Python 3.8 gets more security

PEP 578 — Python Runtime Audit Hooks

PEP 551 — Security transparency in the Python runtime

EU Patent Office refuses secure booting patent

The European Patent Office refused to grant a software patent on a method of managing booting of secure devices with untrusted software. The decision was appealed successfully and the case was remitted to the Examining Division. Here are the practical takeaways of the decision T 1563/17 (Booting untrusted software) of 7.5.2019:[…]

Don’t read this if you’re an engineer at a company which has a policy that requires employees not read anything about other company’s patents:

P1 Security: QCSuper: a tool for capturing your 2G/3G/4G air traffic on Qualcomm-based phones

Lately, I have been playing with a 3G dongle – a small USB device enabling to connect to the mobile Internet. I have discovered that most USB dongles with a Qualcomm processor exposed a special diagnostic protocol, called Diag (or DM, or QCDM – for Qualcomm Diagnostic monitor).But I have also discovered that this proprietary protocol was also present inside Android phones (through a device called /dev/diag) and it allowed a couple good things, such as obtaining raw captures of network air traffic or, in older models, reading/writing at arbitrary offsets of the radio chip’s memory (!). Today, we are proud to present QCSuper, an open-source tool that will enable you to passively capture raw 2G/3G/4G frames produced by your rooted Qualcomm-based Android phone or dongle, and produce a PCAP analyzable using Wireshark (in addition to a couple other input/output formats).[…]

Rompar: Semi-automatic extraction of data from microscopic images of Masked ROM

Rompar is an interactive tool for extracting bianry data out of mask ROM images. The computer vision method implemented is rather simple, but has proven useful in several projects. There is still a lot that can be added to rompar, and pull requests are welcome.

pyba2: Python tools for Beyond Architecture 2 firmware analysis

Aleph Research has another blog post on ZigBee, and they’ve created a Radare2 plugin to help!

MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation

OS fuzzers primarily test the system call interface between the OS kernel and user-level applications for security vulnerabilities. The effectiveness of evolutionary OS fuzzers depends heavily on the quality and diversity of their seed system call sequences. However, generating good seeds for OS fuzzing is a hard problem as the behavior of each system call depends heavily on the OS kernel state created by the previously executed system calls. Therefore, popular evolutionary OS fuzzers often rely on hand-coded rules for generating valid seed sequences of system calls that can bootstrap the fuzzing process. Unfortunately, this approach severely restricts the diversity of the seed system call sequences and therefore limits the effectiveness of the fuzzers. In this paper, we develop MoonShine, a novel strategy for distilling seeds for OS fuzzers from system call traces of real-world programs while still maintaining the dependencies across the system calls. MoonShine leverages light-weight static analysis for efficiently detecting dependencies across different system calls. We designed and implemented MoonShine as an extension to Syzkaller, a state-of-the-art evolutionary fuzzer for the Linux kernel. Starting from traces containing 2.8 million system calls gathered from 3,220 real-world programs, MoonShine distilled down to just over 14,000 calls while preserving 86% of the original code coverage. Using these distilled seed system call sequences, MoonShine was able to improve Syzkaller’s achieved code coverage for the Linux kernel by 13% on average. MoonShine also found 14 new vulnerabilities in the Linux kernel that were not found by Syzkaller.

nanoprintf: a tiny embeddable printf replacement written in C89/C99

nanoprintf is an implementation of snprintf and vsnprintf for embedded systems that aims for C11 standard compliance. nanoprintf makes no memory allocations, uses less than 100 bytes of stack, and is smaller than 5KB of ARM Cortex-M object code when optimized with all the bells and whistles turned on (slightly larger on x64, where you don’t want to use it anyway). nanoprintf is a single header file in the style of the stb libraries. The rest of the repository is tests and scaffolding and not required for use. nanoprintf is written in C89 for maximal compiler compatibility. C99 or C++11 compilers are required (for uint64_t and other types) if floating point conversion or large modifiers are enabled. nanoprintf does include standard headers but only uses them for types and argument lists; no calls are made into stdlib / libc, with the exception of any internal double-to-float conversion ABI calls your compiler might emit. nanoprintf is statically configurable so users can find a balance between size, compiler requirements, and feature set. […]

Debian 10 released, with Secure Boot

[…]The UEFI (“Unified Extensible Firmware Interface”) support first introduced in Debian 7 (code name “wheezy”) continues to be greatly improved in Debian 10 “buster”. Secure Boot support is included in this release for amd64, i386 and arm64 architectures and should work out of the box on most Secure Boot-enabled machines. This means users should no longer need to disable Secure Boot support in the firmware configuration.[…]

Hmm, above URL generates an error on the resulting page, but the MARC and Mail-Archive links work, the latter rendered better. The Debian page also wrongly points to the now-dead GMane site, two Debian bugs that need to get fixed…

Which smart bulbs should you buy (from a security perspective)

Matthew has a new blog post about smart lightbulb security:

People keep asking me which smart bulbs they should buy. It’s a great question! As someone who has, for some reason, ended up spending a bunch of time reverse engineering various types of lightbulb, I’m probably a reasonable person to ask. So. There are four primary communications mechanisms for bulbs: wifi, bluetooth, zigbee and zwave. There’s basically zero compelling reasons to care about zwave, so I’m not going to.[…]

QEMU gets new machine type: microvm

Re: and

Microvm is a machine type inspired by both NEMU and Firecracker, and constructed after the machine model implemented by the latter. It’s main purpose is providing users a KVM-only machine type with fast boot times, minimal attack surface (measured as the number of IO ports and MMIO regions exposed to the Guest) and small footprint (specially when combined with the ongoing QEMU modularization effort). Normally, other than the device support provided by KVM itself, microvm only supports virtio-mmio devices. Microvm also includes a legacy mode, which adds an ISA bus with a 16550A serial port, useful for being able to see the early boot kernel messages.[…]

The Advanced Threats Evolution: REsearchers Arm Race, slides online

Alex Matrosov’s presentation is now online:’2019/offzone2019_keynote_public.pdf