:29:10,520 --> 00:29:12,499 the write operation. What we do is that 812 00:29:12,500 --> 00:29:14,179 we don't modify the write operation. 813 00:29:14,180 --> 00:29:16,279 We don't divert its execution flow 814 00:29:16,280 --> 00:29:17,299 or anything. 815 00:29:17,300 --> 00:29:19,219 What we do is that we just go to another 816 00:29:19,220 --> 00:29:21,889 register, which is the state register, 817 00:29:21,890 --> 00:29:24,589 and change the configuration of the pin 818 00:29:24,590 --> 00:29:26,389 which the runtime, we know, is 819 00:29:26,390 --> 00:29:27,769 going to write to. 820 00:29:27,770 --> 00:29:29,839 We change it to the input mode and 821 00:29:29,840 --> 00:29:31,789 the runtime writes to it. 822 00:29:31,790 --> 00:29:33,919 But it doesn't work because, well, 823 00:29:33,920 --> 00:29:36,529 you can't write to an input. 824 00:29:36,530 --> 00:29:38,029 And of course, for the read manipulation, 825 00:29:38,030 --> 00:29:39,319 what you can do is that you can actually, 826 00:29:39,320 --> 00:29:41,599 again, put the address 827 00:29:41,600 --> 00:29:43,309 into the register, the already virtually mapped 828 00:29:43,310 --> 00:29:45,499 I/O, and then when it tries 829 00:29:45,500 --> 00:29:48,169 to read it, we intercept it, 830 00:29:48,170 --> 00:29:50,029 then what we do is that we change the pin 831 00:29:50,030 --> 00:29:51,919 from input to output. 832 00:29:51,920 --> 00:29:53,869 So it's like quite the opposite.
833 00:29:53,870 --> 00:29:55,759 And then we write the value we want, you 834 00:29:55,760 --> 00:29:57,379 see. So for example, if you are reading 835 00:29:57,380 --> 00:29:59,779 a, I don't know, a temperature value, 836 00:29:59,780 --> 00:30:02,059 I'm just going to change the value 837 00:30:02,060 --> 00:30:03,559 to the value I want you to read. 838 00:30:03,560 --> 00:30:05,839 And then I let 839 00:30:05,840 --> 00:30:06,799 you continue reading. 840 00:30:06,800 --> 00:30:08,179 And what will happen is that you read the 841 00:30:08,180 --> 00:30:10,249 value I tell you, not the actual value 842 00:30:10,250 --> 00:30:11,250 that is happening. 843 00:30:12,380 --> 00:30:14,239 So for the next demo, actually we 844 00:30:14,240 --> 00:30:16,579 have two other demos right 845 00:30:16,580 --> 00:30:19,329 now. Sure. And then there is a third, 846 00:30:19,330 --> 00:30:20,779 a fourth one. 847 00:30:20,780 --> 00:30:22,849 OK, so what we have 848 00:30:22,850 --> 00:30:25,459 is that we have the same logic as we 849 00:30:25,460 --> 00:30:27,199 described. So except that, for 850 00:30:27,200 --> 00:30:29,329 example, every four seconds we want to turn 851 00:30:29,330 --> 00:30:30,330 on and off. 852 00:30:31,280 --> 00:30:33,409 But this time we want to actually do 853 00:30:33,410 --> 00:30:35,629 the attack. So we want to change 854 00:30:35,630 --> 00:30:37,459 what's actually happening there. 855 00:30:37,460 --> 00:30:39,259 So it's not just blocking something. 856 00:30:39,260 --> 00:30:41,119 We want to actually change it the same 857 00:30:41,120 --> 00:30:43,529 way as described in the previous page. 858 00:30:43,530 --> 00:30:45,689 So we have, we have 859 00:30:45,690 --> 00:30:47,839 an LED which is connected to a pin, and 860 00:30:47,840 --> 00:30:49,909 then we want to turn it on and off every 861 00:30:49,910 --> 00:30:52,129 four seconds again.
