SlideShare uma empresa Scribd logo
1 de 50
Baixar para ler offline
ME
Igor Skochinsky
Hex-Rays
CODE BLUE 2014
Tokyo
2(c) 2014 Igor Skochinsky
	
  
!   ME 	
  
!   	
  
!   ME 	
  
!   	
  
!   	
  
!   	
  
3(c) 2014 Igor Skochinsky
	
  
!   15 	
  
!   IDA 	
  
!   2008 Hex-­‐Rays 	
  
!   IDA (
)	
  
!   ( Kindle
Sony	
  Reader)	
  
!   PC (BIOS,	
  UEFI,	
  ME)	
  
!   reddit.com/r/ReverseEngineering/	
   	
  
4(c) 2014 Igor Skochinsky
ME:	
   	
  
!   ( )
	
  
!  
(GMCH,	
  PCH,	
  MCH) 	
  
!   BIOS CPU
	
  
!  
( CPU ) 	
  
!  
CPU 	
  
5(c) 2014 Igor Skochinsky
ME:	
   	
  
Credit: Intel 2009
6(c) 2014 Igor Skochinsky
ME:	
   	
  
OS
!   HECI	
  (MEI):	
  Host	
  Embedded	
  Controller	
  Interface;	
  	
  
PCI 	
  
!   SOAP ;	
   HTTP
HTTPS	
  
7(c) 2014 Igor Skochinsky
ME:	
   	
  
ME 	
  
!   (AMT):	
  
KVM	
  
!   :	
  
/ 	
  
!   IDE (IDE-­‐R) LAN	
  (SOL):	
  
OS CD/
HDD PC 	
  
!   :	
  2
(OTP) 	
  
!   :	
  
PIN 	
  
8(c) 2014 Igor Skochinsky
ME:	
   	
  
	
  
!  
PC
” ” PC
	
  
!   3G SMS
	
  
!   HDD
	
  
!  
	
  
9(c) 2014 Igor Skochinsky
ME:
10(c) 2014 Igor Skochinsky
ME:	
   	
  
	
  
!   ( )	
  
!   	
  
!   HECI	
   	
  
!   AMT	
  SDK 	
  
!   Linux	
   ;	
  coreboot	
  
!   BIOS 	
  
!   ME
BIOS 	
  
!   ME
	
  
11(c) 2014 Igor Skochinsky
ME	
   	
  
	
  
!   ME 	
  
	
  	
  	
  	
   	
  
!  
FTP 	
  
!   	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
   	
  
!   	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
   	
  
!   	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
   :)	
  
12(c) 2014 Igor Skochinsky
FSP	
  
!   2013
	
  
!  
	
  
!   Intel 	
  
!   	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  HM76/QM77 	
  
!   	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  ME 	
  
	
  
http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp-
overview
"confidential“
:)
13(c) 2014 Igor Skochinsky
SPI 	
  
!   SPI BIOS ME GbE
	
  
!   BIOS( OS) ME
	
  
!   Descriptor
ME
	
  
!   Descriptor
	
  
14(c) 2014 Igor Skochinsky
ME 	
  
!   ME 	
  
!  
	
  
15(c) 2014 Igor Skochinsky
ME 	
  
!   “ " 	
  
!  
RSA 	
  
16(c) 2014 Igor Skochinsky
ME 	
  
!  
2 	
  
!   Gen	
  2:	
  Intel	
  5	
  Series( Ibex	
  Peak)
	
  
Gen 1 Gen 2
ME versions 1.x-5.x 6.x-9.x
Core ARCTangent-A4 ARC 600(?)
Instruction set ARC (32-bit) ARCompact (32/16)
Manifest tag $MAN $MN2
Module header tag $MOD $MME
Code compression None, LZMA None, LZMA, Huffman
17(c) 2014 Igor Skochinsky
ME 	
  
Module name Description
BUP Bringup (hardware initialization/configuration)
KERNEL Scheduler, low-level APIs for other modules
POLICY Secondary init tasks, some high-level APIs
HOSTCOMM Handles high-level protocols over HECI/MEI
CLS Capability Licensing Service – enable/disable
features depending on SKU, SKU upgrades
TDT Theft Deterrence Technology (Intel Anti-Theft)
Pavp Protected Audio-Video Path
JOM Dynamic Application Loader (DAL) – used to
implement Identity Protection Technology (IPT)
	
  
18(c) 2014 Igor Skochinsky
ME:	
  ROM 	
  
!  
ROM
	
  
!  
	
