I Can Read Your Mind
By David Hoelzer on 2019-09-05 11:23:44

"Locks are for honest people." I'm certain that you've heard this proverb, which is well known in security departments. While I certainly like to think of myself as an honest person, I am quite often struck by the incredible faith that people put into security systems in general. I often ruminate on the most direct ways to bypass security systems and to potentially access otherwise secret or protected information. This mindset has served me quite well in the field of network monitoring and intrusion detection.

I have often talked to classes about the potential to bypass hardware and software encryption features through physical access to systems. What I have in mind, specifically, is the ability to hook a 128-channel logic analyzer up to the data and address buses of a system and extract the "bytes of interest" directly: whatever protects the data at rest or in transit, the processor has to handle it as plaintext on those buses. While this is technically feasible (though by no means am I intending to imply that it is trivial), I do suspect that someone would notice me hooking this big honking analyzer up to your disassembled computer!

I've recently been doing some major repairs on some forty-year-old computer systems. This has required a great deal of electronics troubleshooting and has required me to go back and relearn things that I simply haven't used in thirty years. Along the way I've had the tremendous fun of replacing faulty chips all over one board in particular, to which the years had not been kind. It appears that some form of rodent had taken up residence for a number of generations. Let's just say that marinating in rodent juices isn't great for electronic components.

One of the more frustrating issues that I've had to contend with is that some of the parts used are simply not made anymore. This means that replacement DRAM and SRAM chips, for example, must be sourced from eBay. While these parts can be pretty pricey -- for example, a 1-bit by 16k DRAM chip can run as much as $5 each, which is ridiculous -- the larger problem is that these chips are all decades-old pulls, possibly even NOS (New Old Stock), and may or may not function.

I'm sure that at this point, if not earlier, at least some of you are wondering what the point of all of this is. Just wait, it's coming, and it's cool... Give me another paragraph or two to get to the interesting bits.

As I've replaced parts, this has created a vicious cycle in which I identify a fault, replace the part with a "new" part, only to discover more faults... some of which may or may not be caused by the "new" part that I just attached to the board! This has led to me being forced to engineer test rigs for a large variety of logic chips, address buffers, multiplexers, SRAM, and DRAM chips. Effectively, I'm being forced to build the tools, which I can then use to build the tools which will ultimately be used to build the tools to fix this thing.

I do try to be efficient in my work. This means that I work hard not to repeat tasks whenever possible, building systems to do the work for me (hence all of the test rigs that now litter my workbench). When I finally stood back and thought about the time I was putting into test circuits for chips that were interesting but ultimately of no long-term utility, I decided that my time would be much better spent simply reengineering how parts of the board work. This has led me to replace the two 4-bit by 1k SRAM chips that support the video display on this board with a much more modern Hitachi HM6116 8-bit by 2k SRAM, for example. Obviously the board isn't designed to handle this chip, which didn't exist in 1979, so I've had to design and build a board that sockets into the SRAM chip sockets, successfully replacing the video RAM.

This (finally) brings me to the main point of this post. All of this work has gotten me to thinking about how to most efficiently replace all of the 1-bit by 16k DRAM on this board with a single 8-bit by 32k SRAM chip. From my perspective, the easiest approach is to simply build a board that sockets into the CPU socket and uses buffers and latches to redirect all RAM access to the board, while ROM, video RAM, and peripheral access is passed through to the main board. The processor itself simply sockets into this board.

Hopefully, if you've made it this far, you are either following and can see where I'm heading, or you're determined to figure out what I'm getting at, so here it is. While there would be some significant effort involved in engineering the board to do so, it would be relatively simple to design a board into which the processor from an existing computer would socket, after which the board would be socketed into the mainboard of the computer. Nothing about the system's software, firmware, or encryption would notice the extra layer in between.

As a simple proof of concept, I've already built a socket that accepts the CPU from this old computer and copies (not redirects) all of the data in the range of the video RAM to a 3" TFT screen hanging off the CPU socket. The board makes use of a 16-line address buffer and an 8-bit data buffer, all wired up to a 16k dual-ported SRAM chip.

In case you're not familiar with the concept of dual-ported or multi-ported RAM, it is a RAM chip that allows you to perform multiple reads and/or writes to the chip simultaneously from separate address and data buses. These chips are widely used in mainframe and other highly scalable systems, allowing for multiple processors to access the same RAM simultaneously. The property that matters here is that the second port is serviced independently of the first, so the observing side can read the copy at its own pace without inserting wait states on the host's bus (the chip arbitrates the rare case where both ports hit the same address at once).

In my application, the dual-ported RAM serves as a "tap" of the data bus, mirroring whatever the CPU writes into video memory. Since the RAM is now mirrored, I can create hardware/software to access that mirror copy at any time and for any purpose. I'm simply displaying it to a TFT, but there's no reason that I couldn't send it over a wireless or cellular signal.

This brings us back to the modern application. The design of the circuit would need to be more rigorous than what is needed for my vintage system, which is serving only as a proof of concept, and the speed with which memory access occurs makes any significant processing on the board daunting. Even so, it seems to me that it would be completely feasible for a well-funded and motivated organization to key what is copied to "keywords" (think byte sequences) in order to identify data of interest, and then copy that data directly off of the bus as the processor reads and writes it. While I'm using dual-ported RAM for my purposes, there also exists a family of RAM chips that work, effectively, as a FIFO queue, allowing you to stuff data into one end of the chip and pull it out of the other end for processing. For the concept I am outlining here, the actual memory location at which the data resides is unimportant (unlike in my video RAM proof of concept). In other words, once something interesting has been identified, related bytes at related addresses, when read or written, can also be stuffed into the FIFO for processing on the other side!
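To make the data flow concrete, here is a small software model of the tap described above: a passive observer that mirrors one address window (the dual-ported copy), watches the data bus for a keyword, and then queues the bytes accessed at the addresses immediately following the hit into a FIFO. This is an added example written for this page, not the author's proof-of-concept board or any real hardware interface. It assumes a 16-bit address bus and 8-bit data bus, a 1 KiB "video RAM" window at 0x0400, the keyword `PASS=`, and a constructed bus trace; none of those details come from the post.

```python
"""Software model of a passive CPU-socket bus tap.

Added example for this page. Assumed, not from the original post: a 16-bit
address bus, an 8-bit data bus, a 1 KiB "video RAM" window at 0x0400, the
keyword list and the constructed bus trace in demo_trace().
"""
from collections import deque
from dataclasses import dataclass, field

VIDEO_RAM_BASE = 0x0400   # assumed start of the mirrored window
VIDEO_RAM_SIZE = 0x0400   # assumed window size (1 KiB)


@dataclass(frozen=True)
class BusCycle:
    """One CPU bus cycle as latched by the tap's address and data buffers."""
    addr: int      # 0x0000..0xFFFF
    data: int      # 0x00..0xFF
    write: bool    # True for a CPU write cycle, False for a read cycle


@dataclass
class Capture:
    """One keyword hit plus the bytes accessed at the addresses following it."""
    keyword: bytes
    hit_addr: int                                  # address of the keyword's last byte
    payload: list = field(default_factory=list)    # (addr, data) pairs


class BusTap:
    """Observes bus cycles; never drives the bus, so the CPU is unaffected."""

    def __init__(self, keywords, capture_len=16):
        self.mirror = bytearray(VIDEO_RAM_SIZE)     # the dual-ported copy
        self.keywords = [bytes(k) for k in keywords]
        self.capture_len = capture_len
        self.window_max = max(len(k) for k in self.keywords)
        self.window = bytearray()                   # last bytes seen on the data bus
        self.active = []                            # captures still filling up
        self.fifo = deque()                         # completed captures

    def observe(self, cycle):
        # 1. Mirror: only write cycles change what the screen shows.
        if cycle.write and VIDEO_RAM_BASE <= cycle.addr < VIDEO_RAM_BASE + VIDEO_RAM_SIZE:
            self.mirror[cycle.addr - VIDEO_RAM_BASE] = cycle.data

        # 2. Feed in-flight captures with "related bytes at related addresses":
        #    anything the CPU touches in the capture_len bytes after the hit.
        still_active = []
        for cap in self.active:
            if cap.hit_addr < cycle.addr <= cap.hit_addr + self.capture_len:
                cap.payload.append((cycle.addr, cycle.data))
            if len(cap.payload) < self.capture_len:
                still_active.append(cap)
            else:
                self.fifo.append(cap)
        self.active = still_active

        # 3. Keyword match over the last few data-bus bytes, reads or writes alike.
        self.window.append(cycle.data)
        del self.window[:-self.window_max]
        for kw in self.keywords:
            if self.window.endswith(kw):
                self.active.append(Capture(kw, cycle.addr))

    def flush(self):
        """Queue partially filled captures, e.g. when the trace ends."""
        self.fifo.extend(self.active)
        self.active = []

    def drain(self):
        """Pull completed captures off the FIFO as (keyword, hit_addr, bytes)."""
        out = []
        while self.fifo:
            cap = self.fifo.popleft()
            out.append((cap.keyword, cap.hit_addr, bytes(d for _, d in cap.payload)))
        return out


def demo_trace():
    """Constructed trace: the CPU stores "PASS=hunter2\\0" into video RAM, then
    does unrelated reads elsewhere. Not captured from any real machine."""
    cycles = [BusCycle(0x0410 + i, b, True) for i, b in enumerate(b"PASS=hunter2\x00")]
    cycles += [BusCycle(0x2000 + i, 0xAA, False) for i in range(8)]
    return cycles


def run_demo():
    tap = BusTap(keywords=[b"PASS="], capture_len=8)
    for cycle in demo_trace():
        tap.observe(cycle)
    tap.flush()
    return tap


if __name__ == "__main__":
    tap = run_demo()
    print(bytes(tap.mirror[0x10:0x1D]))             # what the screen mirror holds
    for kw, addr, payload in tap.drain():
        print(f"{kw!r} at {addr:#06x} -> {payload!r}")
```

`run_demo()` replays the constructed trace and returns the tap: the mirror holds exactly what the CPU wrote into the video window, and the FIFO holds one capture, the eight bytes that followed the keyword at the addresses right after it. Two caveats a practitioner will notice: the matcher sees bytes in bus order, so a keyword only matches when the CPU touches its bytes consecutively (block copies and string routines do, scattered access does not), and a bus running at several MHz leaves no room for this kind of Python; on a real board the matching would be done in logic, with hits queued into a hardware FIFO for slower processing downstream.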

David Hoelzer is the author and maintainer of the SANS SEC503 Advanced Intrusion Detection course, the leading class for advanced network analysis in the industry. With more than 30 years of experience in information technology and security, he is the author of and a contributor to a number of open source defensive tools. In addition to acting as the Chief of Operations for Enclave Forensics, Inc., an incident response, secure coding, and managed services corporation, David is also the Dean of Faculty for the SANS Technology Institute (STI).