But me as an attacker, 862 00:30:52,130 --> 00:30:54,049 I don't want it every four seconds, 863 00:30:54,050 --> 00:30:56,509 because I want to do it every one second. 864 00:30:56,510 --> 00:30:57,949 OK, so now 865 00:30:59,330 --> 00:31:00,709 this was the logic we are going to use 866 00:31:00,710 --> 00:31:02,899 for the next demo. 867 00:31:02,900 --> 00:31:04,699 And then there were some people who were 868 00:31:04,700 --> 00:31:06,889 saying that, well, what you implemented 869 00:31:06,890 --> 00:31:09,079 was not in a real 870 00:31:09,080 --> 00:31:10,969 PLC because you were doing 871 00:31:10,970 --> 00:31:13,109 it on the SoC from the Raspberry Pi, BCM 872 00:31:13,110 --> 00:31:15,289 2836, to 873 00:31:15,290 --> 00:31:17,509 do that attack using a 874 00:31:17,510 --> 00:31:19,939 runtime. So maybe in an actual 875 00:31:19,940 --> 00:31:22,009 PLC it's different. So because 876 00:31:22,010 --> 00:31:24,169 we wanted to answer that, we actually 877 00:31:24,170 --> 00:31:26,389 implemented it as well. 878 00:31:26,390 --> 00:31:27,439 So it's like a logic. 879 00:31:27,440 --> 00:31:30,199 We have a real PLC. 880 00:31:30,200 --> 00:31:32,449 We just, I think, covered the name and stuff, 881 00:31:32,450 --> 00:31:34,549 but smart people will find what 882 00:31:34,550 --> 00:31:35,629 it is. 883 00:31:35,630 --> 00:31:38,269 So this was the first 884 00:31:38,270 --> 00:31:40,009 test that we have, which you saw a video of, 885 00:31:40,010 --> 00:31:41,209 and this was the second 886 00:31:42,530 --> 00:31:43,530 PLC 887 00:31:44,600 --> 00:31:45,600 event, you know. 888 00:31:46,680 --> 00:31:48,979 Yeah. So so 889 00:31:48,980 --> 00:31:50,479 in the next demo, we are actually 890 00:31:50,480 --> 00:31:52,579 changing the actual physical 891 00:31:52,580 --> 00:31:53,779 process without the PLC 892 00:31:53,780 --> 00:31:54,780 runtime noticing.
893 00:31:58,940 --> 00:32:01,219 All right, so what we have is that every 894 00:32:01,220 --> 00:32:03,379 four seconds we are turning on and off 895 00:32:03,380 --> 00:32:05,449 the LED, so you can see true there 896 00:32:05,450 --> 00:32:07,399 and then the light is on. 897 00:32:07,400 --> 00:32:09,769 So true, it is on, and false 898 00:32:09,770 --> 00:32:11,779 means it is off. 899 00:32:11,780 --> 00:32:13,909 And then we execute our attack and 900 00:32:13,910 --> 00:32:16,789 we are now changing the process. 901 00:32:16,790 --> 00:32:19,219 What is happening there is that the 902 00:32:19,220 --> 00:32:21,449 runtime is still assuming that it is true for 903 00:32:21,450 --> 00:32:23,659 four seconds and false for four seconds, 904 00:32:23,660 --> 00:32:24,949 but actually that is not happening in 905 00:32:24,950 --> 00:32:26,899 the physical process, and the operator, 906 00:32:26,900 --> 00:32:28,339 when they are seeing it... 907 00:32:28,340 --> 00:32:30,409 So assuming that in an industrial plant, 908 00:32:30,410 --> 00:32:32,149 what is happening looks like the Blackhat 909 00:32:32,150 --> 00:32:33,770 movie, it is more complex. 910 00:32:35,870 --> 00:32:38,239 So the next 911 00:32:38,240 --> 00:32:40,699 video you will see as well, 912 00:32:40,700 --> 00:32:42,199 we just covered the names and every word, the 913 00:32:42,200 --> 00:32:44,359 name of the vendor, 914 00:32:44,360 --> 00:32:47,239 uh, and 915 00:32:47,240 --> 00:32:49,369 what we do is that, uh, so 916 00:32:49,370 --> 00:32:51,439 we are turning on and off the LED 917 00:32:51,440 --> 00:32:53,029 so you can see every two, three 918 00:32:53,030 --> 00:32:54,309 seconds we are changing. 919 00:32:54,310 --> 00:32:56,479 We had to put a thing on the screen, 920 00:32:56,480 --> 00:32:57,559 too. 921 00:32:57,560 --> 00:32:58,560 And 922 00:32:59,900 --> 00:33:00,900 so.
923 00:33:01,370 --> 00:33:03,439 Yeah, so you can see this 924 00:33:03,440 --> 00:33:05,629 on and off and then we kick 925 00:33:05,630 --> 00:33:06,499 in our attack. 926 00:33:06,500 --> 00:33:08,599 Look, this one, this implementation 927 00:33:08,600 --> 00:33:10,489 is a non-rootkit variant. 928 00:33:10,490 --> 00:33:12,530 So we are actually not using 929 00:33:13,880 --> 00:33:15,799 kernel access or anything else. 930 00:33:15,800 --> 00:33:17,419 We are just actually, from userspace, 931 00:33:17,420 --> 00:33:18,650 we are executing this attack. 932 00:33:19,710 --> 00:33:21,989 Thanks to Andrew, if you are watching 933 00:33:21,990 --> 00:33:24,149 that, he made this video for 934 00:33:24,150 --> 00:33:26,609 us, so 935 00:33:26,610 --> 00:33:28,739 it takes some seconds to kick 936 00:33:28,740 --> 00:33:29,449 in the attack. 937 00:33:29,450 --> 00:33:31,169 So then, for example, we make decisions. 938 00:33:31,170 --> 00:33:33,629 We want to turn off the LED without 939 00:33:33,630 --> 00:33:35,159 the PLC runtime knowing about it. 940 00:33:35,160 --> 00:33:36,599 OK, so the runtime, 941 00:33:36,600 --> 00:33:38,459 you can see the true value there and 942 00:33:38,460 --> 00:33:40,829 false value. But actually, I decided 943 00:33:40,830 --> 00:33:42,419 that it has to be stopped. 944 00:33:42,420 --> 00:33:44,799 So the LED is stopped, it's not turning on. 945 00:33:44,800 --> 00:33:47,339 OK, now I decide that the LED can blink, 946 00:33:47,340 --> 00:33:49,439 then it can blink, and then I decide no, 947 00:33:49,440 --> 00:33:51,089 stop, no more. But the value is true 948 00:33:51,090 --> 00:33:53,369 there. But then it is not true.