  
!  
	
  
!   ME
"ROMB"
	
  
19(c) 2014 Igor Skochinsky
ME:	
  ROM 	
  
!   ROM
	
  
!   	
  
20(c) 2014 Igor Skochinsky
ME:	
  ROM 	
  
!   ME
	
  
!   ROMB 	
  
21(c) 2014 Igor Skochinsky
ME:	
  ROM 	
  
!   ROMB ROM
	
  
!   ROM :	
  
!   C (memcpy,	
  memset,	
  strcpy )	
  
!   ThreadX	
  RTOS	
   	
  
!   API	
  
!   ROM 	
  
!   FTPR BUP
	
  
!   BUP KERNEL
:(	
  
22(c) 2014 Igor Skochinsky
ME:
23(c) 2014 Igor Skochinsky
ME:	
   	
  
!   ME
!   : ME RSA
ROM
“During the design phase, a Firmware Signing Key (FWSK) public/private pair is
generated at a secure Intel Location, using the Intel Code Signing System. The
Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM
includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus
fixed. Each approved production firmware image is digitally signed by Intel with
the private FWSK. The public FWSK and the digital signature are appended to
the firmware image manifest.
At runtime, a secure boot sequence is accomplished by means of the boot ROM
verifying that the public FWSK on Flash is valid, based on the hash value in
ROM. The ROM validates the firmware image that corresponds to the manifest’s
digital signature through the use of the public FWSK, and if successful, the
system continues to boot from Flash code.”
“Architecture Guide: Intel® Active Management Technology”, 2009
24(c) 2014 Igor Skochinsky
ME: (UMA) 	
  
!   ME
RAM	
  (UMA) (MCU
) 	
  
!   ME BIOS
CPU 	
  
!   2009 Invisible	
  Things	
  Lab
	
  
!   ...	
  
25(c) 2014 Igor Skochinsky
ME:	
  UMA 	
  
!  
UMA
	
  
!   #1:	
  BIOS MESEG
	
  
!   [
...]	
  
!   	
  
!   UEFI 	
  
!   	
  
!   :	
   	
  
!   :	
  
...	
  
26(c) 2014 Igor Skochinsky
ME:	
  UMA 	
  
!   #2:	
   	
  
!   DRAM UMA
	
  
!   ...	
  
: ME UMA
:
UMA
27(c) 2014 Igor Skochinsky
ME:	
  UMA 	
  
!   – 	
  
!   – 	
  
!   DDR3
	
  
“The memory controller incorporates a DDR3 Data
Scrambling feature to minimize the impact of excessive di/dt
on the platform DDR3 VRs due to successive 1s and 0s on
the data bus. [...] As a result the memory controller uses a
data scrambling feature to create pseudo-random patterns on
the DDR3 data bus to reduce the impact of any excessive di/
dt.”
(from Intel Corporation Desktop 3rd Generation Intel® Core™ Processor
Family, Desktop Intel® Pentium® Processor Family, and Desktop Intel®
Celeron® Processor Family Datasheet)
28(c) 2014 Igor Skochinsky
ME:	
  UMA 	
  
!   #3:	
   UMA 	
  
!   UMA FPT 1 	
  
!   FPT
	
  
!   :	
  
1)	
  32MB FPT BIOS 32MB
ME 16MB 	
  
2)	
  16MB FPT BIOS 16MB
16MB 	
  
!  
	
  
29(c) 2014 Igor Skochinsky
ME:	
  UMA 	
  
!   #4:	
   	
  
!   BIOS
	
  
!   UEFI
"Setup" ( Breakpoint	
  
2012 ) 	
  
!   	
  – 	
  
30(c) 2014 Igor Skochinsky
ME:	
  UMA 	
  
!   #5:	
   	
  
!   	
  
!   	
  
!   ...	
  
31(c) 2014 Igor Skochinsky
	
  
!   ME 	
  
!   	
  
!   (SPS) 	
  
!   BUP KERNEL
	
  
!   #1:	
  BUP !	
  
!   KERNEL " " ...	
  
!   #2:	
  
( ) 	
  
!   2
	
  
!  
	
  
32(c) 2014 Igor Skochinsky
JOM	
   DAL	
  
!   JOM ME 7.1
!   (DAL)
!   ME ( )
!  
( IPT)
!   ME
!   ...
33(c) 2014 Igor Skochinsky
JOM	
   DAL	
  
!   :
!   Java
Could	
  not	
  allocate	
  an	
  instance	
  of	
  
java.lang.OutOfMemoryError	
  
linkerInternalCheckFile:	
  JEFF	
  format	
  version	
  not	
  
supported	
  
com.intel.crypto	
  
com.trustedlogic.isdi	
  
Starting	
  VM	
  Server...	
  
34(c) 2014 Igor Skochinsky
JOM	
   DAL	
  
!   Java VM
!   ME Base64 BLOB "oath.dalp"
!  
!   "Medal App"
!   JOM "JEFF"
!   JEFF Java
!   Java
!  
35(c) 2014 Igor Skochinsky
JOM	
   DAL	
  
!   ...
!   Java
...
.ascii	
  "Invalid	
  constant	
  offset	
  in	
  the	
  SLDC	
  instruction"	
  
36(c) 2014 Igor Skochinsky
JEFF 	
  
!   JEFF
!   J 2001
!   ISO (ISO/IEC 20970)
!  
!  
!  
!  
!  
!  
37(c) 2014 Igor Skochinsky
JEFF 	
  
!   Python
!   oath.dalp JEFF
!  
!   Java
!   :
!  
!   UI ( )
!  
!  
38(c) 2014 Igor Skochinsky
JEFF	
   	
  
!   ( )
Class	
  com.intel.util.IntelApplet	
  
private:	
  
	
  	
  /*	
  0x0C	
  */	
  boolean	
  m_invokeCommandInProcess;	
  
	
  	
  /*	
  0x00	
  */	
  OutputBufferView	
  m_outputBuffer;	
  
	
  	
  /*	
  0x0D	
  */	
  boolean	
  m_outputBufferTooSmall;	
  
	
  	
  /*	
  0x04	
  */	
  OutputValueView	
  m_outputValue;	
  
	
  	
  /*	
  0x08	
  */	
  byte[]	
  m_sessionId;	
  
public:	
  
	
  	
  void	
  <init>();	
  
	
  	
  final	
  int	
  getResponseBufferSize();	
  
	
  	
  final	
  int	
  getSessionId(byte[],	
  int);	
  
	
  	
  final	
  int	
  getSessionIdLength();	
  
	
  	
  final	
  String	
  getUUID();	
  
	
  	
  final	
  abstract	
  int	
  invokeCommand(int,	
  byte[]);	
  
	
  	
  int	
  onClose();	
  
	
  	
  final	
  void	
  onCloseSession();	
  
	
  	
  final	
  int	
  onCommand(int,	
  CommandParameters);	
  
	
  	
  int	
  onInit(byte[]);	
  
	
  	
  final	
  int	
  onOpenSession(CommandParameters);	
  
	
  	
  final	
  void	
  sendAsynchMessage(byte[],	
  int,	
  int);	
  
	
  	
  final	
  void	
  setResponse(byte[],	
  int,	
  int);	
  
	
  	
  final	
  void	
  setResponseCode(int);	
  
39(c) 2014 Igor Skochinsky
IPT	
   	
  
!  
!   OATH :
package	
  com.intel.dal.ipt.framework;	
  
public	
  class	
  AppletImpl	
  extends	
  com.intel.util.IntelApplet	
  
{	
  
	
  	
  final	
  int	
  invokeCommand(int,	
  byte[])	
  
	
  	
  {	
  
	
  	
  	
  	
  ...	
  
	
  	
  }	
  
	
  	
  int	
  onClose()	
  
	
  	
  {	
  
	
  	
  	
  	
  ...	
  
	
  	
  }	
  
	
  	
  int	
  onInit(byte[])	
  
	
  	
  {	
  
	
  	
  	
  	
  ...	
  
