CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to protect cyber espionage by KUNIYASU SUZAKI

National Institute of Advanced Industrial Science and Technology
DeviceDisEnabler: a lightweight
hypervisor which hides devices to
t t b i d t iprotect cyber espionage and tampering
Kuniyasu Suzakiy
Research Institute for Secure Systemsy
Research Institute
for Secure Systems
CodeBlue 2014, Tokyo, 19/December/2014

Who am I?Who am I?
• A researcher for computer security
N ti l I tit t f Ad d I d t i l S i d– National Institute of Advanced Industrial Science and
Technology (AIST)
– Research Institute for Secure Systems (RISEC)
Research Institute
for Secure Systems Here is my
office
C i• Current interests https://staff.aist.go.jp/k.suzaki/
– Security on hypervisor (finding vulnerability and
hardening OS security)hardening OS security)
– Whitelisting Security on control systems
– KNOPPIX Japanese version
2

OutlineOutline
C b i hi h hi h l i d i• Cyber espionage which uses high resolution devices on
mobile gadgets.
• DeviceDisEanbler: a hypervisor which hides devices
– Key management using TPM
• Expansion plan for DeviceDisEanbler
• DemoDemo
3

QuestionQuestion
• Do you know how many cameras in this room?y y
• Is there anyone who DOESN’T have a camera?• Is there anyone who DOESN T have a camera?
Legacy Digital Camera
Smart phone
Tablet
4
Laptop PC

5

Do you know how many devicesDo you know how many devices
included in a mobile gadget?
• Digital Camera
• Microphone, Speakerp , p
• GPS
• GyroscopeGyroscope
• etc. (Many sensors)
• It is not a long time ago that these devices are included in mobileIt is not a long time ago that these devices are included in mobile
gadgets.
– Around 2000, PDA(e.g., Palm Pilot, Apple Newton) did not, ( g , , pp )
have such devices. First iPod does not have a digital camera!
• CURRENT mobile gadgets are not traditional computers. They
are an aggregation of sensor devices.
6

D k th l ti f th d i ?Do you know the resolution of these devices?
• Digital camera
– More than 1M pixel.
Hi h l ti• Microphone, Speaker
– More than CD (44.1 kHz）
High resolution
devices are
t t f b
( ）
• GPS
Resolution is less than 10 m
target for cyber
espionarge.
– Resolution is less than 10 m.
• Gyroscope
S li i th 20 H– Sampling is more than 20 Hz.
7

Facial Reflection
KeyloggerKeylogger
[T.Fiebig, WOOT’14]
The front camera takesThe front camera takes
shot of user’s face (eye).
Put on a keyboardDetect thumbZooming
8
T.fiebig, j.krissler and r.hanesch, “Security Impact of High Resolution Smartphone Cameras" woot 2014.
https://www.usenix.org/conference/woot14/workshop-program/presentation/fiebig

Facial Reflection
KeyloggerKeylogger
[T.Fiebig, WOOT’14]
The front camera takesThe front camera takes
shot of user’s face (eye).
Put on a keyboardDetect thumbZooming
9
T.fiebig, j.krissler and r.hanesch, “Security Impact of High Resolution Smartphone Cameras" woot 2014.
https://www.usenix.org/conference/woot14/workshop-program/presentation/fiebig

Eavesdropping caused by GyroscopeEavesdropping caused by Gyroscope
• Gyroscope is not a microphone, but it turns to be a speech logger.y p p , p gg
• It is called Gyrophone [USENIX Security 14, BlackHat Europe 14].
– Merit: Access to microphone requires permission, but access to gyroscope
does not. It makes easy to use for cyber espionage.
– Problem: The sampling rate of gyroscope (20-200Hz) does not fit speech
(male 85 - 180 Hz female 165 - 255 Hz)(male 85 180 Hz, female 165 255 Hz).
– ALIASING helps to understand speech.
10
Y.Michalevsky, D.Boneh, and Gabi Nakibly, “Gyrophone: Recognizing Speech from Gyroscope Signals”,
https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/michalevsky

