title = {Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the {System Management Mode}},
journal = {arXiv},
year = {2018},
url = {https://arxiv.org/abs/1803.02700}
}
@inproceedings{brown2003linuxbios,
title = {{LinuxBIOS} as an Open-Source Firmware Alternative},
author = {Brown, R. E. and others},
booktitle = {Proceedings of the 2003 Linux Symposium},
year = {2003}
}
@inproceedings{reinauer2008coreboot,
title = {The {coreboot} Open Source {BIOS} -- A Review},
author = {Reinauer, Stefan and others},
booktitle = {{USENIX} Annual Technical Conference},
year = {2008}
}
@techreport{mohr2012comparative,
title = {A Comparative Analysis of Bootloaders},
author = {Mohr, Benjamin},
institution = {University of Freiburg},
year = {2012}
}
@article{HaiYa2024Awah,
% abstract = {This paper presents a wide-frequency and high-precision ZQ calibration circuit for NAND Flash memory. To achieve high-precision impedance calibration within the wide frequency range of NAND Flash memory, the proposed ZQ calibration circuit adopts dynamic comparator with offset voltage compensation to accurately control the equivalent impedance of driver. And to ensure that the offset voltage of comparator can be accurately compensated in a wide frequency range, the offset voltage compensation circuit is controlled by a charge pump whose charging and discharging step time can be adjusted based on operating frequency range. The proposed circuit is fabricated in 130 nm CMOS process. In the frequency range of 1 MHz to 200 MHz, the Monte-Carlo analysis results show that the standard deviation of offset voltage is within 0.18 mV and the standard deviation of targeting calibrated impedance on 300 ohm is within 3.5 ohm. And the chip testing results show that the proposed ZQ calibration circuit can achieve 1.5% calibration accuracy.},
author = {Hai, Ya and Liu, Fei and Wang, Yongshan and Fu, Liyin and Huo, Jian},
copyright = {2023},
issn = {1879-2391},
journal = {Microelectronics},
language = {eng},
pages = {106051},
title = {A wide-frequency and high-precision {ZQ} calibration circuit for {NAND} Flash memory},
volume = {143},
year = {2024},
publisher = {Elsevier Ltd}
}
@inproceedings{pearson2014,
title = {The World Beyond x86},
author = {Pearson, Timothy},
year = {2014}
}
@inproceedings{altera2008,
title = {DDR3 SDRAM Memory Interface Termination and Layout Guidelines},
author = {{Altera®}},
year = {2008},
number = {AN-520-1.0}
}
@article{LiHuiyong2014RRoD,
% abstract = {The signal integrity of the circuit, as one of the important design issues in high-speed digital system, is usually seriously affected by the signal reflection due to impedance mismatch in the DDR3 bus. In this paper, a novel optimization method is proposed to optimize impedance mismatch and reduce the signal refection. Specifically, by applying the via parasitic, an equivalent model of DDR3 high-speed signal transmission, which bases on the match between the on-die-termination (ODT) value of DDR3 and the characteristic impedance of the transmission line, is established. Additionally, an improved particle swarm optimization algorithm with adaptive perturbation is presented to solve the impedance mismatch problem (IPSO-IMp) based on the above model. The algorithm dynamically judges particles’ state and introduces perturbation strategy for local aggregation, from which the local optimum is avoided and the ability of optimization-searching is activated. IPSO-IMp achieves higher accuracy than the standard algorithm, and the speed increases nearly 33% as well. Finally, the simulation results verify that the solution obviously decreases the signal reflection, with the signal transmission quality increasing by 1.3 dB compared with the existing method.},
author = {Li, Huiyong and Jiang, Hongxu and Li, Bo and Duan, Miyi},
title = {Reflection Reduction on {DDR3} High-Speed Bus by Improved {PSO}},
volume = {2014},
year = {2014},
publisher = {Hindawi Publishing Corporation}
}
@article{ChengKaixing2021TOWo,