	
  	
  }	
  
}	
  
40(c) 2014 Igor Skochinsky
IPT	
   	
  
!   ME
!  
!  
!   ...
41(c) 2014 Igor Skochinsky
IPT	
   	
  
!   C/C++, Java, .NET
API DLL
!   DLL JHI
COM TCP/IP
!   ME HECI/MEI
!   ME JOM
!   JOM
!  
!   out-of-
bound
42(c) 2014 Igor Skochinsky
Trusted	
  Execu;on	
  Environment	
  
!   JOM Trusted Logic Mobility (
Trustonic) "Trusted Foundations"
Trusted Execution Environment (TEE)
:
Trusted Foundations
43(c) 2014 Igor Skochinsky
Trusted	
  Execu;on	
  Environment	
  
!   Trusted Foundations
!   ARM TrustZone
!   GPL Trusted Foundations
!  
!   TrustZone ME/JOM
HECI/MEI
!  
44(c) 2014 Igor Skochinsky
Trusted	
  Execu;on	
  Environment	
  
!   GlobalPlatform (Trusted Logic Mobililty/
Trustonic ) TEE
!   API (TEE
) API
!   ME
http://www.globalplatform.org/specificationsdevice.asp
45(c) 2014 Igor Skochinsky
	
  
!   ME
!   ME
!   ROM BUP KERNEL
!   API
!   JEFF DAL/IPT
!   ARC IDA 6.4 IDA 6.5
46(c) 2014 Igor Skochinsky
	
  
!   	
  
!   JEFF .class JEFF
	
  
!  
	
  
!   Linux	
  IPT 	
  
!   EFFS 	
  
!   ME 	
  
!   EFFS 	
  
!  
	
  
!  
	
  
47(c) 2014 Igor Skochinsky
	
  
!   	
  
!  
	
  
!   	
  
!   UMA 	
  
!   	
  
!   ME	
  ↔ 	
  
!  
	
  
!   ;	
  
	
  
!  
...	
  	
  
!   	
  
48(c) 2014 Igor Skochinsky
	
  
!   BIOS	
  RE	
  
!   ME
	
  
!   ME BIOS
	
  
!   BIOS 	
  
!   Nikolaj	
  Schlej UEFITool UEFI
	
  
hkps://github.com/NikolajSchlej/UEFITool	
  
!   Coreboot ME 	
  
!   	
  
!   Open	
  Virtual	
  Plalorm	
  (www.ovpworld.org)	
   ARC600
ARC700(ARCompact ) 	
  
!  
	
  
!   	
  
49(c) 2014 Igor Skochinsky
	
  
http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/
http://theinvisiblethings.blogspot.com/2009/08/vegas-toys-part-i-ring-3-tools.html
http://download.intel.com/technology/itj/2008/v12i4/paper[1-10].pdf
http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf
http://www.stewin.org/papers/dimvap15-stewin.pdf
http://www.stewin.org/techreports/pstewin_spring2011.pdf
http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf
http://flashrom.org/trac/flashrom/browser/trunk/Documentation/mysteries_intel.txt
http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=src/southbridge/intel/bd82x6x/me.c
http://download.intel.com/technology/product/DCMI/DCMI-HI_1_0.pdf
http://me.bios.io/
http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf
50(c) 2014 Igor Skochinsky
	
  
	
  
igor@hex-­‐rays.com	
  
skochinsky@gmail.com	
  

Mais conteúdo relacionado

Mais procurados

Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法
Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法
Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法モノビット エンジン
 
どうやらテスト駆動型開発は死んだようです。これからのCI
どうやらテスト駆動型開発は死んだようです。これからのCIどうやらテスト駆動型開発は死んだようです。これからのCI
どうやらテスト駆動型開発は死んだようです。これからのCIKoichiro Sumi
 
僕がつくった 70個のうちの48個のWebサービス達
僕がつくった 70個のうちの48個のWebサービス達僕がつくった 70個のうちの48個のWebサービス達
僕がつくった 70個のうちの48個のWebサービス達Yusuke Wada
 
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応までDocker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応までMasahito Zembutsu
 
文字コードに起因する脆弱性とその対策(増補版)
文字コードに起因する脆弱性とその対策(増補版)文字コードに起因する脆弱性とその対策(増補版)
文字コードに起因する脆弱性とその対策(増補版)Hiroshi Tokumaru
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみたKohei Tokunaga
 
新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会
新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会
新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会モノビット エンジン
 
GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -zgock
 
乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)
乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)
乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)NTT DATA Technology & Innovation
 
ネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分けネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分けモノビット エンジン
 
Dockerfile を書くためのベストプラクティス解説編
Dockerfile を書くためのベストプラクティス解説編Dockerfile を書くためのベストプラクティス解説編
Dockerfile を書くためのベストプラクティス解説編Masahito Zembutsu
 
Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現
Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現
Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現Yoshifumi Kawai
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能Kohei Tokunaga
 
Dockerfileを改善するためのBest Practice 2019年版
Dockerfileを改善するためのBest Practice 2019年版Dockerfileを改善するためのBest Practice 2019年版
Dockerfileを改善するためのBest Practice 2019年版Masahito Zembutsu
 
ネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分けネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分けモノビット エンジン
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Akihiro Suda
 
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜 リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜 Yugo Shimizu
 
セキュリティを楽しむ(CTFとbugbountyの始め方)
セキュリティを楽しむ(CTFとbugbountyの始め方)セキュリティを楽しむ(CTFとbugbountyの始め方)
セキュリティを楽しむ(CTFとbugbountyの始め方)kazkiti
 
Chromebook 「だけ」で WebRTCを動かそう
Chromebook 「だけ」で WebRTCを動かそうChromebook 「だけ」で WebRTCを動かそう
Chromebook 「だけ」で WebRTCを動かそうmganeko
 

Mais procurados (20)

Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法
Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法
Unityネットワーク通信の基盤である「RPC」について、意外と知られていないボトルネックと、その対策法
 
どうやらテスト駆動型開発は死んだようです。これからのCI
どうやらテスト駆動型開発は死んだようです。これからのCIどうやらテスト駆動型開発は死んだようです。これからのCI
どうやらテスト駆動型開発は死んだようです。これからのCI
 
僕がつくった 70個のうちの48個のWebサービス達
僕がつくった 70個のうちの48個のWebサービス達僕がつくった 70個のうちの48個のWebサービス達
僕がつくった 70個のうちの48個のWebサービス達
 
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応までDocker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
 
文字コードに起因する脆弱性とその対策(増補版)
文字コードに起因する脆弱性とその対策(増補版)文字コードに起因する脆弱性とその対策(増補版)
文字コードに起因する脆弱性とその対策(増補版)
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた
 
新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会
新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会
新しくなったモノビットエンジンを使って10万人規模のサーバを構築するノウハウを公開!2017年10月27日モノビットエンジン勉強会
 
GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -GPU仮想化最前線 - KVMGTとvirtio-gpu -
GPU仮想化最前線 - KVMGTとvirtio-gpu -
 
乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)
乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)
乗っ取れコンテナ!!開発者から見たコンテナセキュリティの考え方(CloudNative Days Tokyo 2021 発表資料)
 
ネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分けネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分け
 
Jenkins 再入門
Jenkins 再入門Jenkins 再入門
Jenkins 再入門
 
Dockerfile を書くためのベストプラクティス解説編
Dockerfile を書くためのベストプラクティス解説編Dockerfile を書くためのベストプラクティス解説編
Dockerfile を書くためのベストプラクティス解説編
 
Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現
Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現
Unityによるリアルタイム通信とMagicOnionによるC#大統一理論の実現
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
 
Dockerfileを改善するためのBest Practice 2019年版
Dockerfileを改善するためのBest Practice 2019年版Dockerfileを改善するためのBest Practice 2019年版
Dockerfileを改善するためのBest Practice 2019年版
 
ネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分けネットワーク ゲームにおけるTCPとUDPの使い分け
ネットワーク ゲームにおけるTCPとUDPの使い分け
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜 リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜
 
セキュリティを楽しむ(CTFとbugbountyの始め方)
セキュリティを楽しむ(CTFとbugbountyの始め方)セキュリティを楽しむ(CTFとbugbountyの始め方)
セキュリティを楽しむ(CTFとbugbountyの始め方)
 
Chromebook 「だけ」で WebRTCを動かそう
Chromebook 「だけ」で WebRTCを動かそうChromebook 「だけ」で WebRTCを動かそう
Chromebook 「だけ」で WebRTCを動かそう
 

Semelhante a インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky

Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Cristofaro Mune
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Piotr Król
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran
 
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇACODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇACODE BLUE
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
2014 09 12 Dia Programador Session Materials
2014 09 12 Dia Programador Session Materials2014 09 12 Dia Programador Session Materials
2014 09 12 Dia Programador Session MaterialsBruno Capuano
 
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...CODE BLUE
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)Nate Lawson
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
Gameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyGameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyYodalee
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceRodolpho Concurde
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Making OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul IroftiMaking OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul Iroftieurobsdcon
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal BootloaderSatpal Parmar
 

Semelhante a インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky (20)

Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
Unity3D Programming
Unity3D ProgrammingUnity3D Programming
Unity3D Programming
 
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇACODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
CODE BLUE 2014 : BadXNU、イケてないリンゴ! by ペドロ・ベラサ PEDRO VILAÇA
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
 
