Joseph FitzPatrick

Trainer Name: Joseph FitzPatrick
Title: Applied Physical Attacks on X86 Systems

Duration: 2 days
Dates: 20th to 21st Sept 2016


This course introduces and explores attacks on several different, relatively accessible interfaces on x86 systems. Attendees will get hands-on experience implementing and deploying a number of low-cost hardware devices to enable access, privilege, and deception, which are in some cases imperceptible from software.

The course has several modules. Each begins with an architectural overview of an interface, followed by a series of labs for hands-on practice understanding, observing, interacting with, and exploiting the interface, ending either in potentially exploitable crashes or directly in root shells.

Depending on allotted time, topic interest, and class pace, not all topics will be covered completely, but all materials are included for reference and individual practice.


Course outline

Module 1: USB

  • Background: USB Architecture
    • USB Lab 1: Mapping out USB
    • USB Lab 2: Sniffing and Parsing USB
    • USB Lab 3: Attacking via USB
    • USB Lab 4: Fuzzing via USB

Module 2: BIOS and SPI

  • Background: Early Boot and SPI interface
    • SPI Lab 1: Dumping SPI from Software
    • SPI Lab 2: Sniffing and Parsing SPI
    • SPI Lab 3: Dumping SPI from Hardware
    • SPI Lab 4: Firmware Analysis

Module 3: SMBus

  • Background: Uses of SMBus in x86 systems
    • SMBus Lab 1: Mapping out SMBus
    • SMBus Lab 2: Sniffing and Parsing SMBus
    • SMBus Lab 3: Attacking SMBus as a Master
    • SMBus Lab 4: Attacking SMBus as a Slave

Module 4: PCIe

  • Background: PCIe Architecture and Topology
    • PCIe Lab 1: Hardware and Software Setup
    • PCIe Lab 2: Dumping and Analyzing Memory
    • PCIe Lab 3: Bypassing Authentication

Module 5: JTAG

  • Background: JTAG History and Purpose
    • JTAG Lab 1: Hardware and Software Setup
    • JTAG Lab 2: Escalating Privilege via Kernel
    • JTAG Lab 3: Escalating Privilege via a Process

  • No hardware background required, but very helpful.
  • Computer architecture and programming knowledge required – real world experience very helpful but not required.

What to Bring?

Students should bring their own laptop for internet access and note taking. All equipment, including configured laptops, will be provided.

What to expect?

  • With a better understanding of what a hardware vulnerability really is
  • Familiar with hardware and software tools that can be used
  • Familiar with techniques to find hardware vulnerabilities
  • With a firm understanding of what malicious hardware is capable of
  • With their implicit trust of hardware systems dispelled and destroyed
  • With a healthy sense of paranoia

What not to expect?

  • Any physical modifications to systems
  • In depth software exploitation
  • Confidence in current hardware security

About the Trainer
Joe (@securelyfitz) is an Instructor and Researcher at Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks on x86 Systems, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.