
CVE-2017-11472: Linux kernel ACPI KASLR vulnerability

The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.

[…]This causes a security threat because the old kernel (<= 4.9) shows memory locations of kernel functions in stack dump, therefore kernel ASLR can be neutralized. To fix ACPI operand leak for enhancing security, I made a patch which removes the ACPI_EXEC_APP define in acpi_ns_terminate() function for executing the deletion code unconditionally.[…]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11472
https://nvd.nist.gov/vuln/detail/CVE-2017-11472
https://vuldb.com/?id.104315
https://github.com/acpica/acpica/commit/a23325b2e583556eae88ed3f764e457786bf4df6
https://github.com/torvalds/linux/commit/3b2d69114fefa474fca542e51119036dceb4aa6f


APT monitoring & analysis …below Ring 0

Applying Provenance in APT Monitoring and Analysis Practical Challenges for Scalable, Efficient and Trustworthy Distributed Provenance
Jenkinson G, Carata L, Bytheway T, Sohan R, Watson RNM, Anderson J, Kidney B, Strnad A, Thomas A, Neville-Neil G

[…] Below Ring 0 – hardware primitives can potentially support provenance capture in a number of ways. Trusted Computing primitives such as Intel SGX (Software Guard Extensions) can be used to provide stronger non-repudiation (even in the presence of a compromised OS). And new hardware primitives could directly support provenance capture, for example providing an append-only log for use by the kernel to store provenance records prior to sending over a network.[…]

https://www.usenix.org/conference/tapp17/workshop-program/presentation/jenkinson
https://www.usenix.org/system/files/conference/tapp2017/tapp17_paper_jenkinson.pdf
https://www.researchgate.net/publication/317827922_Applying_Provenance_in_APT_Monitoring_and_Analysis_Practical_Challenges_for_Scalable_Efficient_and_Trustworthy_Distributed_Provenance


UEFI:NTFS

UEFI:NTFS is a generic bootloader that is designed to allow boot from an NTFS partition, in pure UEFI mode, even if your system does not natively support it. This is primarily intended for use with Rufus, but can also be used independently. In other words, UEFI:NTFS is designed to remove the restriction, which most UEFI systems have, of only providing boot support from a FAT32 partition, and enable the ability to also boot from NTFS partitions. This can be used, for instance, to UEFI-boot Windows NTFS installation media containing an install.wim that is larger than 4 GB (something FAT32 cannot support), or to allow dual BIOS + UEFI boot of ‘Windows To Go’ drives. […] Secure Boot must be disabled for UEFI:NTFS to work.[…]

https://github.com/eventus77/uefi-ntfs-boot

http://efi.akeo.ie/
https://rufus.akeo.ie/


coreboot security slides from REcon available

Digging Into the Core of Boot by Yuriy Bulygin, Oleksandr Bazhaniuk

https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-DiggingIntoTheCoreOfBoot.pdf

https://recon.cx/2017/montreal/slides/

See also the SGX talk…


KLEE 1.4.0 released

Cristian Cadar announced the 1.4.0 release of KLEE.

KLEE 1.4.0 is now available at
https://github.com/klee/klee/releases/tag/v1.4.0

Lots of new changes, in particular a new CMake build system, support for some missing features for LLVM 3.4 (and partial support for 3.5 and 3.6), better support for MacOS, support for release documentation (as in http://klee.github.io/releases/docs/v1.4.0/) and many other optimizations, features and bug fixes.[…]

Full announcement:
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
https://klee.github.io/

https://github.com/klee/klee


Shut the HAL Up: Isolating Android HALs

Shut the HAL Up
18 July 2017
Jeff Vander Stoep, Senior Software Engineer, Android Security

Updates are essential for security, but they can be difficult and expensive for device manufacturers. Project Treble is making updates easier by separating the underlying vendor implementation from the core Android framework. This modularization allows platform and vendor-provided components to be updated independently of each other. While easier and faster updates are awesome, Treble’s increased modularity is also designed to improve security. A Hardware Abstraction Layer (HAL) provides an interface between device-agnostic code and device-specific hardware implementations. HALs are commonly packaged as shared libraries loaded directly into the process that requires hardware interaction. Security boundaries are enforced at the process level. Therefore, loading the HAL into a process means that the HAL is running in the same security context as the process it’s loaded into.[…]

https://android-developers.googleblog.com/2017/07/shut-hal-up.html
