This article explores PCI Expansion ROM (or Option ROM) execution within UEFI and walks through a practical scenario of using Option ROM code to modify SMM. In order to accomplish this goal we relax the security within EDK2. Note that this article does not reveal any security weaknesses. We begin with how to create a QEMU/OVMF/iPXE testing environment that boots Fedora with UEFI Secure Boot enabled and measures the pre-OS environment using a software TPM2. We then install an SMI handler by modifying our iPXE EFI Option ROM, which is the same as a DXE driver run during Boot Device Select (BDS). Finally, we again modify our Option ROM code and overwrite and reliably ‘shim’ an existing SMI’s handler with our own.[…]
BitLeaker is a new tool for extracting the VMK and mounting a BitLocker-locked partition. BitLeaker uses the TPM vulnerability, CVE-2018-6622 for a discrete TPM and related vulnerability for a firmware TPM. They are related to the S3 sleeping state of Advanced Configuration and Power Interface (ACPI) and can reset the TPMs. If you want the detailed information about CVE-2018-6622 and a vulnerability checking tool, please read our USENIX paper, A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping and Black Hat Asia presentation, Finally, I Can Sleep Tonight: Catching Sleep Mode Vulnerabilities of the TPM with Napper.
This repository contains a set of tools and proof of concepts related to PCI-E bus and DMA attacks. It includes HDL design which implements software controllable PCI-E gen 1.1 endpoint device for Xilinx SP605 Evaluation Kit with Spartan-6 FPGA. In comparison with popular USB3380EVB this design allows to operate with raw Transaction Level Packets (TLP) of PCI-E bus and perform full 64-bit memory read/write operations. To demonstrate applied use cases of the design, there’s a tool for pre-boot DMA attacks on UEFI based machines which allows executing arbitrary UEFI DXE drivers during platform init. Another example shows how to use pre-boot DMA attacks to inject Hyper-V VM exit handler backdoor into the virtualization-based security enabled Windows 10 Enterprise running on UEFI Secure Boot enabled platform. Provided Hyper-V backdoor PoC might be useful for reverse engineering and exploit development purposes, it provides an interface for inspecting of hypervisor state (VMCS, physical/virtual memory, registers, etc.) from guest partition and perform the guest to host VM escape attacks.
We have just made the “SEC Xtractor” tool (SEC Consult’s hardware exploitation and firmware extraction tool) open-source! It comes with an easy to use and configurable memory reading concept that supports multiple ways to read flash chips (e.g. NAND chips). As its firmware and hardware are completely open-source, it can be easily extended. Interface identification is another requirement that was fulfilled by integrating JTAG brute-forcing and UART scanning. It can also be used as an OpenOCD adapter and it provides two UART-to-USB bridges. Most devices require anything between 1.8 and 5.5 volts, which is supported by the SEC Xtractor.[…]
SEC Xtractor (Hardware)
SEC Xtractor (Firmware)
There is another UEFI game available, that’s over a dozen I think:
For those getting into RISC-V security, here’s some examples that might be useful:
The IoT Security Rating, which is based on UL’s IoT Security Top 20 Design Principles, aims to serve two purposes:
1) Help manufacturers and developers improve the security posture of their solutions by leveraging proven security best practices
2) Rate the security posture of IoT solutions in order to make security more transparent and accessible to consumers.
I wish these logos had more specifics, like what boot security technologies are available.
DMTF has a relatively-new Redfish project, with tools (currently 6 Python-based tools) that’re useful for security researchers, system administrators, and firmware testers:
Sensor List (rf_sensor_list.py): walk a Redfish service and list sensor info
System Inventory (rf_sys_inventory.py): walk a Redfish service and list component information
Power/Reset (rf_power_reset.py): perform a power/reset operation of a system
Boot Override (rf_boot_override.py): perform a one time boot override of a system
Accounts (rf_accounts.py): manage user accounts on a Redfish service
Update (rf_update.py): perform an update with a Redfish service
Offered with no further comments, I’ve not yet had a chance to play this CTF yet…
“[…]Since 4.10 there were 1630 new commits by over 130 developers. Of these, about 30 contributed to coreboot for the first time.[…]
Verified Boot: The vboot feature that Chromebooks brought into coreboot was extended to work on devices that weren’t specially adapted for it: In addition to its original device family it’s now supported on various Lenovo laptops, Open Compute Project systems and Siemens industrial machines. Eltan’s support for measured boot continues to be integrated with vboot, sharing data structures and generally working together where possible.[…]”
Detailed blog post:
Videos for OSFC 2019, the Open Source Firmware Conference, are now online:
Slides are on the main site (on the schedule page, not yet on the archive page):
[…]Basically the UEFI consists a set of device drivers and core components from TianoCore. ACPI tables are copied from the Windows IoT iMX Project Mu Repo and stripped down. I chainload the UEFI from U-Boot. iMX does not enable unaligned memory access by default and this causes a lot of troubles in UEFI DXE and BDS phases.[…]
There is a Visual Studio Code plugin for working with Microsoft Project Mu:
There is also another VS Code plugin for working with EDK2, which appears to be about 3 months old:
Develop smoothly EDKII/UEFI:
* Add FDF syntax highlight and destionation
* Add DSC syntax highlight and destionation
* Add DEC syntax highlight and destionation
* Add INF syntax highlight and destionation
* Add UNI syntax highlight
* Add VFR syntax highlight
Coatia Software’s Sourcetrail is a source explorer for Linux/Windows/Mac which “uses static analysis on C, C++, Java and Python source code and lets you navigate the collected information within a user interface that interactively combines graph visualization and code display.” This closed-source codebase is now open-source.
It appears training materials that used to be on Github are no longer there, unsure why. Hopefully it has moved (from the “Advanced-Threat-Research” top-level Github project and moved to some Intel/McAfee/Eclypsium project, and I just don’t know the new URL.
As I understand it, the training was created by Intel employees, mostly from the CHIPSEC team, before many of the CHIPSEC team left to create Eclypsium, and also during the Intel/McAfee split of Intel Advanced Threat Research. I have a copy of the Github project that’s been taken down somewhere, in case the authors at (Intel, McAfee, Eclypsium) mistakenly deleted it and want a copy.
The current CHISPEC team offers training, but appears to use a different set of of materials, which are online:
Even if you don’t have a SourcePoint hardware debugger, you’ll probably still get a benefit from reading this 45-chapter blog post series.
Over the last two and a half years, I’ve intermittently chronicled my explorations into some fairly esoteric technical topics, using the MinnowBoard Turbot board as a platform. And yes, time flies, and I’ve covered a lot of ground. All 45 chapters are listed below. Enjoy!
Click on the URL in the above Twitter URL, as WordPress chokes on Github Gist URLs.
David Malcolm of Red Hat has submitted a 49-part patch to GCC which gives GCC a static analysis feature:
This patch kit introduces a static analysis pass for GCC that can diagnose various kinds of problems in C code at compile-time (e.g. double-free, use-after-free, etc). The analyzer runs as an IPA pass on the gimple SSA representation. It associates state machines with data, with transitions at certain statements and edges. It finds “interesting” interprocedural paths through the user’s code, in which bogus state transitions happen.[…\