Dropbox/OCP RunBMC: the first open source hardware spec for the BMC

https://www.opencompute.org/documents/ocp-runbmc-daughterboard-card-design-specification-v1-4-1-pdf

https://blogs.dropbox.com/tech/2019/08/runbmc-ocp-hardware-spec-solves-data-center-bmc-pain-points/

https://blog.dropbox.com/topics/technology/dropbox-contributes-runbmc-spec-to-the-open-compute-project0

Qiling: binary emulation framework

Qiling is an advanced binary emulation framework, with the following features:

  • Cross platform: Windows, MacOS, Linux, BSD
  • Cross architecture: X86, X86_64, Arm, Arm64, Mips
  • Multiple file formats: PE, MachO, ELF
  • Emulate & sandbox machine code in a isolated enviroment
  • Provide high level API to setup & configure the sandbox
  • Fine-grain instrumentation: allow hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
  • Allow dynamic hotpatch on-the-fly running code, including the loaded library
  • True framework in Python, make it easy to build customized security analysis tools on top

https://github.com/qilingframework/qiling

Qualcomm Secure Boot

[…]In 2017, we released our first public whitepaper describing the philosophy and implementation of the Qualcomm Technologies’ Secure Boot solution. Since then, the solution has been improved and we are pleased to make available a new release of the “Secure Boot and Image Authentication” technical overview whitepaper.[…]

https://www.qualcomm.com/news/onq/2019/08/21/secure-boot-and-image-authentication-improvements

https://www.qualcomm.com/documents/secure-boot-and-image-authentication-technical-overview-v20

MELoader: Linux i386 tool to load and execute ME modules

[…]This tool requires a rom library dump from the ME to use. See https://github.com/ptresearch/IntelTXE-PoC for a means of acquiring one, though that will yield a ROM for a different chipset (BXT). That chipset shares most core ME peripherals with SPT so changing the code will mostly mean tweaking addresses.

https://github.com/peterbjornx/meloader

Side-Channel Aware Fuzzing


[…]In this paper we present and evaluate a new approach to extract feedback for fuzzing on embedded devices using information the power consumption leaks. Side-channel aware fuzzing is a threefold process that is initiated by sending an input to a target device and measuring its power consumption. First, we extract features from the power traces of the target device using machine learning algorithms. Subsequently, we use the features to reconstruct the code structure of the analyzed firmware. In the final step we calculate a score for the input, which is proportional to the code coverage. We carry out our proof of concept by fuzzing synthetic software and a light-weight AES implementation running on an ARM Cortex-M4 microcontroller. Our results show that the power side-channel carries information relevant for fuzzing.

https://arxiv.org/abs/1908.05012

Alex Matrosov: Breaking Through Another Side: Bypassing Firmware Security Boundaries

This blog post is the first in the series about my joint Black Hat research “Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller” (slides) with Alexandre Gazet presented last week in Vegas. This REsearch took literally 5 months of our spare time to dig into Embedded Controller security and Intel BIOS Guard technology implementation in Lenovo Thinkpad BIOS.[…]

Firmware Manager: Generic framework and GTK UI for firmware updates from system76-firmware and fwupd, written in Rust.

System76 is one Linux distro/OEM that rolled it’s own firmware update mechanism, instead of supporting fwupd. Now they have a new tool that integrates the two solutions:

One of the remaining issues with firmware management on Linux is the lack of options for graphical frontends to firmware management services like fwupd and system76-firmware. For fwupd, the only solutions available were to distribute either GNOME Software, or KDE Discover; which is not viable for Linux distributions which have their own application centers, or frontends to package managers. For system76-firmware, an official GTK application exists, but it only supports updating System76 firmware, when it would be more ideal if it could support updating firmware from both services. fwupd is a system service which connects to LVFS to check for firmware updates to a wide variety of hardware from multiple vendors. system76-firmware is our own system service which connects to System76 to check for firmware updates for System76 hardware. To solve this problem, we’ve been working on the Firmware Manager project, which we will be shipping to all Pop!_OS users, and System76 hardware customers on any other distribution. It supports checking and updating firmware from the fwupd and system76-firmware services, is Wayland-compatible, and provides both a GTK application and library. […]

https://blog.system76.com/post/187072707563/the-new-firmware-manager-updating-firmware-across

https://github.com/pop-os/firmware-manager

Huge Survey of Firmware Finds No Security Gains in 15 Years


August 14, 2019 09:17 by Paul Roberts

A survey of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, Netgear and other major vendors.[…]