2014 09 12 Dia Programador Session Materials
2014 09 12 Dia Programador Session Materials2014 09 12 Dia Programador Session Materials
2014 09 12 Dia Programador Session Materials
 
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
CODE BLUE 2014 : A security assessment study and trial of Tricore-powered aut...
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Gameboy emulator in rust and web assembly
Gameboy emulator in rust and web assemblyGameboy emulator in rust and web assembly
Gameboy emulator in rust and web assembly
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Making OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul IroftiMaking OpenBSD Useful on the Octeon Network Gear by Paul Irofti
Making OpenBSD Useful on the Octeon Network Gear by Paul Irofti
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal Bootloader
 

Mais de CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

Mais de CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Último

20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 

Último (20)

20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky

  • 2. 2(c) 2014 Igor Skochinsky   !   ME   !     !   ME   !     !     !    
  • 3. 3(c) 2014 Igor Skochinsky   !   15   !   IDA   !   2008 Hex-­‐Rays   !   IDA ( )   !   ( Kindle Sony  Reader)   !   PC (BIOS,  UEFI,  ME)   !   reddit.com/r/ReverseEngineering/    
  • 4. 4(c) 2014 Igor Skochinsky ME:     !   ( )   !   (GMCH,  PCH,  MCH)   !   BIOS CPU   !   ( CPU )   !   CPU  
  • 5. 5(c) 2014 Igor Skochinsky ME:     Credit: Intel 2009
  • 6. 6(c) 2014 Igor Skochinsky ME:     OS !   HECI  (MEI):  Host  Embedded  Controller  Interface;     PCI   !   SOAP ;   HTTP HTTPS  
  • 7. 7(c) 2014 Igor Skochinsky ME:     ME   !   (AMT):   KVM   !   :   /   !   IDE (IDE-­‐R) LAN  (SOL):   OS CD/ HDD PC   !   :  2 (OTP)   !   :   PIN  
  • 8. 8(c) 2014 Igor Skochinsky ME:       !   PC ” ” PC   !   3G SMS   !   HDD   !    
  • 9. 9(c) 2014 Igor Skochinsky ME:
  • 10. 10(c) 2014 Igor Skochinsky ME:       !   ( )   !     !   HECI     !   AMT  SDK   !   Linux   ;  coreboot   !   BIOS   !   ME BIOS   !   ME  
  • 11. 11(c) 2014 Igor Skochinsky ME       !   ME             !   FTP   !                                                                                                                                   !                                                                                                                                                                             !                                                                                                                                                                   :)  
  • 12. 12(c) 2014 Igor Skochinsky FSP   !   2013   !     !   Intel   !                                                                                                    HM76/QM77   !                                                                                            ME     http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp- overview "confidential“ :)
  • 13. 13(c) 2014 Igor Skochinsky SPI   !   SPI BIOS ME GbE   !   BIOS( OS) ME   !   Descriptor ME   !   Descriptor  
  • 14. 14(c) 2014 Igor Skochinsky ME   !   ME   !    
  • 15. 15(c) 2014 Igor Skochinsky ME   !   “ "   !   RSA  
  • 16. 16(c) 2014 Igor Skochinsky ME   !   2   !   Gen  2:  Intel  5  Series( Ibex  Peak)   Gen 1 Gen 2 ME versions 1.x-5.x 6.x-9.x Core ARCTangent-A4 ARC 600(?) Instruction set ARC (32-bit) ARCompact (32/16) Manifest tag $MAN $MN2 Module header tag $MOD $MME Code compression None, LZMA None, LZMA, Huffman
