0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/912 Thanks! 1 00:00:15,220 --> 00:00:16,899 Hello again, good evening. 2 00:00:16,900 --> 00:00:19,029 For the last session on day three 3 00:00:19,030 --> 00:00:21,189 of the Congress, I'm really happy 4 00:00:21,190 --> 00:00:23,319 to see so many of you so 5 00:00:23,320 --> 00:00:25,899 interested in such a particular topic. 6 00:00:25,900 --> 00:00:28,779 But it might be really, really relevant 7 00:00:28,780 --> 00:00:31,239 for many in assessing 8 00:00:31,240 --> 00:00:32,709 our threat levels. 9 00:00:32,710 --> 00:00:34,899 So we 10 00:00:34,900 --> 00:00:37,089 will hear more about direct 11 00:00:37,090 --> 00:00:39,309 memory attacks and how they're still 12 00:00:39,310 --> 00:00:41,079 possible nowadays. 13 00:00:41,080 --> 00:00:43,449 Again, and Ulf Frisk is here 14 00:00:43,450 --> 00:00:45,729 to show you and to tell you 15 00:00:45,730 --> 00:00:48,579 more about what you should know about it. 16 00:00:48,580 --> 00:00:49,580 Thank you. 17 00:00:55,490 --> 00:00:57,899 Tonight, we're going to talk about public 18 00:00:57,900 --> 00:01:00,229 FPGA based direct memory access, 19 00:01:00,230 --> 00:01:02,419 DMA, attacking. My name is 20 00:01:02,420 --> 00:01:04,068 Ulf Frisk, and helping me with the demos 21 00:01:04,069 --> 00:01:05,769 today, I have yet to, Naureen. 22 00:01:07,220 --> 00:01:09,139 I will start by briefly going through 23 00:01:09,140 --> 00:01:11,069 some background and previous work 24 00:01:11,070 --> 00:01:13,309 done in the area, then we will jump straight 25 00:01:13,310 --> 00:01:15,049 into the actual DMA attacking. 
26 00:01:15,050 --> 00:01:17,299 I will try to do a live demo in which 27 00:01:17,300 --> 00:01:19,429 we will transmit and receive 28 00:01:19,430 --> 00:01:20,869 transaction layer packets. 29 00:01:20,870 --> 00:01:23,089 We will dump memory at speeds 30 00:01:23,090 --> 00:01:26,149 up to 75 megabits per second. 31 00:01:26,150 --> 00:01:28,609 Then we will have a look at the actual FPGA 32 00:01:28,610 --> 00:01:30,589 design that I created. 33 00:01:30,590 --> 00:01:32,659 After that, we will go into some more 34 00:01:32,660 --> 00:01:34,279 advanced DMA attacking. 35 00:01:34,280 --> 00:01:36,469 We will attack a vulnerable vanilla Linux 36 00:01:36,470 --> 00:01:38,659 system and a vulnerable UEFI. 37 00:01:39,980 --> 00:01:42,409 If you manage to get into UEFI, 38 00:01:42,410 --> 00:01:44,599 you might also be able to compromise 39 00:01:44,600 --> 00:01:46,879 Secure Boot, and then you can also 40 00:01:46,880 --> 00:01:49,189 compromise the not yet booted operating 41 00:01:49,190 --> 00:01:51,529 system, such as a Windows 42 00:01:51,530 --> 00:01:53,419 10 system running virtualization based 43 00:01:53,420 --> 00:01:54,420 security. 44 00:01:55,490 --> 00:01:57,409 And at the end, we will have a look at 45 00:01:57,410 --> 00:01:59,659 some future hardware that I'm really 46 00:01:59,660 --> 00:02:00,660 excited about. 47 00:02:02,480 --> 00:02:03,409 My name is Ulf Frisk. 48 00:02:03,410 --> 00:02:05,629 I'm employed in the financial sector 49 00:02:05,630 --> 00:02:06,769 in Stockholm, Sweden. 50 00:02:06,770 --> 00:02:08,959 I previously presented my work at a 51 00:02:08,960 --> 00:02:10,909 conference in Stockholm and also at DEF 52 00:02:10,910 --> 00:02:12,619 CON in Las Vegas. 53 00:02:12,620 --> 00:02:14,809 I'm the author of the PCILeech Direct 54 00:02:14,810 --> 00:02:16,699 Memory Access Attack Toolkit, and it's 55 00:02:16,700 --> 00:02:18,439 just been a hobby project of mine 56 00:02:18,440 --> 00:02:19,339 since the start. 
57 00:02:19,340 --> 00:02:22,069 And as always, I also 58 00:02:22,070 --> 00:02:23,659 need to point out that I'm giving this 59 00:02:23,660 --> 00:02:25,099 talk as an individual. 60 00:02:25,100 --> 00:02:27,259 My employer is not involved in any 61 00:02:27,260 --> 00:02:28,430 way whatsoever. 62 00:02:29,840 --> 00:02:32,209 I'm here today to present PCILeech 63 00:02:32,210 --> 00:02:34,379 FPGA. PCILeech 64 00:02:34,380 --> 00:02:36,709 FPGA is the combination of 65 00:02:36,710 --> 00:02:38,899 the Xilinx SP605 66 00:02:38,900 --> 00:02:41,149 development board coupled with an 67 00:02:41,150 --> 00:02:43,309 FT601 USB3 68 00:02:43,310 --> 00:02:45,889 add-on board. The PCI 69 00:02:45,890 --> 00:02:48,079 Express generation 1, x1 lane 70 00:02:48,080 --> 00:02:50,479 side goes into the target computer, 71 00:02:50,480 --> 00:02:52,279 or if you wish to call it the victim 72 00:02:52,280 --> 00:02:54,439 computer. The USB 73 00:02:54,440 --> 00:02:56,449 3 side goes into the controller 74 00:02:56,450 --> 00:02:58,369 computer, or if you wish to call it the 75 00:02:58,370 --> 00:03:00,199 attacker computer. 76 00:03:00,200 --> 00:03:02,299 Once both sides are connected, 77 00:03:02,300 --> 00:03:04,399 the controller computer is able to send 78 00:03:04,400 --> 00:03:06,469 PCI Express transaction layer packets 79 00:03:06,470 --> 00:03:09,109 over USB3 onto the FPGA, 80 00:03:09,110 --> 00:03:11,239 which will then put them on the PCI Express 81 00:03:11,240 --> 00:03:13,189 of the target system. 82 00:03:13,190 --> 00:03:15,439 We can also read PCI Express 83 00:03:15,440 --> 00:03:17,899 TLPs this way from the target system, 84 00:03:17,900 --> 00:03:19,609 and they will be forwarded on to the 85 00:03:19,610 --> 00:03:21,889 controller computer. 
86 00:03:21,890 --> 00:03:24,049 The whole hardware setup as such is 87 00:03:24,050 --> 00:03:26,179 between five and six hundred dollars 88 00:03:26,180 --> 00:03:28,279 in total, and with it you will be 89 00:03:28,280 --> 00:03:30,469 able to do DMA to both 90 00:03:30,470 --> 00:03:31,669 32 bit memory 91 00:03:31,670 --> 00:03:34,009 address space below 4 gigabytes 92 00:03:34,010 --> 00:03:36,109 and 64 bit memory 93 00:03:36,110 --> 00:03:38,449 address space above 4 gigabytes. 94 00:03:38,450 --> 00:03:40,729 You will be able to do DMA at around 95 00:03:40,730 --> 00:03:42,940 75 megabits per second. 96 00:03:44,000 --> 00:03:46,249 Everything that I created is totally 97 00:03:46,250 --> 00:03:48,409 open source, but I'm using some 98 00:03:48,410 --> 00:03:50,389 vendor proprietary blobs in there, 99 00:03:50,390 --> 00:03:51,589 unfortunately. 100 00:03:51,590 --> 00:03:53,749 So that's why the title of today's talk 101 00:03:53,750 --> 00:03:55,550 is public and not open. 102 00:03:57,350 --> 00:03:59,689 If I compare the SP605 103 00:03:59,690 --> 00:04:01,939 FPGA solution with the 104 00:04:01,940 --> 00:04:04,069 earlier hardware I used for DMA attacks, 105 00:04:04,070 --> 00:04:06,559 the USB3380, 106 00:04:06,560 --> 00:04:08,899 the USB3380 was sold 107 00:04:08,900 --> 00:04:11,149 out earlier this year, and 108 00:04:11,150 --> 00:04:13,219 the FPGA solution is 109 00:04:13,220 --> 00:04:15,019 a little bit more expensive. 110 00:04:15,020 --> 00:04:16,398 It's bulkier. 111 00:04:16,399 --> 00:04:18,469 It's also slower as it is at 112 00:04:18,470 --> 00:04:20,599 the moment, but it's 113 00:04:20,600 --> 00:04:22,939 much more stable, and 114 00:04:22,940 --> 00:04:25,279 you will be able to do 64 bit 115 00:04:25,280 --> 00:04:27,679 DMA memory addressing as 116 00:04:27,680 --> 00:04:28,399 well. 
117 00:04:28,400 --> 00:04:30,649 And that means that you're able to access 118 00:04:30,650 --> 00:04:32,719 memory above 4 gigs as 119 00:04:32,720 --> 00:04:34,819 well as memory below 4 gigs. 120 00:04:34,820 --> 00:04:37,009 And this is a huge difference 121 00:04:37,010 --> 00:04:39,199 compared to the old hardware, with which we were 122 00:04:39,200 --> 00:04:41,419 only able to access memory below 4 123 00:04:41,420 --> 00:04:42,420 gigs. 124 00:04:43,790 --> 00:04:45,919 DMA attacks have been around since 125 00:04:45,920 --> 00:04:47,599 pretty much forever. 126 00:04:47,600 --> 00:04:49,939 I think you all heard of Inception, 127 00:04:49,940 --> 00:04:52,039 an awesome FireWire DMA attacking 128 00:04:52,040 --> 00:04:54,199 tool. If you haven't used it or heard 129 00:04:54,200 --> 00:04:56,389 of it, please look it up. 130 00:04:56,390 --> 00:04:59,029 As a response to DMA attacks, 131 00:04:59,030 --> 00:05:00,739 and also as a response to the 132 00:05:00,740 --> 00:05:02,659 growing need for virtualization of 133 00:05:02,660 --> 00:05:03,619 devices, 134 00:05:03,620 --> 00:05:06,229 CPU vendors introduced the IOMMUs, 135 00:05:06,230 --> 00:05:08,679 or VT-d, around 136 00:05:08,680 --> 00:05:11,120 2008 and onwards. 137 00:05:12,230 --> 00:05:14,689 And if the IOMMUs are used 138 00:05:14,690 --> 00:05:16,999 properly by the firmware 139 00:05:17,000 --> 00:05:19,159 and operating systems, they should be 140 00:05:19,160 --> 00:05:21,379 able to protect fully against DMA 141 00:05:21,380 --> 00:05:23,509 attacks. As we'll see today, 142 00:05:23,510 --> 00:05:25,729 that's not always, that's not 143 00:05:25,730 --> 00:05:26,730 always the case. 144 00:05:28,370 --> 00:05:30,919 There's been lots of research in the 145 00:05:30,920 --> 00:05:33,019 DMA attacking 146 00:05:33,020 --> 00:05:34,939 space. I can't mention everyone here 147 00:05:34,940 --> 00:05:36,920 today. 
I thought I should mention 148 00:05:38,420 --> 00:05:40,639 Camino's work, which is 149 00:05:40,640 --> 00:05:42,919 from the academic 150 00:05:42,920 --> 00:05:44,119 area, 151 00:05:44,120 --> 00:05:46,909 that he used for his PhD thesis, 152 00:05:46,910 --> 00:05:49,189 and also snare and rzn 153 00:05:49,190 --> 00:05:50,989 did a really awesome Thunderbolt 154 00:05:50,990 --> 00:05:53,389 DMA attacking talk 155 00:05:53,390 --> 00:05:55,649 back in 2014, actually 156 00:05:55,650 --> 00:05:57,899 using the exact same hardware I'm using 157 00:05:57,900 --> 00:06:00,059 here today, the SP605. 158 00:06:01,110 --> 00:06:03,239 And then just a couple of months 159 00:06:03,240 --> 00:06:05,309 ago, Dmytro Oleksiuk released 160 00:06:05,310 --> 00:06:07,769 what I know to be the first DMA 161 00:06:07,770 --> 00:06:09,869 attack focused FPGA bitstream 162 00:06:09,870 --> 00:06:12,209 to the public with his 163 00:06:12,210 --> 00:06:15,239 PCIe DIY hacking toolkit. 164 00:06:15,240 --> 00:06:17,459 Dmytro also supported my work with 165 00:06:17,460 --> 00:06:19,709 PCILeech, and he also shared 166 00:06:19,710 --> 00:06:21,779 both his first binaries and 167 00:06:21,780 --> 00:06:23,639 some source code with me. 168 00:06:23,640 --> 00:06:25,769 And it really pushed me to actually get 169 00:06:25,770 --> 00:06:27,839 the SP605 from the start and get 170 00:06:27,840 --> 00:06:28,859 going here. 171 00:06:28,860 --> 00:06:31,139 So really huge thanks to Dmytro. 172 00:06:31,140 --> 00:06:32,909 Without you, I wouldn't be here. 173 00:06:32,910 --> 00:06:33,910 Thank you. 174 00:06:37,680 --> 00:06:39,879 PCI Express is 175 00:06:39,880 --> 00:06:42,189 packet based. The packets 176 00:06:42,190 --> 00:06:44,289 are called transaction layer packets, 177 00:06:44,290 --> 00:06:46,269 or TLPs. 