949 00:33:53,370 --> 00:33:55,679 OK, so it's like every time I 950 00:33:55,680 --> 00:33:58,019 make a decision to stop 951 00:33:58,020 --> 00:34:00,439 it from doing whatever it 952 00:34:00,440 --> 00:34:03,089 is doing without the application 953 00:34:03,090 --> 00:34:04,880 and the OS knowing about it. 954 00:34:05,940 --> 00:34:06,940 Yeah. So that's 955 00:34:08,260 --> 00:34:09,189 how it is working. 956 00:34:09,190 --> 00:34:10,988 I have to drink this thing that I don't 957 00:34:10,989 --> 00:34:11,989 like. 958 00:34:19,090 --> 00:34:20,439 And there is no I/O failure or 959 00:34:20,440 --> 00:34:22,509 anything happening here, so there is, 960 00:34:22,510 --> 00:34:23,949 in the log, you don't find anything. 961 00:34:25,370 --> 00:34:27,468 You just decide that it must stop, 962 00:34:27,469 --> 00:34:28,819 even if the PLC runtime is 963 00:34:28,820 --> 00:34:30,948 assuming that it is true, the LED is 964 00:34:30,949 --> 00:34:33,109 not on, but because we made 965 00:34:33,110 --> 00:34:34,879 a decision that there must be a stop, 966 00:34:34,880 --> 00:34:35,959 it stops. 967 00:34:35,960 --> 00:34:38,149 So it's like, so the problem 968 00:34:38,150 --> 00:34:40,698 is that what actual operators 969 00:34:40,699 --> 00:34:42,948 see in the physical plant 970 00:34:42,949 --> 00:34:45,289 is completely different from what's 971 00:34:45,290 --> 00:34:47,269 actually happening. 972 00:34:47,270 --> 00:34:48,769 OK, and that's a problem. 973 00:34:48,770 --> 00:34:50,749 That's the core problem here, that 974 00:34:50,750 --> 00:34:52,819 the operator sees something else, but 975 00:34:52,820 --> 00:34:54,799 the actual physical process will be something 976 00:34:54,800 --> 00:34:55,800 different.
977 00:34:56,780 --> 00:34:58,999 So I did another presentation 978 00:34:59,000 --> 00:35:01,579 yesterday about the security and how good 979 00:35:01,580 --> 00:35:03,649 the devices are in 980 00:35:03,650 --> 00:35:05,749 terms of the mitigations and 981 00:35:05,750 --> 00:35:07,639 random numbers. 982 00:35:07,640 --> 00:35:10,249 During our research, we analyzed, um, 983 00:35:10,250 --> 00:35:12,019 uh, different, uh, different binaries 984 00:35:12,020 --> 00:35:13,289 from different vendors. 985 00:35:13,290 --> 00:35:15,419 And these ones, uh, weren't 986 00:35:15,420 --> 00:35:17,089 protected, not with the exploit 987 00:35:17,090 --> 00:35:19,379 mitigations, at least not correctly, and 988 00:35:19,380 --> 00:35:21,649 not against, uh, static or dynamic 989 00:35:21,650 --> 00:35:22,669 analysis. 990 00:35:22,670 --> 00:35:24,709 But one of the vendors had it. It was 991 00:35:24,710 --> 00:35:26,809 quite surprising for us to see that the 992 00:35:26,810 --> 00:35:28,729 binary was protected against static 993 00:35:28,730 --> 00:35:31,189 analysis. And it was, you know, it was 994 00:35:31,190 --> 00:35:33,859 simply a very simple technique, that 995 00:35:33,860 --> 00:35:35,719 like 99 percent of the file was packed. 996 00:35:35,720 --> 00:35:37,879 And it was just a few functions, a simple 997 00:35:37,880 --> 00:35:39,519 loop that was unpacking the binary in 998 00:35:39,520 --> 00:35:40,880 memory and doing the final jump. 999 00:35:42,110 --> 00:35:44,449 The same vendor used a simple 1000 00:35:44,450 --> 00:35:46,219 anti-debugging trick as well: 1001 00:35:46,220 --> 00:35:48,079 the parent process attaching to the 1002 00:35:48,080 --> 00:35:50,179 child process to block 1003 00:35:50,180 --> 00:35:52,249 the other debuggers from attaching. 1004 00:35:52,250 --> 00:35:54,499 Actually, these are not 1005 00:35:54,500 --> 00:35:55,459 really new techniques.
1006 00:35:55,460 --> 00:35:57,799 There are many bypasses already 1007 00:35:57,800 --> 00:35:59,149 available on the Internet. 1008 00:35:59,150 --> 00:36:00,769 But it was quite surprising for us to see 1009 00:36:00,770 --> 00:36:03,229 them on the PLC. 1010 00:36:03,230 --> 00:36:05,359 Um, during 1011 00:36:05,360 --> 00:36:07,639 our research, because we knew, 1012 00:36:07,640 --> 00:36:09,619 after a while we knew what 1013 00:36:09,620 --> 00:36:11,479 kind of information we were looking for. 1014 00:36:11,480 --> 00:36:14,059 So we decided to use strace. 1015 00:36:14,060 --> 00:36:16,159 And the only challenge we had using 1016 00:36:16,160 --> 00:36:18,739 strace was that, because we had a really 1017 00:36:18,740 --> 00:36:20,989 limited amount of resources on 1018 00:36:20,990 --> 00:36:23,389 the PLCs and strace was generating a 1019 00:36:23,390 --> 00:36:25,669 huge amount of output, we weren't able 1020 00:36:25,670 --> 00:36:26,629 to handle that output, 1021 00:36:26,630 --> 00:36:27,709 and the PLC 1022 00:36:27,710 --> 00:36:30,559 was crashing, simply. 1023 00:36:30,560 --> 00:36:31,969 So what we did, we used a slightly 1024 00:36:31,970 --> 00:36:33,919 modified version of strace to just 1025 00:36:33,920 --> 00:36:36,050 gather the information that we needed. 1026 00:36:37,370 --> 00:36:38,689 And it was easy to exploit that 1027 00:36:38,690 --> 00:36:40,199 information as well.
[00:36:40] So if you remember those two protections that I introduced at the beginning of this presentation: those protections, like the others, there are some ways to bypass them. Because Doppelganger is not monitoring the dynamic memory, if you have any malicious code which is loaded dynamically, Doppelganger is evaded. And because Autoscopy Jr. is actually comparing the runtime information against a static list which was gathered in the learning mode, if there is an attack in some part of the system which wasn't monitored in the first step, we can evade Autoscopy Jr. as well. And again, in our attack, we do not modify any firmware or any logic. So now we're going to tell you about the overhead of our attack.

[00:37:31] Yeah. So with the rootkit variant, this is the graph for the fluctuation of the I/O. So how much does your I/O fluctuate when you are doing the attack?
[00:37:42] Of course we are doing some extra work in the PLC, so there might be a fluctuation of the I/O, and it's like around 0.05 milliseconds extra, or like one millisecond extra. But the thing is that the fluctuation of our I/O, surprisingly, I don't know why, is less than the actual [unclear] time. And that's... And so we evaluated the overhead of our attack, and it was not good, especially for write manipulation, because we wanted not only to change the operation; what we wanted was also that the operator never sees what's happening. OK, so we wanted to, because, well, you know, in a process it's like a closed-loop control. So once you change something there, the inputs which are coming back are changed too, so we didn't want the operator to see it, so we were doing the manipulation. But the manipulation, especially the write manipulation, was not acceptable.
[00:38:43] It was like a 22, 23 percent overhead, and that was too much for us. So what we did was that we thought about why we don't do it without having root, without using the registers, because that was expensive. So that's why we implemented a second variant of our attack. What we did was that we thought, OK, the runtime, once it receives the logic, configures, or like it's describing, lots of things for its operation. So why not? We just use the privilege of the runtime and do the same. And we did it, and its overhead is like below one percent. We can either remap the I/O or use already mapped addresses and work out the code; you can actually use any standard, like sysfs or like /dev/mem device driver request, to actually change the...
[00:39:35] ...the configuration of the attack and how it's working. And especially the most important thing, the difference with the previous attack, with the rootkit, is that the only thing you need is that you need to find something we call the reference starting time. So let's assume that we are turning on and off a simple process, like an LED, every five seconds. But what we want is that we have to know from which point the five seconds start. OK, so I know that it is doing this every five seconds, but at which moment is this five seconds happening? So that's something that you have to read for some seconds, the I/O, and then you know what this delay is, or at which exact time it is happening. And then once you found it, actually the work is almost seamless: you just set the pin to input mode, the write gets ignored, and then when the runtime writes to it, it really fails.
[00:40:32] And then we change the pin back to something else, and then we write the value which we want. It's similar for the write values too. So we find a reference starting time, we set the pin to output mode, then we write what we want, and then the runtime reads the value we give to it. And so far all of the things we said were about digital stuff, right, and almost all of them about configuration. So the question is, what about analog stuff, and what about pin multiplexing, which physically terminates the connection? So actually we can use it for analog manipulation. Very good. So we can actually use the pin multiplexing attack to manipulate the entire analog memory and suddenly make it unavailable for the runtime or the driver, and then later we return it back to the control, so you can do it.
[00:41:28] That's one of the things you can do, or you can just be very intrusive and change the program counter. That's very intrusive, but you can change the program counter to jump from the write operation. But generally the analog I/O is almost the same as the digital, except that you have multiple bits to modify.

[00:41:50] So now we have our last demo, which is analog manipulation of a motor, and we are doing it with a pin multiplexing attack. I have to go very slowly. Just stop it one second, because, so, it is a motor which is rotating every like some seconds, right? And so here, this value here, you see -0.0329. And if you look at this value, it's going high and then going low. This is a sine wave which we have. So it's going high and then it's going low, right?
