Month: June 2017

Hardware Forensic Database (HFDB)

~ hucktech ~ Leave a comment

https://twitter.com/_jsoo_/status/878065564157190144

The Hardware Forensic Database (or HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools. This database provides multiple guides to collect valuable information from various smart/connected devices, as well as dedicated tools. These guides allows quick information extraction and provides all the required material to perform a forensic analysis on specific devices.[…]

http://hfdb.io/

Xen 4.9 multiboot2 support increased

~ hucktech ~ Leave a comment

At least one UEFI change in this release:

Boot Xen on EFI platforms using GRUB2 (x86):
From Xen Project 4.9 and GRUB2 2.02 onwards, the Xen Project Hypervisor can be booted using the multiboot2 protocol on legacy BIOS and EFI x86 platforms. Partial support for the multiboot2 protocol was also introduced into network boot firmware (iPXE). This makes the Xen Project boot process much more flexible. Boot configurations can be changed directly from within a bootloader (without having to use text editors) and boot configurations are more portable across different platforms.

https://blog.xenproject.org/2017/06/28/whats-new-in-the-xen-project-hypervisor-4-9/

 

Reverse Engineering Samsung S6 SBOOT – Part II

~ hucktech ~ Leave a comment

Reverse Engineering Samsung S6 SBOOT – Part II
By Fernand Lone Sang

In my previous article, I explained how to load Samsung’s proprietary bootloader SBOOT into IDA Pro. The journey to the TEE OS continues in this second article which describes two techniques to locate Trustonic’s TEE <t-base in the binary blob. A few months back, I started digging into various TEE implementations and that led me to reverse engineer Samsung’s proprietary bootloader SBOOT [1]. At that time, I suspected that the Trustonic’s TEE <t-base was somehow embedded in the bootloader’s image of Exynos-based smartphones, and it turned out that my assumptions were good. Back then, I used two techniques to locate <t-base in SBOOT but I did not find enough time to cleanup my notes and blog about it until now. This article describes the two techniques I used.[…]

https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-ii.html

https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html

EFI Boot Guard from Siemens

~ hucktech ~ Leave a comment

EFI Boot Guard

Simple UEFI boot loader with support for safely switching between current and updated partition sets. A bootloader based on UEFI. Provides the following functionality:

* Arm a hardware watchdog prior to loading an OS
* Provides a simple update mechanism with fail-save algorithm

The following watchdog drivers are implemented: Intel Quark, Intel TCO, and Intel i6300esb.

 

https://github.com/siemens/efibootguard

Microsoft Windows Defender ATP

~ hucktech ~ Leave a comment

What’s new in Windows Defender ATP Fall Creators Update:
When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop attacks as they happen and before they have impact. This means that our service will expand beyond detection, investigation, and response, and will now allow companies to use the full power of the Windows security stack for preventative protection. The stack will be powered by our cloud-based security intelligence, which moves us from a world of isolated defenses to a smart, interconnected, and coordinated defense grid that is more intelligent, simple to manage, and ever-evolving. We will also provide a single pane of glass experience for security professionals. This means that security management (SecMgmt) teams can easily configure a broad set of Windows security stack technologies through an integrated configuration management experience. Security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console. This will not only give companies a full picture of what’s happening on their endpoints, but will also put them in the driver seat to quickly react to threats as they happen. Leveraging our cloud-based security intelligence gives the optics, context, and tools that companies need to quickly investigate and remediate incidents. Here are some highlights of the Windows Fall Creators Update:[…]

https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update/

https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

 

Summer reading list for UEFI security

~ hucktech ~ Leave a comment

I’ve seen a large number of ‘Summer reading list’ posts on various social media forums in the last few days. I’ll add my own.

http://www.timeglider.com/timeline/5ca2daa6078caaf4

https://github.com/advanced-threat-research/firmware-security-training

https://www.nostarch.com/rootkits

https://www.degruyter.com/view/product/484477

https://www.degruyter.com/view/product/484468

https://blog.invisiblethings.org/2015/10/27/x86_harmful.html

https://blog.invisiblethings.org/2015/12/23/state_harmful.html

Regarding the No Starch Press book above, most chapters available via ebook, hardcopy book apparently due later this Summer, autographed edition at DEF CON.

IoT Liability

~ hucktech ~ Leave a comment

 

When safety and security become one
What happens when your car starts getting monthly upgrades like your phone and your laptop? It’s starting to happen, and the changes will be profound. We’ll be able to improve car safety as we learn from accidents, and fixing a flaw won’t mean spending billions on a recall. But if you’re writing navigation code today that will go in the 2020 Landrover, how will you be able to ship safety and security patches in 2030? In 2040? In 2050? At present we struggle to keep software patched for three years; we have no idea how to do it for 30. Our latest paper reports a project that Éireann Leverett, Richard Clayton and I undertook for the European Commission into what happens to safety in this brave new world. Europe is the world’s lead safety regulator for about a dozen industry sectors, of which we studied three: road transport, medical devices and the electricity industry.[…]

