Using an Option ROM to overwrite SMM/SMI handlers in QEMU

This article explores PCI Expansion ROM (or Option ROM) execution within UEFI and walks through a practical scenario of using Option ROM code to modify SMM. In order to accomplish this goal we relax the security within EDK2. Note that this article does not reveal any security weaknesses. We begin with how to create a QEMU/OVMF/iPXE testing environment that boots Fedora with UEFI Secure Boot enabled and measures the pre-OS environment using a software TPM2. We then install an SMI handler by modifying our iPXE EFI Option ROM, which is the same as a DXE driver run during Boot Device Select (BDS). Finally, we again modify our Option ROM code and overwrite and reliably ‘shim’ an existing SMI’s handler with our own.[…]

Bitleaker: decrypts BitLocker-locked partition with the TPM vulnerability (CVE-2018-6622)

BitLeaker is a new tool for extracting the VMK and mounting a BitLocker-locked partition. BitLeaker uses the TPM vulnerability, CVE-2018-6622 for a discrete TPM and related vulnerability for a firmware TPM. They are related to the S3 sleeping state of Advanced Configuration and Power Interface (ACPI) and can reset the TPMs. If you want the detailed information about CVE-2018-6622 and a vulnerability checking tool, please read our USENIX paper, A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping and Black Hat Asia presentation, Finally, I Can Sleep Tonight: Catching Sleep Mode Vulnerabilities of the TPM with Napper.

PCI Express DIY hacking toolkit

This repository contains a set of tools and proof of concepts related to PCI-E bus and DMA attacks. It includes HDL design which implements software controllable PCI-E gen 1.1 endpoint device for Xilinx SP605 Evaluation Kit with Spartan-6 FPGA. In comparison with popular USB3380EVB this design allows to operate with raw Transaction Level Packets (TLP) of PCI-E bus and perform full 64-bit memory read/write operations. To demonstrate applied use cases of the design, there’s a tool for pre-boot DMA attacks on UEFI based machines which allows executing arbitrary UEFI DXE drivers during platform init. Another example shows how to use pre-boot DMA attacks to inject Hyper-V VM exit handler backdoor into the virtualization-based security enabled Windows 10 Enterprise running on UEFI Secure Boot enabled platform. Provided Hyper-V backdoor PoC might be useful for reverse engineering and exploit development purposes, it provides an interface for inspecting of hypervisor state (VMCS, physical/virtual memory, registers, etc.) from guest partition and perform the guest to host VM escape attacks.

SEC Xtractor: HW/FW tools for dumping memory chips and identifying on-chip debugging/programming interfaces

We have just made the “SEC Xtractor” tool (SEC Consult’s hardware exploitation and firmware extraction tool) open-source! It comes with an easy to use and configurable memory reading concept that supports multiple ways to read flash chips (e.g. NAND chips). As its firmware and hardware are completely open-source, it can be easily extended. Interface identification is another requirement that was fulfilled by integrating JTAG brute-forcing and UART scanning. It can also be used as an OpenOCD adapter and it provides two UART-to-USB bridges. Most devices require anything between 1.8 and 5.5 volts, which is supported by the SEC Xtractor.[…]

SEC Xtractor (Hardware)

SEC Xtractor (Firmware)

UL offering IoT security ratings

The IoT Security Rating, which is based on UL’s IoT Security Top 20 Design Principles, aims to serve two purposes:

1) Help manufacturers and developers improve the security posture of their solutions by leveraging proven security best practices

2) Rate the security posture of IoT solutions in order to make security more transparent and accessible to consumers.

Updated artwork IoT

I wish these logos had more specifics, like what boot security technologies are available.

Redfish-Tacklebox: Python based utilities for performing common management operations with Redfish

DMTF has a relatively-new Redfish project, with tools (currently 6 Python-based tools) that’re useful for security researchers, system administrators, and firmware testers:

Sensor List ( walk a Redfish service and list sensor info

System Inventory ( walk a Redfish service and list component information

Power/Reset ( perform a power/reset operation of a system

Boot Override ( perform a one time boot override of a system

Accounts ( manage user accounts on a Redfish service

Update ( perform an update with a Redfish service

There is a new web site with multiple TPM resources, many things to see. And a physical event, if you are based in Germany.