[00:42:28] So it's showing us that's how we are actually controlling the motor, and how the motor is actually working and rotating based on that. So now we are kicking in our attack, a pin multiplexing attack. What we do is that we decide to stop the motor whenever we want, in analog data, and we kick in our loader, and then what will happen is that we stop the motor. But still, what you see there is actually the motor moving forward and backward. But actually it's not the case, because the motor is not moving forward and backward; as you can see, the motor is stopped. So let's go back a little bit. So again, the motor is moving; below that, after the attack, the motor is stopped from working, but the values are still saying that the motor is moving forward and backward. But actually the motor is not moving forward and backward, because actually we multiplexed the pin, physically terminated it. But at the runtime, there is no I/O failure.
[00:43:25] There is nothing from the driver, ever. Crazy. So.

[00:43:34] There might be other possibilities for attacks, or some other smart people can look at it, like, for example, pull-up and pull-down resistors. It's worth looking at them. What if we disable them? And is it possible that somebody remotely changes the values of your electromagnetic field? I don't know what happens down there. [unclear] You want to filter the noises coming from the environment, but you can actually enable or disable them. I don't know why they put this functionality in, but overall, what we believe is that you can, again, cannot trust your inputs, even if they're coming from the I/O. And what we believe now is that, for now, actually, to be honest, I think it doesn't make sense to do our attack. You know why?
[00:44:29] Because, well, there are so much simpler things to do right now. There are lots of vulnerable PLCs which do not have, like, basic stuff, like, I don't know, like not having a backdoor password, or there are no attestation frameworks for the executable part of the memory. But the vendors right now, as we are speaking, are actually moving toward that. And our talk is not about today. It's about once they are deploying them, probably in 2020; then this attack makes sense for them. And so for now, fixing these problems, I think it's easy for the vendors to fix these problems: not having a backdoor password, having proper logic checksums, or like having some kind of attestation for verifying the integrity of the runtime.
[00:45:24] But once these things are gone, then the next step for the attacker is actually modifying the logic or the runtime, like hooking functions, which is very typical in malware. So that's why every time when you have more complex, or more active, defenses in one layer, attackers go to another layer. And I think our attack is in another layer.

[00:45:51] And so as a conclusion, I think you really need to focus on system-level security of control devices in the future, because more sophisticated techniques come. Because right now we don't have very good defenses, it doesn't mean that once we have them, they don't introduce something new. It's always a cat-and-mouse game. And so the pin control attack is just an example of such attacks. And I think that originally it's caused by a lack of interrupts for configuration
[00:46:23] [unclear], and can actually have significant consequences in other control devices such as IEDs or even [unclear]. And that's it. You have a solution for us now? Well, before being, as I said, before being worried about this kind of attacks, it's better to first change your default passwords, right? And then, it's actually hard to give a definitive solution right now, because having a good solution against this kind of attacks needs equal collaboration from the software vendors and the hardware vendors. But we can do some stuff to make it harder, for example, during the I/O operation, not letting the unprivileged process do the I/O operations directly. And we can also monitor the I/O and the pins for anomalies, for example in the kernel. So by doing this kind of stuff, we can reduce the attack surface.
[00:47:25] And yeah, this is almost pretty much our presentation. If you're looking for more, you can attend our presentation at S4 next year, actually in Miami, United States. And yeah, everything that has a beginning has an end. Thank you for attending. And if there are any questions, we're here.

[00:47:55] Thank you, Ali and Majid. If you have questions, please line up at the four microphones here in the hall. If you're leaving, please leave through the front door, and leaving, please, only through the front door. We have one question from the microphone up front.

[00:48:15] Thank you for this interesting talk. One question. Excuse me. If you're leaving, please do so quietly so we can still record the questions. Thank you. My question is, how do you execute the code on the real PLC to write your multiplexing request to manipulate the things? How do you get there and execute it?
[00:48:35] So for the multiplexing registers, you still need root access, because multiplexing is a requirement that you need to have to be in the kernel. OK, so you can't do the multiplexing attack without having root access. OK, but for the pin configuration attack, you can easily do that, because lots of these PLCs are built, let's say, like that: so you have different I/O buses which connect to the I/O, and what they have, they have different kinds of buses which communicate over this pin configuration. So there is some other abstraction layer built upon this concept. So what you do is that, for example, you can actually attack this abstraction layer instead of attacking directly the configuration of the I/O, which you can't do.
[00:49:29] And again, for pin multiplexing, you can't do it; you need root access because it's a requirement that the kernel forces you to do that. So originally, pin multiplexing is happening at boot time. So usually the bootloader does that. But if you want to do it, nothing stops you if you are in root; then you need to have root access for that.

[00:49:51] We have another question from the microphone in front here. Hey, this is all very interesting. In the case where you have root, it seems like you'll always be able to win. But in the case where you're just using shellcode and exploiting the application process itself, it sounds like your shellcode is just calling mmap and kind of remapping the memory itself in process. So what are you doing then? No, we don't always do a remap, as I said, for that answer. So actually for the demo which we have for the actual PLC, we don't do any mapping.
