
Tom Dohrmann – All Your Secrets Belong to Us: Leveraging Firmware Bugs to Break TEEs (PDF)

Uploaded by: 张**   ID: 175469   2024-09-13   58 pages   1.03 MB

#BHUSA BlackHatEvents
All Your Secrets Belong to Us: Leveraging Firmware Bugs to Break TEEs
Tom Dohrmann

whoami
Tom Dohrmann
Low-level enthusiast
Coding, Hacking

Outline
- Short Intro to TEEs and AMD SEV-SNP
- Prerequisites: Platform Security Processor & Firmware, Reverse Map Table
- Bug #1: Simple Exploit, Improved Exploit
- Bug #2: Exploit
- Wrap-up and take-aways

What's a TEE Anyway?
TEE = Trusted Execution Environment: a secure area of a main processor. Workloads are protected from conventionally privileged parts of an OS, e.g. the kernel. For a lot of applications, leakage of secrets is as bad as arbitrary code execution.
Many implementations: AMD SEV (-ES/-SNP), Intel SGX, Intel TDX, Arm TrustZone, Arm CCA, IBM SE, RISC-V CoVE, NVIDIA H100. See also "Compromising Confidential Compute, One Bug at a Time".

Very Short Intro to AMD SEV-SNP
AMD SEV-SNP implements a Trusted Execution Environment (TEE). It aims to shield protected virtual machines from untrusted and even malicious hypervisors. All data and code is encrypted and integrity protected. Upon creation of a VM, the initial memory contents are measured and can be verified through attestation reports.

Platform Security Processor (PSP)
The Platform Security Processor is a highly privileged component of AMD SoCs. In the context of SEV, the PSP implements the root of trust and is required to create, attest, migrate and delete SEV-SNP virtual machines. The SEV firmware is also used with SEV-SNP's predecessors, SEV and SEV-ES. The firmware can be live-updated. Parts of the firmware were published in August 2023.

Reverse Map Table (RMP)
The RMP is used to protect the integrity of memory. It contains an entry for every gues…

Summary
This talk describes how firmware bugs in AMD SEV-SNP can be used to break the Trusted Execution Environment (TEE). Its main points:
1. An introduction to the TEE concept and how AMD SEV-SNP implements it.
2. A detailed explanation of the roles of the Platform Security Processor (PSP) and the Reverse Map Table (RMP).
3. How two firmware bugs (CVE-2024-21980 and CVE-2024-21978) were found and exploited.
4. The first bug lets an attacker influence a protected virtual machine by modifying data in memory.
5. The second bug lets an attacker modify data in memory so that the firmware is tricked into using another virtual machine's encryption key.
6. A discussion of exploitation strategies for these bugs and how reusable they are.
7. A closing call for more research into TEE firmware and for as much transparency as possible at every layer.
Questions addressed by the report: How is a Reverse Map Table bug in AMD SEV-SNP exploited? How can encryption keys be obtained through AMD SEV-SNP's Guest Context Pages? How does bug #2 in AMD SEV-SNP enable an attack on other virtual machines?