This website uses cookies to ensure you get the best experience on our website. Learn more

36C3 - Practical Cache Attacks from the Network and Bad Cat Puns - Russian (русский) translation

x

36C3 - Uncover, Understand, Own - Regaining Control Over Your AMD CPU





The AMD Platform Security Processor (PSP) is a dedicated ARM CPU inside your AMD processor and runs undocumented, proprietary firmware provided by AMD.

It is a processor inside your processor that you don't control. It is essential for system startup. In fact, in runs before the main processor is even started and is responsible for bootstrapping all other components.

This talk presents our efforts investigating the PSP internals and functionality and how you can better understand it.

Our talk is divided into three parts:

The first part covers the firmware structure of the PSP and how we analyzed this proprietary firmware. We will demonstrate how to extract and replace individual firmware components of the PSP and how to observe the PSP during boot.

The second part covers the functionality of the PSP and how it interacts with other components of the x86 CPU like the DRAM controller or System Management Unit (SMU). We will present our method to gain access to the, otherwise hidden, debug output.

The talk concludes with a security analysis of the PSP firmware.
We will demonstrate how to provide custom firmare to run on the PSP and introduce our toolchain that helps building custom applications for the PSP.

This talk documents the PSP firmware's proprietary filesystem and provides insights into reverse-engineering such a deeply embedded system. It further sheds light on how we might regain trust in AMD CPUs despite the delicate nature of the PSP.


Robert Buhren Alexander Eichner Christian Werling

x

36C3 - KTRW: The journey to build a debuggable iPhone - deutsche Übersetzung





Development-fused iPhones with hardware debugging features like JTAG are out of reach for many security researchers. This talk takes you along my journey to create a similar capability using off-the-shelf iPhones. We'll look at a way to break KTRR, a custom hardware mitigation Apple developed to prevent kernel patches, and use this capability to load a kernel extension that enables full-featured, single-step kernel debugging with LLDB on production iPhones.

This talk walks through the discovery of hardware debug registers on the iPhone X that enable low-level debugging of a CPU core at any time during its operation. By single-stepping execution of the reset vector, we can modify register state at key points to disable KTRR and remap the kernel as writable. I'll then describe how I used this capability to develop an iOS kext loader and a kernel extension called KTRW that can be used to debug the kernel with LLDB over USB.

Brandon Azad

x

Critical Decentralisation Cluster (36c3) Livestream - Saturday

Talk timestamps in the description.

The Critical Decentralisation Cluster on the Chaos Communication Congress (36C3) is an area and grouping of similar minded projects, which are offering workshops and host a space to critically discuss the future of decentralisation. The cluster on 36C3 is organised by RIAT and the Monero Community. We also host other assemblies in the categories Pri vacy & Anonymity, Coded Cultures and Open Hardware.




0:00:00 - 0:25:35 : Introduction / Funding models of FOSS (Diego Salazar)

0:25:52 - 0:52:28 : The sharp forks we follow (OmeGak)

0:53:33 - 1:27:16 : The Secret Truecrypt Audit from the BSI (Hanno Böck)

1:53:10 - 2:10:35 : P2P Trading in Cryptoanarchy / BISQ (m52go)

2:26:50 - 2:44:55 : Monero's Adaptive Blockweight Approach to Scaling (Francisco Cabañas)

2:48:19 - 3:20:46 : Nym (Harry Halpin)

3:24:20 - 3:54:58 : Digital Integrity of the Human Person (Alexis)

3:57:02 - 4:12:30 : cyber~Congress (Sergei)

4:24:05 - 4:36:30 : KYC & Crypto-AML Tools (polto)

4:45:40 - 5:15:50 : Parallel Polis, Temporary autonomous zones (Juraj Bednar)

5:46:15 - 6:12:10 : Mandelbot:HAB Open Source Ecotecture & Horizontalism (Scott Beibin)

6:16:50 - 6:46:40 : Adding Namecoin to Tor Browser (Jeremy Rand)

7:11:35 - 7:28:07 : Fair Data Society (Gregor Zavcer)

7:29:14 - 7:32:45 : Open Data PSI (vavoida)

7:33:28 - 8:01:52 : State of Secure Messaging: The Case for OTR (Sophia Celi)

8:10:42 - 8:46:15 : Building an (Actual) Alternative (Deanna MacDonald)
x

36C3 - HAL - The Open-Source Hardware Analyzer - deutsche Übersetzung



A dive into the foundations of hardware reverse engineering and our netlist analysis framework HAL

Since the Snowden revelations the fear of stealthy hardware manipulations is no longer regarded as far fetched.
This fear is also reflected in the massive discussions sparked by last year's Bloomberg allegations on a supposed hardware spy implant on Supermicro serverboards or the recent USA ban on Huawei telecommunication equipment.

