Skip to content

Latest commit

 

History

History
737 lines (502 loc) · 22.6 KB

eu-19-Han-BitLeaker-Subverting-BitLocker-With-One-Vulnerability.pdf.md

File metadata and controls

737 lines (502 loc) · 22.6 KB

BitLeaker: Subverting BitLocker with One Vulnerability 1 0 1 0 1 0

1 1 0 1 1 1

0 1 0 1 0 1

1 1 0 1 1 1

0 1 0

1 0 1

1 0 1

0 1 0

Seunghun Han, Jun-Hyeok Park (hanseunghun || parkparkqw)@nsr.re.kr Wook Shin, Junghwan Kang, Byungjoon Kim (wshin || ultract || bjkim)@nsr.re.kr

Who Are We?

  • Senior security researcher at the Affiliated Institute of ETRI - Review board member of Black Hat Asia and KimchiCon - Speaker at USENIX Security, Black Hat Asia, HITBSecConf, BlueHat Shanghai, KimchiCon, BeVX, TyphoonCon and BECS - Author of "64-bit multi-core OS principles and structure, Vol.1&2" - a.k.a kkamagui, @kkamagui1
  • Senior security researcher at the Affiliated Institute of ETRI - Speaker at Black Hat Asia 2018 ~ 2019 - Embedded system engineer - Interested in firmware security and IoT security - a.k.a davepark, @davepark312

Previous Works

Goal of This Presentation

  • We present an attack vector, S3 Sleep, to subvert the Trusted Platform Modules (TPMs)
  • S3 sleeping state cuts off the power of CPU and peripheral devices - We found CVE-2018-6622, and it affects a discrete TPM (dTPM) and a firmware TPM (fTPM)
  • We introduce a new tool, BitLeaker
  • BitLeaker extracts the Volume Master Key (VMK) of BitLocker from TPMs
  • BitLeaker can mount a BitLocker-locked partition with the VMK

DISCLAIMER

  • We do not explain BitLocker's encryption algorithm
  • We focus on the protection mechanism for the VMK - Especially, the mechanism only with a TPM!
  • It is a default option of BitLocker - We do not consider combinations of a TPM and other options (PIN or USB startup key)
  • We do not explain a vulnerability in BitLocker
  • We introduce the TPM vulnerability and subvert the VMK protection mechanism of BitLocker with it - The vulnerability we found is in the TPM, not BitLocker!

Life is wild

  • Father

To-be

As-is

Maybe...? Reality!!

LINUX

MY HERO!

BitLocker

MY PC! Linux

... ?! ...

BitLocker kidnapped proteycoteudr ydoautar!data!

NO, PLEASE!!!!

GIVE MY NUTS DATA BACK!!

Data!! FOR NUTS DATA!!!

Contents

  • Background - Subverting TPMs with One Vulnerability - Subverting Microsoft's BitLocker - BitLeaker Design and Implementation - Demo and Conclusion

Contents

  • Background - Subverting TPMs with One Vulnerability - Subverting Microsoft's BitLocker - BitLeaker Design and Implementation - Demo and Conclusion

Target System

Intel NUC8i7HVK

CPU: Intel Core i7-8809G RAM: 32GB OS: Windows 10, Ubuntu 18.04

VGA: AMD Radeon RX Vega M NVME: 512GB * 2 Security: Secure Boot, TPM 2.0

Microsoft's BitLocker (1)

  • According to Microsoft's documents... - Is a data protection feature that integrates with the OS
  • It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers
  • Provides the most protection when used with a Trusted Platform Module (TPM)
  • BIOS/UEFI firmware establishes a chain of trust for the pre-operating system startup with a TPM
  • The firmware must support TCG-specified Static Root of Trust for Measurement (SRTM)

Microsoft's BitLocker (2)

  • Uses the TPM by default to protect the Volume Master Key

(VMK)

?!

  • VMK encrypts the Full Volume Encryption Key (FVEK)

  • FVEK is used to encrypt and decrypt a disk

TPM!!!

