Intel ATR releases UEFI firmware training materials!

Good news: the Intel Advanced Threat Research (ATR) team has release some of their UEFI security training materials!

This repository contains materials for a hands-on training ‘Security of BIOS/UEFI System Firmware from Attacker and Defender Perspectives’. A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

0 Introduction to Firmware Security
1 BIOS and UEFI Firmware Fundamentals
2 Bootkits and UEFI Secure Boot
3 Hands-On Platform Hardware and Firmware
4 System Firmware Attack Vectors
5 Hands-On EFI Environment
6 Mitigations
7 System Firmware Forensics
N Miscellaneous Materials



FWTS 17.05.00 released

Ivan Hu of Canonical announced the 17.05.00 release of FWTS.

New Features:
  * Support SMBIOS 3.1.1 tests
  * dmi: dmicheck: check new offset in spec 3.11
  * dmi: dmicheck: check reserved bits of Type 7 offset 0x5
  * dmi: dmicheck: check reserved bits of Type 7 offset 0xd
  * dmi: dmicheck: add a function to verify reserved bits
  * dmi: dmicheck: add a helper function to check word min/max value
  * dmi: dmicheck: check pci(e) slot and segment, bus and dev/func
  * dmi: dmicheck: check reserved bits of offset 0x5 in type 13
  * dmi: dmicheck: add a helper function to check a reserved offset
  * dmi: dmicheck: check reserved bits in type 15 & type 17
  * dmi: dmicheck: check reserved fields in type 22, 23, 30, 32, 38 and 39
  * dmi: dmicheck: add 64-bit integer to dmi_reserved_bits_check
  * dmi: dmicheck: add checks for new type 43
  * dmi: dmicheck: check reserved bits in Type 0
  * fwts/opal: Power management DT Validation tests.
  * fwts/opal: Reserved memory DT validation tests.
  * Add snapcraft rules to build a fwts snap

See the list of bugfixes in the full announcement.



NEZHA fuzzer open-sourced

NEZHA is an evolutionary-based efficient and domain-independent differential testing framework developed at Columbia University. NEZHA exploits the behavioral asymmetries between multiple test programs to focus on inputs that are more likely to trigger semantic bugs. NEZHA features several runtime diversity-promoting metrics used to generate inputs for multi-app differential testing.[…]




initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection

initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection
By Roee Hay (@roeehay)
In the May 2017 Android Security Bulletin, Google released a patch to a critical and unique vulnerability CVE-2016-10277 in the Nexus 6 bootloader we had found and responsibly disclosed. By exploiting the vulnerability, a physical adversary or one with authorized-ADB/fastboot USB access to the (bootloader-locked) device (such as PC malware awaiting for an ADB-authorized developer’s device to be hooked via USB) could break the Secure/Verified Boot mechanism, allowing him to gain unrestricted root privileges, and completely own the user space (which may also lead much more), by loading a tampered or malicious initramfs image. Moreover, exploitation does not lead to a factory reset hence user data remains intact (and still encrypted). It should be noted that we do not demonstrate an untethered attack. During this research we also uncovered a 18-year-old Linux Kernel bug (not affecting Nexus 6 and probably does not affect any Android device): CVE-2017-1000363[…]



MASCAB: a Micro-Architectural Side-Channel Attack Bibliography

MASCAB: a Micro-Architectural Side-Channel Attack Bibliography
Cryptography is a fast-moving field, which is enormously exciting but also quite challenging: resources such as the IACR eprint archive and CryptoBib help, but even keeping track of new results in certain sub-fields can be difficult, let alone then making useful contributions. The sub-field of micro-architectural side-channel attacks is an example of this, in part as the result of it bridging multiple disciplines (e.g., cryptography and computer architecture). I’ve found this particularly challenging (and so frustrating) over say the last 5 years; the volume of papers has expanded rapidly, but the time I’d normally allocate to reading them has been eroded by other commitments (as evidenced by a pile of printed papers gathering dust on my desk). In the end, I decided to tackle this problem by progressively a) collating papers I could read, then b) reading them one-by-one, but in no particular order, and attempting to summarise their contribution (and so organise the sub-field as a whole in my head). MASCAB is the result: after starting to advise MSc and PhD students on how to navigate the sub-field, it seems likely to be of use to others as well.[…]



PCILeech 2.0 released