% abstract = {As we enter the 5G (5th-Generation) era, the amount of information and data has become increasingly tremendous. Therefore, electronic circuits need to have higher chip density, faster operating speed and better signal quality of transmission. As the carrier of electronic components, the design difficulty of high-speed PCB (Printed Circuit Board) is also increasing. Equal-length wiring is an essential part of PCB design. But now, it can no longer meet the needs of designers. Accordingly, in view of the shortcomings of the traditional equal-length wiring, this article proposes two optimization ways: the “spiral wiring” way and the “double spiral wiring” way. Based on the theoretical analysis of the transmission lines, the two optimization ways take the three aspects of optimizing the layout and wiring space, suppressing crosstalk and reducing reflection as the main points to optimize the design. Eventually, this article performs simulation and verification of schematic diagram and PCB of the optimal design by using HyperLynx simulation software. The simulation results show that these two ways not only improve the flexibility of the transmission line layout, but also improve the signal integrity of the transmission lines. Of course, this also proves the feasibility and reliability of the two optimized designs.},
author = {Cheng, Kaixing and Luo, Zhongqiang and Xiong, Xingzhong and Wei, Xiaohan},
address = {Warsaw},
copyright = {2021. This work is licensed under https://creativecommons.org/licenses/by-sa/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.},
issn = {2081-8491},
journal = {International Journal of Electronics and Telecommunications},
title = {Two Optimization Ways of {DDR3} Transmission Line Equal-Length Wiring Based on Signal Integrity},
volume = {67},
year = {2021},
publisher = {Polish Academy of Sciences}
}
@article{ErmolovMarkM.2022Uxit,
% abstract = {The purpose of this study was to uncover previously unknown vulnerabilities in Intel CPUs caused by implementation errors or backdoors embedded in system firmware, applications, and hardware. The authors have discovered the Red Unlocked debugging mode which allows microcode to be extracted from Intel Atom processors. Using this debugging mode, the internal microcode structure and the implementation of x86 instructions have been examined, and two undocumented x86 instructions were found. These undocumented x86 instructions, udbgrd and udbgwr, can read and write microarchitectural data. These instructions are assumed to be intended for Intel engineers to debug the CPU microarchitecture. However, their existence poses a cybersecurity threat: there is a working demonstration available in the public domain on how to activate the Red Unlock mode for one of the current Intel platforms. This paper presents the analysis of the udbgrd and udbgwr instructions and explains the conditions under which they can be used on commonly available platforms. This kind of research can be used to develop methods, tools, and solutions to ensure information security of systems and networks by countering threats that arise from newly identified vulnerabilities stemming from implementation defects or backdoors in system firmware, applications, and hardware.},
author = {Ermolov, Mark M. and Sklyarov, Dmitry V. and Goryachy, Maxim S.},
title = {{SMM} rootkit: a new breed of {OS} independent malware},
volume = {6},
year = {2013},
publisher = {Blackwell Publishing Ltd}
}
@article{WaqarMuhammad2021DDCF,
% abstract = {This paper shows that an intermittent AC coupling defect occurring in a DDR4 data channel will cause more intermittent errors in DDR4, compared to such defect in DDR3. The intermittent AC coupling defect occurs due to intermittent fracture in DDR4 package solder ball. The defect causes DC offset in DDR4, which shifts the data signal or data eye and results in DDR4 data channel failure. The DC offset occurs due to the asymmetric nature of pseudo open drain termination scheme. DDR4 data channel response is compared with DDR3 channel. It is shown that pseudo random binary sequence (PRBS) pattern will always cause failure for DDR4, but PRBS will only cause failure in DDR3 if the sequence of consecutive 0's or 1's in PRBS pattern is long enough to cause threshold violation. As a result there will be more intermittent errors in DDR4 compared to DDR3. The defect due to fracture in solder ball is modelled by an AC coupling capacitor. A 1nF AC coupling capacitor corresponding to a solder ball fracture of height about 1nm is used to show the difference between DDR4 and DDR3 response.},
author = {Waqar, Muhammad and Bak, Geunyong and Kwon, Junhyeong and Baeg, Sanghyeon},
address = {Piscataway},
copyright = {Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2021},
title = {{DDR4} Data Channel Failure Due to {DC} Offset Caused by Intermittent Solder Ball Fracture in {FBGA} Package},
volume = {9},
year = {2021},
publisher = {IEEE}
}
@inproceedings{BashunVladimir2013Tytb,
% abstract = {Unified Extensible Firmware Interface (UEFI) is a software interface between an operating system and platform firmware designed to replace a traditional BIOS. In general, UEFI has many technical advantages over BIOS (pre-OS environment, boot and run-time services, CPU-independent drivers etc.) including also powerful security mechanisms (e.g. secure boot, update, etc.). They are aimed to provide platform integrity, be root of trust of security architecture, control all stages of boot process until it pass control to authenticated OS kernel. From the other side UEFI technology is the focus of many new potential threats and exploits and presents new vulnerabilities that must be managed. The main goal of this research is to provide analysis of the UEFI security issues, find the point and source of the security problems and classify them. The paper describes the architectural and implementation troubles of UEFI which lead to threats, vulnerabilities and attacks. It also includes extensive review of the previous research activities in this area and the results of our own experiments. As the result of the work some recommendation about how to make this young technology more safe and secure are provided.},
author = {Bashun, Vladimir and Sergeev, Anton and Minchenkov, Victor and Yakovlev, Alexandr},
booktitle = {14th Conference of Open Innovation Association FRUCT},
isbn = {1479949779},
issn = {2305-7254},
keywords = {Hardware ; Microprogramming},
language = {eng},
number = {14},
pages = {16--24},
title = {Too young to be secure: Analysis of {UEFI} threats and vulnerabilities},
volume = {232},
year = {2013},
publisher = {FRUCT Oy}
}
@article{AlexanderOgolyuk2017UBaI,
% abstract = {We describe principles and implementation details of UEFI BIOS attacks and vulnerabilities, suggesting the possible security enhancement approaches. We describe the hidden Intel Management Engine implementation details and possible consequences of its security possible discredit. Described breaches in UEFI and Intel Management Engine could possibly lead to the invention of "invulnerable" malicious applications. We highlight the base principles and actual state of Management Engine (which is a part of UEFI BIOS firmware) and its attack vectors using reverse engineering techniques.},
author = {Ogolyuk, Alexander and Sheglov, Andrey and Sheglov, Konstantin},
issn = {2305-7254},
journal = {Proceedings of the XXth Conference of Open Innovations Association FRUCT},
language = {eng},
number = {20},
pages = {657--662},
title = {{UEFI} {BIOS} and {Intel Management Engine} Attack Vectors and Vulnerabilities},
volume = {776},
year = {2017},
publisher = {FRUCT}
}
@inproceedings{ChevalierRonny2017CBMA,
% abstract = {Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 µs threshold defined by Intel).},
author = {Chevalier, Ronny and Villatel, Maugan and Plaquin, David and Hiet, Guillaume},
copyright = {Distributed under a Creative Commons Attribution 4.0 International License},
keywords = {Computer science},
language = {eng},
pages = {399--411},
title = {Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the {System Management Mode}},
volume = {2017},
year = {2017},
publisher = {ACM}
}
@article{YiJinhui2021DoDS,
% abstract = {In order to flexibly adjust the frame delay of real-time image acquisition by high-resolution cameras, which is based on optical fiber communication protocol, and facilitate subsequent control, this article uses MT41J128M16JT-125IT DDR3 SDRAM of Mircon company to cache image data. And based on the MIG controller that comes with Xilinx Vivado development tool for continuous read and write control, the results show that when the camera system is designed at 2fps and the system clock is 50Mhz, the system data bandwidth is 2.2Gbps. The selected DDR3 chip has a bandwidth of 6.25Gbps, which can meet the real-time transmission requirements of the design system.},
author = {Yi, Jinhui and Wang, Mingfu and Bai, Lidong},
address = {Bristol},
copyright = {2021. This work is published under http://creativecommons.org/licenses/by/3.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.},
issn = {1742-6588},
journal = {Journal of physics. Conference series},