See-also:
https://cyber-itl.org/2018/12/07/a-look-at-home-routers-and-linux-mips.html

imgtool – from Android Internals Volume II

Still working on Volume II of Android Internals. Haven’t forgotten y’all. And there’s updates on EFI file format, etc in the update to Volume I that I am preparing… […]

The imgtool utility is another one of the tools I’m including in my book, this time to accompany the chapter about the Boot process. I deal a lot with the internal format of images there, and realized I needed a quick extractor. This became more important when I started to deal with the L preview, and Google Glass system images I used for research. Included in V1.0 changes:
“[…]

  • Full support for EFI firmware files, SCAP, MacEFI images, etc – so now you can extract QCOM xbl/abl further!
  • ..And Apple’s (yep, Apple’s) T2 EFI images, Firmware.scap,etc:
    […]”

http://newandroidbook.com/tools/imgtool.html#V10

USBSamurai: remotely-controlled USB malware

Re: https://firmwaresecurity.com/2018/06/25/wifi-hid-injector-an-usb-rubberducky-badusb-on-steroids/

USBSamurai — A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$

https://github.com/whid-injector/WHID (aka http://whid.ninja/ )

Zoncolan: How Facebook uses static analysis to detect and prevent security issues

https://engineering.fb.com/security/zoncolan/

https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/?verso=true

Hmm, have not found source code, please leave URL in Comment if you do:
https://github.com/facebookresearch?utf8=%E2%9C%93&q=Zoncolan&type=&language=

Intel seeks Offensive Security Researcher

I hadn’t heard of the Intel STORM org before, excerpt of a description from Wired magazine[1]:

Intel’s offensive security research team comprises about 60 people who focus on proactive security testing and in-depth investigations. STORM is a subset, about a dozen people who specifically work on prototyping exploits to show their practical impact.

https://jobs.intel.com/ShowJob/Id/2172583/Offensive%20Security%20Researcher

Apparently this group has a Twitter account but has not tweeted, and has a Github account but has no files:

https://github.com/intelstormteam

[1] https://www.wired.com/story/intel-meltdown-spectre-storm/

BiosUp: Download selected motherboard UEFI and BIOS automatically.

Biosup is a program designed to automate the sourcing and downloading of BIOS/UEFI from Various vendor websites. Using the config file, a user can manually set what chipset’s and vendor’s (between ASUS, ASROCK, GIGABYTE and MSI) they wish to download.

https://github.com/Rexzarrax/Biosup

See-also: UEFI-Spider

https://firmwaresecurity.com/2015/07/15/tool-review-uefi-spider-and-firmware_vault/

Xilinx: Design Advisory for Zynq UltraScale+ MPSoC/RFSoC: Encrypt Only Boot Mode – Unauthenticated Boot and Partition Headers

https://blog.f-secure.com/hardware-security-team-says-flawed-secure-boot-schemes-becoming-too-common/

https://www.xilinx.com/support/answers/72588.html

Eclypsium on Windows drivers

https://github.com/eclypsium/Screwed-Drivers

Yep, drivers, in general, are screwed. 🙂 Certified Windows drivers merely mean the drivers passed some basic tests. There are lots of gaps in how drivers are tested on Windows. (If Microsoft has open-sourced these tests, it would be helpful for researchers to find coverage gaps.) The UEFI SCTs are a minimum bar at feature testing, and have no security tests …and CHIPSEC only helps with security testing on Intel systems, not AMD nor ARM vendors. Does Linux have any equivalent tests for drivers, last time I looked into the LTP and some related projects it did not. Does Apple have tests like this for drivers?

Musings on the Microsoft Component Firmware Update (CFU) Protocol

Richard Hughes, of the Linux FWUpd project, has a new blog post about the new Microsoft UEFI update mechanism, CFU (Component Firmware Update):

https://github.com/microsoft/CFU

PS: When you see duplicate URLs in a post, like above, it is because the WordPress web UI for pasting URLs is broken. 😦