Eavesdropping caused by microphoneEavesdropping caused by microphone
• “Bundestrojaner” (Federal Trojan) had high impact on• Bundestrojaner (Federal Trojan) had high impact on
society.
• It is also named “R2D2” because the code has the string "C3PO-r2d2-POE"It is also named R2D2 because the code has the string C3PO r2d2 POE .
All dl th l R2D2 i t ll d b ffi• Allegedly, the malware R2D2 was installed by an officer
at a German Airport.
d k di i d d h d– R2D2 records Skype audio conversations and sends the data to a
remote website.
R2D2 di d b Ch C t Cl b (CCC) i 2011– R2D2 was discovered by Chaos Computer Club (CCC) in 2011.
• WikiLeaks says that German authorities ordered the cyber
i lespionage malware.
11

Malicious location tracking by GPSMalicious location tracking by GPS
• “Cerberus” and “mSpy” are normal applications (anti theft• Cerberus and mSpy are normal applications (anti-theft
application), but they are used to track employee.
• Japanese application named “karelog” (Boyfriend Log) was sold byJapanese application named karelog (Boyfriend Log) was sold by
the name of “GPS Control manager”, but it steals data of GPS
without permission.
– It became social a problem in Japan and the company had to terminate the
service.
12

Mobile gadgets are used in a restricted areaMobile gadgets are used in a restricted area.
• Mobile gadgets are commonly used in factories, meeting
rooms, hospitals, where treat important information.
• The administrator wants to prohibit devices which arep
not used for work.
– Devices are embedded in a mobile gadget and non-removable.g g
13Factory Meeting

Extra ThreatExtra Threat
• Not only attackers but also users (workers) want to use• Not only attackers but also users (workers) want to use
the devices on mobile gadgets.
• The users may circumvent countermeasures.
• Administrators have to deal with attackers as well as
workers.
14

Current CountermeasuresCurrent Countermeasures
S BIOS/EFI di bl d i• Some BIOS/EFI can disenable devices.
– It is useful, but all mobile gadgets do not
have such function.have such function.
Protect cap
• Security goods
p
Security seal (for a camera)
15
They depend on user’s conscience.

My ProposalMy Proposal
• “DeviceDisEnabler (DDE)”: a lightweight hypervisor( ) g g yp
which hides devices to protect cyber espionage and
tamperingtampering
• Features
i h i h d i bl i i OS1. Lightweight and insertable to an existing OS on many
mobile gadgets
2. Hiding PCI devices from an OS
3. Tamper resident (prevention of circumvention)p (p )
• The OS cannot boot without the DDE because a part
of the disk is encrypted by the DDEof the disk is encrypted by the DDE.
• The encryption key is hidden from the user. 16

Targets of DDETargets of DDE
• Mobile gadgets (Note PC, Tablet, etc.) with x86/AMD64
architecture CPU.
• DDE is developed on open source hypervisor “BitVisor”.p p yp
• http://www.bitvisor.org/
• DDE disenables PCI devices which are not used for work.
– Current implementation does not treat USB devices.
L t PC d f t ti t id f ffi T bl t d i h it l
Camera
Laptop PC used for presentation outside of a office Tablet used in hospital
Camera
Microphone GPS
Bluetooth
Gyroscope
17

Division of roles between DDE and OSDivision of roles between DDE and OS
• DDE manages physical devices• DDE manages physical devices.
– The DDE is independent of the OS and hides some physical
devices from the OSdevices from the OS.
• OS has responsibility for the user account.
DDE is independent of login a thentication– DDE is independent of login authentication.
• DDE’s Disk encryption is independent of the OS’s
tiencryption.
– The DDE’s Disk encryption can coexist with OS’s disk
ti ( Wi d ’ BitL k )encryption (e.g., Windows’s BitLocker).
18

(1) Insertable Hypervisor on an existing OS(1) Insertable Hypervisor on an existing OS
• Thin type-I (bare-metal) hypervisor
P th h hit t (BitVi [VEE’09])– Para-passthrough architecture (BitVisor[VEE’09])
• No Device Model. Guest OS can access devices directly.
Small Trusted Computing Base (TCB)– Small Trusted Computing Base (TCB)
• BitVisor does not require a host OS and makes a small TCB.
• DDE is inserted using chainload function of boot loader• DDE is inserted using chainload function of boot-loader.
Existing System BIOS
Applications
(User Space)
GRUB D i Di E bl
Go back to GRUB
Preinstalled OS
DeviceDisEnabler
(hypervisor) Insert at boot time
GRUB DeviceDisEnabler
(resides in memory)
chain loader
(hypervisor)
Hardware
19
NTLDR Windows
(Windows Bootloader)

(2) Hiding PCI devices from an OS(2) Hiding PCI devices from an OS
• A mobile gadget has many devices on PCI.
• Tool: PCI-Z
http://www pci z com/
(ThinkPad Helix)
– http://www.pci-z.com/
20

H OS i d i PCI
Device classes
How an OS recognizes a device on PCI
• An OS gets the information of devices on PCI from
“PCI configuration space”.g p
– The information includes Vendor ID, Device ID, and Device
Class Code, etc.
• Vendor ID and Device Class code are defined by PCI-SIG.
21

PCI Configuration SpacePCI Configuration Space
• PCI configuration space is the underlying way that the• PCI configuration space is the underlying way that the
Conventional PCI, PCI-X, and PCI Express perform
auto configuration of the devicesauto configuration of the devices.
• PCI configuration space has 2 registers (I/O ports).
1. PCI Address Register I/O port: 0x0cf8
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 09 08 07 06 05 04 03 02 01 00
E
N
Reserved Bus No Dev No Fun No Register Address 0 0 0x00
2. PCI Configuration Register I/O port: 0x0cfc
22

PCI Configuration RegisterPCI Configuration Register
• I/O port: 0x0cfc
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 09 08 07 06 05 04 03 02 01 00
Device ID Vendor ID 0x00
Device Status Device Control 0x04
p
Device Status Device Control 0x04
Class Code Revision ID 0x08
Header Type 0x0c
Base Address 0 0x10
Base Address 1 0x14
Base Address 2 0x18
Base Address 3 0x1c
Base Address 4 0x20Base Address 4 0x20
Base Address 5 0x24
0x28
Subsystem ID Subsystem Vendor ID 0x2c
0x30
Reserved 0x34
Reserved 0x38
Interrupt Pin Interrupt Line 0x3cp p
Undefined
0x40
～
0xfc 23

Device recognition of Normal OSDevice recognition of Normal OS
• In order to get device information on the PCI, the OS accesses to the
I/O (PCI fi i i )I/O ports (PCI configuration register).
• The OS running on Intel CPU uses I/O instructions (i.e., IN or
OUT) to access the I/O portsOUT) to access the I/O ports.
OS
Visible devices from OS Invisible devices from OS
OS recognizes no device.
CVideo
Vendor ID #8086 #0101 #04A9 #1033 #FFFFF
Device ID #0013 #0024 #5031 #7623 #FFFFF
24
Disk GPSCPU Mem LAN CameraVideo
Card
???
PCI Configuration Register

DDE hides devices (1/2)DDE hides devices. (1/2)
• The DDE inter enes in I/O operations sing Intel&AMD• The DDE intervenes in I/O operations using Intel&AMD
virtualization architecture.
A I/O i t ti (i IN OUT) i d b th OS i t d– An I/O instruction (i.e., IN or OUT) issued by the OS is trapped
by Intel&AMD virtualization. Then the control is transferred to
the hypervisor(DDE)the hypervisor(DDE).
• When an I/O instruction is issued to PCI configuration
space the DDE checks the contentsspace, the DDE checks the contents.
25

