libelfmaster: Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools

https://github.com/elfmaster/libelfmaster

See-also:
http://www.bitlackeys.org/
https://www.eventbrite.com/o/bitlackeys-17575943369
https://www.eventbrite.com/e/elf-voodoo-binary-analysis-workshop-brought-to-you-by-the-elfmaster-leviathan-tickets-48427221122

ARM v8.5-A adds Branch Target Indicators for new security

https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a

Security: Limiting Exploits

Once an attacker has found a vulnerability to exploit, their next aim is to execute code to gain control of the machine they have accessed. Techniques used include ROP and JOP Attacks (Return- and Jump-Oriented Programming). These techniques find small sections (called gadgets) of vulnerable programs that chain together to run the code the attacker wants. These methods work because the architecture puts no restrictions on where code can branch to, or where branches can have come from. This enables attackers to use small snippets of functions, which do what they want.

In Armv8.3-A, we introduced the Pointer Authentication feature, which can be used to ensure functions return to the location expected by the program.

In Armv8.5-A, we introduce Branch Target Indicators (BTI). Systems supporting BTI can enforce that indirect branches only go to code locations where the instruction is one of a small acceptable list. This reduces the ability of an attacker to execute arbitrary code.

These two features work together to significantly reduce the number of gadgets available to an attacker. The gadgets that remain available are large in size, making it much harder for an attacker to make a viable exploit, even if they find a vulnerability that lets them gain access to a machine.

NIST RFC: Draft NISTIR 8221, A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks

NIST has released Draft NIST Internal Report (NISTIR) 8221, “A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks”, which analyzes recent vulnerabilities associated with two open-source hypervisors, Xen and KVM, as reported by the NIST National Vulnerability Database. The document develops a profile of those vulnerabilities in terms of hypervisor functionality, attack type, and attack source. The objective is to determine the evidence coverage for detecting and reconstructing those attacks and subsequently identify the techniques required to gather missing evidence. The methodologies outlined can assist cloud providers in enhancing the security of their virtualized infrastructure and take proactive steps toward preventing such attacks on their operating environment in the future.

A public comment period for this draft document is open until October 12, 2018.

https://csrc.nist.gov/publications/detail/nistir/8221/draft

https://csrc.nist.gov/news/2018/nist-releases-draft-nistir-8221-for-comment

NIST: Internet of Things (IoT) Trust Concerns

https://csrc.nist.gov/publications/detail/nistir/8222/draft

Internet of Things (IoT) Trust Concerns

Date Published: September 2018
Withdrawn: September 18, 2018

Planning Note (9/18/2018):
Draft NISTIR 8222 has been temporarily withdrawn to synchronize with other pending documents on this topic, and to ensure time for stakeholders to review and comment. Once the draft document has been re-posted, the comment period will be extended.

The Internet of Things (IoT) refers to systems that involve computation, sensing, communication, and actuation (as presented in NIST Special Publication (SP) 800-183). IoT involves the connection between humans, non-human physical objects, and cyber objects, enabling monitoring, automation, and decision making. The connection is complex and inherits a core set of trust concerns, most of which have no current resolution. This publication identifies 17 technical trust-related concerns for individuals and organizations before and after IoT adoption. The set of concerns discussed here is necessarily incomplete given this rapidly changing industry, however this publication should still leave readers with a broader understanding of the topic. This set was derived from the six trustworthiness elements in NIST SP 800-183. And when possible, this publication outlines recommendations for how to mitigate or reduce the effects of these IoT concerns. It also recommends new areas of IoT research and study. This publication is intended for a general information technology audience including managers, supervisors, technical staff, and those involved in IoT policy decisions, governance, and procurement.

LLVM 7.0.0 released

[…]It is the result of the community’s work over the past six months, including: function multiversioning in Clang with the ‘target’ attribute for ELF-based x86/x86_64 targets, improved PCH support in clang-cl, preliminary DWARF v5 support, basic support for OpenMP 4.5 offloading to NVPTX, OpenCL C++ support, MSan, X-Ray and libFuzzer support for FreeBSD, early UBSan, X-Ray and libFuzzer support for OpenBSD, UBSan checks for implicit conversions, many long-tail compatibility issues fixed in lld which is now production ready for ELF, COFF and MinGW, new tools llvm-exegesis, llvm-mca and diagtool. And as usual, many optimizations, improved diagnostics, and bug fixes.[…]

Some highlights:

Early support for UBSan, X-Ray instrumentation and libFuzzer (x86 and x86_64) for OpenBSD. Support for MSan (x86_64), X-Ray instrumentation and libFuzzer (x86 and x86_64) for FreeBSD.

