Apple EFI firmware update spreadsheet

This is an interesting twitter thread, if you have a Mac:

https://support.apple.com/en-us/HT201518

https://docs.google.com/spreadsheets/d/1qGRVF1aRokQgm_LuTsFUN2Knrh0Sd3Gp0ziC_VIWqoM/edit#gid=0

See-Also Firmware_Vault: https://firmwaresecurity.com/2015/07/15/tool-review-uefi-spider-and-firmware_vault/

CHIPSEC 1.3.0 released

New/updated modules:
* tools.uefi.whitelist – The module can generate a list of EFI executables from a (U)EFI firmware file or from an image extracted from flash ROM, and later check a firmware image in flash ROM or in a file against this list of [expected/whitelisted] executables
* tools.uefi.blacklist – Improved search for blacklisted EFI binaries, added exclusion rules, enhanced blacklist.json config file
* tools.smm.rogue_mmio_bar – Experimental module that may help check SMM firmware for MMIO BAR hijacking vulnerabilities described in “BARing the System: New vulnerabilities in Coreboot & UEFI based systems” (http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017_BARing_the_system.pdf) by the Intel Advanced Threat Research team at RECon Brussels 2017
* tools.uefi.uefivar_fuzz – The module fuzzes the UEFI Variable interface: it uses the UEFI SetVariable interface to write new UEFI variables to SPI flash NVRAM with randomized name/attributes/GUID/data/size.

New/updated functionality:
* Debian packaging support
* Compiling in setup.py and automated loading of chipsec.kext kernel module on macOS
* Internal Graphics Device support including software DMA via Graphics Aperture
* Improved parsing and search within UEFI images including update capsules
* Export of extracted EFI firmware tree in JSON format
* Export of CHIPSEC results in JSON format via --json command-line argument
* EFI (de-)compression ported from uefi-firmware-parser project
* Decompression to macOS helper to parse Mac EFI firmware images
* Support of command-line arguments in chipsec_util.py
* SMI count command
* Improved platform dependent Flash descriptor parsing
* ReadWriteEverything helper to work with RWE driver
* map_io_space to improve SPI read performance on Linux
* Native (OS based) access PCI, port I/O and CPU MSR to Linux helper
* Improved chipsec_util.py unit testing

See full announcement for list of bugfixes.

https://github.com/chipsec/chipsec/releases/tag/v1.3.0
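The generate-then-check whitelist workflow that tools.uefi.whitelist describes (baseline the EFI executables of a known-good image, then diff a later dump against it), as an added Python example. This is not CHIPSEC's own code: the in-memory firmware tree, the sample executables and the flat JSON whitelist layout are all assumptions.

```python
# Added illustration of the generate-then-check whitelist workflow; not CHIPSEC code.
# Assumption: an extracted firmware tree is a mapping of executable path -> file bytes,
# and the whitelist is persisted as a flat JSON object of path -> sha256 (assumed layout).
import hashlib
import json


def build_whitelist(tree):
    """Generate {path: sha256hex} for every EFI executable in a firmware tree."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(tree.items())}


def whitelist_to_json(whitelist):
    return json.dumps(whitelist, indent=2, sort_keys=True)


def whitelist_from_json(text):
    return json.loads(text)


def check_against_whitelist(tree, whitelist):
    """Compare a later image against the whitelist and report what a defender must triage."""
    actual = build_whitelist(tree)
    return {
        "added": sorted(p for p in actual if p not in whitelist),
        "missing": sorted(p for p in whitelist if p not in actual),
        "modified": sorted(p for p in actual if p in whitelist and actual[p] != whitelist[p]),
    }


def is_clean(report):
    """True only when the image contains exactly the whitelisted executables, unchanged."""
    return not any(report.values())


# Constructed sample data: a known-good image and a later dump of the same platform.
GOOD_IMAGE = {
    "FV_MAIN/PeiCore.efi": b"MZ pei core sample",
    "FV_MAIN/DxeCore.efi": b"MZ dxe core sample",
    "FV_MAIN/SecureBootConfigDxe.efi": b"MZ secure boot config sample",
}
LATER_DUMP = {
    "FV_MAIN/PeiCore.efi": b"MZ pei core sample",
    "FV_MAIN/DxeCore.efi": b"MZ dxe core sample, bytes changed",  # modified executable
    "FV_MAIN/UnknownDriver.efi": b"MZ not in the baseline",        # added executable
}                                                                   # SecureBootConfigDxe is missing

if __name__ == "__main__":
    baseline = whitelist_to_json(build_whitelist(GOOD_IMAGE))   # what you would store on disk
    print(baseline)
    print(json.dumps(check_against_whitelist(LATER_DUMP, whitelist_from_json(baseline)), indent=2))
```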

Gigabyte UEFI firmware advisory

It must be big if CERT notices a UEFI issue! 🙂

https://twitter.com/osxreverser/status/847870483525754880

https://twitter.com/osxreverser/status/847848364058312704

https://twitter.com/osxreverser/status/847847913590059008

https://www.cylance.com/en_us/blog/uefi-ransomware-full-disclosure-at-black-hat-asia.html

6-part YouTube BIOS system architecture series

BIOS Session 1 – System Memory Map
BIOS Session 2 – Legacy Region
BIOS Session 3 – High Level Overview of the BOOT flow
BIOS Session 4 – Transaction flows and address decoding part 1
BIOS Session 5 – Transaction flows and address decoding part 2
BIOS Session 6 – PCI Basics and Bus Enumeration

UEFI Plugfest slides uploaded

https://uefi.blogspot.com/2017/03/uefi-plugfest-2017-in-nanjing.html

Tim Lewis of Insyde has a blog post with an update for the UEFI plugfest. *Multiple* presentations on security!!

State of UEFI – Mark Doran (Intel)
Keynote: China Information Technology Ecosystem – Guangnan Ni (Chinese Academy of Engineering)
The Role of UEFI Technologies Play in ARM Platform Architecture – Dong Wei (ARM)
ARM Server’s Firmware Security – Zhixiong (Jonathan) Zhang (Cavium)
SMM Protection in EDK II – Jiewen Yao (Intel)
Server RAS and UEFI CPER – Mao Lucia and Spike Yuan (Intel)
A More Secure and Better User Experience for OS-based Firmware Update – David Liu (Phoenix)
UEFI and IoT: Best Practices in Developing IoT Firmware Solutions – Hawk Chen (Byosoft)
Establishing and Protecting a Chain of Trust with UEFI – David Chen (Insyde)
Implementation of Hypervisor in UEFI Firmware – Kangkang Shen (Huawei)
Lessons Learned from Implementing a Wi-Fi and BT Stack – Tony Lo (AMI)
UEFI Development Anti-Patterns – Chris Stewart (HP)

http://www.uefi.org/learning_center/presentationsandvideos

TPM firmware updates (and BiosSledgehammer)

The below tweet made me realize I’ve not been looking enough for TPM utilities. I’ve seen tools from HP, Dell, and Lenovo. Still looking for tools from other OEMs. The only community tool I can find is BiosSledgehammer, which only works on HP systems.

https://github.com/texhex/BiosSledgehammer

BiosSledgehammer: Automated BIOS update, TPM firmware update and BIOS settings for HP devices.

http://h20566.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05381064

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05192291

http://www.dell.com/support/home/us/en/4/Drivers/DriversDetails?driverId=2105J

http://support.lenovo.com/us/en/downloads/ds038226

https://www.dell.com/support/article/us/en/04/SLN300914/trusted-platform-module–tpm–upgrade-downgrade-process-for-windows-7-and-10-operating-system-upgrade-downgrade?lang=EN

PEXternalizer (and USB Sanitizer)

Pci Express eXternalizer lets you pull a PCIe 1x port outside of your case using a USB 3 cable.

https://github.com/securelyfitz/PEXternalizer

https://www.securinghardware.com/

Joe is always making fun toys.

https://github.com/securelyfitz/USBSanitizer

Wikileaks: Vault 7: Dark Matter

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware. Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”, allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter. “DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants. Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0. Also included in this release is the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

https://wikileaks.org/vault7/darkmatter/?cia

https://wikileaks.org/vault7/darkmatter/document/SonicScrewdriver_1p0/
https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_DOC/
https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_RC1_IVVRR_Checklist/
https://wikileaks.org/vault7/darkmatter/document/Triton_v1_3_DOC/
https://wikileaks.org/vault7/darkmatter/document/DarkSeaSkies_1_0_URD/

awesome-safety-critical

This is a list of resources about programming practices for writing safety-critical software. Disclaimer: I don’t work on safety-critical software so the resources presented here are not necessarily authoritative or latest documents on topic.

https://github.com/stanislaw/awesome-safety-critical

On a related note, SEI just made their Secure C and Secure C++ books freely available (registration required); they are worth reading:

http://www.sei.cmu.edu/news/article.cfm?assetID=495412

Tianocore gets Brotli compression support

BinX Song of Intel has submitted a patch to EDK2 with support for Google’s Brotli compression algorithm.

[PATCH 0/4] MdeModulePkg/BaseTools: Add Brotli algorithm support

The Brotli algorithm has a slightly lower compression ratio than LZMA, but better decompression performance. Add Brotli algorithm support, including the Brotli decompression library and tool set.

Brotli is a general-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed to deflate but offers denser compression.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel
https://github.com/google/brotli
https://www.ietf.org/rfc/rfc7932.txt
https://groups.google.com/forum/#!forum/brotli

Siemens industrial plant firmware malware

Quoting the Register article:

[…]Malware posing as legitimate firmware for Siemens control gear has apparently infected industrial equipment worldwide over the past four years. The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we’re told. At least 10 industrial plants – seven in the US – were found running the infected firmware, a study by industrial cybersecurity firm Dragos claims. According to the Texas-based biz, this particular malware was specifically thrown at industrial control equipment. Exactly what it does, or did, is not explained, although it is described as “crimeware”. […]

The Dragos blog post is worth reading:

https://www.theregister.co.uk/2017/03/22/malware_siemens_plc_firmware/

https://dragos.com/blog/mimics/

UTTOS: UEFI testing research

A paper from October 2016 that I just noticed:

UTTOS: A Tool for Testing UEFI Code in OS Environment

Unit tests are one of the most widely used tools to assure a minimal level of quality and compliance during development. However, they are not used in many projects where development takes place at low-level contexts. The main reason is that unit test development itself demands more time and becomes expensive in this context, and tools that assist test creation are rare or absent. In UEFI development this scenario matches the reality of most teams, and unit testing as well as other testing techniques are often not used. To address this fault we propose UTTOS, a tool that parses EDKII build configuration files, mocks the UEFI-specific functions for C development and enables UEFI test suite code to run in the operating system. We show that UTTOS is able to run the test suite in the operating system and save development time.

https://www.researchgate.net/publication/313074852_UTTOS_A_Tool_for_Testing_UEFI_Code_in_OS_Environment
https://www.researchgate.net/publication/307547569_UTTOS_A_Tool_for_Testing_UEFI_Code_in_OS_Environment
http://link.springer.com/chapter/10.1007/978-3-319-47443-4_14/fulltext.html

Did not find any source code… 😦 If you do, please leave a Comment!

Redfish and SDI

Redfish Emerges as an Interoperability Standard for SDI
The world’s data centers are working to adopt Software Defined Infrastructure (SDI) – but they are far from reaching their goals. The single biggest challenge in SDI is achieving interoperability between many kinds of hardware. Without that, a data center’s systems become a Tower of Babel, preventing IT system admins from seeing a unified view of all resources – and managing them. Built to leverage virtualized infrastructure, SDI will be easier to achieve if there are more bridges between platforms – leading to better management. This blog focuses on an emerging management standard called Redfish, which is designed to help make SDI a day-to-day reality for hybrid cloud.[…]

http://hurwitz.com/blogs/bozmanblog/entry/redfish-emerges-as-an-interoperability-standard-for-sdi

Facebook seeks Oculus Firmware Manager

Manager, Firmware (Oculus)
As a Firmware Engineering Manager at Oculus you will lead, manage, and inspire engineering teams developing next-generation platforms for virtual reality. Firmware for VR systems spans multiple target classes, requires deep collaboration across engineering disciplines and the full software stack (from content to RTL), and directly impacts user immersion. You’ll guide architecture and delivery of highly performant and reliable firmware across multiple platforms and product lines. The ideal candidate will have deep embedded system technical knowledge along with a passion for building top teams who deliver great consumer products focused on incredible customer experiences.[…]

https://www.facebook.com/careers/jobs/a0I1200000JIZv3EAH/