178 00:06:46,270 --> 00:06:48,489 They are DWORD based, 32 bit 179 00:06:48,490 --> 00:06:50,709 based. They usually consist of 180 00:06:50,710 --> 00:06:52,869 a header that is between three and 181 00:06:52,870 --> 00:06:55,299 four DWORDs long, and 182 00:06:56,410 --> 00:06:58,329 the TLPs come in different types. 183 00:06:58,330 --> 00:07:00,849 For example, read memory, write memory, 184 00:07:00,850 --> 00:07:03,039 IO, configuration, messages, 185 00:07:03,040 --> 00:07:04,569 completions and so on. 186 00:07:05,770 --> 00:07:07,869 Let's focus on the DMA types here 187 00:07:07,870 --> 00:07:11,079 today, the memory read and write TLPs. 188 00:07:11,080 --> 00:07:13,509 The 64 bit write 189 00:07:13,510 --> 00:07:15,189 is down on the left. 190 00:07:15,190 --> 00:07:17,529 It starts with which type of packet 191 00:07:17,530 --> 00:07:19,149 it is in the first DWORD. 192 00:07:19,150 --> 00:07:21,279 And then you also have the length of the 193 00:07:21,280 --> 00:07:23,739 data that you wish to write, 194 00:07:23,740 --> 00:07:26,229 in number of DWORDs. 195 00:07:26,230 --> 00:07:28,629 The second DWORD contains the requester 196 00:07:28,630 --> 00:07:30,849 ID, which is the bus number and device 197 00:07:30,850 --> 00:07:33,159 number of the actual device 198 00:07:33,160 --> 00:07:34,160 sending this 199 00:07:35,350 --> 00:07:37,629 packet. And then, since we are doing 200 00:07:37,630 --> 00:07:39,129 a 64 bit 201 00:07:39,130 --> 00:07:41,379 write, that means that we are writing to 64 202 00:07:41,380 --> 00:07:42,819 bit memory address space, 203 00:07:42,820 --> 00:07:44,889 we need to represent that address in two 204 00:07:44,890 --> 00:07:46,979 DWORDs. And then we have the data 205 00:07:46,980 --> 00:07:48,259 at the end. 206 00:07:48,260 --> 00:07:49,329 When we do a write, 
207 00:07:49,330 --> 00:07:51,399 we post this message onto PCI 208 00:07:51,400 --> 00:07:53,559 Express and we will trust that it will 209 00:07:53,560 --> 00:07:54,609 get written. 210 00:07:54,610 --> 00:07:56,679 We won't get any acknowledgment back 211 00:07:56,680 --> 00:07:58,330 whether it was successful or not. 212 00:07:59,560 --> 00:08:01,479 When we are doing a read, it looks 213 00:08:01,480 --> 00:08:02,439 pretty much the same, 214 00:08:02,440 --> 00:08:04,689 the packet, except it's a different 215 00:08:04,690 --> 00:08:06,159 type, of course. Since we are doing a 216 00:08:06,160 --> 00:08:08,259 read here, we are doing a 32 217 00:08:08,260 --> 00:08:10,689 bit memory read, and 218 00:08:10,690 --> 00:08:12,579 once we submit that one, 219 00:08:12,580 --> 00:08:14,859 you need to wait a short while 220 00:08:14,860 --> 00:08:16,899 and you will receive one or more 221 00:08:16,900 --> 00:08:19,179 completion TLPs back containing 222 00:08:19,180 --> 00:08:20,649 the actual data that you read. 223 00:08:22,510 --> 00:08:24,819 So let's do a demo. Let's transmit 224 00:08:24,820 --> 00:08:27,099 and receive transaction layer packets, 225 00:08:27,100 --> 00:08:29,109 let's enumerate the memory and let's dump 226 00:08:29,110 --> 00:08:30,069 the memory. 227 00:08:30,070 --> 00:08:31,779 If we switch over the image to the 228 00:08:31,780 --> 00:08:32,780 hardware here, 229 00:08:34,030 --> 00:08:36,308 the FPGA board, and 230 00:08:36,309 --> 00:08:38,408 I have a victim system here, so 231 00:08:38,409 --> 00:08:40,749 let's insert our ExpressCard 232 00:08:40,750 --> 00:08:42,999 to PCIe adapter 233 00:08:43,000 --> 00:08:45,219 in the target computer and power 234 00:08:45,220 --> 00:08:46,869 on the FPGA. 235 00:08:46,870 --> 00:08:48,669 It's connected to my presenter computer 236 00:08:48,670 --> 00:08:49,840 with USB here. 237 00:08:54,080 --> 00:08:56,059 If you switch back to my presentation. 
238 00:09:00,160 --> 00:09:02,119 And here we have it from a slightly 239 00:09:02,120 --> 00:09:04,369 different angle, the hardware. Here 240 00:09:04,370 --> 00:09:05,690 we are trying to 241 00:09:06,950 --> 00:09:07,999 read something. 242 00:09:08,000 --> 00:09:10,279 We are going to read one DWORD from 243 00:09:10,280 --> 00:09:12,379 64 bit address space. 244 00:09:12,380 --> 00:09:13,849 We are going to read from the address 245 00:09:13,850 --> 00:09:16,219 4 gigs, this address 246 00:09:16,220 --> 00:09:17,269 here. 247 00:09:17,270 --> 00:09:18,270 See what happens. 248 00:09:21,030 --> 00:09:23,679 Here we send the read 249 00:09:23,680 --> 00:09:26,159 TLP and we get a completion TLP 250 00:09:26,160 --> 00:09:28,589 back, and in the completion 251 00:09:28,590 --> 00:09:30,799 the first three DWORDs are 252 00:09:30,800 --> 00:09:32,999 the header, and then we have the actual data that's 253 00:09:33,000 --> 00:09:34,000 already here. 254 00:09:35,130 --> 00:09:37,439 So let's do a write as well. 255 00:09:37,440 --> 00:09:38,440 Let's 256 00:09:39,690 --> 00:09:41,819 do a 64 bit memory write 257 00:09:41,820 --> 00:09:42,989 to the same address. 258 00:09:42,990 --> 00:09:46,039 Let's do a two 259 00:09:46,040 --> 00:09:48,329 to three DWORD long write to 260 00:09:48,330 --> 00:09:50,759 the very same address 261 00:09:50,760 --> 00:09:52,320 with this data 262 00:09:53,520 --> 00:09:55,379 and see if we can overwrite that previous 263 00:09:55,380 --> 00:09:56,910 data with that. 264 00:09:58,860 --> 00:10:00,809 And since we are doing a write, we won't 265 00:10:00,810 --> 00:10:02,069 get an answer back. 266 00:10:02,070 --> 00:10:04,739 No completions or anything like that. 267 00:10:04,740 --> 00:10:06,989 But we can try to read 268 00:10:06,990 --> 00:10:09,119 the memory back to see what happens, 269 00:10:09,120 --> 00:10:11,099 if the write was successful. 
270 00:10:11,100 --> 00:10:13,379 Let's try to read 30 DWORDs 271 00:10:13,380 --> 00:10:15,629 this time from the very 272 00:10:15,630 --> 00:10:16,630 same address. 273 00:10:20,100 --> 00:10:22,679 Here we see that we get the completions 274 00:10:22,680 --> 00:10:25,049 back in two different completions, 275 00:10:25,050 --> 00:10:27,719 and if you check in the beginning 276 00:10:27,720 --> 00:10:29,549 you see that the previous read 277 00:10:29,550 --> 00:10:31,919 data is now overwritten with our 278 00:10:31,920 --> 00:10:32,920 new data here. 279 00:10:35,490 --> 00:10:37,769 We can also enumerate the memory 280 00:10:37,770 --> 00:10:38,770 of the target system. 281 00:10:42,220 --> 00:10:43,989 Since we don't know how much memory there is 282 00:10:43,990 --> 00:10:46,059 in this computer, we need to check it out, 283 00:10:46,060 --> 00:10:48,309 and we can do this by reading 284 00:10:48,310 --> 00:10:50,619 a tiny portion of every page 285 00:10:50,620 --> 00:10:52,959 that we are able to read and 286 00:10:54,340 --> 00:10:55,869 see how much memory there is in this 287 00:10:55,870 --> 00:10:58,239 computer. And 288 00:10:58,240 --> 00:10:59,259 physical memory address 289 00:10:59,260 --> 00:11:01,449 space in a modern day computer is not 290 00:11:01,450 --> 00:11:04,209 one big contiguous chunk of memory. 291 00:11:04,210 --> 00:11:06,579 You have physical memory in there and 292 00:11:06,580 --> 00:11:08,559 you also have holes in memory in 293 00:11:08,560 --> 00:11:09,879 which there is nothing. 294 00:11:09,880 --> 00:11:11,919 You have memory mapped devices. 295 00:11:11,920 --> 00:11:13,699 You can have unreadable memory, such as 296 00:11:13,700 --> 00:11:15,309 system management memory. 297 00:11:15,310 --> 00:11:18,129 Well, here we see that the reads 298 00:11:18,130 --> 00:11:20,259 seem to be failing after slightly 299 00:11:20,260 --> 00:11:22,029 more than eight gigs here. 
300 00:11:22,030 --> 00:11:24,429 It's probably an eight gig system. 301 00:11:24,430 --> 00:11:26,049 So let's try to dump the memory. 302 00:11:29,280 --> 00:11:30,749 Dumping memory takes a while. 303 00:11:30,750 --> 00:11:33,149 So let's go back to the presentation. 304 00:11:39,320 --> 00:11:41,389 These are all PCI Express form 305 00:11:41,390 --> 00:11:42,439 factors. 306 00:11:42,440 --> 00:11:44,839 You have the standard PCI Express card. 307 00:11:44,840 --> 00:11:46,669 To the lower left, you 308 00:11:46,670 --> 00:11:48,259 have the mini PCI Express that goes 309 00:11:48,260 --> 00:11:50,349 pretty much behind the back of 310 00:11:50,350 --> 00:11:52,069 the laptop. You have the ExpressCard 311 00:11:52,070 --> 00:11:53,469 that I use here today. 312 00:11:53,470 --> 00:11:56,209 Thunderbolt also carries PCI Express. 313 00:11:56,210 --> 00:11:58,789 Thunderbolt 3 is most often combined 314 00:11:58,790 --> 00:12:01,369 with the USB-C connector nowadays. 315 00:12:01,370 --> 00:12:03,259 And then you have the different M.2 key 316 00:12:03,260 --> 00:12:05,389 form factors. For example, M.2 key M 317 00:12:05,390 --> 00:12:07,189 is really common for NVMe 318 00:12:07,190 --> 00:12:08,190 drives. 319 00:12:10,680 --> 00:12:12,569 Here is the actual FPGA design that I 320 00:12:12,570 --> 00:12:14,679 created, it's rather simplistic. 321 00:12:16,020 --> 00:12:18,479 You have a block that 322 00:12:18,480 --> 00:12:20,609 receives and transmits data over 323 00:12:20,610 --> 00:12:23,189 a 32 bit data connection from the 324 00:12:23,190 --> 00:12:25,619 FTDI 325 00:12:25,620 --> 00:12:28,799 FT601 USB3 hardware. 326 00:12:28,800 --> 00:12:31,079 And then you have the 327 00:12:31,080 --> 00:12:33,209 Xilinx PCIe core on the 328 00:12:33,210 --> 00:12:35,489 other side that handles the actual 329 00:12:35,490 --> 00:12:37,020 PCI Express communication. 
330 00:12:39,320 --> 00:12:42,079 Everything in yellow here are Xilinx 331 00:12:42,080 --> 00:12:44,209 IP blocks, or IP cores, and they 332 00:12:44,210 --> 00:12:46,809 are not open source, so it's 333 00:12:46,810 --> 00:12:49,099 a bunch of proprietary stuff, and 334 00:12:49,100 --> 00:12:51,199 everything in green here is stuff that 335 00:12:51,200 --> 00:12:53,389 I created. So it's totally open 336 00:12:53,390 --> 00:12:55,939 source and it's found on my GitHub. 337 00:12:55,940 --> 00:12:58,399 We receive some data 338 00:12:58,400 --> 00:13:00,739 over the USB connection 339 00:13:00,740 --> 00:13:03,139 from the controller computer, 340 00:13:03,140 --> 00:13:04,969 and we actually receive some data 341 00:13:04,970 --> 00:13:07,069 and some metadata, because we 342 00:13:07,070 --> 00:13:09,169 need to know what kind of 343 00:13:09,170 --> 00:13:11,329 data we are receiving. If the data is 344 00:13:11,330 --> 00:13:13,449 a part of a transaction layer packet, 345 00:13:13,450 --> 00:13:15,829 then we put it on the first-in 346 00:13:15,830 --> 00:13:16,909 first-out queue, 347 00:13:16,910 --> 00:13:19,219 the FIFO for the TLPs. 348 00:13:19,220 --> 00:13:21,139 If it's some other kind of data, for 349 00:13:21,140 --> 00:13:22,969 example internal loopback 350 00:13:22,970 --> 00:13:25,549 data, we put it on an internal 351 00:13:25,550 --> 00:13:27,919 loopback FIFO, for example. 352 00:13:27,920 --> 00:13:29,510 Once we put the 353 00:13:30,560 --> 00:13:33,439 data of the TLP on the TLP FIFO, 354 00:13:33,440 --> 00:13:36,109 we transmit it to the Xilinx 355 00:13:36,110 --> 00:13:37,939 PCIe core, and that one will take care 356 00:13:37,940 --> 00:13:39,289 of everything PCIe. 
357 00:13:40,400 --> 00:13:42,579 We receive data, 358 00:13:42,580 --> 00:13:44,719 TLPs, from this Xilinx 359 00:13:44,720 --> 00:13:46,399 PCIe core as well. 360 00:13:46,400 --> 00:13:48,499 And since we have different 361 00:13:48,500 --> 00:13:50,539 FIFOs that we wish to read data 362 00:13:50,540 --> 00:13:52,339 from as well, we need some mux logic 363 00:13:52,340 --> 00:13:54,469 here to mux it into a stream that we 364 00:13:54,470 --> 00:13:56,749 can send back to the controller 365 00:13:56,750 --> 00:13:59,899 computer. And actually everything 366 00:13:59,900 --> 00:14:02,179 like formatting of the TLPs 367 00:14:02,180 --> 00:14:05,359 is actually done in software on the 368 00:14:05,360 --> 00:14:06,349 controller computer. 369 00:14:06,350 --> 00:14:09,049 So this is a rather simplistic design, 370 00:14:09,050 --> 00:14:10,050 but it works. 371 00:14:11,480 --> 00:14:13,909 So let's jump into some more advanced 372 00:14:13,910 --> 00:14:15,439 DMA attacking. 373 00:14:15,440 --> 00:14:17,419 Let's do a demo on that vulnerable 374 00:14:17,420 --> 00:14:19,549 vanilla Linux system. Let's locate 375 00:14:19,550 --> 00:14:21,919 and patch into the Linux kernel. 376 00:14:21,920 --> 00:14:24,289 And since Linux 377 00:14:24,290 --> 00:14:26,149 kernel version 4.8, I believe, 378 00:14:26,150 --> 00:14:28,699 the kernel is fully randomized 379 00:14:28,700 --> 00:14:30,769 in physical memory address space, 380 00:14:30,770 --> 00:14:32,599 which means that it's very likely that it 381 00:14:32,600 --> 00:14:35,119 will end up above the 4 gig 382 00:14:35,120 --> 00:14:36,079 limit. 383 00:14:36,080 --> 00:14:38,449 And here the FPGA hardware really 384 00:14:38,450 --> 00:14:40,519 shines compared to the older 385 00:14:40,520 --> 00:14:42,649 attack hardware that I used. 
386 00:14:42,650 --> 00:14:45,079 So let's try to find the kernel, 387 00:14:45,080 --> 00:14:47,119 patch into it, let's mount the file 388 00:14:47,120 --> 00:14:48,860 system and unlock the computer. 389 00:14:52,580 --> 00:14:54,649 So here we have the Linux computer, 390 00:14:54,650 --> 00:14:55,939 and we see that the memory dump was 391 00:14:55,940 --> 00:14:57,829 successful. It's a little bit slower 392 00:14:57,830 --> 00:14:59,809 here today since I'm going through a USB 393 00:14:59,810 --> 00:15:02,209 hub, unfortunately, 394 00:15:02,210 --> 00:15:04,190 but the memory dump seems to have worked. 395 00:15:05,840 --> 00:15:07,909 We switch to the FPGA 396 00:15:07,910 --> 00:15:09,169 image here. 397 00:15:13,130 --> 00:15:14,529 OK. 398 00:15:14,530 --> 00:15:16,599 Yeah, let's try to log onto 399 00:15:16,600 --> 00:15:18,699 this computer, try to log on 400 00:15:18,700 --> 00:15:20,429 with a password here. 401 00:15:24,480 --> 00:15:26,399 And it's the wrong password, we cannot 402 00:15:26,400 --> 00:15:28,889 get into the computer. 403 00:15:28,890 --> 00:15:30,210 So if we switch back 404 00:15:31,410 --> 00:15:33,569 to the presentation, we 405 00:15:33,570 --> 00:15:35,819 can insert a kernel module into 406 00:15:35,820 --> 00:15:37,859 the running Linux kernel. 407 00:15:37,860 --> 00:15:41,039 We try to locate the Linux kernel 408 00:15:41,040 --> 00:15:42,040 and then. 409 00:15:43,580 --> 00:15:45,799 As we can see here 410 00:15:45,800 --> 00:15:47,959 today, it has actually fallen below 411 00:15:47,960 --> 00:15:49,369 4 gigs, it happened to end up around 412 00:15:49,370 --> 00:15:50,509 that position. 413 00:15:50,510 --> 00:15:52,669 But it seems to be 414 00:15:52,670 --> 00:15:53,670 working anyway. 415 00:15:54,770 --> 00:15:56,869 Let's mount the live filesystem 416 00:15:58,790 --> 00:16:00,590 using the kernel module address here. 
417 00:16:04,700 --> 00:16:07,819 And once the file system is mounted, 418 00:16:07,820 --> 00:16:09,559 we can just click into it. 419 00:16:09,560 --> 00:16:12,199 Actually, we have mounted live memory 420 00:16:12,200 --> 00:16:14,599 as well. 421 00:16:14,600 --> 00:16:16,909 We can go into the /etc folder 422 00:16:16,910 --> 00:16:18,889 and locate the shadow file, which 423 00:16:18,890 --> 00:16:20,989 contains the password hashes of 424 00:16:20,990 --> 00:16:22,159 the users. 425 00:16:22,160 --> 00:16:24,589 We can edit it in our favorite 426 00:16:24,590 --> 00:16:26,569 editor here, and here 427 00:16:26,570 --> 00:16:29,239 we have lots of user accounts with 428 00:16:29,240 --> 00:16:31,399 no hashes, and then we have the user 429 00:16:31,400 --> 00:16:33,559 account that has a very long 430 00:16:33,560 --> 00:16:35,149 password hash here. 431 00:16:35,150 --> 00:16:37,339 And of course, if you know the password 432 00:16:37,340 --> 00:16:39,229 hash, you can try to crack it or 433 00:16:39,230 --> 00:16:41,299 something like that. But that's no fun. 434 00:16:41,300 --> 00:16:43,609 It's much easier to just delete it and 435 00:16:43,610 --> 00:16:46,009 replace it with something 436 00:16:46,010 --> 00:16:48,500 else, and then save. 437 00:16:51,140 --> 00:16:52,909 Let's see if we can log on, if we switch 438 00:16:52,910 --> 00:16:54,739 back to the. 439 00:16:57,900 --> 00:16:59,099 Try this single password. 440 00:17:13,290 --> 00:17:14,848 Thank you. 441 00:17:14,849 --> 00:17:17,039 And so let's go 442 00:17:17,040 --> 00:17:18,180 back to the presentation. 
443 00:17:25,040 --> 00:17:26,868 Let's go to the other computer 444 00:17:26,869 --> 00:17:29,089 here, and we need 445 00:17:29,090 --> 00:17:31,579 to, uh, 446 00:17:31,580 --> 00:17:33,619 if we can switch the camera to the other one 447 00:17:33,620 --> 00:17:35,899 that is filming already. And 448 00:17:35,900 --> 00:17:38,509 you can also attack UEFI, 449 00:17:38,510 --> 00:17:40,619 and you find some UEFI 450 00:17:40,620 --> 00:17:42,949 that may protect themselves against DMA 451 00:17:42,950 --> 00:17:46,249 attacks. Most UEFI don't. 452 00:17:46,250 --> 00:17:48,619 If you are able to get into UEFI, 453 00:17:48,620 --> 00:17:49,769 you might even compromise 454 00:17:49,770 --> 00:17:51,259 Secure Boot. 455 00:17:51,260 --> 00:17:53,539 And let's try to get into 456 00:17:53,540 --> 00:17:54,799 UEFI here today. 457 00:17:54,800 --> 00:17:57,079 Let's backdoor the ExitBootServices 458 00:17:57,080 --> 00:17:59,899 function that is called by the 459 00:17:59,900 --> 00:18:01,999 operating system loader 460 00:18:02,000 --> 00:18:03,949 once it wishes to take control of the 461 00:18:03,950 --> 00:18:05,449 target system. 462 00:18:05,450 --> 00:18:07,879 Let's retrieve the memory map, 463 00:18:07,880 --> 00:18:10,069 the EFI memory map, and let's also 464 00:18:10,070 --> 00:18:12,229 patch the not yet booted 465 00:18:12,230 --> 00:18:14,389 Windows kernel that is loaded 466 00:18:14,390 --> 00:18:16,009 at this stage. 467 00:18:16,010 --> 00:18:17,989 And actually what I'm doing here today, 468 00:18:17,990 --> 00:18:20,089 Dmytro has done some really awesome work 469 00:18:20,090 --> 00:18:21,169 in this area as well. 470 00:18:21,170 --> 00:18:23,239 So if you haven't checked out his stuff, 471 00:18:23,240 --> 00:18:25,399 I would like you to 472 00:18:25,400 --> 00:18:27,619 do that. 
473 00:18:30,840 --> 00:18:33,029 So if we switch to the camera, maybe 474 00:18:33,030 --> 00:18:36,089 we can have this here, and 475 00:18:36,090 --> 00:18:37,980 so here we have another system. 476 00:18:45,260 --> 00:18:47,389 I need to 477 00:18:47,390 --> 00:18:49,549 switch around the cabling here, I think. 478 00:18:53,420 --> 00:18:54,420 Cabling. 479 00:19:00,680 --> 00:19:02,689 So what we are doing, we are inserting 480 00:19:02,690 --> 00:19:04,909 the FPGA here 481 00:19:04,910 --> 00:19:08,029 in the not yet booted computer, 482 00:19:08,030 --> 00:19:10,939 and then we 483 00:19:10,940 --> 00:19:11,940 start it. 484 00:19:13,310 --> 00:19:14,960 We switch back to the presentation 485 00:19:19,320 --> 00:19:20,619 to connect to the device. 486 00:19:35,490 --> 00:19:36,809 Let's try to do it again. 487 00:19:44,570 --> 00:19:46,699 Yeah, it works better this time, probably 488 00:19:46,700 --> 00:19:47,700 a bad connection. 489 00:19:49,250 --> 00:19:52,159 The computer is starting, and 490 00:19:52,160 --> 00:19:54,319 now the operating system loader called 491 00:19:54,320 --> 00:19:56,749 into the ExitBootServices function, 492 00:19:56,750 --> 00:19:59,029 which we hooked with our 493 00:19:59,030 --> 00:20:01,669 code. We 494 00:20:01,670 --> 00:20:02,689 trapped it there. 495 00:20:02,690 --> 00:20:05,179 We retrieved the UEFI memory map, or the EFI 496 00:20:05,180 --> 00:20:06,649 memory map. 497 00:20:06,650 --> 00:20:09,049 And once we are in this stage, the 498 00:20:09,050 --> 00:20:11,449 Windows kernel is already in memory, 499 00:20:11,450 --> 00:20:13,789 the normal NT OS kernel; the hypervisor 500 00:20:13,790 --> 00:20:15,799 is already in memory and the secure 501 00:20:15,800 --> 00:20:18,139 kernel is already in memory. 
502 00:20:18,140 --> 00:20:20,239 But the Windows operating system is not 503 00:20:20,240 --> 00:20:22,639 yet booted, so it cannot protect itself 504 00:20:22,640 --> 00:20:24,949 against the DMA attacks yet. 505 00:20:24,950 --> 00:20:27,680 So here we can actually patch into the 506 00:20:28,730 --> 00:20:30,259 Windows kernel. 507 00:20:30,260 --> 00:20:32,779 And if you look at Windows virtualization 508 00:20:32,780 --> 00:20:35,329 based security, it 509 00:20:35,330 --> 00:20:37,519 has something that we can enable that 510 00:20:37,520 --> 00:20:39,669 protects kernel code integrity with 511 00:20:39,670 --> 00:20:41,749 the help of the hypervisor and secure 512 00:20:41,750 --> 00:20:43,819 kernel. With regards to 513 00:20:43,820 --> 00:20:45,529 evil devices that are trying to do 514 00:20:45,530 --> 00:20:47,899 DMA access to the memory, the 515 00:20:47,900 --> 00:20:50,089 hypervisor and the secure kernel 516 00:20:50,090 --> 00:20:51,229 memory, 517 00:20:51,230 --> 00:20:53,660 we have no access to that memory at all. 518 00:20:54,680 --> 00:20:57,559 Normal executable pages in the normal 519 00:20:57,560 --> 00:20:59,749 Windows space, 520 00:20:59,750 --> 00:21:01,849 normal user space, normal kernel space, are 521 00:21:01,850 --> 00:21:04,309 marked as read only with regards to DMA 522 00:21:04,310 --> 00:21:05,369 from evil devices. 523 00:21:05,370 --> 00:21:07,669 So we cannot patch the memory directly 524 00:21:07,670 --> 00:21:10,069 there, and normal non-executable pages 525 00:21:10,070 --> 00:21:13,009 are pretty much as usual read-write. 526 00:21:13,010 --> 00:21:15,499 And as I said, the 527 00:21:15,500 --> 00:21:17,749 kernel code integrity features are not 528 00:21:17,750 --> 00:21:18,979 yet enabled in this stage 529 00:21:18,980 --> 00:21:21,109 we are in now, since the Windows operating 530 00:21:21,110 --> 00:21:22,490 system is not yet booted. 
531 00:21:24,650 --> 00:21:26,719 So let's try to 532 00:21:26,720 --> 00:21:28,969 insert some code there and 533 00:21:30,470 --> 00:21:31,599 spawn a system shell. 534 00:21:38,710 --> 00:21:41,379 Here we located, we communicated 535 00:21:41,380 --> 00:21:42,909 with our UEFI module. 536 00:21:42,910 --> 00:21:45,129 We located the Windows kernel 537 00:21:45,130 --> 00:21:47,199 and we located some 538 00:21:47,200 --> 00:21:49,239 code caves in there to put our code in 539 00:21:49,240 --> 00:21:50,259 there. 540 00:21:50,260 --> 00:21:52,359 And now Windows is booting, 541 00:21:52,360 --> 00:21:54,489 enabling virtualization based security. 542 00:21:54,490 --> 00:21:56,949 We cannot edit the kernel anymore, 543 00:21:56,950 --> 00:21:59,169 but our evil code is already in 544 00:21:59,170 --> 00:22:00,170 there. 545 00:22:00,520 --> 00:22:02,589 So we should be able to try to log 546 00:22:02,590 --> 00:22:04,749 on to this computer if we switch 547 00:22:04,750 --> 00:22:05,859 to the FPGA. 548 00:22:09,230 --> 00:22:12,259 Here we have the Windows computer. 549 00:22:12,260 --> 00:22:14,209 Tried to log on to that one, using no 550 00:22:14,210 --> 00:22:16,649 password at all, and 551 00:22:16,650 --> 00:22:18,859 as you can see, we couldn't log on. If 552 00:22:18,860 --> 00:22:20,260 we switch back to the presentation. 553 00:22:23,380 --> 00:22:25,479 Let's change 554 00:22:25,480 --> 00:22:27,579 that, let's spawn 555 00:22:27,580 --> 00:22:28,580 a system shell. 556 00:22:30,930 --> 00:22:31,930 We are system. 557 00:22:39,440 --> 00:22:41,959 And of course, if you're system, 558 00:22:41,960 --> 00:22:44,149 we can remove 559 00:22:44,150 --> 00:22:45,529 the password of the user account. 560 00:22:47,460 --> 00:22:49,349 And then switch back to the FPGA. 561 00:22:52,580 --> 00:22:53,580 We can try to log on. 562 00:22:59,040 --> 00:23:00,040 And we're in. 563 00:23:05,970 --> 00:23:07,619 If you switch back to the presentation. 
564 00:23:09,630 --> 00:23:11,519 We can also dump the memory of the 565 00:23:11,520 --> 00:23:13,649 Windows system here. We see that we 566 00:23:13,650 --> 00:23:15,929 get lots of pictures when we are dumping 567 00:23:15,930 --> 00:23:18,269 the memory. It's pages that are marked 568 00:23:18,270 --> 00:23:20,749 as not readable via the 569 00:23:20,750 --> 00:23:22,889 IOMMU, the ability that Windows 570 00:23:22,890 --> 00:23:25,049 protects. It's primarily the hypervisor 571 00:23:25,050 --> 00:23:26,999 and secure kernel pages in memory. 572 00:23:27,000 --> 00:23:29,219 We cannot read those, but everything else 573 00:23:29,220 --> 00:23:30,240 pretty much we can. 574 00:23:34,050 --> 00:23:36,749 Basically, the FPGA is 575 00:23:36,750 --> 00:23:38,939 open source pretty much, at least 576 00:23:38,940 --> 00:23:41,759 the parts I coded. It's 577 00:23:41,760 --> 00:23:44,069 found on GitHub 578 00:23:44,070 --> 00:23:46,349 and I tried to make it as easy to use 579 00:23:46,350 --> 00:23:47,339 as possible. 580 00:23:47,340 --> 00:23:49,739 You don't need any prior FPGA knowledge 581 00:23:49,740 --> 00:23:52,559 at all. You should just be able to 582 00:23:52,560 --> 00:23:55,349 flash it on this hardware and start 583 00:23:55,350 --> 00:23:57,789 DMA attacking. Unfortunately, 584 00:23:57,790 --> 00:23:59,879 it's Windows only at the moment on the 585 00:23:59,880 --> 00:24:03,029 attacker PC. I have some Linux 586 00:24:03,030 --> 00:24:04,859 driver problems with the hardware I'm 587 00:24:04,860 --> 00:24:07,139 using here. I hope to resolve that 588 00:24:07,140 --> 00:24:08,549 quite soon. 589 00:24:08,550 --> 00:24:10,769 And what's even more exciting is 590 00:24:10,770 --> 00:24:12,329 that there seem to be coming lots of 591 00:24:12,330 --> 00:24:14,969 devices quite soon that will 592 00:24:14,970 --> 00:24:17,039 be able to do DMA attacks, 593 00:24:17,040 --> 00:24:18,119 for example. 594 00:24:18,120 --> 00:24:19,120 There will be. 