title = {Design of {DDR3} {SDRAM} read-write controller based on {FPGA}},
volume = {1846},
year = {2021},
publisher = {IOP Publishing}
}
@article{VersenM.2020Rhaa,
% abstract = {A DDR3 SDRAM test setup implemented on the Griffin III test system from HILEVEL Technologies is used to analyse the row hammer bug. Row hammer pattern experiments are compared to standard retention tests for different manufacturing technologies. The row hammer effect is depending on the number of stress activation cycles. The analysis is extended to an avoidance scheme with refreshes similar to the Target Row Refresh scheme for the DDR4 SDRAM technology.},
author = {Versen, M. and Ernst, W.},
copyright = {2020},
issn = {0026-2714},
journal = {Microelectronics and reliability},
language = {eng},
pages = {113744},
title = {Row hammer avoidance analysis of {DDR3} {SDRAM}},
volume = {114},
year = {2020},
publisher = {Elsevier Ltd}
}
@article{WangDong2019AIUb,
% abstract = {The Unified Extensible Firmware Interface (UEFI) is a software interface between an operating system and platform firmware designed to replace a traditional BIOS. In this paper, we evaluated the security mechanisms used to protected SPI Flash, and then analyzed the attack surface presented by those security mechanisms. Intel provides several registers in its chipset relevant to locking down the SPI Flash chip that contains the UEFI in order to prevent arbitrary writes. Since these registers implement their functions through the system management mode, the main attack surface is concentrated in the system management mode. In this paper, we propose an attack vector for the system management mode, which uses the method of cache poisoning to attack the system management mode and destroy the protection mechanism of SPI Flash. This method can overcome the limitations for the traditional attacks. Experimental results proved that this kind of attack can arbitrarily write to the UEFI.},
author = {Wang, Dong and Dong, Wei Yu},
address = {Bristol},
copyright = {Published under licence by IOP Publishing Ltd},
issn = {1742-6588},
journal = {Journal of physics. Conference series},
title = {Attacking {Intel} {UEFI} by Using Cache Poisoning},
volume = {1187},
year = {2019},
publisher = {IOP Publishing}
}
@article{SridharanVilas2015MEiM,
% abstract = {Several recent publications have shown that hardware faults in the memory subsystem are commonplace. These faults are predicted to become more frequent in future systems that contain orders of magnitude more DRAM and SRAM than found in current memory subsystems. These memory subsystems will need to provide resilience techniques to tolerate these faults when deployed in high-performance computing systems and data centers containing tens of thousands of nodes. Therefore, it is critical to understand the efficacy of current hardware resilience techniques to determine whether they will be suitable for future systems. In this paper, we present a study of DRAM and SRAM faults and errors from the field. We use data from two leadership-class high-performance computer systems to analyze the reliability impact of hardware resilience schemes that are deployed in current systems. Our study has several key findings about the efficacy of many currently deployed reliability techniques such as DRAM ECC, DDR address/command parity, and SRAM ECC and parity. We also perform a methodological study, and find that counting errors instead of faults, a common practice among researchers and data center operators, can lead to incorrect conclusions about system reliability. Finally, we use our data to project the needs of future large-scale systems. We find that SRAM faults are unlikely to pose a significantly larger reliability threat in the future, while DRAM faults will be a major concern and stronger DRAM resilience schemes will be needed to maintain acceptable failure rates similar to those found on today's systems.},
author = {Sridharan, Vilas and DeBardeleben, Nathan and Blanchard, Sean and Ferreira, Kurt B. and Stearley, Jon and Shalf, John and Gurumurthi, Sudhanva},
issn = {0163-5964},
journal = {Computer architecture news},
language = {eng},
number = {1},
pages = {297--310},
title = {Memory Errors in Modern Systems: The Good, The Bad, and The Ugly},
volume = {43},
year = {2015}
}
@book{freiberger2000fire,
title={Fire in the Valley: The Birth and Death of the Personal Computer},