When safety and security become one

Click to access weis2017.pdf

Aditya Gupta: Firmware Analysis for IoT Devices

~ hucktech ~ Leave a comment

Firmware Analysis for IoT Devices

Aditya Gupta

This is the second blog related to IoT Exploitation and Penetration Testing. In this blog we are going to have a look at a key component in an IoT device architecture – firmware‍. Any IOT‍ device you use, you will be interacting with firmware, and this is because firmware can be thought of as the actual code that runs on an IoT or embedded device‍ . For this post, we will start by looking at various ways to extract file system from firmware, and then move into going deeper into analysing binaries for vulnerabilities. The most common architectures for IoT devices are ARM‍ and MIPS‍ , which is also something we will cover later in this series. Before starting digging deep into the firmware, we would have a look at the components and related aspects, such as file system types, compression‍ , encryptions, and bootladder‍.[…]

https://www.peerlyst.com/posts/firmware-analysis-for-iot-devices-aditya-gupta

Dell PowerEdge 14G firmware updates

~ hucktech ~ Leave a comment

Dell/EMC has a new Tech Note, written by Wei Liu and Seamus Jones, summarizing some of the new firmware security features available in their new server:

Cyber-Resiliency Starts at the Chipset and BIOS

2-page Tech Note covering new BIOS features introduced with PowerEdge 14G servers, offering unique resiliency to malicious intent or user error. The two features highlighted, BIOS Recovery and integration of Intel Boot Guard, respectively, are further demonstration of PowerEdge engineering commitment to ensuring the security and stability of enterprise infrastructures.

http://en.community.dell.com/techcenter/extras/m/white_papers/20444061

 

sicherboot: systemd Secure boot integration

~ hucktech ~ Leave a comment

systemd Secure boot integration

sicher*boot automatically installs systemd-boot and kernels for it into the ESP, signed with keys generated by it. The signing keys are stored unencrypted and only protected by the file system permissions. Thus, you should make sure that the file system they are stored (usually /etc) in is encrypted. After installing sicherboot, you can adjust a number of settings in /etc/sicherboot.conf and should set a kernel commandline in /etc/kernel/cmdline. Then run ‘sicherboot setup’ to get started.

 

https://github.com/julian-klode/sicherboot

Intel Skylake/Kaby Lake: broken hyper-threading

~ hucktech ~ Leave a comment

Henrique de Moraes Holschuh  of the Debian project posted a message about an Intel hyper-threading issue:

[WARNING] Intel Skylake/Kaby Lake processors: broken hyper-threading

This warning advisory is relevant for users of systems with the Intel processors code-named “Skylake” and “Kaby Lake”. These are: the 6th and 7th generation Intel Core processors (desktop, embedded, mobile and HEDT), their related server processors (such as Xeon v5 and Xeon v6), as well as select Intel Pentium processor models.

TL;DR: unfixed Skylake and Kaby Lake processors could, in some situations, dangerously misbehave when hyper-threading is enabled. Disable hyper-threading immediately in BIOS/UEFI to work around the problem. Read this advisory for instructions about an Intel-provided fix.

[…]

Full message:

https://lists.debian.org/debian-devel/2017/06/msg00308.html

EFI variable support for U-Boot

~ hucktech ~ Leave a comment

Rob Clark has an RFC patch to U-Boot, with UEFI variable support:

[RFC] efi: variable support

Mapping from EFI variables to grub variables. Still almost as many TODOs as lines of code, but just figured I’d send out an early version for comments. I was thinking of it as a useful way for u-boot to pass values to grub (although grub is still missing a way for grub scripts to retrieve UEFI variables). The rough idea is to encode GUID + variable name plus “efi_” prefix (to avoid unintended u-boot variables leaking into the UEFI world). And then encode the type (and attributes?) in the string value of the variable. Ie. something like:

setenv efi_8be4df6193ca11d2aa0d00e098032b8c_OsIndicationsSupported (u64)0

Full patch/thread:
https://lists.denx.de/listinfo/u-boot

 

Adaptiva Secure 10: BIOS to UEFI

~ hucktech ~ Leave a comment

New registration-required freeware from Adaptiva:

Adaptiva’s free Secure 10 is a complete automation solution for ConfigMgr admins to make the BIOS to UEFI conversion process simple and unattended. With Secure 10, migrations take much less time and no IT staff need to be on-site during the process. Now including support for new MBR2GPT.exe tool for retaining data while making the switch, as well as ConfigMgr 1610+ WinPE boot image pre-staging. Also new: two complete task sequences to save time integrating into your deployments! […] The open solution includes detailed documentation to help SCCM system administrators overcome the complexities of automating the conversion from:

* BIOS to UEFI – Secure 10 automates the conversion process from the legacy BIOS firmware typically used in Windows 7/8 systems to the more powerful Unified Extensible Firmware Interface (UEFI) technology. UEFI is required to enable key enterprise security features available in Windows 10.

