Joe Grand: Tools of the Hardware Hacking Trade

Joe Grand of Grand Idea Studio gave a presentation on “Tools of the Hardware Hacking Trade” a few weeks ago at RSA Conference:

“Embedded systems are pervasive in our society and many contain design flaws that can lead to exploitable vulnerabilities. In this session, Joe Grand examines common hardware tools used during the hacking and reverse engineering of electronic products, including those that monitor/decode digital communications, extract firmware, inject/spoof data, and identify/connect to debug interfaces.”

Joe Grand, a former member of the hacker collective L0pht Heavy Industries, is the founder of Grand Idea Studio, Inc, a company that specializes in the invention and licensing of consumer devices and modules for electronics hobbyists. The presentation is a nice look at current tools available for firmware/hardware hacking, from the security researcher perspective, for those of you who haven’t already created your ‘hardware hacking lab’. 🙂

I don’t know of any better resource lists of this kind with a security focus. For books, there’s a chapter in Wiley’s “Android Hacker’s Handbook” that is similar. Alas, I didn’t find any audio/video archives, only the presentation. Most of the other hardware tool documentation I’ve found is Maker-focused, not security-focused.

More Information:

http://www.grandideastudio.com

hta-w04-tools-of-the-hardware-hacking-trade_final.pdf (presentation slides)

https://www.rsaconference.com/events/us15/agenda/sessions/1619/tools-of-the-hardware-hacking-trade

More Info on UEFI 2.5 HTTP Boot Implementations

Earlier, I made a blog post on UEFI 2.5’s new HTTP Boot feature. At that time, I was unaware of some details, such as whether this feature will be implemented in TianoCore, or only in commercial products. HP gave a talk at the Spring UEFI Forum on UEFI 2.5 HTTP Boot (to replace PXE) and DMTF Redfish (to replace IPMI), so I presume some new HP products will have these new features soon, if not already. On the EFI development list, I asked a question about TianoCore and vendor support of UEFI HTTP Boot, as well as DMTF Redfish, and got two replies, one from Intel and one from HP.

Ye Ting of Intel replied and said:

“Intel is working on implementation of UEFI 2.5 HTTP boot support.”

Samer El-Haj-Mahmoud of HP also replied, and said:

“Both HTTP Boot and Redfish are very new standards. HTTP Boot got standardized as part of UEFI 2.5 in March. Redfish is still not even 1.0 (last published spec is 0.96.0a, with a target 1.0 spec sometime this month according to DMTF). It is expected that implementation will take some time to catch up to the spec. At the same time, PXE and IPMI have been there for quite some time, are implemented across the board on servers (and many clients), and are already in wide use. I do not expect them to go away anytime soon. But the goal is to switch over to HTTP and Redfish/REST over time, especially as they enable new use cases and capabilities that were not possible (or easy to do) before. The first step though is to get the specs implemented. As Ting explained, Intel is working on UEFI 2.5 HTTP Boot implementation (that I expect will show up in EDK2. I see the header files submitted already). DMTF is also working on a Redfish mockup/simulator that can be used to exercise clients. HP ProLiant Gen9 servers already support proprietary flavors of both HTTP Boot (or “Boot from URL”) and Redfish (or the “HP RESTful API”). I do not know of any other servers that implement such technologies at this time.”

So, it sounds like HP is the only vendor that supports UEFI HTTP Boot at the moment, and Intel is working on an implementation. If Intel’s implementation is part of TianoCore, other vendors may use it.

I’m looking forward to a TianoCore implementation, as well as DMTF’s Redfish simulator.

Thanks to Ye Ting and Samer El-Haj-Mahmoud for the answers!

CHIPSEC v1.2.0 Released

The Intel CHIPSEC team just posted the latest version of CHIPSEC, 1.2.0. An excerpt of the release notes is below; see the full text, including known issues, on the GitHub site:

New/updated modules:
* Merged common.secureboot.keys module into common.secureboot.variables module
* Updated tools.secureboot.te module to be able to test PE/TE issue on Linux or UEFI shell
* Updated tools.smm.smm_ptr module

Updates:
* Added the *controls* abstraction. Modules are encouraged to use “get_control” and “set_control” when interacting with platform registers. This permits greater flexibility in case the register that controls a given feature or configuration changes between platform generations. The controls are defined in the platform XML file. At this time, only a small number of controls are defined. We plan to move existing modules over to this new mechanism.
* Added XML Schema for the XML configuration files
* Support for reading, writing, and listing UEFI variables from the UEFI Shell environment has been added.
* Added support for decompression during SPI flash parsing via the “decode” or “uefi decode” commands in Linux
* Added basic ACPI table parsing to HAL (RSDP, RSDT/XSDT, APIC, DMAR)
* Added UEFI tables searching and parsing to HAL (EFI system table, runtime services table, boot services table, DXE services table, EFI configuration table)
* Added DIMM Serial Presence Detect (SPD) ROM dumping and parsing to HAL
* Added “uefi s3bootscript” command for parsing the S3 boot script to chipsec_util.py
* Added virtual-to-physical address translation function to Linux/EFI/Windows helpers
* Added support of server platforms (Haswell server and Ivy Town) to chipset.py
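To illustrate the controls abstraction described in the release notes, here is an added example of how a control defined in a platform XML file can decouple a module’s check from the register that implements it. This is illustrative code written for this post, not CHIPSEC’s own implementation, and the XML schema, register offsets and control names are constructed for the example.

```python
# Added illustration of a "controls" layer: modules ask for a named control,
# and the platform XML decides which register and bit field backs it.
# The XML below is constructed for this example; it is not CHIPSEC's schema.
import xml.etree.ElementTree as ET

# Constructed "generation A": both lock bits live in one byte-wide register.
PLATFORM_A_XML = """
<platform name="constructed_gen_a">
  <registers>
    <register name="BC" desc="BIOS Control" offset="0xDC" size="1">
      <field name="BLE" bit="1" size="1"/>
      <field name="SMM_BWP" bit="5" size="1"/>
    </register>
  </registers>
  <controls>
    <control name="BiosLockEnable" register="BC" field="BLE"/>
    <control name="SmmBiosWriteProtect" register="BC" field="SMM_BWP"/>
  </controls>
</platform>
"""

# Constructed "generation B": the same controls moved to another register/bits.
PLATFORM_B_XML = """
<platform name="constructed_gen_b">
  <registers>
    <register name="BIOS_SPI_BC" offset="0xA0" size="1">
      <field name="LE" bit="0" size="1"/>
      <field name="SMM_BWP" bit="7" size="1"/>
    </register>
  </registers>
  <controls>
    <control name="BiosLockEnable" register="BIOS_SPI_BC" field="LE"/>
    <control name="SmmBiosWriteProtect" register="BIOS_SPI_BC" field="SMM_BWP"/>
  </controls>
</platform>
"""

class Chipset:
    """Minimal model: a simulated register space plus control lookup."""
    def __init__(self, xml_text, regs):
        root = ET.fromstring(xml_text)
        self.registers = {r.get("name"): r for r in root.iter("register")}
        self.controls = {c.get("name"): c for c in root.iter("control")}
        self.regs = regs  # simulated storage: register offset -> byte value

    def _locate(self, control):
        # Resolve control name -> (register offset, field bit, field width).
        c = self.controls[control]
        reg = self.registers[c.get("register")]
        field = next(f for f in reg.iter("field") if f.get("name") == c.get("field"))
        return int(reg.get("offset"), 16), int(field.get("bit")), int(field.get("size"))

    def get_control(self, name):
        offset, bit, size = self._locate(name)
        return (self.regs.get(offset, 0) >> bit) & ((1 << size) - 1)

    def set_control(self, name, value):
        offset, bit, size = self._locate(name)
        mask = ((1 << size) - 1) << bit
        self.regs[offset] = (self.regs.get(offset, 0) & ~mask) | ((value << bit) & mask)
        return self.regs[offset]

def bios_write_protection_ok(cs):
    """Module-style check that works unchanged across both constructed platforms."""
    return cs.get_control("BiosLockEnable") == 1 and cs.get_control("SmmBiosWriteProtect") == 1
```

The same bios_write_protection_ok check runs against either platform description because the register plumbing lives in the XML, which is the flexibility the release note is describing.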

More Information:

https://github.com/chipsec/chipsec

UEFI Advanced Security Settings for Microsoft Surface devices

A while ago, Mark Morowczynski of Microsoft wrote a blog post, “How to Manage Surface Pro 3 UEFI Through PowerShell”. In the post, he describes advanced UEFI security configuration options for the Microsoft Surface, such as enabling/disabling the cameras, WiFi, Bluetooth and Network Boot. There’s also information about using PowerShell to configure UEFI settings, scaling to control “tens of thousands” of Surface devices.

IMO, this is a nice use of UEFI to configure security settings, I hope other OEMs and OS vendors enable this kind of granularity to configure their systems. I also hope malware authors don’t exploit this ability to scale to all Surface devices in an enterprise with a single PowerShell command. 🙂

More information:

http://blogs.technet.com/b/askpfeplat/archive/2015/04/20/how-to-manage-surface-pro-3-uefi-through-powershell.aspx
https://technet.microsoft.com/en-us/windows/dn965440

VMWare partners with Intel Security for cloud IPS service

A few days ago, VMware announced a solution with Intel/McAfee for additional security. The McAfee Network Security Platform (NSP) service will be providing Intrusion Prevention Services (IPS) for their data center. McAfee was acquired by Intel Security. It wasn’t clear from the press release how virtual firmware is impacted by this new security service.

“This collaboration between VMware and Intel Security delivers clear value for our mutual customers, enabling them to have consistently high levels of threat protection for traffic both inside the data center and at the data center perimeter. The tight integration between VMware NSX and Intel Security’s McAfee NSP means security controls follow application workloads, allowing customers to dynamically scale security services,” said Tom Corn, Senior Vice President, Security Products, VMware.

“With the Intel Security and VMware integration, McAfee NSP provides integration within VMware NSX to allow customers to apply advanced security capabilities for the protection of east-west traffic in the data center, which makes up the majority of traffic in these environments. The McAfee NSP takes advantage of the VMware NSX platform’s distributed micro-segmentation enforcement and simplified automated provisioning, creating a zero-trust environment to automatically help protect organizations’ assets against advanced threats,” said Raja Patel, General Manager for the Network Security Business Unit, Intel Security.

More Information:

http://www.vmware.com/company/news/releases/vmw-newsfeed/Intel-Security-and-VMware-Announce-Intgrated-Solution-For-Automating-And-Accelerating-Advanced-Security-Services-Deployment/2892242-manual

VZ recent blog posts

Vincent Zimmer of Intel has been busy blogging the last few days… 🙂

His personal blog has a few topics related to UEFI. He talks about evolving EFI-based protocols, using hardware interrupts in UEFI’s polled driver model, MdePkg library design, and Intel TXT along with Secure Boot and Measured Boot, and posts a remembrance of George Cox, a former Intel employee who recently passed away.

At work, Vincent wrote a post for the Intel Firmware blog. In it, he covers some background on the “Beyond BIOS” white paper series that they’ve been doing for a decade.

(These are both blogs I follow, and I’ll list on the blogroll once I figure out how to use WordPress to expose the blogroll.)

There are MANY links in these two blog posts, and a few of them are new. Worth reading, if you care about UEFI on Intel.

More Information:

http://vzimmer.blogspot.com/2015/06/guids-revisions-interrupts.html
http://vzimmer.blogspot.com
http://firmware.intel.com/blog/beyond-bios
http://firmware.intel.com/blog

LegbaCore Summer Tour announced

LegbaCore, one of the main BIOS security research firms around, has updated their web site to include calendar information about their upcoming presentations and training for the Summer and early Fall.

They will be at HITB Singapore giving BIOS training in October. They’ll be speaking at BlackHat/DEFCON on Mac firmware attacks. They’ll be giving “Understanding x86-64 Assembly for Reverse Engineering and Exploits” training at BlackHat USA. They’ll be giving a talk at SummerCon entitled “How Many Million BIOSes Would You Like to Infect?”: “This talk will detail the result of our 1 month effort to infect the BIOS of every business class system we could get our hands on.”

They’ve also updated their Training resources. They now have *SIX* full days of BIOS/UEFI training!

More Information:

http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
https://www.blackhat.com/us-15/training/understanding-x86-64-assembly-for-reverse-engineering-and-exploits.html
http://www.legbacore.com/News.html
http://www.legbacore.com/Training.html
http://www.summercon.org/presentations.html#bioses

PC Advisor article on BIOS Updating for Windows users

Jim Martin wrote an article in PC Advisor earlier this week:

“How to update your BIOS: get the latest features and fixes for your PC and laptop.”

The article is a beginner’s introduction to how to update your BIOS, for Windows users. If you’re new to updating your BIOS, you might benefit from reading this!

More Information:

http://www.pcadvisor.co.uk/how-to/pc-upgrades/how-update-your-bios-3428662/

SecuringHardware.com courses

I just became aware of another training resource for hardware security: Portland, Oregon-based Hardware Security Resources, LLC, run by Joe FitzPatrick.

“Before starting SecuringHardware.com, he was a Security Researcher with Intel’s Security Center of Excellence where he conducted hardware penetration testing of desktop and server microprocessors, as well as security validation training for functional validators worldwide.”

I hope I get to see some of this training, the course catalog looks impressive!

More Information:

https://securinghardware.com/course-catalog/

Fedora proposal for UEFI 2.5 Capsule Update support

As reported on Fedora devel-announce and on Softpedia, a proposal has been submitted for Red Hat’s Fedora to support UEFI Capsule Updates via UEFI 2.5’s ESRT (EFI System Resource Table).

“This adds the ability to perform updates of system firmware, as well as some peripheral firmware, on machines supporting the UEFI Capsule Update mechanism and UEFI 2.5’s “ESRT” feature. Right now this is generic support—the number of machines for which we actually have firmware updates available is very small, as the underlying technology is quite new—and it doesn’t include any actual delivery mechanism for such firmware images. But if they’re put at the right place for fwupd to notice them, and the system supports the right features, they’ll show up as updates in gnome-software.”

It will be very interesting to see how different distributions expose firmware updates to users.

More Information:

http://news.softpedia.com/news/Fedora-23-Linux-Might-Allows-Users-to-Perform-Firmware-Updates-on-UEFI-Machines-483390.shtml
https://lists.fedoraproject.org/pipermail/devel-announce/2015-June/001595.html
https://fedoraproject.org/wiki/Changes/SystemFirmwareUpdates

AMI MegaRAC SP-X for POWER8

AMI (American Megatrends, Inc.), one of the original PC BIOS vendors, just joined the OpenPOWER Foundation. AMI’s “MegaRAC SP-X for POWER8” product was launched in support of TYAN’s first non-IBM branded OpenPOWER commercial server, which they’re demoing at COMPUTEX TAIPEI this week. MegaRAC SP-X for POWER8 includes server firmware technology. Excerpts from their PR:

“AMI joins a growing roster of technology organizations working collaboratively to build advanced server, networking, storage and acceleration technology as well as industry-leading open source software aimed at delivering more choice, control and flexibility to developers of next-generation, hyperscale and cloud data centers. The group makes POWER hardware and software available to open development for the first time, as well as making POWER intellectual property licensable to others, greatly expanding the ecosystem of innovators on the platform. AMI has been working with IBM and other OpenPOWER Foundation members like Tyan to develop enterprise server and networking solutions for next-generation data centers that integrate IBM POWER CPUs and AMI MegaRAC(R) Remote Management Firmware / Software Solutions.”

“MegaRAC(R) SP-X for POWER8 is a powerful development framework for server management solutions composed of firmware and software components, based on industry standards like IPMI 2.0, SMASH, Serial over LAN (SOL) and key serviceability features like remote presence, CIM profiles and advanced automation. MegaRAC SP-X features a high level of modularity, with the ability to easily configure and build the firmware image by selecting features using an intuitive graphical development tool chain. These features are available in independently maintained packages, for superior manageability of the firmware stack.”

More Information:

http://www.openpowerfoundation.org
http://www.ami.com

http://www.ami.com/news/press-releases/?PressReleaseID=314&/American%20Megatrends%20Joins%20OpenPOWER%20Foundation,%20Brings%20Expertise%20on%20Server%20and%20Data%20Center%20Management%20to%20COMPUTEX%20TAIPEI/

Firmware Test Suite 15.06.00 released

Today Alex Hung of Canonical announced the availability of FWTS (FirmWare Test Suite) version 15.06.00. FWTS is useful for determining whether your system’s hardware/firmware is working as it should. Besides command line tests, it has a curses front-end UI and an FWTS-live distribution; FWTS tests are also included in LUVos (Linux UEFI Validation), though I’m not sure if LUV is synced to the latest FWTS yet.

New Features:
  * lib: acpi: add an acpi category
  * live-image/fwts-frontend-text: add selections of acpi and uefi tests
  * acpi: add tests to acpi category
  * acpi: fwts-tests: Remove redundant tailing space and update fwts-tests
  * auto-packager: mkpackage.sh: remove lucid
  * auto-packager: mkpackage.sh: add wily
  * acpi: Add SPCR ACPI table check (LP: #1433604)
  * dmi: dmicheck: add 4 new DMI chassis types

More Information:

http://fwts.ubuntu.com/release/fwts-V15.06.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/15.06.00
https://launchpad.net/ubuntu/+source/fwts

Spring Plugfest presentations uploaded

The PDFs of the presentations from last month’s UEFI Forum plugfest have been uploaded to uefi.org.

http://www.uefi.org/learning_center/presentationsandvideos
(scroll about half-way down the page, past the YouTube videos…)

* System Prep Applications – Powerful New Feature in UEFI 2.5 – Kevin Davis (Insyde Software)
* Filling UEFI/FW Gaps in the Cloud – Mallik Bulusu (Microsoft) and Vincent Zimmer (Intel)
* PreBoot Provisioning Solutions with UEFI – Zachary Bobroff (AMI)
* An Overview of ACPICA Userspace Tools – David Box (Intel)
* UEFI Firmware – Securing SMM – Dick Wilkins (Phoenix Technologies)
* Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot – Gabe Stocco, Scott Anderson and Suhas Manangi (Microsoft)
* Porting a PCI Driver to ARM AArch64 Platforms – Olivier Martin (ARM)
* Firmware in the Data Center: Goodbye PXE and IPMI. Welcome HTTP Boot and Redfish! – Samer El-Haj-Mahmoud (Hewlett Packard)
* A Common Platforms Tree – Leif Lindholm (Linaro)

This’ll be a very short blog, as I’m busy reading 9 new PDFs… 🙂 I’ll do blogs on some of these specific presentations in the coming days.

Apple UEFI bootkit

There are stories on multiple news sites today about a UEFI firmware bug in Apple systems, found by security researcher Pedro Vilaça (@osxreverser), that is somewhat similar to Thunderstrike.

According to Dennis Fisher’s story at Threatpost, “The vulnerability can be exploited remotely, Vilaca said.” Threatpost also states: “He added that he believes Apple may know about this vulnerability already, as it doesn’t seem to be present on machines sold after about the middle of 2014.”

If you have Apple — or perhaps other UEFI-based — hardware, you should follow this story!

More information:

Firmware Bug in OSX Could Allow Installation of Low-Level Rootkits (Threatpost)
http://www.pcworld.com/article/2929172/apple-vulnerability-could-allow-firmware-modifications-researcher-says.html
http://www.securityweek.com/efi-zero-day-exposes-macs-rootkit-attacks-researcher

coreboot and Chrome OS upstreaming

I mainly work with UEFI technology, and don’t know much about coreboot, nor Chrome OS. I’m new to these technologies, and learning them… 🙂

For a while, I thought coreboot was pretty inactive, but I now realize much of the coreboot activity has been taking place in Chrome OS. It appears that some of this work is now being upstreamed to the main coreboot.

From the coreboot blog:

“In the last months there was lots of activity in the coreboot repository due to upstreaming the work that was done in Chrome OS’ branch. We’re happy to announce that both code bases are again relatively close to each other. In the last 7 months, about 1500 commits that landed in coreboot originated in Chrome OS’ repository (of about 2600 total). Those came from 20 domains, which represent pretty much every part of the coreboot community: well known private and commercial coreboot contributors, but also BIOS and silicon developers as well as device manufacturers. Significant contributions that went into the tree recently were written with active support by Broadcom, Imagination Technologies, Intel, Marvell, Nvidia, Qualcomm, and RockChip.”

“In the future, Chrome OS will move over to a new branch point from upstream, and work on strategies to avoid diverging for two long years again. Instead, we’re looking for ways to keep the trees closer while also avoiding flooding the coreboot.org developer base with hundreds of patches. More on that as it is implemented.”

Recently added features include:
* new MIPS support
* improved ARM support, for SoCs by Broadcom, Marvell, Qualcomm, and RockChip
* an improved, safer method to declare the memory map on devices
* effort to get Chrome OS’ verified boot support
* update the flash image format to allow for safer incremental updates

This looks like great news for coreboot! I’ll have more blog entries about coreboot and Chrome OS in the near future.

More Information:

Report on Chrome OS upstreaming (coreboot blog)
http://coreboot.org/
http://www.chromium.org/chromium-os/2014-firmware-summit
https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot