Intel Multi-byte NOP opcode made official

The latest version of IA-32 Intel Architecture Software Developers Manual Volume 2B: Instruction Set Reference, N-Z contains the opcode for a multi-byte NOP instruction. The opcode is
    0F 1F mod-000-rm
The multi-byte NOP can have any length up to 9 bytes. Quite useful for alignment. […]

Ugh, how do you track changes like this? Diffing those PDFs? Is there any ‘changelog’ for things like this?

ftp://download.intel.com/design/Pentium4/manuals/25366719.pdf
https://software.intel.com/en-us/forums/watercooler-catchall/topic/307174
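As an added illustration (not code from the forum post or from Intel's manual), the sketch below computes the length of a `0F 1F mod-000-rm` NOP from its ModRM byte, which is how a disassembler or binary-diffing tool recognises alignment padding instead of treating it as real code. The function names and the sample bytes are constructed for this example, and 32/64-bit addressing is assumed.

```python
def multibyte_nop_length(buf, off=0):
    """Return the length of a 0F 1F /0 NOP at buf[off], or 0 if there is none.

    Assumes 32/64-bit addressing: ModRM, optional SIB, then disp8 or disp32.
    """
    i = off
    if i < len(buf) and buf[i] == 0x66:        # one optional operand-size prefix
        i += 1
    if buf[i:i + 2] != b"\x0f\x1f" or i + 2 >= len(buf):
        return 0
    modrm = buf[i + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 0:                               # the documented form is mod-000-rm
        return 0
    i += 3
    disp = (0, 1, 4, 0)[mod]                   # mod=01: disp8, mod=10: disp32
    if mod != 3 and rm == 4:                   # rm=100 selects a SIB byte
        if i >= len(buf):
            return 0
        if mod == 0 and (buf[i] & 7) == 5:     # SIB base=101 with mod=00: disp32
            disp = 4
        i += 1
    elif mod == 0 and rm == 5:                 # mod=00 rm=101: disp32 only
        disp = 4
    end = i + disp                             # longest case: 1+2+1+1+4 = 9 bytes
    return end - off if end <= len(buf) else 0


def padding_run(buf, off=0):
    """Lengths of the consecutive NOP instructions that start at buf[off]."""
    lengths = []
    while off < len(buf):
        if buf[off] == 0x90:                   # classic one-byte NOP
            n = 1
        elif buf[off:off + 2] == b"\x66\x90":  # prefixed two-byte NOP
            n = 2
        else:
            n = multibyte_nop_length(buf, off)
        if n == 0:                             # first non-NOP ends the padding
            break
        lengths.append(n)
        off += n
    return lengths


# Constructed sample: 9-byte NOP, 5-byte NOP, one-byte NOP, then RET (C3).
SAMPLE = bytes.fromhex("660f1f840000000000" "0f1f440000" "90" "c3")
print(padding_run(SAMPLE))
```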

Intel SGX tutorial part3 published today

Thanks to John M. of Intel for noting on this blog that part 3 of his tutorial is now available:

Intel SGX tutorial, part 3 underway

https://software.intel.com/en-us/articles/software-guard-extensions-tutorial-series-part-3

https://software.intel.com/en-us/articles/introducing-the-intel-software-guard-extensions-tutorial-series

“In Part 3 of the Intel® Software Guard Extensions (Intel® SGX) tutorial series we’ll talk about how to design an application with Intel SGX in mind. We’ll take the concepts that we reviewed in Part 1, and apply them to the high-level design of our sample application, the Tutorial Password Manager, laid out in Part 2. We’ll look at the overall structure of the application and how it is impacted by Intel SGX and create a class model that will prepare us for the enclave design and integration.”[…]

The SMM Rootkit Revisited: Fun with USB (from ARES’15)

http://ieeexplore.ieee.org/document/6980293/?reload=true&arnumber=6980293

System Management Mode (SMM) in x86 has enabled a new class of malware with incredible power to control physical hardware that is virtually impossible to detect by the host operating system. Previous SMM root kits have only scratched the surface by modifying kernel data structures and trapping on I/O registers to implement PS/2 key loggers. In this paper, we present new SMM-based malware that hijacks Universal Serial Bus (USB) host controllers to intercept USB events. This enables SMM root kits to control USB devices directly without ever permitting the OS kernel to receive USB-related hardware interrupts. Using this approach, we created a proof-of-concept USB key logger that is also more difficult to detect than prior SMM-based key loggers that are triggered on OS actions like port I/O. We also propose additional extensions to this technique and methods to prevent and mitigate such attacks.

Cook on status of Linux’s Kernel Self Protection Project

A few days ago at the Linux Security Summit (LSS), Kees Cook of the Chromium project gave a presentation about the current status of the Kernel Self-Protection Project. Slides are available; I’m not sure about any A/V archives.

Status of the Kernel Self Protection Project
Linux Security Summit 2016


Kernel Self Protection Project
http://www.openwall.com/lists/kernel-hardening/
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

CaptainHook

CaptainHook is a hooking framework for x86/x64 arch; it’s based on the capstone disassembler engine. CaptainHook is equipped with a smart engine (TO FINISH). CaptainHook is easy to use, and very friendly. The hook engine is much like MS Detours, so why choose it?

* it supports x64 (Detours x64 is commercial – $10,000~)
* CaptainHook will know where to locate your hook in real time; it analyzes the code and finds whether a small API redirection (Wow64 hook on kernelbase for example, or on a protector like VMP or Themida) has occurred
* in the next release, CaptainHook will contain an engine for jmp/conditional jmp repair – if your hook corrupts sensitive code
* in the next release, CaptainHook will contain more hook types, like PageGuard hooking etc.
[…]

https://github.com/shmuelyr/CaptainHook

ACPICA shipping acpidump.efi

In recent news on the ACPICA site is:

“AcpiDump for UEFI is now available at Downloads/uefi-support – 26 August, 2016 – 13:57”

The tool acpidump now targets UEFI, in addition to OSes. In addition to shipping source via Github, they ship a zip with prebuilt Intel 32- and 64-bit .efi binaries, no ARM binaries.

https://github.com/acpica/acpica/tree/master/source/tools/acpidump

https://acpica.org/downloads/uefi-support

https://acpica.org/

If there is a place where the above web site’s ‘recent news’ is delivered via RSS or Atom or Twitter or NNTP or some announce mailing list or even Facebook, please leave a Comment. I think I’m not on the right ACPI list or something… Thanks.

UEFI BIOS Updater (UBU) updated

I wish I could tell you the official home page of UEFI BIOS Updater (UBU), but I am not sure where it is. Decades ago, I used to trust some freeware, but these years I am more hesitant. I wish UBU was open source. 😦

http://www.win-raid.com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html

https://twitter.com/freewareactive/status/769501789280501760

https://twitter.com/freewareactive/status/769523790460100608

UBU 1.43 released

Alex’s SimpleVisor now supports EPT and VPID

Re: Alex’s Intel x64 Windows-based hypervisor:

SimpleVisor: new hypervisor for Intel x64 Windows

it now supports more features:

https://twitter.com/aionescu/status/769280829805645824

https://github.com/ionescu007/SimpleVisor/commit/fd1d7e043a24fd4afd72dc5f040d04475f9e5acd

https://github.com/ionescu007/SimpleVisor

https://twitter.com/aionescu/status/769726204387602437

I hope he targets UefiVisor next. I am guessing that UEFI will get more interesting as an OS — and not just a bootloader — once someone ports a VM to a UEFI app.

PeiBackdoor: new UEFI payload/backdoor tool

Dmytro Oleksiuk (aka Cr4sh) has created a new UEFI security researcher tool: PeiBackdoor, which hooks into the init code of UEFI. (PEI is the Pre-EFI Initialization phase, the init code that runs before all the UEFI protocols are in place.) It uses Capstone, and requires Windows.

PEI stage backdoor for UEFI compatible firmware

This project implements an early stage firmware backdoor for UEFI based firmware. It allows executing arbitrary code written in C during the Pre EFI Init (PEI) phase of Platform Initialization (PI). This backdoor might be useful for low level manipulations with the target platform configuration when most of the platform configuration registers are not locked yet. […]

PEI backdoor project includes:

* PeiBackdoor.py – Python program that allows infecting raw flash images or individual UEFI PEI drivers with the backdoor code.
* PeiBackdoor_IA32.efi, PeiBackdoor_IA32.pdb – 32-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = IA32.
* PeiBackdoor_X64.efi, PeiBackdoor_X64.pdb – 64-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = X64.
* PeiBackdoor.inf – PEI backdoor project configuration for EDK2 build environment.
* config.h – PEI backdoor build options.
* payload.c – Put your own PEI stage code into this source file and call it from Payload() function.
* src/ – Rest of the PEI backdoor code.

PeiBackdoor.py uses the Capstone engine and pefile Python libraries; you need to install them with the pip install capstone pefile command.
[…]

https://github.com/Cr4sh/PeiBackdoor

Intel Joule

“Today during the Intel Developer Forum (IDF) opening keynote, Intel CEO Brian Krzanich introduced the Intel® Joule™ compute module, a high-performance developer platform with support for Intel® RealSense™ depth-sensing cameras, targeted at Internet of Things (IoT) developers, entrepreneurs and established enterprises. […] The Intel Joule platform enables people to rapidly prototype a concept and then take it into production in a fraction of the time and development cost. Intel Joule is a high performance system-on-module (SOM) in a tiny, low-power package thus making it ideal for computer vision, robotics, drones, industrial IoT, VR, AR, micro-servers and other applications that require high-end edge computing. The Intel Joule module is available in two models – 570x and 550x. The Intel Joule 570x developer kit is available for sale at the 2016 Intel Developer Conference in San Francisco, and will begin shipping in September through Intel reseller partners.”

I’m still reading the docs, not sure what firmware it has, and if developers have ability to revise it. If you know, please leave a Comment. Suggested price is US$379.

https://software.intel.com/en-us/articles/joule-vs-edison
https://software.intel.com/en-us/intel-joule-getting-started
https://software.intel.com/en-us/iot/hardware/joule
https://software.intel.com/en-us/articles/what-is-joule-module
https://software.intel.com/en-us/iot/hardware/joule/dev-kit
http://ark.intel.com/products/series/96419/Intel-Joule-Kits


https://newsroom.intel.com/chip-shots/make-amazing-things-happen-iot-entrepreneurship-intel-joule/

CHIPSEC ported to Apple Mac OS X!

Wow, CHIPSEC is ported to Mac OS X! This is great news for Mac owners! CHIPSEC requires a native kernel driver to support CHIPSEC’s HAL. Before this, there were only Linux and Windows HAL drivers for CHIPSEC, so Mac OS X users had to reboot with a Linux-based distro which had CHIPSEC (e.g., LUV-live). Live use aside, this also probably means you’ll be able to use CHIPSEC on OS X for offline analysis of blobs.

OSX Driver for Chipsec. This driver is currently in alpha release. It is not signed and you will need to disable the System Integrity Protection to load it. It is only compatible with x86_64 kernels, that is any release >= 10.7. How to:
1. (optional) Build the Driver using Xcode (chipsec.xcodeproj)
2. Turn the System Integrity Protection off: see
    https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html
3. Reboot and load the driver
   # kextutil chipsec.kext
4. Within the source/tool directory, run:
   # python chipsec_util.py spi info
   # python chipsec_util.py spi dump rom.bin
5. Unload the driver

https://github.com/chipsec/chipsec/blob/master/source/drivers/osx/README

https://github.com/chipsec/chipsec/pull/69

https://github.com/chipsec/chipsec/commit/b00c037101523212725c60d35f3f70b168a44e1c

With an OS X port of the CHIPSEC HAL, Apple’s OS is starting to catch up with Linux and Windows. I hope Apple paid @tweksteen for the effort, Apple should have done this port long ago. FreeBSD/OpenBSD/NetBSD: time for you to catch up too! 🙂

coreboot adds Intel BootGuard support to Intel ME Tool

“util/intelmetool: Add bootguard information dump support:
With this implementation it’s possible to detect the state of bootguard in intel based systems.
Currently it’s WIP and in a test phase. Handle it with care!”

https://review.coreboot.org/#/c/16328/

https://coreboot.org/

Talos creates Intel PT driver

Talos Intel PT Driver
This driver implements the Intel Processor Trace functionality in Intel Skylake architecture for Microsoft Windows.
Intel Processor Trace is a high performance hardware supported branch tracing mechanism in Intel Skylake architecture.
[…]

https://github.com/talos-vulndev/TalosIntelPtDriver

https://github.com/talos-vulndev/FuzzFlow

http://www.talosintelligence.com/

Kaitai

Like above, I also just learned about Kaitai Project. It reminds me of Scapy, the 010 Editor.

http://kaitai.io/

https://github.com/kaitai-io/kaitai_struct_visualizer/

https://github.com/kaitai-io/kaitai_struct


FirmFlaws

Wow, another firmware tool that I am just now noticing. 😦

Firmware analysis Website and API (JSON)
Upload firmware and run static analysis (parse firmware, grep strings, search for interesting files (conf, certs, db files…), etc.).
Dependencies:  Radare2, Binwalk, rats, graphviz, pydot, Django, r2pipe, python-magic, squashfs-tools, python3-openssl
Contributors: MisterCh0c (@MisterCh0c),  Ganapati (@G4N4P4T1),  Geoffrey (@geoffreyvdberge)

https://github.com/Ganapati/firmflaws

Firminator

I just learned about Firminator. Sad that it has been around for some time and I am just noticing it. 😦 They are looking for donations:

https://twitter.com/Firminat0r/status/757150166348599296

Firminator
The first (afaik) open source (wannabe) firmware vulnerability scanner.
Firminator’s goal is to provide static & dynamic analysis of firmwares. For the dynamic analysis the firmwares will be emulated using firmadyne.

http://www.firminator.io/

https://github.com/misterch0c/firminator_backend

https://twitter.com/Firminat0r/

Microsoft OMI: WMI for Linux

WMI, the Windows-centric API wrapper for the DMTF CIM standard, has an OMI variant that works outside of Windows. I don’t understand why Microsoft didn’t just submit OMI to DMTF, instead of OpenGroup… 🙂

https://twitter.com/mattifestation/status/768445468925829120

Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI’s small footprint, it also demonstrates very high performance. RPM and DEB packages are provided for the installation of OMI on most enterprise Linux distributions. To install OMI, download the correct package for your Linux computer. […]

https://github.com/Microsoft/omi

http://www.opengroup.org/software/omi

https://blogs.technet.microsoft.com/windowsserver/2012/06/28/open-management-infrastructure/