595 00:24:20,280 --> 00:24:22,529 Lots of, yeah, some 596 00:24:22,530 --> 00:24:24,509 devices will be really inexpensive, while 597 00:24:24,510 --> 00:24:25,510 some others will 598 00:24:27,030 --> 00:24:29,099 be a little bit more pricey, but still 599 00:24:29,100 --> 00:24:31,319 less pricey than the SP605 600 00:24:31,320 --> 00:24:32,879 solution. 601 00:24:32,880 --> 00:24:35,039 One such example is a new 602 00:24:35,040 --> 00:24:37,229 hardware, the PCIeScreamer. 603 00:24:37,230 --> 00:24:39,839 It's a new hardware by Ramtin 604 00:24:39,840 --> 00:24:40,889 Amin. 605 00:24:40,890 --> 00:24:42,839 It's going to be easier to use. 606 00:24:42,840 --> 00:24:45,119 It's going to be a lower price tag 607 00:24:45,120 --> 00:24:47,369 than the SP605 solution. 608 00:24:47,370 --> 00:24:48,919 It's going to be more capable, 609 00:24:48,920 --> 00:24:51,269 PCI Express Generation 2. 610 00:24:51,270 --> 00:24:53,399 And I plan to add support 611 00:24:53,400 --> 00:24:56,519 for this one sometime early 2018 612 00:24:56,520 --> 00:24:58,619 here. So it's going to be really, 613 00:24:58,620 --> 00:25:00,719 really early next year, hopefully 614 00:25:00,720 --> 00:25:01,720 in the coming months. 615 00:25:03,480 --> 00:25:06,089 To sum everything up, affordable FPGA 616 00:25:06,090 --> 00:25:09,089 DMA attacking is the reality of today. 617 00:25:09,090 --> 00:25:11,579 Physical access is still an issue. 618 00:25:11,580 --> 00:25:13,709 IOMMUs are there in the hardware 619 00:25:13,710 --> 00:25:15,779 since forever, but they might not 620 00:25:15,780 --> 00:25:17,639 always be used. 621 00:25:17,640 --> 00:25:19,679 And I hope I showed you today that I 622 00:25:19,680 --> 00:25:21,539 believe there is more research to be done 623 00:25:21,540 --> 00:25:23,819 in this area and hopefully my 624 00:25:23,820 --> 00:25:25,889 tools will be useful 625 00:25:25,890 --> 00:25:28,020 to everyone that is interested. 
626 00:25:30,030 --> 00:25:31,030 Thank you. 627 00:25:41,460 --> 00:25:43,319 Thank you so much. 628 00:25:43,320 --> 00:25:45,449 So everybody just saw that you 629 00:25:45,450 --> 00:25:48,119 should keep your devices always 630 00:25:48,120 --> 00:25:51,299 on the person, and we have questions. 631 00:25:51,300 --> 00:25:53,399 Microphone one, please. 632 00:25:53,400 --> 00:25:55,769 So one question I have is, 633 00:25:55,770 --> 00:25:58,169 right now you're dumping memory and 634 00:25:58,170 --> 00:26:00,329 doing edits in memory and 635 00:26:00,330 --> 00:26:01,979 patching the code. 636 00:26:01,980 --> 00:26:04,169 Did you have the idea of, say, 637 00:26:04,170 --> 00:26:06,569 taking the writing 638 00:26:06,570 --> 00:26:09,029 and driver for, say, a virtual machine, 639 00:26:09,030 --> 00:26:11,879 which is mapping another machine's 640 00:26:11,880 --> 00:26:14,129 memory into that virtual machine so 641 00:26:14,130 --> 00:26:16,349 that you can kind of, say, stop the process 642 00:26:16,350 --> 00:26:18,509 on the attacked machine, use 643 00:26:18,510 --> 00:26:20,639 a virtual processor to do operations 644 00:26:20,640 --> 00:26:22,919 on the memory of the machine, 645 00:26:24,060 --> 00:26:25,679 where you can see what the program is 646 00:26:25,680 --> 00:26:26,849 doing in the emulator. 647 00:26:27,900 --> 00:26:30,429 I haven't gone into, like, 648 00:26:30,430 --> 00:26:32,249 attacking with, like, virtual machines, 649 00:26:32,250 --> 00:26:33,389 the nasty stuff as well. 650 00:26:33,390 --> 00:26:35,429 But it's an interesting idea. 651 00:26:35,430 --> 00:26:38,029 And to be able to go into 652 00:26:38,030 --> 00:26:40,109 it, I do have kernel access 653 00:26:40,110 --> 00:26:42,969 at the moment. So it should be possible. 654 00:26:42,970 --> 00:26:45,239 But this is like a hobby project of mine. 655 00:26:45,240 --> 00:26:47,779 My time is a little bit limited here. 
656 00:26:47,780 --> 00:26:49,919 This stuff is out there, so 657 00:26:49,920 --> 00:26:50,819 it would be awesome 658 00:26:50,820 --> 00:26:53,039 if someone can actually look into this. 659 00:26:53,040 --> 00:26:54,899 I think it might be quite useful. 660 00:26:56,520 --> 00:26:58,049 We have a lot of questions here, 661 00:26:58,050 --> 00:26:59,470 also from the signal angel. 662 00:27:00,600 --> 00:27:03,929 It's actually not that many, just two: 663 00:27:03,930 --> 00:27:06,119 what prevents you from implementing 664 00:27:06,120 --> 00:27:09,089 the PCI device without any proprietary 665 00:27:09,090 --> 00:27:11,579 stuff? And is the controller 666 00:27:11,580 --> 00:27:13,649 limited to Windows because of that 667 00:27:13,650 --> 00:27:15,569 proprietary stuff? 668 00:27:15,570 --> 00:27:17,969 And to answer the Windows 669 00:27:17,970 --> 00:27:20,399 question, I believe I'll get it working 670 00:27:20,400 --> 00:27:23,309 on Linux quite soon and 671 00:27:23,310 --> 00:27:24,599 it's just a driver issue. 672 00:27:24,600 --> 00:27:26,759 I just haven't had the time to actually 673 00:27:26,760 --> 00:27:29,159 code it for Linux yet. 674 00:27:29,160 --> 00:27:31,049 Yeah, I had a little bit of a problem 675 00:27:31,050 --> 00:27:32,579 with that driver, but it shouldn't be a 676 00:27:32,580 --> 00:27:34,379 problem, really. I just need to find the 677 00:27:34,380 --> 00:27:36,869 time to actually do it. 678 00:27:36,870 --> 00:27:39,659 And the other 679 00:27:39,660 --> 00:27:41,729 question with regards to the proprietary 680 00:27:41,730 --> 00:27:43,949 stuff: I'm quite new to FPGA actually, 681 00:27:43,950 --> 00:27:46,919 so I just use the defaults 682 00:27:46,920 --> 00:27:49,109 to start that the Xilinx 683 00:27:49,110 --> 00:27:50,939 toolkit provides. 
