BlackHat Asia 2019 presentation:
The complexity of x86-based systems has become so great that not even specialists can know everything. The recently discovered Meltdown/Spectre vulnerabilities, as well as numerous issues in Intel Management Engine, underscore the platform’s mindboggling intricacies. So, the chips manufacturer has to actively use of various means for manufacturing verification and post-silicon debugging. We found that modern Platform Controller Hub (PCH) and CPU contain a full-fledged logic signal analyzer, which allows monitoring the state of internal lines and buses in real time—a gold mine for researchers. A vulnerability previously discovered by us, INTEL-SA-00086, enabled studying this technology, which is called Intel Visualization of Internal Signals Architecture (VISA). We believe it is used for manufacturing line verification of chips. With an enormous number of settings, VISA allows for the creating of custom rules for capturing and analyzing signals. VISA documentation is subject to an NDA and not available to ordinary users. However, we will show how, with the help of publicly available methods, one can access all the might of this technology WITHOUT ANY HARDWARE MODIFICATIONS on publicly available motherboards. With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user yet are able to access certain critical data. In our talk, we will demonstrate how to read signals from PCH internal buses (for example, IOSF Primary and Side Band buses and Intel ME Front Side Bus) and other security-sensitive internal devices.