Hardware reverse engineering (HRE) is a promising method to detect such manipulations or hidden backdoors.
However, HRE is a highly complex and cumbersome task.
It takes months of work as well as expensive equipment to even obtain the netlist of a chip, the equivalent to the binary in software reverse engineering (SRE).
In contrast to SRE where various paid or open-source tools for binary analysis exist, e.g., IDA Pro or Ghidra, in HRE simply no tool for netlist analysis were available - neither commercial, nor free.
To close this gap, researchers from the Ruhr University Bochum developed HAL, the first open-source netlist analysis framework.

In this talk, we start with a basic introduction into the challenges of HRE.
Then, we demonstrate the capabilities of HAL before giving a brief overview on our current research with HAL.

Hardware reverse engineering (HRE) is an important technique for analysts to understand the internals of a physical system.
Use cases range from recovering interface specifications of old chips, over detection of malicious manipulations or patent infringements, to straight up counterfeiting.
However, HRE is a notably complex and cumbersome task which consists of two phases:
In the first phase the netlist, i.e., circuit description of a chip, has to be extracted from the physical device.
Such a netlist is equivalent to the binary in software reverse engineering (SRE).
In the second phase, the analyst then processes the netlist in order to understand (parts of) its functionality.

However, obtaining a netlist from a chip can take several months and requires professional and costly equipment as well as expertise.
Even with a recovered netlist, understanding its functionality is an enormously challenging task.
This is partly due to the lack of proper tools for netlist analysis:
While in SRE various commercial or open-source tools for binary analysis exist, e.g., IDA Pro or Ghidra, in HRE simply no tool for netlist analysis was available, neither commercial, nor free.
To close this gap, researchers from the Embedded Security group of the Horst-Görtz Institute for IT-Security at the Ruhr University Bochum developed HAL, the first open-source netlist analysis framework.
Inspired by the modularity of its SRE equivalents, HAL can be extended through optimized C++ plugins or directly used as a Python library, while at the same time offering a GUI for explorative and interactive analysis.
The project is supposed to give hardware analysts a common platform for the development of new algorithms with a portable design, ultimately aiding both professionals in their daily work as well as researchers in their efforts to publish reproducible results.

In this talk, we will first introduce the foundations and main challenges of HRE, before giving a live demonstration of HAL and some of its capabilities on selected case studies.
We conclude the talk with a glimpse at our associated research at the university that spans both, technical research as well as cross-disciplinary work with psychologists.

Our talk requires only minimum prior knowledge on digital hardware.

Max Hoffmann

x

36C3 - Practical Cache Attacks from the Network and Bad Cat Puns - Russian (русский) translation





Our research shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With our attack called NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally, intended as a performance optimization in fast networks, we show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.

In this talk, we present the first security analysis of DDIO. Based on our analysis, we present NetCAT, the first network-based cache attack on the processor’s last-level cache of a remote machine. We show that NetCAT can break confidentiality of a SSH session from a third machine without any malicious software running on the remote server or client. The attacker machine does this by solely sending network packets to the remote server. netcat is also a famous utility that hackers and system administrators use to send information over the network. NetCAT is a pun on being able to read data from the network without cooperation from the other machine on the network. However, we received very mixed reactions on that pun. More details on this in the talk.

The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

Michael Kurth

36C3 - Practical Cache Attacks from the Network and Bad Cat Puns





Our research shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With our attack called NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally, intended as a performance optimization in fast networks, we show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.

In this talk, we present the first security analysis of DDIO. Based on our analysis, we present NetCAT, the first network-based cache attack on the processor’s last-level cache of a remote machine. We show that NetCAT can break confidentiality of a SSH session from a third machine without any malicious software running on the remote server or client. The attacker machine does this by solely sending network packets to the remote server. netcat is also a famous utility that hackers and system administrators use to send information over the network. NetCAT is a pun on being able to read data from the network without cooperation from the other machine on the network. However, we received very mixed reactions on that pun. More details on this in the talk.

The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

Michael Kurth

36C3 - Practical Cache Attacks from the Network and Bad Cat Puns - deutsche Übersetzung





Our research shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With our attack called NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally, intended as a performance optimization in fast networks, we show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.