* MBR to GPT – Secure 10 now includes support for the MBR2GPT.exe tool, which helps convert the disk layout on a PC from the legacy Master Boot Record (MBR) to GUID Partition Table (GPT). The new tool is the only Microsoft-supported tool to convert a production disk from MBR to GPT without data loss, greatly speeding in-place upgrades to Windows 10.

* WinPE Pre-staging – Microsoft recently introduced the capability to pre-stage a WinPE boot image to a partition from within an SCCM Task Sequence and have that image persist during the conversion from MBR to GPT. Secure 10 supports this capability for refresh/replace scenarios.

https://www.adaptiva.com/blog/2017/adaptiva-releases-bios-uefi-solution-update-speed-windows-10-migrations/

OpenBSD gets KARL (Kernel Address Randomized Link)

~ hucktech ~ Leave a comment

http://undeadly.org/cgi?action=article&sid=20170613041706

https://marc.info/?l=openbsd-tech&m=149732265506347&w=2

 

Over the last three weeks I’ve been working on a new randomization feature which will protect the kernel. The situation today is that many people install a kernel binary from OpenBSD, and then run that same kernel binary for 6 months or more. We have substantial randomization for the memory allocations made by the kernel, and for userland also of course. However that kernel is always in the same physical memory, at the same virtual address space (we call it KVA). Improving this situation takes a few steps.[…]

http://www.jupiterbroadcasting.com/115961/read-the-source-karl-bsd-now-199/

Apple ACPI _DSD and _DSM

~ hucktech ~ Leave a comment

Lukas Wunner submitted a patch to the Linux-(kernel,ACPI) lists with an ACPI patch to support Apple _DSM properties. Comments included below:

While the rest of the world has standardized on _DSD as the way to store device properties in AML (introduced with ACPI 5.1 in 2014), Apple has been using a custom _DSM to achieve the same for much longer (ever since they switched from DeviceTree-based PowerPC to Intel in 2005, verified with MacOS X 10.4.11).

The theory of operation on macOS is as follows: AppleACPIPlatform.kext invokes mergeEFIproperties() and mergeDSMproperties() for each device to merge properties conveyed by EFI drivers as well as properties stored in AML into the I/O Kit registry from which they can be retrieved by drivers. We’ve been supporting EFI properties since commit 58c5475aba67 (“x86/efi: Retrieve and assign Apple device properties”). The present commit adds support for _DSM properties, thereby completing our support for Apple device properties. The _DSM properties are made available under the primary fwnode, the EFI properties under the secondary fwnode. So for devices which possess both property types, they can all be elegantly accessed with the uniform API in <linux/property.h>.

Until recently we had no need to support _DSM properties, they contained only uninteresting garbage. The situation has changed with MacBooks and MacBook Pros introduced since 2015: Their keyboard is attached with SPI instead of USB and the _CRS data which is necessary to initialize the spi driver only contains valid information if OSPM responds “false” to _OSI(“Darwin”). If OSPM responds “true”, _CRS is empty and the spi driver fails to initialize. The rationale is very simple, Apple only cares about macOS and Windows: On Windows, _CRS contains valid data, whereas on macOS it is empty. Instead, macOS gleans the necessary data from the _DSM properties.

Since Linux deliberately defaults to responding “true” to _OSI(“Darwin”), we need to emulate macOS’ behaviour by initializing the spi driver with data returned by the _DSM.

An out-of-tree driver for the SPI keyboard exists which currently binds to the ACPI device, invokes the _DSM, parses the returned package and instantiates an SPI device with the data gleaned from the _DSM:
https://github.com/cb22/macbook12-spi-driver/commit/9a416d699ef4
https://github.com/cb22/macbook12-spi-driver/commit/0c34936ed9a1

By adding support for Apple’s _DSM properties in generic ACPI code, the out-of-tree driver will be able to register as a regular SPI device, significantly reducing its amount of code and improving its chances to be mainlined.

The SPI keyboard will not be the only user of this commit: E.g. on the MacBook8,1, the UART-attached Bluetooth device likewise returns empty _CRS data if OSPM returns “true” to _OSI(“Darwin”).

The _DSM returns a Package whose format unfortunately deviates slightly from the _DSD spec: The properties are marshalled up in a single Package as alternating key/value elements, unlike _DSD which stores them as a Package of 2-element Packages. The present commit therefore converts the Package to _DSD format and the ACPI core can then treat the data as if Apple would follow the standard.

Well, except for one small annoyance: The properties returned by the _DSM only ever have one of two types, Integer or Buffer. The former is retrievable as usual with device_property_read_u64(), but the latter is not part of the _DSD spec and it is not possible to retrieve Buffer properties with the device_property_read_*() functions due to the type checking performed in drivers/acpi/property.c. It is however possible to retrieve them with acpi_dev_get_property(). Apple is using the Buffer type somewhat sloppily to store null-terminated strings but also integers. The real data type is not distinguishable by the ACPI core and the onus is on the caller to use the contents of the Buffer in an appropriate way.

In case Apple moves to _DSD in the future, this commit first checks for _DSD and falls back to _DSM only if _DSD is not found.