  • 17. 17(c) 2014 Igor Skochinsky ME   Module name Description BUP Bringup (hardware initialization/configuration) KERNEL Scheduler, low-level APIs for other modules POLICY Secondary init tasks, some high-level APIs HOSTCOMM Handles high-level protocols over HECI/MEI CLS Capability Licensing Service – enable/disable features depending on SKU, SKU upgrades TDT Theft Deterrence Technology (Intel Anti-Theft) Pavp Protected Audio-Video Path JOM Dynamic Application Loader (DAL) – used to implement Identity Protection Technology (IPT)  
  • 18. 18(c) 2014 Igor Skochinsky ME:  ROM   !   ROM   !     !     !   ME "ROMB"  
  • 19. 19(c) 2014 Igor Skochinsky ME:  ROM   !   ROM   !    
  • 20. 20(c) 2014 Igor Skochinsky ME:  ROM   !   ME   !   ROMB  
  • 21. 21(c) 2014 Igor Skochinsky ME:  ROM   !   ROMB ROM   !   ROM :   !   C (memcpy,  memset,  strcpy )   !   ThreadX  RTOS     !   API   !   ROM   !   FTPR BUP   !   BUP KERNEL :(  
  • 22. 22(c) 2014 Igor Skochinsky ME:
  • 23. 23(c) 2014 Igor Skochinsky ME:     !   ME !   : ME RSA ROM “During the design phase, a Firmware Signing Key (FWSK) public/private pair is generated at a secure Intel Location, using the Intel Code Signing System. The Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus fixed. Each approved production firmware image is digitally signed by Intel with the private FWSK. The public FWSK and the digital signature are appended to the firmware image manifest. At runtime, a secure boot sequence is accomplished by means of the boot ROM verifying that the public FWSK on Flash is valid, based on the hash value in ROM. The ROM validates the firmware image that corresponds to the manifest’s digital signature through the use of the public FWSK, and if successful, the system continues to boot from Flash code.” “Architecture Guide: Intel® Active Management Technology”, 2009
  • 24. 24(c) 2014 Igor Skochinsky ME: (UMA)   !   ME RAM  (UMA) (MCU )   !   ME BIOS CPU   !   2009 Invisible  Things  Lab   !   ...  
  • 25. 25(c) 2014 Igor Skochinsky ME:  UMA   !   UMA   !   #1:  BIOS MESEG   !   [ ...]   !     !   UEFI   !     !   :     !   :   ...  
  • 26. 26(c) 2014 Igor Skochinsky ME:  UMA   !   #2:     !   DRAM UMA   !   ...   : ME UMA : UMA
  • 27. 27(c) 2014 Igor Skochinsky ME:  UMA   !   –   !   –   !   DDR3   “The memory controller incorporates a DDR3 Data Scrambling feature to minimize the impact of excessive di/dt on the platform DDR3 VRs due to successive 1s and 0s on the data bus. [...] As a result the memory controller uses a data scrambling feature to create pseudo-random patterns on the DDR3 data bus to reduce the impact of any excessive di/ dt.” (from Intel Corporation Desktop 3rd Generation Intel® Core™ Processor Family, Desktop Intel® Pentium® Processor Family, and Desktop Intel® Celeron® Processor Family Datasheet)
  • 28. 28(c) 2014 Igor Skochinsky ME:  UMA   !   #3:   UMA   !   UMA FPT 1   !   FPT   !   :   1)  32MB FPT BIOS 32MB ME 16MB   2)  16MB FPT BIOS 16MB 16MB   !    
  • 29. 29(c) 2014 Igor Skochinsky ME:  UMA   !   #4:     !   BIOS   !   UEFI "Setup" ( Breakpoint   2012 )   !    –  
  • 30. 30(c) 2014 Igor Skochinsky ME:  UMA   !   #5:     !     !     !   ...  
  • 31. 31(c) 2014 Igor Skochinsky   !   ME   !     !   (SPS)   !   BUP KERNEL   !   #1:  BUP !   !   KERNEL " " ...   !   #2:   ( )   !   2   !    
  • 32. 32(c) 2014 Igor Skochinsky JOM   DAL   !   JOM ME 7.1 !   (DAL) !   ME ( ) !   ( IPT) !   ME !   ...
  • 33. 33(c) 2014 Igor Skochinsky JOM   DAL   !   : !   Java Could  not  allocate  an  instance  of   java.lang.OutOfMemoryError   linkerInternalCheckFile:  JEFF  format  version  not   supported   com.intel.crypto   com.trustedlogic.isdi   Starting  VM  Server...  
  • 34. 34(c) 2014 Igor Skochinsky JOM   DAL   !   Java VM !   ME Base64 BLOB "oath.dalp" !   !   "Medal App" !   JOM "JEFF" !   JEFF Java !   Java !  
  • 35. 35(c) 2014 Igor Skochinsky JOM   DAL   !   ... !   Java ... .ascii  "Invalid  constant  offset  in  the  SLDC  instruction"  
  • 36. 36(c) 2014 Igor Skochinsky JEFF   !   JEFF !   J 2001 !   ISO (ISO/IEC 20970) !   !   !   !   !   !  
  • 37. 37(c) 2014 Igor Skochinsky JEFF   !   Python !   oath.dalp JEFF !   !   Java !   : !   !   UI ( ) !   !  
  • 38. 38(c) 2014 Igor Skochinsky JEFF     !   ( ) Class  com.intel.util.IntelApplet   private:      /*  0x0C  */  boolean  m_invokeCommandInProcess;      /*  0x00  */  OutputBufferView  m_outputBuffer;      /*  0x0D  */  boolean  m_outputBufferTooSmall;      /*  0x04  */  OutputValueView  m_outputValue;      /*  0x08  */  byte[]  m_sessionId;   public:      void  <init>();      final  int  getResponseBufferSize();      final  int  getSessionId(byte[],  int);      final  int  getSessionIdLength();      final  String  getUUID();      final  abstract  int  invokeCommand(int,  byte[]);      int  onClose();      final  void  onCloseSession();      final  int  onCommand(int,  CommandParameters);      int  onInit(byte[]);      final  int  onOpenSession(CommandParameters);      final  void  sendAsynchMessage(byte[],  int,  int);      final  void  setResponse(byte[],  int,  int);      final  void  setResponseCode(int);  
  • 39. 39(c) 2014 Igor Skochinsky IPT     !   !   OATH : package  com.intel.dal.ipt.framework;   public  class  AppletImpl  extends  com.intel.util.IntelApplet   {      final  int  invokeCommand(int,  byte[])      {          ...      }      int  onClose()      {          ...      }      int  onInit(byte[])      {          ...      }   }  
  • 40. 40(c) 2014 Igor Skochinsky IPT     !   ME !   !   !   ...
  • 41. 41(c) 2014 Igor Skochinsky IPT     !   C/C++, Java, .NET API DLL !   DLL JHI COM TCP/IP !   ME HECI/MEI !   ME JOM !   JOM !   !   out-of- bound
  • 42. 42(c) 2014 Igor Skochinsky Trusted  Execu;on  Environment   !   JOM Trusted Logic Mobility ( Trustonic) "Trusted Foundations" Trusted Execution Environment (TEE) : Trusted Foundations
  • 43. 43(c) 2014 Igor Skochinsky Trusted  Execu;on  Environment   !   Trusted Foundations !   ARM TrustZone !   GPL Trusted Foundations !   !   TrustZone ME/JOM HECI/MEI !  
  • 44. 44(c) 2014 Igor Skochinsky Trusted  Execu;on  Environment   !   GlobalPlatform (Trusted Logic Mobililty/ Trustonic ) TEE !   API (TEE ) API !   ME http://www.globalplatform.org/specificationsdevice.asp
  • 45. 45(c) 2014 Igor Skochinsky   !   ME !   ME !   ROM BUP KERNEL !   API !   JEFF DAL/IPT !   ARC IDA 6.4 IDA 6.5
  • 46. 46(c) 2014 Igor Skochinsky   !     !   JEFF .class JEFF   !     !   Linux  IPT   !   EFFS   !   ME   !   EFFS   !     !    
  • 47. 47(c) 2014 Igor Skochinsky   !     !     !     !   UMA   !     !   ME  ↔   !     !   ;     !   ...     !    
  • 48. 48(c) 2014 Igor Skochinsky   !   BIOS  RE   !   ME   !   ME BIOS   !   BIOS   !   Nikolaj  Schlej UEFITool UEFI   hkps://github.com/NikolajSchlej/UEFITool   !   Coreboot ME   !     !   Open  Virtual  Plalorm  (www.ovpworld.org)   ARC600 ARC700(ARCompact )   !     !    
  • 49. 49(c) 2014 Igor Skochinsky   http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/ http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/ http://theinvisiblethings.blogspot.com/2009/08/vegas-toys-part-i-ring-3-tools.html http://download.intel.com/technology/itj/2008/v12i4/paper[1-10].pdf http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf http://www.stewin.org/papers/dimvap15-stewin.pdf http://www.stewin.org/techreports/pstewin_spring2011.pdf http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf http://flashrom.org/trac/flashrom/browser/trunk/Documentation/mysteries_intel.txt http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=src/southbridge/intel/bd82x6x/me.c http://download.intel.com/technology/product/DCMI/DCMI-HI_1_0.pdf http://me.bios.io/ http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf
  • 50. 50(c) 2014 Igor Skochinsky     igor@hex-­‐rays.com   skochinsky@gmail.com