DDE hides devices (2/2)DDE hides devices. (2/2)
• If the DDE found the PCI configuration Register for the device that must be hidden,
the DDE replaces the Vendor ID and Device ID with “#FFFF”.the DDE replaces the Vendor ID and Device ID with #FFFF .
• The OS recognizes that there is no device, and the device is not used.
– This effect is same to the hiding by BIOS.
OS
Invisible devices
from OS
Visible devices
from OS
Vendor ID  #8086        #0101 #FFFF           #FFFF
Hypervisor
DeviceDisEnabler Decryption
Device ID   #0013        #0024          #FFFF           #FFFF
Vendor ID  #8086        #0101 #04A9           #1033
Device ID   #0013        #0024          #5031            #7623
Video
26
Encrypted
Disk
GPSCPU Mem LAN Camera
Video
Card
PCI Configuration register

Hidden device by DDEHidden device by DDE
• DDE has 2 types to hide devices.
F d t d i (V d ID d D i ID)– For a product device (Vendor ID and Device ID)
• It does not mean an individual device. It means a certain product.
– For a category (defined by PCI device class code)
Class code Class Name
0x00 Unclassified device
0x01 Mass storage controller
0x02 Network controller
0 03 Di l t ll
Vendor ID Vendor name
0x05ac Apple, Inc.
0x04B3 IBM
0 1010 Vid L i Ltd 0x03 Display controller
0x04 Multimedia controller
0x05 Memory controller
0x06 Bridge
0x07 Communication controller
0x1010 Video Logic Ltd.
0x104D Sony Corporation
0x1061 8x8 Inc.
0x106B Apple Inc.
0 13B5 ARM L d 0x08 Generic system peripheral
0x09 Input device controller
0x0a Docking station
0x0b Processor
0x0c Serial bus controller
0x13B5 ARM Ltd
0x12E1 Nintendo Co. Ltd.
0x13B5 ARM Ltd
0x15AD VMware Inc.
h i l i i f d 0x0d Wireless controller
0x0e Intelligent controller
0x0f Satellite communications controller
0x10 Encryption controller
0x11 Signal processing controller
0x15C6 Technical University Of Budapest
0x8086 Intel Corporation
0x8087 Intel
0xA304 Sony
27
0x11 Signal processing controller
0x12 Processing accelerators
0x13 Non-Essential Instrumentation
0xff Unassigned class
0xF5F5 F5 Networks Inc.

(3) Tamper resident (prevention of circumvention)(3) Tamper resident (prevention of circumvention)
• Unfort natel e can't r le o t the possibilit that• Unfortunately, we can't rule out the possibility that
users try to bypass the DDE because they want to use
the devicesthe devices.
• DDE’s countermeasure
– The DDE encrypts a part of the disk and tries to make
impossible to boot the OS without the DDE.
• Problem
– However, it is not easy to stop booting OS (Windows) using
28
However, it is not easy to stop booting OS (Windows) using
simple disk-block encryption.

Difficulty to stop booting OSDifficulty to stop booting OS
• BitVisor (the base of DDE) has a function to encrypt a( ) yp
region (blocks) of hard-disk.
– It is useful to protect the data when the disk is stolen.p
• Unfortunately, BitVisor’s encryption is not applied to a
whole partition of Windows because a part of the bootwhole partition of Windows because a part of the boot
sequence can access the disk without a hypervisor.
– Maybe the booting of a kernel uses BIOS to access the diskMaybe, the booting of a kernel uses BIOS to access the disk.
BitVisor cannot intercept the BIOS’s disk access.
– Even if the DDE decrypts the partition correctly, OS cannotyp p y,
boot.
• (Note) If I can use Linux, I can separate the disk image into 2 partitions: miniroot and
tFS Th i i t i d f b ti Li k l d tFS i d f tirootFS. The miniroot is used for booting Linux kernel and rootFS is used for mounting
root file system. The DDE encrypts the partition of rootFS and stops the booting of the
Linux properly. 29

Stop Windows bootingStop Windows booting
• I give up stopping kernel booting. I tried to stop the boot sequence in
user space.
• I analyzed the boot sequence in user space of Windows, and tried to
fil hi h d d b i dencrypt a file which was needed to boot Windows.
• I chose “smss.exe” file to be encrypted by the DDE.
If h fil i d d b h DDE Wi d d ’ b l– If the file is not decrypted by the DDE, Windows don’t not boot properly.
30

Finding blocks allocated for a fileFinding blocks allocated for a file
• (Problem) It is not easy to find disk-blocks allocated for(Problem) It is not easy to find disk blocks allocated for
a file on NTFS.
– I used a tool offered by Mark RoddyI used a tool offered by Mark Roddy.
• getFileExtents.exe
• http://www.wd-3.com/archive/luserland.htm
– The getFileExtents worked well in Windows7. However,
Windows8 has a harder security mechanism and the
getFileExtents does not work well.
• Hander “initFileTranslation” is not available in Windows 8.
F i d 8 I k di k i h “dd” d d– For windows8, I make a disk copy with “dd” command and
mount the disk image on Window7. It makes possible to find
disk-blocks for a file using getFileExtentsdisk-blocks for a file using getFileExtents.
31

Stop Window boot by DDEStop Window boot by DDE
Windows cannot boot
Windows because the file used for
booting is not decrypted.
Hypervisor
If the DDE is removed, …
Hypervisor
DeviceDisEnabler
Decryption
File used for This file is This file isFile used for
booting
smss.exe
This file is
encrypted by
DDE.
This file is
encrypted by
DDE.
booting
smss.exe
• It makes tamper resistance for the DDE, but …
32

Struggle with recovery mechanismStruggle with recovery mechanism
• C rrent OS has automatic recovery mechanism• Current OS has automatic recovery mechanism.
– Automatic recovery mechanism can fix a broken file.
Wi d RE (R E i t)• e.g., Windows RE (Recovery Environment)
• On current implementation of DDE, administrator must halt
th h i i Wi d 8the recovery mechanism in Windows 8.
• This problem has not solved yet. However, the situation is
same to re-install attack.
– When a user tries to re-install the OS on the target machine, most
countermeasure mechanisms cannot prevent it.
33

Hiding an encryption keyHiding an encryption key
• The encryption key of DDE must be unknown to theThe encryption key of DDE must be unknown to the
user.
• Original BitVisor only includes the key in the binary• Original BitVisor only includes the key in the binary.
– Attacker can get the key by comparing the binaries of DDE.
DDE h h i hid h i k i• DDE has a mechanism to hide the encryption key in a
secure chip TPM (Trusted Platform Module).
– It utilizes Trusted boot and TPM non-volatile storage.
34

Hiding encryption key in the TPM (1/3)Hiding encryption key in the TPM (1/3)
• TPM offers a mechanism of Trusted Boot. Trusted Boot measures
boot sequence and keeps the log. It makes possible to certify the
integrity of the boot sequence (i.e., Chain of Trust).
Th SHA 1 f h ( BIOS i h l b tl d t ) i t d– The SHA-1 of each sequence (e.g., BIOS, peripherals, bootloader, etc.) is stored
to a PCR (Platform Configuration Register) in a TPM with “extend” operation.
• PCR=SHA-1(PCR + SHA-1(Component))
– It means that PCR shows the stage of the boot sequence.
I t it M t Option
Peripherals
CRTM TCG‐BIOS Boot Loader
(TrustedBRUB)
Integrity Measurement Option
ROMs
Hypervisor
(DDE) OS
TPM
Storing SHA‐1
l t PCR
PCR0
…
PCR23
Each PCR represents
a category of action.
35
value to PCR
Root of Trust
KEY
Extracting a disk
encryption key from TPM
at certain PCR’s values.

