Month: June 2017

Avatar redesigned as Avatar2

~ hucktech ~ Leave a comment

First there was S2E, then there was Avatar. Now there is Avatar2:

Avatar is an orchestration framework designed to support dynamic analysis of embedded devices. Avatar² is the second generation of the framework, which has been completely re-designed and re-implemented from scratch to improve performance, usability, and support for advanced features. An Avatar² setup consists of three parts: A set of targets,  A memory layout, and An execution plan. Targets are responsible for the execution and the analysis of the firmware code. While it is possible to run Avatar² with a single target, most configurations will have at least two (typically an emulator and a physical device). The memory layout describes the different regions of memory and their role in the system (e.g., the fact that may be mapped to an external peripheral or connected to a file) as well as the memory access rules, i.e., how memory read and write operations needs to be forwarded between targets. Finally, the execution plan tells Avatar² how the actual execution of the firmware needs to be divided among the targets in order to achieve the analyst goal. If this sounds complex, it is because Avatar² is an extremely powerful and flexible framework designed to adapt to different scenarios and support complex configurations. However, a simple Avatar² example is quite straightforward to write and understand.[…]

https://github.com/avatartwo/

https://github.com/avatartwo/avatar2/blob/master/handbook/0x01_intro.md

RackHD

~ hucktech ~ Leave a comment

https://twitter.com/BrettJohnson008/status/867239045675581441

RackHD is a technology stack created for enabling hardware management and orchestration, to provide cohesive APIs to enable automated infrastructure. In a Converged Infrastructure Platform (CIP) architecture, RackHD software provides hardware management and orchestration (M&O). It serves as an abstraction layer between other M&O layers and the underlying physical hardware. Developers can use the RackHD API to create a user interface that serves as single point of access for managing hardware services regardless of the specific hardware in place.

https://github.com/RackHD/RackHD

http://rackhd.io/

Toshiba adds security features to firmware

~ hucktech ~ Leave a comment

Toshiba has added firmware-level security to their Mobile Zero Client:

[…]How Toshiba Mobile Zero Client works
* Power on: User powers on the device, which connects to pre-configured LAN or Wi-Fi
* Boot permission: Device requests boot permission from Toshiba Boot Control Service*
* Big Core download: When boot permission is granted, your unique, secure, Big Core package is encrypted, downloaded and unpacked in the RAM
* Ready to go: Your Big Core, with Linux and the VDI client, is executed – establishing its connection to your VDI server

[…]Beyond supporting the storage of data securely away from the device, TMZC can provide added protection through Toshiba’s uniquely developed BIOS, which is designed and built in–house to help remove the risk of third-party interference.[…] We’re one of the only manufacturers that creates our own BIOS and UEFI’s.[…]

http://us.toshiba.com/solutions/tmzc

http://www.businesswire.com/news/home/20170613005346/en/Toshiba-Expands-Portfolio-Security-Solutions-Addition-Mobile

CrashOverride malware

~ hucktech ~ Leave a comment

US-CERT Alert (TA17-163A)
CrashOverride Malware
Systems Affected: Industrial Control Systems
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine.[…]

Click to access Win32_Industroyer.pdf

https://www.dragos.com/blog/crashoverride/

https://www.us-cert.gov/ncas/alerts/TA17-163A

EFI Swiss Knife: IDA plugin

~ hucktech ~ 1 Comment

https://twitter.com/osxreverser/status/874636697841152001

EFI Swiss Knife – An IDA plugin to improve (U)EFI reversing
Today I am finally releasing one of the EFI reversing tools I built when I was working on the SCBO post. Yesterday there were some tweets about IDA improving its support for EFI binaries (although I’m not sure it’s the same thing as in here) so I decided to finally release this one. Tested with IDA 6.9 and IDA 6.95 OS X versions, might work in Windows with just paths modification. It is based on Snare’s work, https://github.com/snare/ida-efiutils. Since I hate Python I rewrote it in C and added some extra features.[…]

https://reverse.put.as/2017/06/13/efi-swiss-knife-an-ida-plugin-to-improve-uefi-reversing/