[00:50:25] We are actually attacking another communication which builds upon, for example, the pin control subsystem. So we are not directly targeting it. We target another abstraction layer over the pin control subsystem. So that's how we are doing it. But as we said, another thing you can do is that you can actually exploit the mapping already existing, already mapped I/O addresses, to try to do your attack. That's it. So is that specific to the application itself, like it has its own internal queue for these events and you're just hijacking that internal queue of the process? Yes. So, for, yes. If you don't have root access, yes. But if you do have root access, then you can do other things. And one thing which I heard a lot, and lots of people which legitimately ask the question, is that if I have root access, why would I want to do that? Right.
[00:51:24] I think the point is that you don't consider that we have active defenses. So once you have, for example, some hooking protection within the PLC kernel, OK, then what do you want to do? What is your alternative? OK, so then what we are saying is that, OK, don't touch this. Don't touch anything with the software. What we do is that we just go and change the configuration of the pins, and then we can actually achieve the same thing, for example, as Stuxnet did, OK, without actually exploiting the software, but just going to the underlying system and just targeting the I/O directly. That's when our attack makes sense. As we said several times, yes, if you don't have defenses, if you have a backdoor password and no checksum, why would you go through this painful process to, I don't know, like manipulating the SoC registers to do that, right?
[00:52:19] But once you have active defenses, then it totally makes sense, because then you are much more limited in doing your attack. Thank you, Erica. We have a question from the Internet via our signal angel.

[00:52:31] Yeah. Crail from the IRC asks if there's any evidence of this sort of attack being used in the wild now? I'm not sure. I don't know. Maybe in another Snowden.

[00:52:46] We have a question from the microphone in the rear over here. Yeah. Did you see any changes in, for example, JTAG boundary scan, or where such things are not available, the processor? Did I see JTAG boundary scan, so basically checking the status of all the pins around the chip? No, there is nothing. But we are actually doing that now as a defense matter; a student who is doing this kind of stuff right now.
[00:53:11] But, no, we don't see such a thing existing currently in systems or RTUs, or [unclear]. We need to ask another question from the microphone in the front. When I call my PLC, is it viable to check the I/O mode or just ask myself, so is this a viable defense for a PLC? No, because that's not the only way out. So there are lots of ways the attacker can target the I/O configuration. One of the things you can do is that, for example, check how much or how often the configuration of the pins is changing, because in an actual physical process in a PLC it is not that much, OK. So if you have some kind of memory forensics, you can spot it, which some people, for example, [unclear], here in our talk, are defining. So with those kind of memory forensic protections you have, you can actually spot that. But what you spot is a pin configuration attack.
What what pin multiplexing 1544 00:54:13,560 --> 00:54:15,659 because pin multiplexing, you just change 1545 00:54:15,660 --> 00:54:17,159 a bit and that's it. 1546 00:54:17,160 --> 00:54:19,349 So it's just a zero to one, 1547 00:54:19,350 --> 00:54:22,679 OK, and then it's totally disconnected 1548 00:54:22,680 --> 00:54:24,719 and it's like very, very little thing you 1549 00:54:24,720 --> 00:54:26,429 can do actually to spot that. 1550 00:54:26,430 --> 00:54:28,559 So you have to have another defense for 1551 00:54:28,560 --> 00:54:29,909 PIN multiplexing. 1552 00:54:29,910 --> 00:54:32,009 And then what about, for example, if 1553 00:54:32,010 --> 00:54:33,599 that's accurate, for example, remapped, 1554 00:54:33,600 --> 00:54:35,189 are you so very you want to look now 1555 00:54:35,190 --> 00:54:37,259 because. Well, I can remapped 1556 00:54:37,260 --> 00:54:39,269 you again and then you have to hook the 1557 00:54:39,270 --> 00:54:41,019 functions which are, for example, 1558 00:54:41,020 --> 00:54:43,079 remapping your to to a spot 1559 00:54:43,080 --> 00:54:45,149 that future attacks that attack a 1560 00:54:45,150 --> 00:54:47,489 remapped or instead of having the ability 1561 00:54:47,490 --> 00:54:49,679 mapped IO. So there are lots of 1562 00:54:49,680 --> 00:54:52,219 more things, not just looking how 1563 00:54:52,220 --> 00:54:53,849 how much the configuration of the pins 1564 00:54:53,850 --> 00:54:55,979 change I don't think is enough. 1565 00:54:55,980 --> 00:54:58,049 And I think there must be some push 1566 00:54:58,050 --> 00:55:00,209 from there. 
So Sirena's for 1567 00:55:00,210 --> 00:55:01,799 having some interrupts, especially when 1568 00:55:01,800 --> 00:55:04,149 the are your fail and especially I see in 1569 00:55:04,150 --> 00:55:06,809 pin multiplexing is stuff because you 1570 00:55:06,810 --> 00:55:08,999 honestly I see it's very surprising that 1571 00:55:09,000 --> 00:55:11,069 the IO is not available and I think 1572 00:55:11,070 --> 00:55:12,959 it's not expensive for the chip vendors 1573 00:55:12,960 --> 00:55:14,699 to have at least a interop forefend 1574 00:55:14,700 --> 00:55:16,769 multiplexing because in the 1575 00:55:16,770 --> 00:55:19,079 pre multiplexing you physically 1576 00:55:19,080 --> 00:55:21,389 do not talk any more video, 1577 00:55:21,390 --> 00:55:23,489 but there is no feedback from 1578 00:55:23,490 --> 00:55:25,079 this or see you saying, hey, what you 1579 00:55:25,080 --> 00:55:27,179 requested to write to desire is 1580 00:55:27,180 --> 00:55:29,399 not available. And that's crazy, 1581 00:55:29,400 --> 00:55:30,400 I think. 1582 00:55:31,980 --> 00:55:33,440 Do we have any more questions? 1583 00:55:35,420 --> 00:55:37,409 There is a question coming up on the 1584 00:55:37,410 --> 00:55:38,489 front left microphone. 1585 00:55:39,930 --> 00:55:41,759 I'm wondering about that interrupt, 1586 00:55:41,760 --> 00:55:44,099 because how should the PIN function 1587 00:55:44,100 --> 00:55:46,319 controller know that if I switch 1588 00:55:46,320 --> 00:55:48,479 from KBIO to a squishy, 1589 00:55:48,480 --> 00:55:49,480 for example, 1590 00:55:50,700 --> 00:55:52,409 and that PIN remain silent because 1591 00:55:52,410 --> 00:55:54,609 there's no S.A.C. transaction going on, 1592 00:55:54,610 --> 00:55:56,159 how should the PIN function controller 1593 00:55:56,160 --> 00:55:57,719 decide if there's if it's the wrong 1594 00:55:57,720 --> 00:55:59,459 configuration or just a syllabus? 
1595 00:55:59,460 --> 00:56:01,619 Yes, that's totally the 1596 00:56:01,620 --> 00:56:02,489 what should it feedback. 1597 00:56:02,490 --> 00:56:03,899 And who should be listening to that at 1598 00:56:03,900 --> 00:56:05,669 least can be, hey, the configuration 1599 00:56:05,670 --> 00:56:07,319 change now. 1600 00:56:07,320 --> 00:56:08,949 But there is no feedback even for that. 1601 00:56:08,950 --> 00:56:10,799 So like as we said before, there is two 1602 00:56:10,800 --> 00:56:12,659 problem in here. 1603 00:56:12,660 --> 00:56:14,369 First is that once the configuration 1604 00:56:14,370 --> 00:56:16,769 changes is nothing, there is nothing 1605 00:56:16,770 --> 00:56:18,419 that she tells you, hey, configuration 1606 00:56:18,420 --> 00:56:19,409 change. 1607 00:56:19,410 --> 00:56:21,299 OK, so that's one problem. 1608 00:56:21,300 --> 00:56:23,039 And second, is that OK, once the 1609 00:56:23,040 --> 00:56:24,959 configuration change and the operation 1610 00:56:24,960 --> 00:56:27,029 fail, there is no feedback telling you 1611 00:56:27,030 --> 00:56:29,829 that, hey, the operation failed. 1612 00:56:29,830 --> 00:56:32,019 OK, so at least 1613 00:56:32,020 --> 00:56:33,909 what they can do is that they can say 1614 00:56:33,910 --> 00:56:35,859 that the configuration changed, at least, 1615 00:56:35,860 --> 00:56:37,809 for example, the driver, or that the 1616 00:56:37,810 --> 00:56:40,299 software knows now that the configuration 1617 00:56:40,300 --> 00:56:42,219 is changed, which they don't. 1618 00:56:44,990 --> 00:56:46,729 Well, I wonder if you have root access, 1619 00:56:46,730 --> 00:56:48,859 you could probably made that 1620 00:56:48,860 --> 00:56:50,959 information obsolete anyhow. 1621 00:56:50,960 --> 00:56:51,960 Yeah. 
