Upload File

wiretapping the tpm

11
Johannes Winter Institut for Applied Information Processing and Communications 1 ETISS 2009 TPM Lab – Wiretapping demo Wiretapping the TPM Johannes Winter <[email protected]>

Upload: others

Post on 28-Nov-2021

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

1

ETISS 2009 TPM Lab – Wiretapping demo

Wiretapping the TPM

Johannes Winter <[email protected]>

mailto:[email protected]
Page 2: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

2

ETISS 2009 TPM Lab – Wiretapping demo

Outline

▪ Motivation

▪ Integration of the TPM in PC platforms

▪ Demo

Page 3: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

3

ETISS 2009 TPM Lab – Wiretapping demo

Motivation

▪ Examples of simple TPM hardware attacks▫ “TPM Reset Attack”

▪ Pecularity of PC platform reset (active low PCI reset line)

▫ “Analyzing TPM communication” (Kursawe, Schellekins, Prenel)

▪ Detailed analysis of TPM 1.1 communication

▪ Unencrypted communication between the TPM and the Southbridge/CPU

▪ Authors used professional Lab equipment (Logic Analyzer, …)

▪ We will try a variant of the attack by Kursawe et al.

Page 4: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

4

ETISS 2009 TPM Lab – Wiretapping demo

What can an adversary learn by wiretapping?

▪ Our test platform has a version 1.1 TPM▫ Normally, communication to and from the TPM is unencrypted …

▫ … e.g. decrypted plaintext of sealed blob (TPM_Unseal)

▪ Current version 1.2 TPMs provide countermeasures▫ e.g. Transport sessions, enhanced TPM_Unseal command

▫ Chicken-Egg Problem: Where to store the secret needed to protect the secret?

Page 5: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

5

ETISS 2009 TPM Lab – Wiretapping demo

Integration of the TPM in the PC platform

▪ External TPM▫ Interface to the CPU via the

Low-Pin-Count (LPC) bus on the PC's southbridge (ICH).

▫ The TPM shares the LPC bus with other peripherals (Flash BIOS, Super I/O)

▫ Recent Intel southbridges come with an integrated TPM

[Image taken from “Intel 965 Express Chipset Family Datasheet”]

Page 6: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

6

ETISS 2009 TPM Lab – Wiretapping demo

Integration of the TPM in the PC platform

Page 7: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

7

ETISS 2009 TPM Lab – Wiretapping demo

LPC bus fundamentals

Page 8: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

8

ETISS 2009 TPM Lab – Wiretapping demo

LPC bus fundamentals

▪ Bi-directional low-bandwidth Low-Pin-Count Bus▫ Originally invented as replacement for ISA

▪ Minimum Configuration▫ Clock Line (LCLK)

▫ Frame Marker (LFRAME#)

▫ Four bi-directional data lines (LAD[0], LAD[1], LAD[2], LAD[3])

▪ Optional support for interrupts, DMA and bus-mastering▫ Interrupts require one additional SERIRQ# line

▪ The TPM is a passive component by design▫ No DMA or busmaster capabilites

Page 9: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

9

ETISS 2009 TPM Lab – Wiretapping demo

A Low-Cost LPC bus sniffer

Spartan 3E FPGA (S3E100)

SPI Interface

Input FIFO5bit x 16

Output FIFO16bit x 4096

LPC ProtocolAnalyzer

CaptureFilter

Packetserialization

FX2 SlaveFIFO interface

CypressFX2 CPU

(8051) Slave FIFO

GPIOPins

LPC CaptureFrontend

USB2.0Host PC

Target PC

LPC probes

Page 10: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

10

ETISS 2009 TPM Lab – Wiretapping demo

Ad arma!

Page 11: Wiretapping the TPM

Johannes Winter

Institut for Applied Information Processing and Communications

11

ETISS 2009 TPM Lab – Wiretapping demo

Thank you for your attention!


Teoria de las compunicaciones TP1: Wiretapping · Facultad de Ciencias Exactas y Naturales – UBA Departamento de computacion Teoria de las compunicaciones TP1: Wiretapping Integrantes

Ch3a Wiretapping

Using the TPM - eLinux.org

the ethical dilemma of warrantless wiretapping in the united states of

TPM AOM-TPM-9670V AOM-TPM-9670H AOM-TPM … · TPM Users Guide Chapter 1: Introduction 1-1 Chapter 1 Introduction 1.1 Overview of the Trusted Platform Module (TPM) The Trusted Platform

Exploiting Lawful Intercept to Wiretap the Internet...IBM Corporation IETF Policy on Wiretapping (RFC 2804) The IETF will not consider requirements for wiretapping in protocol designs

TPM 2 - GIGABYTE GAMINGdownload1.gigabyte.ru/manual/motherboard_manual_tpm_c.pdfInfineon TPM Driver GIGABYTE Ultra TPM Infineon TPM Ultra TPM - 4 - 3. TPM BIOS Infineon Security Platform

Wiretapping and Encryption More Week 5 cont.. Early Forms of Wiretapping uParty Lines uHuman Operators

Verizon Wiretapping - Alex Haas Department of Justice Comments

XDM-300 von ECI - 3M Services GmbH: Lösungen und ... TPM TPM TPM TPM TCF 48Vin 48Vin IM13 IM14 IM15 IM16 IM9 IM10 IM11 IM12 IM18 IM17 Fan OCM OCM OCM OCM TCF TPM TPM TPM TPM TCF •

Thotcon 0x5 - Retroactive Wiretapping VPN over DNS

Trusted Platform Module (TPM) TCG 1.2 / 2 · PDF file2.2 Enabling the TPM 1.2 via the SUM ... is designed to run on Intel Xeon® E5 and E7, ... TPM Version 1.2 TPM Version 2.0 AOM-TPM-9655V

CS 458 / 658 Computer Security and Privacy · Owner of node can always monitor communication owing through node Eavesdropping or passive wiretapping Active wiretapping involves modi

Advancing Academic Language for All Should secret wiretapping be legal?lincolnteachernetwork.weebly.com/uploads/5/1/2/9/5129910/... · 2019-03-17 · Should secret wiretapping be

Verizon Wiretapping - Public Advocate Commnts 02

Wiretapping Rady Rann 1055-621. What is Wiretapping Wiretapping is the monitoring of conversations by a third party. Wiretapping is the monitoring of

Nsa Report on Nyt Warrantless Wiretapping Story

Statement by the Prime Minister on illegal wiretapping

Anti wiretapping law and related issues consti-ii

Smart TPM · 2010-04-14 · - 4 - 2. Installing the Infineon TPM Driver and the Smart TPM Utility Before you use the Smart TPM utility, ensure that the Infineon TPM driver and the

경영 혁신과 TPM 의 필요성 TPM 의 정의 TPM Vision TPM 의 목적 TPM 의 8 대 기능 TPM 의 추진내용

Verizon Wiretapping - John Patterson Letter Regarding Court Order 02

Teoria de las compunicaciones TP1: Wiretapping€¦ · Facultad de Ciencias Exactas y Naturales – UBA Departamento de computacion Teoria de las compunicaciones TP1: Wiretapping

The TPM 2.0 specs are here, now what? · Errors at TPM Initialization •Section 2.4.2.1, If the startup command fails during TPM Initialization… The platform must make the TPM

Lawful Hacking: Wiretapping via Internet Vulns

Signaling vulnerabilities in wiretapping systems

Nebraska USDC, Damages for Teddybear Wiretapping

Does Warrantless Wiretapping Violate Moral Rights?

2004 Wiretapping Updated

Integrating SPC, OEE and TPM - DataLyzer...at the shop floor is an important essential within TPM. In fact, this is the first pillar of TPM. TPM has a strong focus on the equipment,

TPM WORKING COMMITTEE - Plant · PDF fileZenPower International Industry TPM Consultants tpm/moses 1 Moses Tan (MSc, BIT), is the Principal TPM Consultant of his own Consultancy Company,

TPM AOM-TPM-9671V AOM-TPM-9671H AOM-TPM-9671V(H)-S AOM-TPM … · 2018-06-11 · TPM Users Guide Chapter 1: Introduction 1-1 Chapter 1 Introduction 1.1 Overview of the Trusted Platform

Wiretapping and Surveillance II - cs.columbia.edu

The Wiretapping--Eavesdropping Problem: A Professor's View

TPM® Project Assessment - managementexchange.com · TPM® Project Assessment Organization SAMPLE ... knowledge areas Scope Mgmt 7 The TPM® Assessment results ... 13 The TPM® Assessment