https://github.com/gdbinit/EFISwissKnife

Evil Chambermaids in the era of Travel 2.0

~ hucktech ~ Leave a comment

Does the OEMs have any proactive effort to help verify the silicon of a system against a profile, in effect to ‘hash’ the hardware? Maybe vendors need to make a verifiable device that can be used on an airline (and other places where users would like to verify their hardware). OEMs need to build verifiable systems, not sit back and let politicians and criminals destroy their market. Who is doing research to help here? Simply banning devices is not a solution. When you check a laptop, you lose physical access to the device, and it can no longer be trusted, given the current firmware/hardware designs by vendors. OEMs need to build solutions that work in this Travel 2.0 era. The Stateless Laptop by Joanna Rutkoska is a start.

“Evil Maids are believed to be enthusiastic to the new regulation.” –Joanna Rutkowska

Opsec for a world where the laptop ban goes global

https://backchannel.com/what-to-do-if-the-laptop-ban-goes-global-120295a957a4

https://www.wired.com/2017/06/bad-math-trump-laptop-ban/

http://www.securityweek.com/israeli-intelligence-discovered-plans-laptop-ban-report

 

Hacking the Virgin Media Super Hub

~ hucktech ~ Leave a comment

By Jan Mitchell and Andy Monaghan, 12 June 2017
Context’s Research team have looked at a large number of off-the-shelf home routers in the past and found them to be almost universally dreadful in terms of security posture. However, flagship routers from large ISPs such as BT, Sky and Virgin Media are notably absent from the regular stream of router vulnerabilities in the press. We were curious to discover if these routers were significantly more secure than their off-the-shelf cousins, so we decided to dedicate some of our public research time into looking at one of these devices. […]
The output in Figure 1 suggested that U-Boot is executing a boot script, which was definitely something we wanted to investigate. The first step was to obtain a copy of the bootloader by reading the Flash memory. Given we didn’t have the ability to input characters this would be somewhat tricky via software, so we fired up the hot air gun and removed the Spansion (S25FL129P) NAND flash chip. There are a number of ways to read data from a flash chip, all of which we will be detailing in another blog shortly. In our case, as our preferred I2C/Serial Peripheral Interface (SPI) reader was in another office we used a BeagleBone Black and a bit of Python to manually drive the chip’s SPI bus[…]

https://www.contextis.com/resources/blog/hacking-virgin-media-super-hub/

VM_1_uboot

Mike on Windows Config Mgr and Secure Boot

~ hucktech ~ Leave a comment

Mike Terrill has 2 blog posts on Windows Configuration Manager and UEFI Secure Boot:

BIOS and Secure Boot State Detection during a Task Sequence
With all of the security issues and malware lately, BIOS to UEFI for Windows 10 deployments is becoming a pretty hot topic (unless you have been living under a rock, UEFI is required for a lot of the advanced security functions in Windows 10). In addition, with the Windows 10 Creators Update, Microsoft has introduced a new utility called MBR2GPT that makes the move to UEFI a non-destructive process. If you have already started deploying Windows 10 UEFI devices, it can be tricky to determine what state these devices are in during a running Task Sequence. The Configuration Manager Team introduced a new class called SMS_Firmware and inventory property called UEFI that helps determine which computers are running in UEFI in Current Branch 1702. This can be used to build queries for targeting and reports, but it would be nice to handle this plus Secure Boot state (and CSM) during a running Task Sequence. We do have the Task Sequence variable called _SMSTSBootUEFI that we will use, but we need to determine the exact configuration in order to execute the correct steps.[…]

BIOS and Secure Boot State Detection during a Task Sequence Part 1

BIOS and Secure Boot State Detection during a Task Sequence Part 2

 

HardwareSecurityTraining.info gets 4th trainer

~ hucktech ~ Leave a comment

Colin O’Flynn joins Joe+Joe+Dymtry, so ‘power trio’ is no longer appropriate.

https://hardwaresecurity.training/

HardwareSecurity.Training

OEMs still not shipping golden image hashes

~ hucktech ~ Leave a comment

OEMs: you need to ship hashes of your golden images. Read NIST SP 147 (and 193). You should be OpenPGP-signing them, as well.