<Key Management and Decryption Process ­ from an Ancient Scroll of Microsoft>

Trusted Platform Module (TPM) (1)

  • Is a tamper-resistant device and has two versions
  • TPM 2.0 is more widely deployed than TPM 1.2
  • Has own processor, RAM, ROM, and non-volatile RAM
  • It has own state separated from the system
  • Provides cryptographic and accumulating measurement functions
  • Integrity measurement values are accumulated to Platform Configuration Registers (PCR #0~#23)

Trusted Platform Module (TPM) (2)

  • Is used to determine the trustworthiness of a system by investigating the values stored in PCRs
  • A local verification or remote attestation can be used
  • Is used to limit access to secret data based on specific PCR values
  • Seal operation encrypts secret data with PCRs of the TPM - Unseal operation can decrypt the sealed data only if the PCR values match the specific values - BitLocker also uses the seal and unseal functions for VMK protection

Root of Trust for Measurement (RTM)

  • Sends integrity-relevant information (measurements) to the TPM
  • TPM accumulates the measurements (hashes) to a PCR with the previously stored value in the PCR Extend: PCRnew = Hash(PCRold || Measurementnew)
  • Is the CPU controlled by Core RTM (CRTM)
  • The CRTM is the first set of instructions when a new chain of trust is established

Static RTM (SRTM)

  • SRTM is started by static CRTM (S-CRTM) when the host platform starts at POWER-ON or RESTART
  • It extends measurements (hashes) of components to PCRs BEFORE passing control to them

BIOS/UEFI firmware

S-CRTM

BIOS/UEFI Code

Bootloader

Kernel

User Applications

Power On/ Restart

TPM

: Extend a hash of next code to TPM : Execute next code

Examples of PCR values SRTM PCRs

If we want to get the data back...

  • We have to...
  1. Recover PCRs of a TPM to unseal the VMK 2) Get the encrypted VMK from BitLocker 3) Decrypt the encrypted VMK with the TPM 4) Unlock a BitLocker-locked partition with the VMK!!

Contents

  • Background - Subverting TPMs with One Vulnerability - Subverting Microsoft's BitLocker - BitLeaker Design and Implementation - Demo and Conclusion

Security researchers have tried to get the VMK

with PHYSICAL ATTACKS!!

Tramell Hudson

Pulse Security

Physical bus attacks was rational and practical!

  • TPM is a tamper-resistant device, but the bus is not
  • It is hard to get data from inside of a TPM - The bus called Low Pin Count (LPC) is not secure and tamper- resistant!
  • Researchers believed PCRs of a TPM were well-protected
  • According to TPM specifications, SRTM PCRs only can be reset by host reset (power on or reboot)
  • We usually trust the specifications, but the implementation is...

PCR protection is critical!

  • PCRs MUST NOT be reset by disallowed operations even though an attacker gains root privilege!
  • SRTM PCRs (PCR #0~#15) can be reset only if the host resets
  • If attackers reset PCRs, they can reproduce specific PCR values by replaying hashes
  • They can unseal the secret without physical attacks

Unfortunately, Software development is not easy.... Specifications he should have read...

We got the power?

  • We found and published CVE-2018-6622 last year
  • It could reset the TPM when the system entered the S3 sleeping state of Advanced Configuration and Power Interface (ACPI)
  • All PCRs and the state were initialized after exploiting the vulnerability
  • We could reset the TPM without PHYSICAL ACCESS
  • Unlike other researches, entering the S3 sleeping state was enough to exploit the vulnerability
  • It meant we did not worry about tearing down the PC!

ACPI and Sleeping State

  • ACPI is a specification about configuring hardware components and performing power management
  • When ACPI enters sleeping states, it powers off...
  • S0: Normal, no context is lost - S1: Standby, the CPU cache is lost - S2: Standby, the CPU is POWERED OFF - S3: Suspend, the CPU and devices are POWERED OFF - S4: Hibernate, the CPU, devices, and RAM are POWERED OFF - S5: Soft Off, all parts are POWERED OFF

ACPI and Sleeping State

  • ACPI is a specification about configuring hardware components and performing power management
  • When ACPI enters sleeping states, it powers off...
  • S0: Normal, no context is lost
  • S1: Standby,TthPeMCPiUscaaclhseoisPloOst WERED OFF!!
  • S2: Standby, the CPU is POWERED OFF - S3: Suspend, the CPU and devices are POWERED OFF - S4: Hibernate, the CPU, devices, and RAM are POWERED OFF - S5: Soft Off, all parts are POWERED OFF

