AMI adds RNDIS Network Driver Support in Aptio V

American Megatrends Inc. (AMI), a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, is proud to announce Remote NDIS (RNDIS) network driver support for Aptio V UEFI Firmware. The Remote Network Driver Interface Specification (RNDIS) is a Microsoft® specification that allows for remote communication between a host server and an RNDIS network device connected using a USB cable. RNDIS messages are sent via the host server to the RNDIS device, and the host server can provide support for multiple networking devices connected to a USB bus. The support for RNDIS devices in Aptio V is convenient for hardware vendors because, with the standardized interface of RNDIS, the need to develop drivers to support USB LAN adapters conforming to the RNDIS specification is eliminated. OEMs including the RNDIS network driver in the BIOS allow end users to plug and play with RNDIS-supported USB LAN adapters. The Aptio V RNDIS network driver also allows the BIOS to communicate with a Baseboard Management Controller (BMC) that supports the RNDIS specification, commonly referred to as LAN over USB.[…]

https://ami.com/en/news/press-releases/?PressReleaseID=389


Lenovo USB malware

IBM Storwize for Lenovo initialization USB drives contain malware
Lenovo Security Advisory: LEN-14957
Potential Impact: Malware infection on system used to launch initialization tool
Severity: Medium

Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems. When the initialization tool is launched from the USB flash drive onto a computer used for initial configuration, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation. With that step, the malicious file is copied with the initialization tool to the following temporary folder:

On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool

Important: While the malicious file is copied onto the computer, the file is not executed during initialization and is not run unless a user manually executes it. The infected file does not affect the IBM Storwize for Lenovo system. The initialization tool is only used to write a text file on the USB key, which is then read by Storwize, which will then write a separate text file onto the key. At no point during the time that the USB thumb drive is inserted in the Storwize system is any information copied from the thumb drive directly to the Storwize system, nor is any code executed on the Storwize system.

The affected Initialization USB flash drive looks like the images below, and contains a folder called InitTool.[…]


https://support.lenovo.com/us/en/product_security/len-14957


VMWare and UEFI Secure Boot

Stephen J. Bigelow has an article in TechTarget.com on VMWare and Secure Boot:

VMware vSphere 6.5 takes an extra security step, building on UEFI secure boot with added cryptographic validation to all ESXi components. VMware vSphere 6.5 added numerous features designed to improve the security of virtual machines both at rest and…[…]

You’ll have to give TechTarget.com your email address to read the article. 😦

http://searchvmware.techtarget.com/answer/How-does-ESXi-secure-boot-improve-vSphere-security

UEFI UDK2017 pre-release available

Brian Richardson of Intel announced a pre-release of UDK2017, a snapshot of the Tianocore.org EDK2 trunk code matching a set of UEFI.org specs.

Information on UDK2017, the next stable snapshot release of EDK II, is available on the TianoCore wiki.

From the release page on the wiki, here’s the list of UDK2017 Key Features:

    Industry Standards & Public Specifications
        UEFI 2.6
        UEFI PI 1.4a
        UEFI Shell 2.2
        SMBIOS 3.1.1
        Intel® 64 and IA-32 Architectures Software Developer Manuals
    Storage Technologies
        NVMe
        RAM Disk (UEFI 2.6, Section 12.17, RAM Disk Protocol)
    Compilers
        GCC 5.x
        CLANG/LLVM
        NASM
    OpenSSL 1.1.0
    UEFI HTTP/HTTPS Boot
    Adapter Information Protocol
    Regular Expression Protocol
    Signed Capsule Update
    Signed Recovery Images
    SMM Communication Buffer Protections
    STM Launch
    Memory Allocation/Free Profiler
    NX Page Protection in DXE
    LZMA Compression 16.04
    Brotli Compression
    MP Init Library

https://github.com/tianocore/tianocore.github.io/wiki/UDK2017

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

RISC-V edition of Computer Organization and Design

Computer Organization and Design RISC-V Edition: The Hardware Software Interface
1st Edition
Authors: David Patterson, John Hennessy
Paperback ISBN: 9780128122754
Imprint: Morgan Kaufmann
Published Date: 13th April 2017
Page Count: 696

https://www.elsevier.com/books/computer-organization-and-design-risc-v-edition/patterson/978-0-12-812275-4
https://www.elsevier.com/books-and-journals/book-companion/9780128122754
https://textbooks.elsevier.com/web/product_details.aspx?isbn=9780128122754

VM escape – QEMU case study on Phrack

https://twitter.com/_jsoo_/status/857907512908988417

http://www.phrack.org/papers/vm-escape-qemu-case-study.html

I wish more people wrote articles for Phrack.

some recent CHIPSEC presentations

I’m not sure that I’ve pointed to all of the CHIPSEC presentations that have happened recently. I don’t know that I have a complete list. 😦 Here are two recent ones; there may be more in the tweets below.

Attacking hypervisors through hardware emulation

Slides (PDF): TR17_Attacking_hypervisor_through_hardwear_emulation.pdf

Exploring your system deeper

Slides (PDF): opcde_ExploringYourSystemDeeper_updated.pdf

Slides (PDF): csw2017_ExploringYourSystemDeeper_updated.pdf


Debian Live images now include UEFI support

Steve McIntyre gave an update on Debian official images to the debian-(cd, devel-announce,live,cloud) mailing lists. There’s a UEFI update on Debian Live images:
Live images – now including UEFI support

After a hiatus, weekly builds of live images for testing are now happening again. These cover amd64 and i386, and there is a separate image for each of the common desktop environments. Thanks to great work by Neil Williams, Iain Learmonth and Ana Custura on new tools (vmdebootstrap and live-wrapper), these also include support for UEFI booting as a new feature. Please help test the images and give feedback:

http://get.debian.org/cdimage/weekly-live-builds/

See Steve’s message to the above-listed lists for the full post.

https://lists.debian.org/msgid-search/20170428012707.GJ28360@einval.com

Debian 9 defers UEFI Secure Boot support

From the latest “Bits from the Release Team” message, it appears that Debian 9 will probably defer Secure Boot support to later.

Secure Boot
At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 “stretch” would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support. We appreciate that this will be a disappointment to many users and developers. However, we need to balance that with the limited time available for the volunteer teams working on this feature, and the risk of bugs being introduced through rushed development. It’s possible that Secure Boot support could be introduced at some point in stretch’s lifetime.

Full message:
https://lists.debian.org/debian-devel-announce/2017/04/msg00013.html
https://wiki.debian.org/SecureBoot
https://wiki.debian.org/UEFI

Windows 10 new preboot security features

There are a few new preboot-related features in recent builds of Microsoft Windows; excerpts describing some of them are below.

New features in Windows 10, version 1511:
* Credential Guard: Enable Credential Guard without UEFI lock. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
* BitLocker: DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
* BitLocker: New Group Policy for configuring pre-boot recovery. You can now configure the pre-boot recovery message and recovery URL that is shown on the pre-boot recovery screen. For more info, see the Configure pre-boot recovery message and URL section in “BitLocker Group Policy settings.”
* New BCD events: Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): DEP/NEX settings, Test signing, PCAT SB simulation, Debug, Boot debug, Integrity Services, Disable Winload debugging menu
* New PNP events: Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
* TPM: Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
* TPM: The following sections describe the new and changed functionality in the TPM for Windows 10: Device health attestation, Microsoft Passport support, Device Guard support, Credential Guard support […]
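As an added example (not part of the Microsoft documentation quoted above), here is a PowerShell function that collects the two new event IDs from the Security log and flattens each event's EventData fields so a reviewer can see which BCD setting changed or which device appeared. It assumes an elevated session on a Windows 10 version 1511 or later host with the relevant audit subcategories enabled.

```powershell
# Added example, not from the Microsoft documentation quoted above.
# Pulls Event ID 4826 (BCD change) and 6416 (Plug and Play device detected)
# from the Security log and flattens each event's <EventData> into
# name=value pairs. Assumes an elevated PowerShell session on Windows 10
# version 1511 or later with the relevant audit subcategories enabled.
function Get-PrebootAuditEvent {
    param(
        [int]$Hours = 24,
        [int[]]$EventId = @(4826, 6416)
    )
    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Each <Data Name="x">value</Data> element becomes one "x=value" string.
        $xml    = [xml]$e.ToXml()
        $fields = foreach ($d in $xml.Event.EventData.Data) {
            '{0}={1}' -f $d.Name, $d.'#text'
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Kind   = if ($e.Id -eq 4826) { 'BCD change' } else { 'PnP device detected' }
            Fields = ($fields -join '; ')
        }
    }
}

# A domain controller should rarely log 6416 at all, and any 4826 that turns
# on test signing or disables integrity checks deserves a closer look.
Get-PrebootAuditEvent -Hours 168 |
    Sort-Object Time -Descending |
    Format-Table Time, Id, Kind, Fields -AutoSize -Wrap
```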

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511
https://technet.microsoft.com/en-us/windows/release-info

The Open Source Toolkit: open source hardware for science

The Open Source Toolkit features articles and online projects describing hardware and software that can be used in a research and/or science education setting across different fields, from basic to applied research. The channel editors aim to showcase how open source tools can lead to innovation, democratisation and increased reproducibility. The Open Source movement revolutionized the way computer systems were developed and how companies made their businesses. Its philosophy requires that all source code should be freely shared, so that as many people as possible can use, change, learn, and improve upon it. This movement made its way into academia and several open source packages are available for scientists. In recent years, the increasing availability and low cost of electronic components, processors and 3D printers meant that an open model of development has taken root also in the world of hardware, including the development of scientific lab equipment. The implications for research can hardly be overstated: “Open Labware” designs are almost always cheaper than “closed source” ones, allow for distributed development and, critically, customization by the end user, the lab scientist.


PLOS was founded in 2001 as a nonprofit Open Access publisher, innovator and advocacy organization with a mission to accelerate progress in science and medicine by leading a transformation in research communication.

https://channels.plos.org/open-source-toolkit

http://collections.plos.org/open-source-toolkit-hardware

https://www.plos.org/core-principles


20+ China-based companies join UEFI Forum

They could have at least included the list of the 20+ companies in the press release. ;-(

In anticipation of the first China-based UEFI event in ten years, over 20 new members in China joined the UEFI Forum—indicating significant interest in UEFI technology in the greater China region. Additionally, in attendance from the region were prominent member companies including H3C and Inspur, Lenovo, Loongson Technology Corporation Limited, and Sugon.

http://finance.yahoo.com/news/20-china-based-companies-join-020000847.html

http://uefi.org/members

naken_asm: lightweight assembler/disassembler

naken_asm is a lightweight assembler/disassembler with a focus on being easy to compile (no dependencies) and easy to use. It was originally called naken430asm, but since it has been expanded to support many more CPUs it has been renamed to naken_asm. Additionally, there is a simulator for some of the supported CPUs.

https://github.com/mikeakohn/naken_asm
https://github.com/mikeakohn/naken_asm/tree/master/docs
http://www.mikekohn.net/micro/naken_asm.php