Intel VISA: Through the Rabbit Hole

Presented at Black Hat Asia 2019, March 28, 2019, 2:15 p.m. (61 minutes).

The complexity of x86-based systems has become so great that not even specialists can know everything. The recently discovered Meltdown/Spectre vulnerabilities, as well as numerous issues in Intel Management Engine, underscore the platform's mindboggling intricacies. So, the chips manufacturer has to actively use of various means for manufacturing verification and post-silicon debugging.

We found that modern Platform Controller Hub (PCH) and CPU contain a full-fledged logic signal analyzer, which allows monitoring the state of internal lines and buses in real time—a gold mine for researchers. A vulnerability previously discovered by us, INTEL-SA-00086, enabled studying this technology, which is called Intel Visualization of Internal Signals Architecture (VISA). We believe it is used for manufacturing line verification of chips. With an enormous number of settings, VISA allows for the creating of custom rules for capturing and analyzing signals. VISA documentation is subject to an NDA and not available to ordinary users. However, we will show how, with the help of publicly available methods, one can access all the might of this technology WITHOUT ANY HARDWARE MODIFICATIONS on publicly available motherboards.

With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user yet are able to access certain critical data. In our talk, we will demonstrate how to read signals from PCH internal buses (for example, IOSF Primary and Side Band buses and Intel ME Front Side Bus) and other security-sensitive internal devices.


Presenters:

  • Maxim Goryachy - Security researcher, Positive Technologies
    Maxim Goryachy is a system and embedded programmer and security researcher at Positive Technologies. He is interested in cryptography, virtualization technologies, reverse engineering, and hardware. He has given talks at many conferences, such as Black Hat, Confidence, Hack In The Box and Chaos Communication Congress.
  • Mark Ermolov - Security researcher, Positive Technologies
    Mark Ermolov is a system programmer that is interested in security aspects of hardware, firmware, and low-level system software (bare-metal hypervisors, OSes cores, device drivers). He has had talks at BlackHat, HITB conferences. Some of his previous research was about internal structure of Microsoft PathGuard and ways to compromise it. Now, he is researching various hardware components of Intel platforms: PCH, IOSF, iGPU, and corresponding firmware.

Links:

Similar Presentations: