
Manticore 0.1.4 released

https://github.com/trailofbits/manticore/blob/master/CHANGELOG.md#014—2017-08-18

https://github.com/trailofbits/manticore

Manticore: Symbolic execution for humans


New x86 microcode tool

https://github.com/RUB-SysSec/Microcode

“This repository contains a collection of x86 CPU microcode samples in binary and rtl form. The samples are compiled from scratch and specifically work with AMD’s K10 processor family.”


LLVM can now emit/parse/diff Windows PDBs

PDBs are the sidecar symbol files for Windows. The spec used to be private but is now public, and it is great to see Clang supporting them. Last time I looked, GCC did not support them.

http://blog.llvm.org/2017/08/llvm-on-windows-now-supports-pdb-debug.html


Cr4sh’s DmaHvBackdoor.c: Hyper-V backdoor for UEFI

Cr4sh is having fun with Windows Device Guard:

DmaHvBackdoor.c comments:

Part of UEFI DXE driver code that injects Hyper-V VM exit handler backdoor into the Device Guard enabled Windows 10 Enterprise. Execution starts from new_ExitBootServices() — a hook handler for EFI_BOOT_SERVICES.ExitBootServices() which is called by winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi transfers execution to previously loaded Hyper-V kernel (hvix64.sys) by calling winload!HvlpTransferToHypervisor(). To transfer execution to Hyper-V winload.efi uses a special stub winload!HvlpLowMemoryStub() copied to reserved memory page at constant address 0x2000. During runtime phase this memory page is visible to hypervisor core at the same virtual and physical address and has executable permissions which makes it a perfect place to store our Hyper-V backdoor code. VMExitHandler() is a hook handler for VM exit function of hypervisor core, it might be used for interaction between hypervisor backdoor and guest virtual machines.

WordPress chokes on GitHub gist-based URLs, so click on the initial Tweet above for the URL, or look for the entry that matches the date:


TPM microconf at 2017 Linux Plumbers Conference

Matthew Garrett has announced a TPM microconference at the upcoming Linux Plumbers Conference:

I’m pleased to say that after the success last year, there will be another TPM microconference at this year’s Linux Plumbers Conference. The current schedule has this taking place on Wednesday the 13th of September, so just under 4 weeks from now. We have a list of proposals for discussion at http://wiki.linuxplumbersconf.org/2017:tpms but please feel free to add more! I intend to finalise the schedule by the end of next week, so please do so as soon as you can. For those of you who weren’t there, the Linux Plumbers conference is an event dedicated to bringing together people working on various infrastructural components (the plumbing) of Linux. Microconferences are 3 hour long events dedicated to a specific topic, with the focus on identifying problems and having enough people in the room to start figuring out what the solutions should be – the format is typically some short presentations coupled with discussion.

From James Bottomley’s comments on the LPC entry on this microconf:

Following on from the TPM Microconference last year, we’re pleased to announce there will be a follow on at Plumbers in Los Angeles this year. The agenda for this year will focus on a renewed attempt to unify the 2.0 TSS; cryptosystem integration to make TPMs just work for the average user; the current state of measured boot and where we’re going; using TXT with TPM in Linux and using TPM from containers.

http://wiki.linuxplumbersconf.org/2017:tpms

http://www.linuxplumbersconf.org/2017/trusted-platform-module-microconference-accepted-into-the-linux-plumbers-conference/

Full text of Matthew’s email:
https://lists.sourceforge.net/lists/listinfo/linux-ima-devel


kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels


Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel, Thorsten Holz

26th USENIX Security Symposium, Vancouver, Canada, August 2017

Many kinds of memory safety vulnerabilities have been endangering software systems for decades. Amongst other approaches, fuzzing is a promising technique to unveil various software faults. Recently, feedback-guided fuzzing demonstrated its power, producing a steady stream of security-critical software bugs. Most fuzzing efforts—especially feedback fuzzing—are limited to user space components of an operating system (OS), although bugs in kernel components are more severe, because they allow an attacker to gain access to a system with full privileges. Unfortunately, kernel components are difficult to fuzz as feedback mechanisms (i.e., guided code coverage) cannot be easily applied. Additionally, non-determinism due to interrupts, kernel threads, statefulness, and similar mechanisms poses problems. Furthermore, if a process fuzzes its own kernel, a kernel crash highly impacts the performance of the fuzzer as the OS needs to reboot. In this paper, we approach the problem of coverage-guided kernel fuzzing in an OS-independent and hardware-assisted way: We utilize a hypervisor and Intel’s Processor Trace (PT) technology. This allows us to remain independent of the target OS as we just require a small user space component that interacts with the targeted OS. As a result, our approach introduces almost no performance overhead, even in cases where the OS crashes, and performs up to 17,000 executions per second on an off-the-shelf laptop. We developed a framework called kernel-AFL (kAFL) to assess the security of Linux, macOS, and Windows kernel components. Among many crashes, we uncovered several flaws in the ext4 driver for Linux, the HFS and APFS file system of macOS, and the NTFS driver of Windows.

https://www.syssec.rub.de/research/publications/kafl/

https://github.com/RUB-SysSec/kAFL