• In order to keep “Chain of Trust”, each component must
have a function to measure next component.
– The mobile gadget must have TCG-BIOS as well as TPM.
– The boot loader must support measurement function.
• Trusted GRUB http://sourceforge.net/projects/trustedgrub
I t it M t Option
Peripherals
(TrustedBRUB)
ROMs
Hypervisor
(DDE) OS
TPM
Storing SHA‐1
l t PCR
PCR0
…
PCR23
Each PCR represents
36
value to PCR
Root of Trust
KEY
Extracting a disk

• The encryption key is stored to a TPM. It can be set to
extract at certain PCR values.
– If PCR values are changed (the binary of DDE is customized),
the key is not extracted.
• It means that the users MUST use the valid DDE.
I t it M t Option
Peripherals
(TrustedBRUB)
ROMs
Hypervisor
(DDE) OS
TPM
Storing SHA‐1
l t PCR
PCR0
…
PCR23
Each PCR represents
37
value to PCR
Root of Trust
KEY
Extracting a disk

Chain of TrustChain of Trust
• Boot sequence in ThinkPad HelixBoot sequence in ThinkPad Helix
– Software and devices used in the boot sequence are measured in a TPM.
• PCR=SHA-1(PCR + SHA-1(Component))
0 4b81c044c1472a34c73da87d7ad3a64ba62e9047 08 [S-CRTM Version]
6 fcad787f7771637d659638d92b5eee9385b3d7b9 05 [Wake Event 6]
PCR SHA1 Event
↓ ↓ ↓
0 8841e9e7d8eb4c753d2ef7dc9f89a07c756cb30b 07 [S-CRTM Contents]
0 3d9766e45814d6374d9a85aa519071dc82574017 01 [POST CODE]
1 b83f6c64a1727add477a94874f3f11f29d531c47 09 [CPU Microcode]
4 9069ca78e7450a285173431b3e52c5c25299e473 04 []
2 199804c152f10535cd88f8f5d607ae55e9e2f3ef 06 [Option ROM]
5 cd0fdb4531a6ec41be2753ba042637d6e5f7f256 80000007 []
Each PCR represents a
category of action. 5 cd0fdb4531a6ec41be2753ba042637d6e5f7f256 80000007 []
0 afbf30b554a35d0ba6a469934d35cf9f58eec6af 80000009 []
1 8de522ea7b732f0bf261ed931245c5c7e75fedbb 80000009 []
0 9069ca78e7450a285173431b3e52c5c25299e473 04 []
1 9069ca78e7450a285173431b3e52c5c25299e473 04 []
2 9069ca78e7450a285173431b3e52c5c25299e473 04 []
3 9069 78 7450 285173431b3 52 5 25299 473 04 []
g y
3 9069ca78e7450a285173431b3e52c5c25299e473 04 []
5 9069ca78e7450a285173431b3e52c5c25299e473 04 []
6 9069ca78e7450a285173431b3e52c5c25299e473 04 []
7 9069ca78e7450a285173431b3e52c5c25299e473 04 []
1 1f3c97f0b6d45a46ec1aa91e5868322dea94d76c 80000002 []
4 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f 05 [Calling INT 19h]
38
4 d564bb707b030e193fdd3ddae8818703225c49c3 05 [Booting BCV Hard
Disk]
4 f2e7a20ef1397308f937841b55040905ff7cabca 0d [IPL]
5 c358aaa78d400ad539f90d542e5519aa4e403714 0e [IPL Partition Data]
4 e479a239ff8d17b2391782a86e19ca873ec6536c 0d [IPL]

TPM non volatile storageTPM non-volatile storage
• TPM has storage system named “TPM non-volatileTPM has storage system named TPM non volatile
storage”, which allows access when PCRs has certain
values.values.
• The disk encryption key of DDE is stored on the
storage which prevents the circumvention of DDEstorage, which prevents the circumvention of DDE.
– PCR values are changed when the binary of DDE is
customized The encryption key in the TPM is not exposedcustomized. The encryption key in the TPM is not exposed.
R f• Reference
– TPM Main Part 3 Commands, Specification Version 1.2, Level 2
Revision 116, 1 March 2011,
http://www.trustedcomputinggroup.org/files/static_page_files/72C33D71-1A4B-B294-D02C7DF86630BE7C/TPM_Main-Part_3_Commands_v1.2_rev116_01032011.pdf
39

