Here's my layman's not-totally-accurate-but-gets-the-point-across story about how #meltdown & #spectre type attacks work:
Let's say you go to a library that has a 'special collection' you're not allowed access to, but you want to read one of the books. 1/10
You go in and go to the librarian and say "I'd like special book #1, and the Sue Grafton novel that corresponds to the first letter of page 1 of that book." 2/10
The librarian dutifully goes and gets special book #1, looks at page 1, sees 'C', and also grabs 'C is for Corpse', and comes back to the desk, but does not show you the books. 3/10
The librarian scans your card, then scans the first book, and says "sorry, you don't have access to this book, let's start over." But puts the books on the nearby re-shelve cart instead of back on the shelf. 4/10
In response you say "I'd like to borrow 'A is for Alibi'" and the librarian responds "just a moment while I get that". You interrupt and ask for 'B is for Burglar' and the librarian responds "just a moment while I get that" again. 5/10
When you interrupt again, and say "I'd also like C is..." the librarian interrupts you to say "Oh, I have that one right here on the cart!" 6/10
You say "Great! But actually I don't want any books. You can put all those back!" and write down 'C' in your notebook. 7/10
The dutiful librarian re-shelves all the books and then you repeat the process... For every single letter on every page in special book #1. The librarian is especially dutiful and luckily fast, so this only takes you a few moments. 8/10
Let's try fixing it by having a separate shelf, reshelving rack, librarian, and line for the special collection. It solves the problem, but all the people who have access to and use the special collection complain about how it takes 5 to 30% longer to get their books. 9/10
So, the books are memory. The special collection is the operating system's or other programs' memory. The reshelving rack is cache and/or register file. The librarian is the page management.
It's not a perfect analogy, but it describes it in non-technical terms. Feedback welcome. 10/10
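To make the analogy concrete, here is a toy simulation of the library story, written as an added example (it is not part of the original thread and models no real CPU). The `Librarian` class, the `cart` set standing in for the cache, the `time_fetch` cost values and the special-book contents are all constructed for illustration. The unmitigated librarian leaves the speculatively fetched novel on the cart, so a "fast" fetch reveals the letter; the `isolate_special` variant (the separate shelf and cart from tweet 9/10) never lets a forbidden lookup touch the shared cart, and the probe learns nothing.

```python
"""Toy model of the Meltdown/Spectre library analogy (constructed example)."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Public shelf: one Sue Grafton-style title per letter. A, B and C use the
# titles from the thread; the rest are constructed placeholders.
NOVELS = {c: f"{c} is for ... (placeholder title)" for c in ALPHABET}
NOVELS.update({"A": "A is for Alibi", "B": "B is for Burglar", "C": "C is for Corpse"})


class Librarian:
    """A CPU stand-in: fetches speculatively, checks permission late,
    and leaves fetched books on the 'cart' (the cache)."""

    def __init__(self, public_shelf, special_book, isolate_special=False):
        self.public = public_shelf        # letter -> novel title (readable by anyone)
        self.special = special_book       # contents of special book #1 (restricted)
        self.isolate = isolate_special    # mitigation: separate cart for the special collection
        self.cart = set()                 # letters whose novel is currently on the cart
        self.check_log = []               # audit trail of denied requests (defender's view)

    def request(self, page, has_access):
        """Fetch page `page` of the special book and the novel whose letter
        matches. The permission check happens *after* the fetch, exactly as
        in the story; only the isolated librarian keeps the cart clean."""
        letter = self.special[page]
        if not has_access and self.isolate:
            # Mitigated path: forbidden lookups never populate the shared cart.
            self.check_log.append(("denied", page))
            raise PermissionError("no access to the special collection")
        self.cart.add(letter)             # side effect survives the denial below
        if not has_access:
            self.check_log.append(("denied", page))
            raise PermissionError("no access to the special collection")
        return self.public[letter]

    def time_fetch(self, letter):
        """Cost of fetching a public novel: cheap if already on the cart."""
        cost = 1 if letter in self.cart else 10
        self.cart.add(letter)
        return cost

    def reshelve(self):
        """The librarian puts everything back (cache flush)."""
        self.cart.clear()


def recover_book(librarian, length, fast_threshold=5):
    """Replay the story for every page: ask for the forbidden book, get
    denied, then time every public novel. Exactly one fast fetch means the
    letter leaked; none means the mitigation held and we record '?'."""
    recovered = []
    for page in range(length):
        librarian.reshelve()
        try:
            librarian.request(page, has_access=False)
        except PermissionError:
            pass                          # denied, as expected; the cart may still tell
        fast = [c for c in ALPHABET if librarian.time_fetch(c) < fast_threshold]
        recovered.append(fast[0] if len(fast) == 1 else "?")
    return "".join(recovered)


if __name__ == "__main__":
    secret = "CORPSE"                     # constructed contents of special book #1
    print("leaky librarian :", recover_book(Librarian(NOVELS, secret), len(secret)))
    print("isolated librarian:", recover_book(Librarian(NOVELS, secret, True), len(secret)))
```

Running it prints `CORPSE` for the leaky librarian and `??????` for the isolated one. The `check_log` is the defender's side of the story: both librarians deny every request, so access logs alone look identical; the difference is only visible in what the denied request left behind on the cart, which is why the fix has to change the microarchitectural side effect rather than the permission check.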
I’ve gotten lots of inquiries about whether I could analyze some hardware or could recommend someone who might.
I’ll be blunt - most of you don’t need this. Here are some things you should consider before seeking out services like this:
1. It’s unlikely you’re affected. Really. Even assuming every claim is true, and even if there is a secret device on every single X brand motherboard, it’s unlikely you’re targeted by whatever payload the implant carries.
2. There are no published hardware indicators of compromise (IOCs). The device and placement referenced in the article are only representative and not actual devices. Having experienced hardware eyes on your board might pick out something odd, but won’t be conclusive.
Hector and others have identified the component used in the Bloomberg article to represent the hardware implant. I'd like to share my perspective on whether it's realistically possible:
If someone said that the implant was found inside a coupler, first I'd check component suppliers for couplers that might fit the bill. And the one displayed is pretty much the smallest one you can find with 'coupler' in the name.
A coupler is a filter - you'd normally have signals coming in & filtered signals going out the other side.
If you see a piece of alumina or ceramic and it has markings on top with a coupler's model number you'll assume that's what it is.
Perfect man-in-the-middle opportunity
At one point in time I had a conversation about how I would put a hardware implant into a system. I'm delighted to see @qrs had a very similar assessment:
Given a photo of a server motherboard, this was my response after a few minutes. You'll have to take my word I wrote this 4 Sept 2017.
"Well, you picked an easy one, it already has a backdoor :)"
"The ASPEED chip (1) is the BMC or Board Management Controller. It's an extra CPU on the system that is supposed to 'manage' the actual server that does all the work, like negotiating power supplies and storage connections with the rest of the servers in the rack."
There’s recent news about some really interesting hardware implants. I wanted to take a bit to share more technical thoughts and details that can’t be reduced to a mainstream article on the topic.
threaded: securinghardware.com/articles/hardw…
The core of the claim is that someone implanted extra components on some server motherboards that would do malicious stuff, subvert the system and possibly allow it to ‘phone home’. I looked at the claims through a technical and feasibility lens.
I’ve studied hardware implants for a few years now. I’ve done multiple reviews of server hardware looking for backdoors. I profit, via @securinghw and @SecureHardware, from people being more interested in hardware security.
Remember the USB fans from Singapore that were in the news? @HackingThings and I took some more of them apart and there's plenty of potential for foul play.
This is an older Lightning port fan that @HackingThings had. No surprise there's a chip in there to speak SDQ to tell the iPhone to supply power.
Congratulations, your talk has been declined! Many of us have been disappointed or relieved by a rejection in the past few days. As a follow-on to my previous post about the CFP process and writing an abstract, I figured it would be fitting to write a bit about what to do now.
Don’t worry, a post about what to do if you’re *accepted* should come right on time, about a week before Black Hat and Defcon.
It’s okay to be disappointed. You put lots of work into your research, and more into making it look good for the CFP. If you’re smart, you’ve been scrambling to deliver on the things you promised in case they asked for more info. It might feel like all that was a waste of time.