Intel updates SGX documentation

https://twitter.com/aionescu/status/686664051582210049

https://software.intel.com/en-us/isa-extensions/intel-sgx

PDF: 319433-022.pdf

PDF: 329298-002.pdf

https://software.intel.com/en-us/sgx-sdk/documentation
https://software.intel.com/en-us/sgx-sdk-support/documentation

PDF: Software-Guard-Extensions-Enclave-Writers-Guide.pdf

PDF: Intel-SGX-SDK-Users-Guide-for-Windows-OS.pdf

PDF: Intel-SGX-SDK-Release-Notes-for-Windows-OS.pdf

PDF: Intel-SGX-SDK-Installation-Guide-for-Windows-OS.pdf

Alas, Windows only, no Linux or FreeBSD release, AFAICT. 😦


Nikon camera firmware tools

https://github.com/simeonpilgrim/nikon-firmware-tools
https://nikonhacker.com/wiki/Main_Page#Firmware_information
https://nikonhacker.com/index.php

Tools used during the reversing of the Nikon D5100 and D7000 firmware.
This site is the primary file hosting service used for the Nikon Hacker team's efforts.
The forums are at NikonHacker.com Forums.
The main wiki we use is hosted on NikonHacker.com Wiki.
The online patch tool is hosted at Online Patch Tool.

Clang hardening

While improving the documentation (d'oh!) of our home-grown obfuscator based on LLVM, we wrote a cheat sheet on clang's hardening features, and some of ld's. It turns out existing hardening guides generally focus on GCC, while Clang also has an interesting set of hardening features. So let's share it in this blog post!
Note0: Everything in this post is based on Clang/LLVM 3.7
Note1: Debian provides a very interesting hardening guide here: https://wiki.debian.org/Hardening
Note2: This post does not cover the use of ASan. Unlike the options presented here, it's unlikely to go into release builds, rather into debug builds.

http://blog.quarkslab.com/clang-hardening-cheat-sheet.html

Virt-Manager updated with UEFI (OVMF/AVMF) support

Virt-Manager, as of 1.2, has support for UEFI firmware (OVMF/AVMF)!

http://www.phoronix.com/scan.php?page=news_item&px=UEFI-OVMF-Virt-Manager-1.2
http://blog.wikichoon.com/2016/01/uefi-support-in-virt-install-and-virt.html
http://www.phoronix.com/scan.php?page=news_item&px=Virt-Manager-1.2-Released
https://www.redhat.com/archives/virt-tools-list/2015-May/msg00010.html
https://virt-manager.org/

I missed this news, but luckily Phoronix did not…

BTW, Virt-Manager is a SPICE client, and UEFI has some SPICE support. I don’t know what that means, I’ve been meaning to learn… 🙂 There is information on this in the below OVMF whitepaper:

http://www.spice-space.org/
http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt

bunnie seeking feedback on lowRISC usage

Quoting bunnie’s forum post:
It’s not quite got the specs to make a decent laptop — it’s missing graphics and SATA. The effective performance of a system built around this would feel much more sluggish than a Novena, which means it’ll be tough to use on a daily basis for productivity work. It does have tagged memory and minion cores, which means it’ll be great for security and some types of I/O; but there is no integrated Ethernet controller, so application in network stacks is limited. It is also going to be the first open-to-the-RTL processor you can buy, so maybe despite the limitations some people would prefer to use it as a primary computing solution, but wondering if there aren’t other niches this can occupy.

http://www.kosagi.com/forums/viewtopic.php?pid=2556
https://twitter.com/hashtag/lowRiscWish?src=hash

RISC-V/LowRISC update

The recent RISC-V workshop is over; the presentations are online, but the videos are not yet:

http://riscv.org/workshop-jan2016.html
http://riscv.org/

RISC-V and coreboot:

PDF: Tues1345 riscvcoreboot.pdf

RISC-V and UEFI:

PDF: Tues1415 RISC-V and UEFI.pdf

There is some post-workshop coverage here:
https://blog.riscv.org/2016/01/3rd-risc-v-workshop-presentations-breakouts/
http://www.lowrisc.org/blog/2016/01/third-risc-v-workshop-day-one/
http://www.lowrisc.org/blog/2016/01/third-risc-v-workshop-day-two/

Why I will be using RISC-V in my next chip

http://www.eetimes.com/document.asp?doc_id=1328620&

LowRISC, a project related to RISC-V, is also making progress. From the below EE Times article:

“The LowRISC project at the University of Cambridge is attracting interest as the likely first source of real development hardware. The team which includes members of the Raspberry Pi project hopes to have first silicon this year and plans to make development boards available in 2017, likely for $50-100.”

http://www.lowrisc.org/

http://www.eetimes.com/document.asp?doc_id=1328620&

I missed this news; it is interesting to see Google, HP, and Oracle getting involved with RISC-V.

http://www.eetimes.com/document.asp?doc_id=1328561&


Intel Skylake bug

Don’t do any “complex workloads” on your Skylake boxes until you get a BIOS update…

https://communities.intel.com/mobile/mobile-access.jspa#jive-content?content=%2Fapi%2Fcore%2Fv3%2Fcontents%2F524553

BIOS updates on the way to fix problem says Intel

Four days ago Intel reported that its engineering department had identified the issue which “only occurs under certain complex workload conditions… [when] the processor may hang or cause unpredictable system behaviour”. It has released a fix for the issue to hardware partners which will be distributed via BIOS updates for Skylake compatible motherboards. Now users will just have to wait for their motherboard vendors to publish BIOS updates with the Intel fix incorporated.

Full story:

http://hexus.net/tech/news/cpu/89636-intel-skylake-bug-seizes-pcs-running-complex-workloads/

You might want to check here for updates from Intel-based devices:

https://security-center.intel.com/SearchResults.aspx

Interview with AMI founder, Subramonian Shankar

http://www.basicinputoutput.com/2016/01/must-see-tvs-shankar.html

As reported by William Leara, a BIOS engineer at Dell, the "This Week In Tech" (TWIT episode 226) podcast did an interview with Mr. Subramonian Shankar, founder of AMI, in November. Excerpting from William's blog post:

The interview discusses everything from how Shankar started AMI, to what he's up to today, with lots of colorful anecdotes along the way. I especially appreciated all the old Michael Dell stories, among other great stories. It turns out Dell Inc. and AMI were allies from their infancy and helped each other grow to be the large, successful companies they are today. It was also interesting to hear about the new Android products AMI is working on, especially AMIDuOS, and it's only $10!

https://twit.tv/shows/triangulation/episodes/226?autostart=false

U-Boot and UEFI at Seattle Hardware Startups event

The January 2016 Seattle Hardware Startups event will be firmware-focused, hosted by our local group, the Pacific NorthWest FirmWare Hackers (PNWFWH); the topics will be U-Boot and UEFI. The Meetup announcement is below. If you are in the Seattle area later this month, drop by!

http://www.meetup.com/Seattle-Hardware-Startups/events/227429885/

What: Seattle Hardware Startup: Kirkland Edition
When: Thursday, January 28, 2016, 6:00 PM to 8:00 PM
Where: Nytec Innovation Center, 416 6th Street South, Kirkland, WA

This month we are welcoming Pacific NorthWest FirmWare Hackers. PNWFWH meets randomly at various places, speaking on development and security topics of modern system firmware (UEFI, U-Boot, coreboot, etc.). I am pleased to have them lead an event for us.

Speakers:

1. The first speaker is Emergency Mexican (his DEF CON goon nym). He works at a local hardware startup working on ARM32 systems. He'll be speaking on building custom payloads with the U-Boot boot loader.

2. The second speaker is Vincent Zimmer, a senior principal engineer at Intel, working on UEFI. Vincent chairs the UEFI Forum network and security subteams. Vincent will talk about the latest updates in the UEFI specifications for security and networking. He’ll also discuss open source community updates.

Please RSVP early so we can call the pizza man and make proper arrangements.

Adam
PS: Did you know that January 15th is Hardware Freedom Day?
http://www.hardwarefreedomday.org/main/about.html

Code available for new rowhammer research

More on this recent research:

Skylake and Rowhammer

https://github.com/IAIK/rowhammerjs/tree/master/native

The source is a single C++ file (not JavaScript, as the GitHub project name suggests), with build targets for Sandy Bridge/Ivy Bridge/Haswell/Skylake; it works on 64-bit Linux. Usage:

# ./rowhammer[-architecture] [-t nsecs] [-p percent] [-c cores] [-d dimms] [-r row] [-f first_offset] [-s second_offset]
    "-c" the number of cores (only important with "#define EVICTION_BASED")
    "-p" percent of memory to use
    "-d" number of dimms (very important)
    "-r" loop only over the specified row
    "-f" only test addresses with the specified first aggressor offset
    "-s" only test addresses with the specified second aggressor offset


Intel on Intel SGX enclaves

https://twitter.com/intelswfeed/status/685961977324265472


Intel SGX: Debug, Production, Pre-release what’s the difference?

Simon Johnson, Dan Zimmerman, and Derek B., all of Intel, presumably on the Intel SGX team, posted a new article on the Intel blog, on Intel SGX.

Since releasing the SDK we've had a few questions about debug vs pre-release vs release mode (production) enclaves. Part of the security model of Software Guard Extensions is to prevent software from peeking inside and getting at secrets inside the enclave… but no-one writes perfect code the first time round; so how do you debug an enclave?
[…]

Full post:

https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-difference


Intel Memory Encryption Engine (MEE)

https://drive.google.com/file/d/0Bzm_4XrWnl5zOXdTcUlEMmdZem8/edit?pref=2&pli=1

Real World Cryptography Conference 2016
6-8 January 2016, Stanford, CA, USA
Intel® Software Guard Extensions (Intel® SGX)
Memory Encryption Engine (MEE)
Shay Gueron
Intel Corp., Intel Development Center, Haifa, Israel
University of Haifa, Israel

Skylake and Rowhammer


Reverse Engineering Intel DRAM Addressing and Exploitation
Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, Stefan Mangard

In this paper, we present a method to reverse engineer DRAM addressing functions based on physical bus probing. Second, we present an automatic and generic method to reverse engineer DRAM addressing functions merely from performing a timing attack. This timing attack can be performed on any system without privileges and even in virtual machines to derive information about the mapping to physical DRAM channels, ranks and banks. We reversed the complex addressing functions on a diverse set of Intel processors and DRAM configurations. Our work enables side-channel attacks and covert channels based on inner-bank row conflicts and overlaps. Thus, our attack does not exploit the CPU as a shared resource, but only the DRAM that might even be shared across multiple CPUs. We demonstrate the power of such attacks by implementing a high speed covert channel that achieves transmission rates of up to 1.5Mb/s, which is three orders of magnitude faster than current covert channels on main memory. Finally, we show how our results can be used to increase the efficiency of the Rowhammer attack significantly by reducing the search space by a factor of up to 16384.

http://arxiv.org/abs/1511.08756

Intel Curie

Intel announced Curie back in the Summer:

Arduino 101, an Intel Curie-based device

And they’re doing it again at CES:

https://software.intel.com/en-us/articles/intels-newest-wearable-module-intel-curie
http://www.intel.com/content/www/us/en/wearables/wearable-soc.html

PDF: Intel_CURIE_Module_Factsheet.pdf

PDF: intel-curie-module-fact-sheet.pdf

I still can't tell you what flavor of firmware it uses, UEFI, BIOS, or something else. If you know, please leave a Comment (see left).

Star Wars toy has vulnerable firmware

I’ve been avoiding news on IoT security, since the New Year has all the news sites full of IoT predictions, most related to security concerns…

Since Star Wars is topical again, there’s a firmware vulnerability in the new movie’s droid toy:

http://www.theregister.co.uk/2016/01/08/star_wars_iot_bb8_toy_vuln/

https://www.pentestpartners.com/blog/star-wars-bb-8-iot-toy-awesome-fun-but-can-it-be-turned-to-the-dark-side-with-this-vulnerability/


FSF RYF hardware cert program update

For a while now, the Free Software Foundation has had its RYF (Respects Your Freedom) hardware certification program. Companies send samples of their product to the FSF for testing. If it passes muster, the company is able to use the FSF RYF certification mark. The FSF presumes that people need not fully understand technology, and can instead trust the FSF and this certification mark, and know that this research has been done for them. This year, they've certified 6 new devices, half of which are legacy retrofitted hardware, half are new devices:

“The RYF certification program is one of the most important parts of the FSF’s work — and one of the most promising and successful parts. Since announcing our first RYF-certified product in October 2012 (the LulzBot AO-100 3D printer), we have certified a total of eighteen different hardware devices sold by five different companies. In 2015 alone we awarded RYF certification to six new devices:

* 3 laptops: Libreboot X200 and T400 from Minifree, and the Taurinus X200 from Libiquity.
* 2 3D-printers: The LulzBot TAZ 5 and the LulzBot Mini by Aleph Objects.
* 1 wireless router: The Free Software Wireless-N Mini Router (TPE-R1100) sold by ThinkPenguin.”

https://www.fsf.org/blogs/licensing/hardware-we-certified-in-2015-to-respect-your-freedom
https://www.fsf.org/ryf
https://www.fsf.org/resources/hw/endorsement/criteria
https://my.fsf.org/donate/?pk_campaign=2015-appeal&pk_kwd=ryf
https://my.fsf.org/join?pk_campaign=2015-appeal&pk_kwd=ryf

Bluntly, I really don't understand why the FSF isn't doing more to push crowdfunding of their "Free Hardware", or even mentioning their Free Hardware concept in the RYF hardware program, or giving presentations at Embedded Linux Conference and elsewhere to discuss this with OEMs, or helping any of the open architecture designs (GPL'ed OpenRISC, BSD LowRISC/RISC-V, etc.), or mentioning available and up-and-coming devices (e.g., Inverse Path's USB Armory, Olimex's OSH ARM64 laptop, some of the new devices that can run Libreboot w/o blobs, etc.). I was hoping for more when RMS blessed CrowdSupply.com as a funding source for GPL hardware… It looks like the best we can hope for is the above RYF Donate button. 😦

Ubuntu to opt-out of fwupd?

Not only do you have to study your Linux distribution to see if/how it uses Secure Boot, you also need to research if/how it gets firmware updates.

http://www.linux.com/news/software/applications/877661-ubuntu-1604-lts-might-get-the-option-of-updating-firmware-directly-from-the-os/

https://blueprints.launchpad.net/ubuntu/+spec/foundations-w-uefi-capsule-update

“Ubuntu should support updating firmware for systems and components (but not peripherals) via EFI UpdateCapsule (see EFI Capsule specification, in Related Links), so that users do not require Windows or DOS to apply BIOS/component firmware updates, and as such updates are easily available to all Ubuntu users. Peripheral firmware updates are not technically supported by the UEFI Capsule specification, and so are out of the scope of this blueprint.”

http://www.fwupd.org/

I also wonder about non-GNOME systems: how do KDE systems get firmware updates?

NVMe tool: SEDutil

Judith Vanderkay posted an article on the NVM Express blog about an updated release of a tool of theirs:

Drive Trust Alliance adds NVMe support to SEDutil:

"Drive Trust Alliance maintains the popular sedutil application (formerly called msed), which eases configuration of Self-Encrypting Drives implementing the TCG OPAL specification. Until recently only SATA/SCSI drives were supported by sedutil. As of the 1.10 release, NVMe SEDs are officially supported by the Linux version of sedutil. This paves the way for NVMe OPAL SED adoption across a wide variety of datacenter, workstation, client, mobile, and IoT platforms."

http://www.nvmexpress.org/blog/drive-trust-alliance-adds-nvme-support-to-sedutil/
https://github.com/Drive-Trust-Alliance/sedutil
https://github.com/r0m30/msed
https://github.com/Drive-Trust-Alliance

VMware vulnerability

VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability

VMware Security Advisory
Advisory ID: VMSA-2016-0001
Synopsis: VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
Updated on: 2016-01-07 (Initial Advisory)
CVE numbers: CVE-2015-6933

Impacts:
VMware ESXi 6.0 without patch ESXi600-201512102-SG
VMware ESXi 5.5 without patch ESXi550-201512102-SG
VMware ESXi 5.1 without patch ESXi510-201510102-SG
VMware ESXi 5.0 without patch ESXi500-201510102-SG
VMware Workstation prior to 11.1.2
VMware Player prior to 7.1.2
VMware Fusion prior to 7.1.2

VMware would like to thank Dmitry Janushkevich from the Secunia Research Team for reporting this issue to us.

See the full announcement for more information, including patches and workarounds.

http://www.vmware.com/security/advisories/VMSA-2016-0001.html
http://kb.vmware.com/kb/2078735