I t f f TPM l til tInterface of TPM non-volatile storage
• The “TPM non-volatile storage” is accessed by the API
offered by TCG-BIOS.
API of TCG BIOS Description
TPM NV DefineSpace •API to reserve a region of TPM non volatile storageTPM_NV_DefineSpace •API to reserve a region of TPM non-volatile storage.
•The region has “index” number to access.
•The access can be limited by certain vales of PCRs.
TPM NV W it V l API t it d t t th TPM l til tTPM_NV_WriteValue •API to write data to the TPM non-volatile storage.
•The region is accessed when PCRs are same to
registered values.
TPM_NV_ReadValue •API to read data from the TPM non-volatile storage.
•The region is accessed when PCRs are same to
registered values.
40

Example of TPM non volatile storageExample of TPM non-volatile storage
• A region of TPM non-volatile storage has an index to access.
h i b d/ i h h h h f• The region can be read/written when the hash of PCR[0-7,12-14]
is the registered hash value.
On ThinkPad Helix
# tpm_nvinfo
NVRAM index : 0x00010016 (65558)
PCR read selection:
PCRs : 0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 14
Localities : 0x7
Hash : bcea2524269cafd359d69caa850e209481feeec4 Hash of values
PCRs to verify
Hash : bcea2524269cafd359d69caa850e209481feeec4
PCR write selection:
PCRs : 0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 14
Localities : 0x7
Hash of values
of PCRs
PCRs to verify
Hash : bcea2524269cafd359d69caa850e209481feeec4
Permissions : 0x00000000 ()
bReadSTClear : FALSE
bWriteSTClear : FALSE
Hash of values
of PCRs
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 32 (0x20)
41

Example of PCRs on TPMExample of PCRs on TPM
On ThinkPad Helix
Trusted GRUB uses PCR[12-14]
Original DDE
PCR 00: 27 CD 64 2F DA 95 EA 09 3B 8C AE BC 68 9F FA C7PCR-00: 27 CD 64 2F DA 95 EA 09 3B 8C AE BC 68 9F FA C7
2A 59 76 01
PCR-01: E2 60 C4 57 A9 DC 8B C1 3C 5D E8 23 9F 2B 6B 71
86 19 72 19
PCR-02: F2 E5 65 2A DC 7F 57 8A F0 89 9D F1 0F 6B AE A1
13 08 19 E2
PCR-03: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9
55 AD 72 36
PCR-04: AA C6 8F 43 8F 5C 23 4E BD 70 F7 46 7D 51 18 4E
BD A3 CA 55
PCR-05: 01 C2 F5 26 13 11 B9 6F 4B BF A4 39 14 AC CA 6B
CD A2 65 41
PCR[0-7, 12-14] are used to get the
encryption key from the TPM non- CD A2 65 41
PCR-06: EE 1B 0F 99 7D 75 17 B2 86 BC 9D 73 A4 CF 74 2C
65 A7 69 BE
PCR-07: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9
55 AD 72 36
PCR-08: 93 41 C4 1A 6D EA 42 08 65 16 B8 4B AF AF 48 3C
CD 96 36 91
PCR[0-7] are used to certify the true
yp y
volatile storage.
CD 96 36 91
PCR-09: 1B 60 78 EA 42 8E FA 3A 2A D2 A9 7E 22 04 90 7C
1A E6 33 A9
PCR-10: 3D C7 DF C4 CB B0 EC D3 9F B2 75 14 4B 41 E0 42
52 AF C1 17
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR[12-14] are changed when the
DDE is customized
boot sequence before Trusted GRUB.
42
00 00 00 00
PCR-12: 98 CB C3 5A 43 22 54 CB CB DD E6 04 30 B1 89 D9
54 E4 E7 F8
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00
PCR-14: FB 17 F0 8C C8 E0 1F D6 8B 96 62 14 63 54 70 A4
DDE is customized.