In this talk, we present the first security analysis of DDIO. Based on our analysis, we present NetCAT, the first network-based cache attack on the processor’s last-level cache of a remote machine. We show that NetCAT can break confidentiality of a SSH session from a third machine without any malicious software running on the remote server or client. The attacker machine does this by solely sending network packets to the remote server. netcat is also a famous utility that hackers and system administrators use to send information over the network. NetCAT is a pun on being able to read data from the network without cooperation from the other machine on the network. However, we received very mixed reactions on that pun. More details on this in the talk.

The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

Michael Kurth

36C3 - phyphox: Using smartphone sensors for physics experiments - deutsche Übersetzung



An open source project for education, research and tinkering

Modern smartphones offer a whole range of sensors like magnetometers, accelerometers or gyroscopes. The open source app phyphox, developed at the RWTH Aachen University, repurposes these sensors as measuring instruments in physics education.

When put into a salad spinner, the phone can acquire the relation of centripetal acceleration and angular velocity. Its barometer can be used to measure the velocity of an elevator. And when using two phones, it is easy to determine the speed of sound with a very simple method.

In this talk, I will show these possibilities in demonstration experiments, discuss available sensors and their limitations and introduce interfaces to integrate phyphox into other projects.

In this talk, the developer of the app phyphox at the RWTH Aachen University will first introduce how sensors in smartphones can be used to enable experimentation and data acquisition in physics teaching with several demonstrations on stage. Available sensors and their limitations will be discussed along with interfaces allowing the integration of phyphox into other project, either as a means to access sensor data or to display data from other sources.

The app is open source under the GNU GPLv3 licence and available for Android (>=4.0) and iOS (>=8.0). It is designed around experiment configurations for physics education at school and university, allowing for a quick setup with a single tap. At the same time, these configurations may be modified by any user to set up customized sensor configurations along with data analysis and data visualization, defined in an XML format. These configurations are Turing complete and can easily be transferred via QR codes, so an experienced user (teacher) can create a specific configuration and allow less experienced users (students) to use it with ease.

Sebastian Staacks

36C3 - Warum die Card10 kein Medizinprodukt ist - english translation



Was müssen Medizinproduktehersteller einhalten (und was nicht)?

Es soll grundlegend erklärt werden, nach welchen Kriterien Medizinprodukte entwickelt werden. Dazu werden die wichtigsten Regularien (Gesetze, Normen, ...) vorgestellt die von den Medizinprodukteherstellern eingehalten werden müssen. Diese regeln, was die Hersteller umsetzen müssen (und was nicht).
Hier wird auch die Frage beantwortet, warum beispielsweise die Apple-Watch (oder genauer gesagt nur zwei Apps) ein Medizinprodukt sind aber die card10 nicht.



Dieser Vortrag gibt Antworten auf die folgenden Fragen:

Was ist denn überhaupt ein Medizinprodukt?
Was steht dazu im Gesetz?
Was haben Normen damit zu tun?
Was tun die Hersteller überlicherweise um diese Anforderungen umzusetzen?
Wie sieht ein typischer Entwicklungsprozess aus?
Wie sieht es mit Security und Safety aus?
Warum sind Innovationen so schwer?
Was passiert nach der Entwicklung?
Wer überwacht das alles?


Es wird Schwerpunktmäßig die EU betrachtet um die Dauer des Vortrags nicht zu sprengen.

Phil

36C3 - An ultrashort history of ultrafast imaging - deutsche Übersetzung



Featuring the shortest movies and the largest lasers

Did you ever wonder what happens in the time period it takes light to cross the diameter of your hair? This is the femtosecond, a millionth of a billionth of a second. It is the time scale of electron and nuclear motion, and therefore the most fundamental processes in atomic and molecular physics, chemistry and biology start here. In order to take movies with femtosecond time resolution, we need ultrafast cameras – flashes of light that act faster than any camera shutter ever could. And imaging ultrafast motion is only the first step: We aim to control dynamics on the femtosecond time scale, ultimately driving chemical reactions with light.

Investigating ultrafast processes is challenging. There simply are no cameras that would be fast enough to image a molecule in motion, so we need to rely on indirect measurements, for example by ultrashort light pulses. Such ultrashort pulses have been developed for several years and are widely applied in the study of ultrafast processes by, e.g., spectroscopy and diffraction. Depending on the specific needs of the investigation, they can be generated either in the laboratory or at the most powerful light sources that exist today, the x-ray free-electron lasers.

With ultrafast movies, a second idea comes into play: once we understand the dynamics of matter on the femtosecond time scale, we can use this knowledge to control ultrafast motion with tailored light pulses. This is promising as a means to trigger reactions that are otherwise not accessible.

In my talk, I will give a brief introduction to the rapidly developing field of ultrafast science. I will summarize main findings, imaging techniques and the generation of ultrashort pulses, both at lab-based light sources and large free-electron laser facilities. Finally, I will give an outlook on controlling ultrafast dynamics with light pulses, with the future goal of hacking chemical reactions.


Caroline

x

36C3 - Cryptography demystified



An introduction without maths

This talk will explain the basic building blocks of cryptography in a manner that will (hopefully) be understandable by everyone. The talk will not require any understanding of maths or computer science.
In particular, the talk will explain encryption, what it is and what it does, what it is not and what it doesn't do, and what other tools cryptography can offer.

This talk will explain the basic building blocks of cryptography in a manner that will (hopefully) be understandable by everyone, in particular by a non-technical audience. The talk will not require any understanding of maths or computer science.
This talk will cover the following topics:

What is encryption and what does it do?
What are the different kinds of encryption?
What is authenticity? Are authenticity and encryption related?
How can authenticity be achieved?
What are certificates for?
What is TLS and what does it do?

While covering the above topcis, I will not explain the technical details of common cryptographic schemes (like RSA, AES, HMAC and so on), in order to avoid keep this talk accessible to a broad audience.

oots

36C3 - Digitalisierte Migrationskontrolle



Von Handyauswertung, intelligenten Grenzen und Datentöpfen

Die sogenannten digitalen Assistenzsysteme des BAMF, „intelligente Grenzen“ in der EU und immer größer werdende Datenbanken: Wer ins Land kommt und bleiben darf, wird immer mehr von IT-Systemen bestimmt. Davon profitiert die Überwachungsindustrie, während Menschen von automatisierten Entscheidungen abhängig werden.

Deutschland hat in den letzten Jahren massiv in Technik investiert, um Asylverfahren zu digitalisieren. Biometrische Bilder mit Datenbanken abgleichen, Handys ausgelesen und analysieren, Sprache durch automatische Erkennungssysteme schleifen. Ganz abgesehen von der Blockchain, die alles noch besser machen soll. Doch nicht nur in Deutschland werden zum Zweck der Migrationskontrollen immer mehr Daten genutzt. In Norwegen werden Facebook-Profile Geflüchteter ausgewertet, in Dänemark sogar USB-Armbänder. Die Grenzagentur Frontex soll für „intelligente Grenzen“ sorgen, Datenbanken werden EU-weit ausgebaut und zusammengelegt. Rechtschutzmechanismen versagen größtenteils. Worum es dabei geht? Schnellere Abschiebungen. Wer davon profitiert? Die Überwachungsindustrie.

In Vorbereitung von Klageverfahren bringt die Gesellschaft für Freiheitsrechte e.V. (GFF) gemeinsam mit der Journalistin Anna Biselli im Laufe des Dezembers eine Studie heraus, die sich diesem Thema genauer widmet. Die Ergebnisse der Studie wollen Lea Beckmann und Anna Biselli gemeinsam vorstellen und kontextualisieren.

Anna Biselli ist Informatikerin und Journalistin und arbeitet seit Jahren zu Fragen der Digitalisierung von Migrationskontrolle.
Lea Beckmann ist Juristin und Verfahrenskoordinatorin der Gesellschaft für Freiheitsrechte e.V. (GFF). Die GFF ist eine NGO, die durch strategische Gerichtsverfahren Grund- und Menschenrechte stärkt und zivilgesellschaftliche Partnerorganisationen rechtlich unterstützt. In vielen ihrer Verfahren setzt sich die GFF dabei für Datenschutz und einen verantwortungsvollen Einsatz von Technologie und gegen Diskriminierung ein.

Anna Biselli Lea Beckmann

36C3 - From Managerial Feudalism to the Revolt of the Caring Classes - deutsche Übersetzung



David Graeber

One apparent paradox of the digitisation of work is that while productivity in manufacturing is skyrocketing, productivity in caring professions (health, education) is actually declining - sparking a global wave of labour struggle. Existing economic paradigms blind us to understanding how economies have come to be organised. We meed an entirely new discipline, based on a different set of values.



David Graeber

Live von der Open Infrastructure Stage zum #36c3

Shares

x

Check Also

x

Menu