I want to update the BIOS on my <OEM> motherboard as this hopefully solves a problem. However, the archive containing the BIOS update and flashing tool can only be downloaded over http and there is no way to verify it’s integrity as neither signed or non-signed checksums are available. I’m extremely uncomfortable with just installing the update without being able to verify it’s integrity, as I would forever think about if the BIOS has been modified in case the download server has been compromised or by MITM attack while I’m downloading. What can I do?

https://news.ycombinator.com/item?id=14530302

 

USB attack to Mazda cars: Bad Valet attack

~ hucktech ~ Leave a comment

“Bad Valet is the new Evil Maid” –Joanna Rutkowska

 

“A PoC that the USB port is an attack surface for a Mazda car’s infotainment system and how Mazda hacks are made.”

https://github.com/shipcod3/mazda_getInfo

 

CMC-Vboot: investigates Chrome’s Verified Boot

~ hucktech ~ Leave a comment

This project takes Chrome’s Verified Boot (Vboot) process and examines its various security properties using formal logic. This verification is done with a focus on the firmware/hardware boundary. The Vboot process depends on the correct functionality of a Trusted Platform Module (TPM) and a SHA accelerator. Because these hardware accelerators are interacted with through Memory Mapped I/O (MMIO), it is difficult for normal formal methods to capture the interface between the MMIO registers and the workings of the Hardware modules. To explore this boundary I am using a Software TPM Library and passing it through to the QEMU Hardware Emulator. This allows me to use the normal MMIO registers of a TPM with the original Vboot Library.[…]

https://github.com/gilhooleyd/CBMC-Vboot

PNP-ID: Plug and Play Vendor ID tool/library

~ hucktech ~ Leave a comment

PNP-ID: given a PNP (Plug and Play) industry-unique Vendor ID, return the Vendor name. This is C code that, given a PNP (Plug and Play) industry-unique Vendor ID, returns the Vendor name. This file contains a script, update.sh to automatically download the PNP ID REGISTRY from the UEFI Forum body, and generate and compile a C program and a test binary. The C program uses a binary search to efficiently resolve a PNP Vendor ID to the Vendor name.

https://github.com/golightlyb/PNP-ID

 

Green Threads for UEFI

~ hucktech ~ Leave a comment

Green Threads for UEFI: This project is a an alpha version of “green” threads for UEFI. It’s not really like Linux green threads as there is no distinction between user space and kernel space but the different threads are running on the same core

This C-based project has a bit of Intel-centric assembly language code.

Wikipedia defines “Green Threads” as: “threads that are scheduled by a runtime library or virtual machine (VM) instead of natively by the underlying operating system. Green threads emulate multithreaded environments without relying on any native OS capabilities, and they are managed in user space instead of kernel space, enabling them to work in environments that do not have native thread support.”

https://github.com/Openwide-Ingenierie/GreenThreads-UEFI

https://en.wikipedia.org/wiki/Green_threads

Intel AMT Clickjacking Vulnerability (INTEL-SA-00081)

~ hucktech ~ Leave a comment

Today Intel announced a NEW AMT security advisory:

Intel® AMT Clickjacking Vulnerability
Intel ID: INTEL-SA-00081
Product family: Intel® Active Management Technology
Impact of vulnerability: Information Disclosure
Severity rating: Moderate
Original release: Jun 05, 2017

Insufficient clickjacking protection in the Web User Interface of Intel® AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205 potentially allowing a remote attacker to hijack users’s web clicks via attacker’s crafted web page. Affected products: Intel AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205. Intel highly recommends that users update to the latest version of firmware available from their equipment manufacturer. Intel would like to thank Lenovo for reporting this issue and working with us on coordinated disclosure.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00081&languageid=en-fr

 

More on malware use of Intel AMT

~ hucktech ~ Leave a comment

After the recent Microsoft mention of AMT being used by malware, there is a bit more on the press on AMT:

https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

Symbolic execution timeline

~ hucktech ~ Leave a comment

Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.

https://github.com/enzet/symbolic-execution