Failing the bootFailing the boot
• If the DDE is c stomi ed it fails to get the encr ption• If the DDE is customized, it fails to get the encryption
key from TPM non-volatile storage.
43

Current ImplementationCurrent Implementation
• C rrent DDE is applied to laptop PC and tablet hich• Current DDE is applied to laptop PC and tablet which
satisfy the following requirements.
86/AMD64 hit t CPU– x86/AMD64 architecture CPU
– DDE uses128MB memory.
TPM 1 2– TPM 1.2
– TCG BIOS (Current DDE does not support EFI.)
– Only PCI devices are controlled.
– OS independent (I have tried Windows 7,8, and Linux)
44

Expansion plan for DeviceDisEanblerExpansion plan for DeviceDisEanbler
• Apply to widely used mobile gadgets.
– Atom CPUAtom CPU
– ARM CPU
• Apply to mobile gadgets without TPM• Apply to mobile gadgets without TPM
45

Mobile gadgets with Atom CPUMobile gadgets with Atom CPU
• Current DeviceDisEnabler can be applied However• Current DeviceDisEnabler can be applied. However, …
• Virtualization may be trouble in Mobile gadgets with
At CPUAtom CPU.
– Atom CPU has virtualization, but the BIOS/EFI disables the
virtualization in many mobile gadgetsvirtualization in many mobile gadgets.
– Some home pages tell methods to enable virtualization.
TPM i t b dd d• TPM is not embedded.
– It is not clear that the BIOS is based on TCG-BIOS.
– EFI is not supported by current DeviceDisEnabler
• Example：MS Surface
46

Mobile gadgets with ARM CPUMobile gadgets with ARM CPU
• Lack of a hypervisor for ARM was a problem, but …
– ARM’s virtualization extension
• ARM Architecture Virtualization Extension and Large Physical Address
E i （LPAE） i d dExtension（LPAE）are introduced.
– Development DeviceDisEabler for ARM.
• Xen 4 4(official support from 2014 3 10) ARM/KVM Xvisor etc We• Xen 4.4(official support from 2014.3.10), ARM/KVM, Xvisor etc. We
will plan to develop DeviceDisEabler based on these hypervisors.
• Less TPM supportpp
– Exception：Samsung Chromebook2 has a TPM. It is not clear it supports TCG-
BIOS.
• Possibility of Installation
– Bootloader is not supported as PC environment.
47

Without TPMWithout TPM
1. Network download
– Easy to implement, but it requires Internet connection as
ChromeOS.
2. Embedded an encryption key using code obfuscation
– We can use White-box cryptography and other obfuscation
techniques, but they are theoretically breakable.
cipher textkey cipher text
Traditional White-box cryptography
48plain text plain text

Demo VideoDemo Video
Th ki d f b ti• Three kinds of booting
– Standalone boot of Windows8
• smss.exe is encrypted by the DDE and it fails to boot.
– Customized DDE
I h i k d f il b• It cannot get the encryption key and fails to boot.
– DDE and Windows8
• It works well• It works well.
!Just Fun!
49

Trusted GRUB has 3 boot options • Windows 8
• Hacked DDE (Customized DeviceDisEnabler)( )
• DDE
50

ConclusionConclusion
• High-resolution devices on mobile gadgets may be used for
cyber espionagecyber espionage.
– Administrators want to disenable unnecessary devices on their working
place.
• I proposed a thin hypervisor “DeviceDisEnabler” which hides
devices from an OS.
D i Di E bl h i h i hi h• DeviceDisEnabler has a tamper resistance mechanism which
uses a. TPM. It prevents the circumvention caused by users.
–
• As future work
– Supporting EFI boot (for Microsoft Surface)Supporting EFI boot (for Microsoft Surface).
– Hiding USB device.
– Supporting ARM CPU. 51

Special ThanksSpecial Thanks
• Toshiki Yagi AIST• Toshiki Yagi, AIST
• Michitaka Yoshimoto, AIST
• Kazukuni Kobara, AIST
• Developers for BitVisor
http://www bitvisor org/– http://www.bitvisor.org/
52

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to protect cyber espionage by KUNIYASU SUZAKI

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (11)

Similar to CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to protect cyber espionage by KUNIYASU SUZAKI

Similar to CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to protect cyber espionage by KUNIYASU SUZAKI (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (7)

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to protect cyber espionage by KUNIYASU SUZAKI