1622 00:56:54,300 --> 00:56:56,429 Another question from the same microphone 1623 00:56:56,430 --> 00:56:58,949 and front, did you tried 1624 00:56:58,950 --> 00:57:01,019 using safety policies which 1625 00:57:01,020 --> 00:57:02,999 are for sealevel? 1626 00:57:03,000 --> 00:57:05,369 So I was required 1627 00:57:05,370 --> 00:57:07,799 to read back its value 1628 00:57:07,800 --> 00:57:08,939 on some point. 1629 00:57:08,940 --> 00:57:11,049 If it's, uh, 1630 00:57:11,050 --> 00:57:13,229 controlled Zarela, you have to feedbag 1631 00:57:13,230 --> 00:57:15,659 and p.l.c. know so 1632 00:57:15,660 --> 00:57:17,849 that through you might 1633 00:57:17,850 --> 00:57:19,619 have some penalties that they do that. 1634 00:57:19,620 --> 00:57:21,899 But it's still, for example, 1635 00:57:21,900 --> 00:57:23,999 for both pene multiplexing an 1636 00:57:24,000 --> 00:57:25,529 attack and pin configuration. 1637 00:57:25,530 --> 00:57:27,869 If that remapped are your what the 1638 00:57:27,870 --> 00:57:30,059 what the, for example, operator C 1639 00:57:30,060 --> 00:57:32,579 or the the X is a virtually 1640 00:57:32,580 --> 00:57:33,569 mapped IO. 1641 00:57:33,570 --> 00:57:36,029 So the second time actually doesn't fail 1642 00:57:36,030 --> 00:57:37,709 in writing to the visually mapped. 1643 00:57:37,710 --> 00:57:39,569 So it's it is successful. 1644 00:57:39,570 --> 00:57:41,849 Everything, the data in visual memory 1645 00:57:41,850 --> 00:57:42,999 is there. 1646 00:57:43,000 --> 00:57:45,179 OK, so once you check 1647 00:57:45,180 --> 00:57:46,079 it is true. 1648 00:57:46,080 --> 00:57:48,089 It is right. The values are right. 1649 00:57:48,090 --> 00:57:49,769 But what is happening is that in the 1650 00:57:49,770 --> 00:57:51,989 physical process, what the actual 1651 00:57:51,990 --> 00:57:54,419 value is there is not there because 1652 00:57:54,420 --> 00:57:56,669 in another register which the p.l.c. 
1653 00:57:56,670 --> 00:57:59,129 such as sealevel sees that checking, 1654 00:57:59,130 --> 00:58:01,379 for example, we are checking 1655 00:58:01,380 --> 00:58:02,699 the configuration of Duilio. 1656 00:58:02,700 --> 00:58:04,019 They are checking actual value. 1657 00:58:04,020 --> 00:58:06,089 They return if we stay or not, 1658 00:58:06,090 --> 00:58:08,369 which is is there, but it's not 1659 00:58:08,370 --> 00:58:10,469 reflecting to the physical process. 1660 00:58:10,470 --> 00:58:12,689 That's why we call it in-memory illusion, 1661 00:58:12,690 --> 00:58:14,879 because what you see is not actually 1662 00:58:14,880 --> 00:58:16,529 is what is happening in the physical 1663 00:58:16,530 --> 00:58:19,399 world. OK, thank you. 1664 00:58:19,400 --> 00:58:21,679 We have another question from the I.R.S. 1665 00:58:21,680 --> 00:58:22,820 Why our signal angel? 1666 00:58:27,030 --> 00:58:29,229 But what we don't have 1667 00:58:29,230 --> 00:58:31,569 or do we, yeah, 1668 00:58:31,570 --> 00:58:33,689 maybe just 1669 00:58:33,690 --> 00:58:36,069 have an fun like phone and such, 1670 00:58:36,070 --> 00:58:37,070 but again. 1671 00:58:40,250 --> 00:58:41,250 Come again. 1672 00:58:43,870 --> 00:58:46,479 As you have to emulate a process, a 1673 00:58:46,480 --> 00:58:47,830 process of your. 1674 00:58:49,850 --> 00:58:51,589 APRC. 1675 00:58:51,590 --> 00:58:53,599 And that works only for a couple of 1676 00:58:53,600 --> 00:58:55,729 seconds. Is there any 1677 00:58:55,730 --> 00:58:57,829 way to 1678 00:58:57,830 --> 00:58:59,999 extrapolate right to the philosophy 1679 00:59:00,000 --> 00:59:02,239 program accelerator 1680 00:59:02,240 --> 00:59:03,240 program? 1681 00:59:03,890 --> 00:59:04,890 I don't get it. 1682 00:59:06,750 --> 00:59:09,109 I think he wants to know if you can dump 1683 00:59:09,110 --> 00:59:11,299 the actual penalty called running. 1684 00:59:11,300 --> 00:59:12,239 Yeah, you can. 
1685 00:59:12,240 --> 00:59:14,209 But why would you do that? 1686 00:59:14,210 --> 00:59:16,009 And if you are Apte, I don't think it 1687 00:59:16,010 --> 00:59:18,439 makes sense. You are you're delivering 1688 00:59:18,440 --> 00:59:19,609 your final payload. 1689 00:59:19,610 --> 00:59:20,569 You don't want to. 1690 00:59:20,570 --> 00:59:22,849 If you're exfiltrate some data for us 1691 00:59:22,850 --> 00:59:25,099 as a recon, then yeah, you can do that. 1692 00:59:25,100 --> 00:59:26,959 And I don't think it's impossible, 1693 00:59:26,960 --> 00:59:29,059 especially with the recent trend that you 1694 00:59:29,060 --> 00:59:30,979 have in the places. 1695 00:59:30,980 --> 00:59:32,689 I think this year I think there was like 1696 00:59:32,690 --> 00:59:35,779 four or five in different places. 1697 00:59:35,780 --> 00:59:37,909 And yeah, then it's totally 1698 00:59:37,910 --> 00:59:39,980 possible to do that silently. 1699 00:59:42,840 --> 00:59:44,129 I think we're out of time. 1700 00:59:44,130 --> 00:59:46,429 Thank you very much, Ali Abassi Muthee.