AArch64 target: Assembler and disassembler support for the ARM Scalable Vector Extension has been added.

A new Implicit Conversion Sanitizer (-fsanitize=implicit-conversion) group was added. Please refer to the Undefined Behavior Sanitizer (UBSan) section of the release notes for the details.

An existing tool named diagtool has been added to the release. As the name suggests, it helps with dealing with diagnostics in clang, such as finding out the warning hierarchy, and which of them are enabled by default or for a particular compiler invocation.

clang-tidy: New module zircon for checks related to Fuchsia’s Zircon kernel.

The DEBUG macro has been renamed to LLVM_DEBUG, the interface remains the same.

A new tool named llvm-mca has been added. llvm-mca is a static performance analysis tool that uses information available in LLVM to statically predict the performance of machine code for a specific CPU.

http://releases.llvm.org/7.0.0/docs/ReleaseNotes.html
http://releases.llvm.org/7.0.0/tools/clang/docs/ReleaseNotes.html
http://releases.llvm.org/7.0.0/tools/clang/tools/extra/docs/ReleaseNotes.html
http://releases.llvm.org/7.0.0/tools/lld/docs/ReleaseNotes.html
http://lists.llvm.org/pipermail/llvm-announce/2018-September/000080.html

Platform Security Summit 2018, some videos available

Re: https://firmwaresecurity.com/2018/05/08/platform-security-summit/

Rich Persaud recently posted a message to the edk2-devel mailing list, with a pointer to the videos of the May Platform Security Summit:

This event was held in May 2018 and hosted by Intel. There were firmware related talks by speakers from Dell, Intel, Oracle and others. Some videos have been posted.

https://www.platformsecuritysummit.com/2018/videos/

UefiPayloadPkg: UEFI Payload Project: supports Coreboot and Slim Bootloader

A freshly-created Github project:

https://github.com/BenjaminYou/UEFIPayload

UEFI Payload (UefiPayloadPkg) aims to be an upgrade to CorebootModulePkg and CorebootPayloadPkg. Features:
– Supporting Slim Bootloader in addition to Coreboot
– Source level configuration using .ini format
– User Extension using simple “C” codes
– Platform support library for adding platform specific codes

UC Irvine open sources their LLVM multicompiler

LLVM-based compiler to create artificial software diversity to protect software from code-reuse attacks.

https://github.com/securesystemslab/multicompiler

BlueHat Israel video: Beyond Belief: The Case of Spectre and Meltdown

http://www.bluehatil.com/files/Beyond%20Belief%20-%20The%20Case%20of%20Spectre%20and%20Meltdown.pdf

https://gruss.cc/

https://meltdownattack.com/

Software-based Microarchitectural Attacks

https://gruss.cc/files/phd_thesis.pdf

https://gruss.cc/files/phd_defense_slides.pdf

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

Re: https://firmwaresecurity.com/2018/09/12/intel-releases-17-security-advisories/ and

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

http://blog.ptsecurity.com/2018/09/intel-me-encryption-vulnerability.html

Intel releases 17 security advisories!

https://www.intel.com/content/www/us/en/security-center/default.html

Intel® Distribution for Python 2018 for Windows Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00181.html

Intel® Centrino® Wireless-N and Intel® Centrino® Advanced-N products Bluetooth Driver Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00177.html

Intel® NUC Firmware Security Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00176.html

Intel® IoT Developers Kit Permissions Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00173.html

OpenVINO™ Toolkit for Windows Permissions Issue Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00172.html

Intel® Data Migration Software Improper Permissions Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00170.html

Intel® Driver & Support Assistant and Intel® Software Asset Manager Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00165.html

Intel® Extreme Tuning Utility Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html

Intel® Baseboard Management Controller (BMC) firmware Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00149.html

Intel® Server Board TPM Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00148.html

Intel® Data Center Manager SDK Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00143.html

Intel® Platform Trust Technology (PTT) Update Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00142.html

Intel® Active Management Technology 9.x/10.x/11.x/12.x Security Review Cumulative Update Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00141.html

Power Management Controller (PMC) Security Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html

Intel® CSME Assets Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

INTEL-SA-00086 Detection Tool DLL Injection Issue Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00119.html