Uncategorized

pcie_injector – PCIe Injector Gateway – based on Xilinx Artix7 FPGA and FTDI USB FT601 chip

Latest commit: 2 days ago

PCIe Injector Gateware

The PCIe bus is now the main high speed communication bus between a processor and its peripherials. It is used in all PC (sometime encapsulated in Thunderbolt) and now even in mobile phones. Doing security research on PCIe systems can requires very expensive tools (>$50k) and packet generaration for such tools is not a common feature. PCIe Injector provides a such tool at a more reasonable price. Currently, only few attacks were made on PCIe devices. Most of them were done using a Microblaze inside a Xilinx FPGA to send/receive the TLPs, making it hard to really analyze. (Using embedded C software to generate/analyze traffic) An other way is to use USB3380 chip, but it is also not flexible enough (only supporting 32bits addressing) and does not allow debugging the PCIe state machine.

The PCIe injector is based on a Artix7 FPGA from Xilinx connected to a DDR3 and a high speed USB 3.0 FT601 chip from FTDI. It allows:
* Having a full control of the PCIe core.
* Sending/Receiving TLPs through USB 3.0 (or bufferize it to/from DDR3)
* Using flexible software/tools on the Host for receiving/generating/analyzing the TLPs. (Wireshark dissectors, scapy, …)

https://github.com/enjoy-digital/pcie_injector

http://www.enjoy-digital.fr/

http://pcisig.com/

Standard
Uncategorized

Sysdream article on using PCILeech to attack Windows

Nice article by Sysdream on using PCIleech to attack Windows DMA.

https://sysdream.com/news/lab/2017-12-22-windows-dma-attacks-gaining-system-shells-using-a-generic-patch/

Standard
Uncategorized

Qubes MSI support for PCI device pass-through with stub domains

MSI support for PCI device pass-through with stub domains
by Simon Gaiser
In this post, we will describe how we fixed MSI support for VMs running in HVM mode in Qubes 4.0. First, allow us to provide some background about the MSI feature and why we need it in the first place.[…]

https://www.qubes-os.org/news/2017/10/18/msi-support/

 

Standard
Uncategorized

Microsoft Windows DMA Guard

[…] New Bitlocker features in Windows 10, version 1507:
* DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
[…]

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security
https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage
https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies

Standard
Uncategorized

PCILeech 2.0 released

https://github.com/ufrisk/pcileech

 

Standard