Tastless CTF: tee-challenges: an exploitation challenge based on the Open Portable Trusted Execution Environment (OP-TEE)

Offered with no further comments, I’ve not yet had a chance to play this CTF yet…

coreboot 4.11 released

“[…]Since 4.10 there were 1630 new commits by over 130 developers. Of these, about 30 contributed to coreboot for the first time.[…]
Verified Boot: The vboot feature that Chromebooks brought into coreboot was extended to work on devices that weren’t specially adapted for it: In addition to its original device family it’s now supported on various Lenovo laptops, Open Compute Project systems and Siemens industrial machines. Eltan’s support for measured boot continues to be integrated with vboot, sharing data structures and generally working together where possible.[…]”

Detailed blog post:

PrimeG2Pkg: UEFI for HP Prime G2 calculator

[…]Basically the UEFI consists a set of device drivers and core components from TianoCore. ACPI tables are copied from the Windows IoT iMX Project Mu Repo and stripped down. I chainload the UEFI from U-Boot. iMX does not enable unaligned memory access by default and this causes a lot of troubles in UEFI DXE and BDS phases.[…]

blog post:

edk2-vscode: Visual Studio Code plugin for EDKII files

There is a Visual Studio Code plugin for working with Microsoft Project Mu:

There is also another VS Code plugin for working with EDK2, which appears to be about 3 months old:

Develop smoothly EDKII/UEFI:
* Add FDF syntax highlight and destionation
* Add DSC syntax highlight and destionation
* Add DEC syntax highlight and destionation
* Add INF syntax highlight and destionation
* Add UNI syntax highlight
* Add VFR syntax highlight

Sourcetrail source code explorer for C/C++/Python/Java has been open-sourced

Coatia Software’s Sourcetrail is a source explorer for Linux/Windows/Mac which “uses static analysis on C, C++, Java and Python source code and lets you navigate the collected information within a user interface that interactively combines graph visualization and code display.” This closed-source codebase is now open-source.

Intel ATR training: no longer publicly-available


It appears training materials that used to be on Github are no longer there, unsure why. Hopefully it has moved (from the “Advanced-Threat-Research” top-level Github project and moved to some Intel/McAfee/Eclypsium project, and I just don’t know the new URL.

As I understand it, the training was created by Intel employees, mostly from the CHIPSEC team, before many of the CHIPSEC team left to create Eclypsium, and also during the Intel/McAfee split of Intel Advanced Threat Research. I have a copy of the Github project that’s been taken down somewhere, in case the authors at (Intel, McAfee, Eclypsium) mistakenly deleted it and want a copy.

The current CHISPEC team offers training, but appears to use a different set of of materials, which are online:

The MinnowBoard Chronicles: A Journey into x86, UEFI, and Linux

Even if you don’t have a SourcePoint hardware debugger, you’ll probably still get a benefit from reading this 45-chapter blog post series.

Over the last two and a half years, I’ve intermittently chronicled my explorations into some fairly esoteric technical topics, using the MinnowBoard Turbot board as a platform. And yes, time flies, and I’ve covered a lot of ground. All 45 chapters are listed below. Enjoy!

GospelRoom: Data Storage in UEFI NVRAM Variables

Click on the URL in the above Twitter URL, as WordPress chokes on Github Gist URLs.

Static analysis framework for GCC by Red Hat

David Malcolm of Red Hat has submitted a 49-part patch to GCC which gives GCC a static analysis feature:

This patch kit introduces a static analysis pass for GCC that can diagnose various kinds of problems in C code at compile-time (e.g. double-free, use-after-free, etc). The analyzer runs as an IPA pass on the gimple SSA representation. It associates state machines with data, with transitions at certain statements and edges. It finds “interesting” interprocedural paths through the user’s code, in which bogus state transitions happen.[…\