684 00:27:50,940 --> 00:27:53,039 It should be possible to replace 685 00:27:53,040 --> 00:27:55,229 some elements with more open 686 00:27:55,230 --> 00:27:57,269 elements in this design as well. 687 00:27:57,270 --> 00:27:59,339 But I'm really FPGA new, 688 00:27:59,340 --> 00:28:01,499 so it's just, it was my first 689 00:28:01,500 --> 00:28:03,509 attempt at an FPGA, so it should be 690 00:28:03,510 --> 00:28:05,819 possible to do this as well. 691 00:28:05,820 --> 00:28:08,100 So you should talk to each other further. 692 00:28:09,210 --> 00:28:11,429 So, um, microphone 693 00:28:11,430 --> 00:28:12,430 two, please. 694 00:28:13,530 --> 00:28:15,629 Uh, so I wonder if 695 00:28:15,630 --> 00:28:18,479 you can access, uh, 696 00:28:18,480 --> 00:28:20,729 memory used by the ME, that 697 00:28:20,730 --> 00:28:22,739 you mentioned, which is not accessible by, 698 00:28:22,740 --> 00:28:24,869 you know, this is out of 699 00:28:24,870 --> 00:28:26,219 limits from this. 700 00:28:26,220 --> 00:28:28,440 It's going to be mapped away in the 701 00:28:29,640 --> 00:28:31,559 platform controller hub. 702 00:28:31,560 --> 00:28:33,899 So it's, uh, I should be able to 703 00:28:33,900 --> 00:28:36,149 access it. And I cannot access system 704 00:28:36,150 --> 00:28:38,009 management mode memory either. 705 00:28:38,010 --> 00:28:39,010 Okay. Thank you. 706 00:28:40,440 --> 00:28:42,149 And the last question from microphone 707 00:28:42,150 --> 00:28:44,459 three. You're 708 00:28:44,460 --> 00:28:47,039 using ThinkPads, as I've seen. 709 00:28:47,040 --> 00:28:49,199 Do any BIOS settings 710 00:28:49,200 --> 00:28:51,419 of those ThinkPads interfere 711 00:28:51,420 --> 00:28:53,879 with your DMA attack? For example, 712 00:28:53,880 --> 00:28:56,099 does disabling the ExpressCard 713 00:28:56,100 --> 00:28:57,209 slot really help? 
714 00:28:57,210 --> 00:28:59,519 I said trust more, disabling 715 00:28:59,520 --> 00:29:01,949 trusted power lines something, and 716 00:29:01,950 --> 00:29:04,049 disabling the ExpressCard slot will 717 00:29:04,050 --> 00:29:06,329 help. Then I can't get into the ExpressCard 718 00:29:06,330 --> 00:29:08,429 slot, but usually on 719 00:29:08,430 --> 00:29:10,289 laptops, if you unscrew the back 720 00:29:10,290 --> 00:29:12,389 cover, there is something like 721 00:29:12,390 --> 00:29:14,279 a Wi-Fi card or something like that in 722 00:29:14,280 --> 00:29:16,449 there. That's probably going to be PCI 723 00:29:16,450 --> 00:29:18,719 Express as well and 724 00:29:18,720 --> 00:29:20,909 maybe it's harder to disable that 725 00:29:20,910 --> 00:29:21,910 one. 726 00:29:25,280 --> 00:29:26,480 If I may, the 727 00:29:27,920 --> 00:29:29,569 question before the last one, I can 728 00:29:29,570 --> 00:29:32,029 answer that. You can't replace 729 00:29:32,030 --> 00:29:34,279 some of the Xilinx cores, for example 730 00:29:34,280 --> 00:29:36,709 the PCI Express one, because that's 731 00:29:36,710 --> 00:29:39,289 so-called hard IP, that's really 732 00:29:39,290 --> 00:29:41,419 on the FPGA, non- 733 00:29:41,420 --> 00:29:42,619 changeable stuff. 734 00:29:43,880 --> 00:29:45,199 So it's just. 735 00:29:45,200 --> 00:29:46,219 Yeah, yeah. 736 00:29:46,220 --> 00:29:47,569 Hardware, it's hardware. 737 00:29:47,570 --> 00:29:50,119 And yeah. But you 738 00:29:50,120 --> 00:29:51,349 should be able, probably. 739 00:29:54,200 --> 00:29:55,159 Thank you. 740 00:29:55,160 --> 00:29:57,469 Thank you. On microphone two, 741 00:29:57,470 --> 00:29:59,989 did you want to say something still? OK? 742 00:29:59,990 --> 00:30:02,209 No. So thanks again. 743 00:30:02,210 --> 00:30:03,829 Thank you, Ulf Frisk. 744 00:30:03,830 --> 00:30:06,009 And somebody showed up for 745 00:30:06,010 --> 00:30:07,549 the microphone one. 746 00:30:07,550 --> 00:30:08,550 Yeah. So. 
747 00:30:11,150 --> 00:30:13,459 So regarding the hard IPs, 748 00:30:13,460 --> 00:30:15,799 what these hard IPs normally implement 749 00:30:15,800 --> 00:30:18,259 is, uh, the physical interface 750 00:30:18,260 --> 00:30:20,209 to the PCI Express, which is doing 751 00:30:20,210 --> 00:30:22,789 these transaction layer packets, but 752 00:30:22,790 --> 00:30:25,489 the actual DMA is usually done 753 00:30:25,490 --> 00:30:27,619 using an IP core, 754 00:30:27,620 --> 00:30:28,819 which you load into the thing. 755 00:30:28,820 --> 00:30:31,099 So usually it's the IP core 756 00:30:31,100 --> 00:30:33,169 which is proprietary and 757 00:30:33,170 --> 00:30:35,449 running on the hard IP for the 758 00:30:35,450 --> 00:30:36,979 PCI physical layer. 759 00:30:36,980 --> 00:30:39,199 So you would probably 760 00:30:39,200 --> 00:30:41,359 need an open DMA IP 761 00:30:41,360 --> 00:30:42,360 core. 762 00:30:42,800 --> 00:30:44,779 OK, yeah. 763 00:30:44,780 --> 00:30:45,780 Thank you. 764 00:30:46,490 --> 00:30:48,619 OK, so now we're done with 765 00:30:48,620 --> 00:30:49,669 all the questions. 766 00:30:49,670 --> 00:30:52,429 I guess you will have a lot of people 767 00:30:52,430 --> 00:30:54,829 surrounding you after the talk 768 00:30:54,830 --> 00:30:57,199 to not speaking to microphones 769 00:30:57,200 --> 00:30:59,779 and yeah. I wish you a great evening 770 00:30:59,780 --> 00:31:01,400 and thanks again, Ulf Frisk.