Sleep Process of the SRTM

(1) Request to

save a state

OS

TPM

(2) Request to enter sleep

(6) Resume OS

ACPI (5) Request to (BIOS/UEFI) restore a state

(3) Sleep

(4) Wake up

Sleep (S3)

"Grey Area" Vulnerability (1)

(CVE-2018-6622)

(1) Request to

save a state

OS

TPM

(2) Request to enter sleep

(6) Resume OS

ACPI (5) Request to (BIOS/UEFI) restore a state

(3) Sleep

(4) Wake up

Sleep (S3)

TPM 2.0

"Grey Area" Vulnerability (2) (CVE-2018-6622) What is the "corrective action"?

This means "reset the TPM" TPM 1.2

I hav"eGnreoyid(ACerVaeEaa-"b2oV0uu1t8l"n-c6eo6rra2reb2ci)ltiitvye(a2c)tion"

I should do nothing! TPM 2.0

What is the "corrective action"?

This means "reset the TPM" TPM 1.2 ...... ?!

Clear!

So, I tried to exploit the TPM with the vulnerability... and... My effort went to /dev/null! Intel TPM?! NO!!!!!

Typical Types of TPMs

  • Discrete TPM (dTPM)

  • Is a hardware-based TPM and connected to the LPC - Is secure, expensive, and widely deployed in high-end products - Supports TPM 1.2 or 2.0 specification

  • Firmware TPM (fTPM)

  • Is a firmware-based TPM and resides in a secure processor

  • Is secure (?), cheap, and also widely deployed from entry products to

high-end products

  • Supports only the TPM 2.0 specification

Intel PTT

CVE-2018-6622 and fTPM

  • Unfortunately, Intel Platform Trust Technology (PTT) also had the sleep mode vulnerability
  • We reported it to Intel in Feb 2019, and they would assign a new Intel SA and a CVE!
  • According to test results, many manufacturers such as Intel, Lenovo, GIGABYTE, and ASUS were vulnerable!
  • TPM related code of BIOS/UEFI firmware seems to be shared for the dTPM and the fTPM
  • How about AMD's fTPM...?

You got the REAL power! We could RESET the dTPM and the fTPM with ONE SLEEP MODE VULNERABILITY!

Kernel Module for Exploiting the Vulnerability

  • Patches tpm_pm_suspend() function in Linux TPM driver
  • The kernel module changes the function to "return 0;"

Contents

  • Background - Subverting TPMs with One Vulnerability - Subverting Microsoft's BitLocker - BitLeaker Design and Implementation - Demo and Conclusion

BitLocker and TPM

  • TPM seals the VMK of BitLocker
  • Seal operation encrypts data with a TPM bind key and TPM state (PCRs)
  • Unseal operation decrypts data with a TPM bind key when the TPM state is the same as the sealed state
  • BitLocker uses two PCR profiles
  • If UEFI Secure Boot is enabled, it uses PCR #7 and #11 - If UEFI Secure Boot is disabled, it uses PCR #0, #2, #4 and #11

Query Protectors with Manage-bde tool Query PCR #7 and #11

PCR usage of UEFI

  • PCR #0: S-CRTM, host platform extensions, and embedded option ROMs
  • PCR #1: Host platform configuration - PCR #2: UEFI driver and application code - PCR #3: UEFI driver and application configuration data - PCR #4: UEFI boot manager code and boot attempts - PCR #5: Boot manager configuration, data, GPT partition table - PCR #6: Host platform manufacturer specification - PCR #7: Secure boot policy - PCR #8 - #15: Defined for use by the OS with SRTM

So, we needed hashes of the normal system for PCR #7 and #11 But, how?

