PCIe Device Attacks: Beyond DMA. Exploiting PCIe Switches, Messages and Errors

Presented at Black Hat USA 2021, Aug. 5, 2021, 3:20 p.m. (40 minutes)

PCIe is a high-speed peripheral IO bus standard used inside systems today to connect virtually all high-bandwidth peripherals such as graphics cards, FPGAs and Thunderbolt, and it is found on everything from servers to mobile and consumer electronics devices.

Most prior research on PCIe has focused on custom-designed malicious endpoint devices mounting DMA attacks against the host system. We will present a new class of threats and attacks that target the capabilities and features of PCIe switches instead of endpoint devices, and will discuss attacks possible using types of Transaction Layer Packets (TLPs) other than the memory and IO read/write TLPs commonly used in previously known attacks.

First, we will provide a high-level threat model overview of devices with the SRIOV (Single Root IO Virtualization) Extended PCIe capability enabled. Next, we will share details of how we are able to exploit switch features and debug capabilities to corrupt switch EEPROMs and cause platform-persistent DoS, inject crafted TLPs targeting other server platform components such as the baseboard management controller (BMC) to escalate privilege, and inject PCIe fatal errors to cause platform DoS; we will of course also discuss mitigations for the presented attacks. Finally, we shall demonstrate exploits targeting shipping products.

We hope that you will walk away with a better understanding of the breadth of the PCIe attack surface as well as of the importance of the potential mitigations.
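The abstract distinguishes the memory/IO read/write TLPs used by classic DMA attacks from the other TLP types (message TLPs such as error signaling, and configuration requests) that the talk targets. The following decoder is an added example, not code from the talk or from Intel: it parses the first header doublewords of a TLP as laid out in the PCIe Base Specification (Fmt/Type, Length, Requester ID, Tag, and for messages the Message Code and routing sub-field) and then applies an illustrative audit policy for a TLP arriving on a switch downstream port, i.e. travelling upstream from an untrusted device. The policy rules, the sample headers and the finding strings are constructed for illustration; the header layout and message codes follow the specification.

```python
"""Decode PCIe TLP headers and audit TLPs arriving from an untrusted downstream device.

Added example.  Header bit layout and Message Codes follow the PCIe Base Spec;
the audit policy in audit_upstream_tlp() is an illustrative assumption.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Type field for non-message TLPs -> (name without data, name with data).
# Fmt bit 1 (value 2) selects "with data", Fmt bit 0 (value 1) selects a 4DW header.
_REQ_NAMES = {
    0x00: ("MRd", "MWr"), 0x02: ("IORd", "IOWr"),
    0x04: ("CfgRd0", "CfgWr0"), 0x05: ("CfgRd1", "CfgWr1"), 0x0A: ("Cpl", "CplD"),
}
# Message Code (byte 7 of a message TLP header) -> message name.
MSG_CODES = {
    0x00: "Unlock", 0x10: "LTR", 0x12: "OBFF", 0x14: "PM_Active_State_Nak",
    0x18: "PM_PME", 0x19: "PME_Turn_Off", 0x1B: "PME_TO_Ack",
    0x20: "Assert_INTA", 0x21: "Assert_INTB", 0x22: "Assert_INTC", 0x23: "Assert_INTD",
    0x24: "Deassert_INTA", 0x25: "Deassert_INTB", 0x26: "Deassert_INTC", 0x27: "Deassert_INTD",
    0x30: "ERR_COR", 0x31: "ERR_NONFATAL", 0x33: "ERR_FATAL",
    0x50: "Set_Slot_Power_Limit", 0x7E: "Vendor_Defined_Type0", 0x7F: "Vendor_Defined_Type1",
}
# Low three bits of the Type field of a message TLP (Type = 1 0rrr).
ROUTING = {0: "to_root_complex", 1: "by_address", 2: "by_id",
           3: "broadcast_from_rc", 4: "local", 5: "gathered_to_rc"}
# Messages that only ever flow downstream (originated by the Root Complex / downstream port).
RC_ORIGINATED_MSGS = {"Unlock", "PME_Turn_Off", "Set_Slot_Power_Limit"}


@dataclass
class TLPHeader:
    kind: str                 # MRd, MWr, IORd, CfgRd0, Cpl, Msg, MsgD, ...
    has_data: bool
    length_dw: int            # payload length in doublewords (0 means 1024 for data TLPs)
    tc: int                   # traffic class
    requester_id: int         # bus:device.function of the originator
    tag: int
    msg_name: Optional[str] = None
    routing: Optional[str] = None


def decode_tlp_header(raw: bytes) -> TLPHeader:
    """Parse the 3DW or 4DW header at the start of a TLP (big-endian doublewords)."""
    if len(raw) < 12:
        raise ValueError("a TLP header is at least 3 DW (12 bytes)")
    dw0, dw1 = struct.unpack_from(">II", raw)
    fmt, ttype = dw0 >> 29, (dw0 >> 24) & 0x1F
    if fmt > 3:
        raise ValueError("TLP prefixes are not handled by this decoder")
    has_data, is_4dw = bool(fmt & 2), bool(fmt & 1)
    if is_4dw and len(raw) < 16:
        raise ValueError("4DW header truncated")
    common = dict(has_data=has_data, length_dw=dw0 & 0x3FF, tc=(dw0 >> 20) & 7,
                  requester_id=dw1 >> 16, tag=(dw1 >> 8) & 0xFF)
    if ttype & 0x10:                      # Message TLP: Type = 1 0rrr
        if not is_4dw:
            raise ValueError("message TLPs always use a 4DW header")
        code = dw1 & 0xFF
        return TLPHeader(kind="MsgD" if has_data else "Msg",
                         msg_name=MSG_CODES.get(code, f"Unknown_0x{code:02X}"),
                         routing=ROUTING.get(ttype & 7, "reserved"), **common)
    names = _REQ_NAMES.get(ttype)
    if names is None:
        raise ValueError(f"reserved or unsupported TLP type 0x{ttype:02X}")
    if is_4dw and ttype != 0x00:          # only memory requests may carry a 64-bit address
        raise ValueError(f"{names[has_data]} requests use a 3DW header")
    return TLPHeader(kind=names[has_data], **common)


def audit_upstream_tlp(raw: bytes) -> list:
    """Findings for a TLP received on a switch downstream port from an untrusted device.

    Illustrative policy (assumption): classify by TLP type and flag direction
    violations, error-signaling bursts and opaque vendor-defined messages.
    """
    hdr = decode_tlp_header(raw)
    findings = []
    if hdr.kind in ("MRd", "MWr"):
        findings.append("memory request: address-routed DMA, IOMMU/ACS policy applies")
    elif hdr.kind.startswith("Cfg"):
        findings.append("VIOLATION: configuration request from a device; only the Root Complex originates these")
    elif hdr.kind.startswith("IO"):
        findings.append("IO request: legacy IO-space access from a device")
    elif hdr.kind.startswith("Cpl"):
        findings.append("completion: verify Requester ID matches an outstanding request")
    else:
        findings.append(f"message {hdr.msg_name} routing={hdr.routing}: not address-routed, IOMMU never sees it")
        if hdr.routing == "broadcast_from_rc" or hdr.msg_name in RC_ORIGINATED_MSGS:
            findings.append("VIOLATION: downstream-only message travelling upstream")
        if hdr.msg_name.startswith("ERR_"):
            findings.append("error-signaling message: count per Requester ID, a burst of ERR_FATAL is a DoS indicator")
        if hdr.msg_name.startswith("Vendor_Defined"):
            findings.append("vendor-defined message with opaque payload: drop unless the port is trusted")
        if hdr.msg_name.startswith("Unknown"):
            findings.append("VIOLATION: unknown message code")
    return findings


# Constructed sample headers (Requester ID 0x0300 = bus 3, device 0, function 0).
ERR_FATAL_HDR = bytes.fromhex("30000000 03000033 00000000 00000000")   # Msg, routed to RC
MWR_HDR       = bytes.fromhex("40000001 0300050F 10000000")            # MWr, 32-bit address
VDM_HDR       = bytes.fromhex("72000001 0300007F 00001234 00000000")   # MsgD, vendor-defined type 1
CFGRD_HDR     = bytes.fromhex("04000001 0300000F 00000000")            # CfgRd0 from a device
UNLOCK_HDR    = bytes.fromhex("33000000 03000000 00000000 00000000")   # Unlock, broadcast routing

if __name__ == "__main__":
    for name, raw in [("ERR_FATAL", ERR_FATAL_HDR), ("MWr", MWR_HDR), ("VDM", VDM_HDR),
                      ("CfgRd0", CFGRD_HDR), ("Unlock", UNLOCK_HDR)]:
        print(name, decode_tlp_header(raw).kind, audit_upstream_tlp(raw))
```

The audit keys off the two fields a filtering switch port or an AER-aware monitor can read without any payload inspection: the Type field (messages are `1 0rrr`, so they are never subject to IOMMU address translation unless routed by address) and the Message Code. Direction checks catch messages the specification allows only the Root Complex to originate; per-requester counting of `ERR_*` messages gives a detection hook for the fatal-error DoS the abstract describes.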

Presenters:

  • Nam N Nguyen - Offensive Security Researcher, Intel Corporation
    Nam N Nguyen is a security researcher in the IPAS Offensive Security Research (OSR) team at Intel Corporation. He received his M.S. degree in Electrical Engineering from the University of Florida. His research focuses on Trusted Computing and Virtualization technologies for server platforms.
  • Nagaraju N Kodalapura - Offensive Security Researcher, Intel Corporation
    Nagaraju N Kodalapura is an Offensive Security Researcher who has worked at Intel Corporation for about 20 years and in the security research space for more than 10 years. He received his M.S. degree in Digital Design and Embedded Systems from Manipal University, India. He has 5 patents granted and 5+ research publications in IEEE and other renowned venues. He leads a team of security researchers focusing on Trusted Computing and Virtualization technologies for cloud/data-centric platforms within Intel's IPAS (Intel Product Assurance and Security) organization. You can reach Nagaraju on Twitter at https://twitter.com/HackFor_Good
  • Hareesh Khattri - Security Researcher, Intel Corporation
    Hareesh Khattri is a security researcher who has worked on Intel technologies since 2006. He received his M.S. degree in Electrical and Computer Engineering from North Dakota State University. Currently, his focus is on server platform security, and he leads the security hackathon team in the Intel IPAS Offensive Security Research (OSR) team. He is also a member of the technical committee organizing the industry hardware hacking competitions Hack@Dac and Hack@Sec.