PCRs, Measurements, and Event Logs (1)

  • Event logs consist of PCR numbers, hashes, event types, and event data
  • According to the TPM spec., RTM extends hashes to a TPM and saves event logs for each measurement
  • UEFI firmware has EFI TCG protocols for TPM 1.2 and 2.0 to communicate with TPM implementations
  • So, we needed the event logs!
  • We could make the TPM state normal by replaying them

PCRs, Measurements, and Event Logs (2)

PCRs, Measurements, and Event Logs (3)

  • Unfortunately, event logs were gone when the kernel started
  • If ExitBootServices() of EFI_BOOT_SERVICES was called, UEFI firmware flushed them
  • It meant we had to save event logs into somewhere and retrieved them with a kernel module! We needed a custom BOOTLOADER!

PCRs, Measurements, and Event Logs (3)

  • Unfortunately, event logs were gone when the kernel

started

  • If ExitBootServices() of EFI_BOOT_SERVICES was called, UEFI

firmware flushed them

NO!!!!

  • It meant we had to save event logs into somewhere and retrieved

them with a kernel module!

We needed a custom BOOTLOADER! SOMETHING WRONG!

Custom Bootloader v1

  • Custom bootloader is based on GRUB2 of Coreboot
  • GRUB2 of Coreboot has a wrapper of EFI TCG2 protocol - We did not need to make the custom bootloader from scratch
  • We added a new feature to extract event logs from UEFI firmware
  • Custom bootloader gets event logs with GetEventLogs() of EFI_ TCG2_PROTOCOL
  • Custom bootloader parses and saves them into 0x80000

Crypt Agile Log Format Event Log Header Event Log #1 Event Log #2 Event Log #3 Event Log #4 Event Log #5 ... Event Log #N

2) Save event logs into 0x80000 (memmap=64K$0x80000)

  1. Load event logs from 0x80000 and dump them into a kernel log file

UEFI

Shim Bootloader

Custom Bootloader v1

Linux Kernel

Kernel Module

Replay Tool

  1. EFI_TCG2_PROTOCOL.GetEventLogs()

  2. Replay hashes to a TPM

Analysis of UEFI Event Logs

  • UEFI firmware extended Secure Boot data to PCR #7
  • Secure Boot flag, platform key (PK), key exchange key (KEK), signature database (db), forbidden signature database (dbx)
  • Certificate used to verify a bootloader's signature
  • UEFI firmware extended nothing to PCR #11
  • PCR #11 was all 0 values! We needed a hash of the certificate in UEFI variables!

2-1) Microsoft Windows Production PCA 2011

UEFI Firmware

2-2) Microsoft Corporation UEFI CA 2011

  1. Vendor's PK, KEK, db, dbx, and Secure Boot flag (Always same)

Linux Boot Manager (Shim.efi + Grub.efi)

Window Boot Manager (Bootmgfw.efi)

Unseal

TPM

Unseal

Final PCR #07 of 2-1: 257B1024...

Window Boot Manager (Bootmgfw.efi)

Final PCR #07 of 2-2:DEADBEEF...

Get Hashes from Windows Logs

  • Microsoft Windows Production PCA 2011 is everywhere!
  • UEFI firmware that supports Secure Boot has it - So, we could get it from other PCs like coworker's PC!
  • Windows OS saves all measurement logs
  • The logs are in the c:\Windows\Logs\MeasuredBoot directory - We could read them using Microsoft's TPM Platform Crypto- Provider (PCP) Toolkit! - ex) PCPTool GetLog

SHA256 hash of the certificate variable: 30bf464ee37f1bc0c7b1a5bf25eced275347c3ab1492d5623ae9f7663be07dd5

Unseal VMK with a TPM (1)

  • Unsealing is not performed in a single TPM command!
  • Several commands and parameters are needed!
  • TPM2_Load(): Loads encrypted private and public data of the VMK object with a handle used for sealing
  • TPM2_StartAuthSession(): Starts a new session for unsealing - TPM2_PolicyAuthorize(): Allows to change a policy of a session handle - TPM2_PolicyPCR(): Sets PCR-based policy to a session - TPM2_Unseal(): Unseals the VMK with the loaded VMK handle and the session handle

Unseal VMK with a TPM (2)

  • Fortunately, all parameters of TPM commands were static!
  • Because Windows Boot Manager (bootmgfw.efi) was the first application after UEFI firmware - All parameters started from the base index.
  • If we got the parameters, we could reuse them FOREVER!
  • How to get the parameters of each command?
  • Reverse engineering of Bootmgfw.efi? - Possible. However, we did not have much time!

Custom Bootloader v2

  • We added hooks to the TPM protocol of UEFI firmware
  • Custom bootloader v2 hooks functions of EFI_TCG_PROTOCOL like HashLogExtendEvent() and SubmitCommand()
  • Custom bootloader v2 dumps all TPM commands
  • GRUB2 has a chainloader feature that can load another bootloader - Boot sequence changes to UEFI firmware Shim.efi grub.efi Bootmgfw.efi - Hooks of TPM protocol dumps all commands and executes original functions

UEFI

Shim Bootloader

Custom Bootloader v2

Windows Boot Manager (Bootmgfw.efi)

Original EFI_TCG_PROTOCOL GetCapability GetEventLog HashLogExtendEvent SubmitCommand GetActivatePcrBanks SetActivatePcrBanks GetResultOfSetActive PcrBanks

Dump parameters and execute Dump results and return

Hooked EFI_TCG_PROTOCOL GetCapability GetEventLog HashLogExtendEvent SubmitCommand GetActivatePcrBanks SetActivatePcrBanks GetResultOfSetActive PcrBanks

TPM2_Load() TPM2_StartSession() TPM2_PolicyAuthorize() TPM2_PolicyPCR() TPM2_Unseal()

TPM2_Load command (0x157) Handle used for sealing VMK (0x81000001) Public data of sealed VMK object Private data of sealed VMK object Result code (success) Loaded handle of sealed VMK object (0x80000001)

TPM2_StartAuthSession (0x176) Handles for protecting new session (RH_NULL, 0x40000007) SHA256 of nonce for new session Result code (success) New session handle (0x03000000)

TPM2_PolicyAuthorize (0x16b) Session handle (0x03000000) Result code (success) TPM2_PolicyPCR (0x17f) Session handle (0x03000000) Policy digest and bitmap (PCR #7, #11) Result code (TPM_RC_VALUE)

TPM2_Unseal (0x15e) Loaded handle of sealed VMK (0x80000001) Session handle (0x03000000)

TPM2_Unseal (0x15e) Loaded handle of sealed VMK (0x80000001) Session handle (0x03000000) Result code (success) VMK of BitLocker!!

Get Parameters from BitLocker's Metadata (1)

  • BitLocker saved parameters into its metadata area

  • A TPM-encoded VMK blob in metadata had essential data we needed! - We could get BitLocker's metadata with a well-known tool, Dislocker!

  • Could we extract the VMK from other PCs? YES!!

  • If the PC had the TPM vulnerability, we could get it!

YA!!

SPEAKER!!

Get Parameters from BitLocker's Metadata (2) Public and private data of sealed VMK for TPM2_Load Policy digest and PCR bitmap for TPM2_PolicyPCR

We got the last piece of the puzzle

  • We finally....
  • Reset a dTPM and fTPM - Got normal hashes and replayed them to the TPM - Got a TPM-encoded VMK blob and sent it to the exploited TPM - Extracted the VMK from the exploited TPM YA!!!

I GOT YOU!!

VMK of BitLocker!!

Contents

  • Background - Subverting TPMs with One Vulnerability - Subverting Microsoft's BitLocker - BitLeaker Design and Implementation - Demo and Conclusion

BitLeaker?

  • Is a new tool to get your data back!
  • It can decrypt the BitLocker-locked partition with the sleep mode vulnerability

1 0

1

0

1 0

1 0

1 0

1 11

0

1 1

0 1

1 1 0 1 1 1

0 1 0 1 0 1

1 0 1 0 1 0

  • Consists of several parts we made and customized
  • BitLeaker bootloader, BitLeaker kernel module, BitLeaker launcher, and Customized Dislocker

Project Link: https://github.com/kkamagui/bitleaker

BitLeaker Bootloader

  • Is the custom bootloader v2 we made!
  • Dumps event logs from UEFI firmware and saves them into RAM
  • It saves event types, PCR numbers, and hashes into 0x80000 - BitLeaker kernel module uses the data
  • Dumps all TPM commands of BitLocker
  • It hooks EFI_TCG2_PROTOCOL of UEFI firmware and loads the Windows boot manager, bootmgfw.efi
  • It shows all TPM commands on the screen

BitLeaker Kernel Module

  • Exploits the sleep mode vulnerability
  • It changes tpm_pm_suspend() function to NULL function - When the system wakes up from sleep mode, TPM is reset
  • Dumps event types, PCR numbers, and hashes of BitLeaker bootloader into a kernel log file
  • It reads data of BitLeaker bootloader from 0x80000 and saves them to a kernel log file (kmsg)
  • BitLeaker launcher uses the data

BitLeaker Launcher

  • Loads BitLeaker kernel module and exploits a TPM
  • After exploiting, it replays hashes related to PCR #7 and #11
  • Extracts the VMK and mounts a BitLocker-locked partition
  • It gets a TPM-encoded blob with customized Dislocker - Dislocker extracts the blob from BitLocker's metadata area
  • It sends TPM commands with the blob and extracts the VMK - It mounts a BitLocker-locked partition with the customized Dislocker

Customized TPM2-Tools and Dislocker

  • Customized TPM2-Tools v1.0
  • Can send SHA256 hashes and TPM commands to a TPM - We added those features to the TPM2-Tools v1.0
  • Customized Dislocker
  • Can load the VMK directly and mount a BitLocker-locked partition - We added the feature and contributed it to the Dislocker project
  • Aorimn/dislocker#182

BitLeaker and USB Bootable Device

1 0 1 0 1 0

1 1 0 1 1 1

0 1 0 1 0 1

1 1 0 1 1 1

0 1

1 0

01

10

0 1

1 0

Ubuntu 18.04 +BitLeaker Bootloader BitLeaker Kernel Module

  • BitLeaker Launcher + Customized TPM2-Tools ++Customized Dislocker BitLeaker Bootable USB

Model Intel NUC8i7HVK Intel NUC5i5MYHE HP EliteDesk 800 G4 Dell Optiplex 7060 ASUS Q170M-C ASUS PRIME Z390-A ASRock Z390 Extreme GIGABYTE AORUS Z390 Elite GIGABYTE Z370-HD3 MSI MAG Z390M MORTAR

Status Vulnerable Vulnerable Safe Safe Vulnerable Safe Safe Safe Safe Safe

Vendor Intel Intel HP

BIOS Version J68196-503 MYBDWi5v.86A. 0055.2019.0820 .1505 Q21

Dell American Megatrends Inc. American Megatrends Inc. ASRock American Megatrends Inc. American Megatrends Inc. American Megatrends Inc.

1.4.2 4212 1302 P4.20 F8 F13 1.50

Release Date 12/17/2018 08/20/2019 02/15/2019 06/11/2019 07/24/2019 09/02/2019 07/29/2019 06/05/2019 08/13/2019 08/08/2019

The versTiPoMn we found

Manutfhacetuvreur lneVreanbdoilritSyt!ring

Intel Corporation (fTPM)

Intel

Infineon (IFX) (dTPM)

SLB9665

Infineon (IFX) (dTPM) NTC (dTPM) Infineon (IFX) (dTPM) Intel Corporation (fTPM) Intel Corporation (fTPM) Intel Corporation (fTPM) Intel Corporation (fTPM) Intel Corporation (fTPM)

SLB9670 rls NPCT 75x SLB9665 Intel Intel Intel Intel Intel

DEMO BitLeaker v1.0

Conclusion and Black Hat Sound Bytes

  • One vulnerability can subvert the dTPM and fTPM with the ACPI S3 sleeping state
  • We found CVE-2018-6622, and fTPM also has the same vulnerability
  • BitLeaker can decrypt a BitLocker-locked partition
  • It extracts the VMK from TPMs and mounts the encrypted partition
  • Update your BIOS/UEFI firmware with the latest version!
  • If there is no patched firmware, use BitLocker with the PIN - Check your system with the latest Napper version
  • https://github.com/kkamagui/napper-for-tpm

Questions ? SPEAKER!! CONTRIBUTION! Project : https://github.com/kkamagui/bitleaker Contact: [email protected], @kkamagui1 [email protected], @DavePark312

Reference