more from Duo on Apple EFI security

Nice, in addition to an upcoming new EFI tool, it appears Duo has some defensive advice, using osquery, Puppet, and Chef. Click on the first tweet below for an image from their upcoming presentation.


Note that Teddy Reed is giving a presentation on OSQuery in November at Usenix LISA:

Pepijn’s Apple EFI version spreadsheet:

https://docs.google.com/spreadsheets/d/1qGRVF1aRokQgm_LuTsFUN2Knrh0Sd3Gp0ziC_VIWqoM/edit#gid=0

Google Titan trust paper available

A Vendor-Agnostic Root of Trust for Measurement
Jon McCune, Rick Altherr
We report the success of a project that Google performed as a proof-of-concept for increasing confidence in first-instruction integrity across a variety of server and peripheral environments. We begin by motivating the problem of first-instruction integrity and share the lessons learned from our proof-of-concept implementation. Our goal in sharing this information is to increase industry support and engagement for similar designs. Notable features include a vendor-agnostic capability to interpose on the SPI peripheral bus (from which bootstrap firmware is loaded upon power-on in a wide variety of devices today) without negatively impacting the efficacy of any existing vendor- or device-specific integrity mechanisms, thereby providing additional defense-in-depth.

https://research.google.com/pubs/pub46352.html

Click to access 46352.pdf

Yuriy of Eclypsium has a few comments on the doc; click on the tweet below for the thread:


UEFI at SeaGL

If you are in the Seattle area, the Seattle GNU/Linux Conference (SeaGL, pronounced “Seagull”) is happening shortly. There are two UEFI talks, one by PreOS Security and one by System76.

https://osem.seagl.org/conferences/seagl2017/program/proposals/374

http://seagl.org/news/2017/09/28/QA-penglish.html

https://preossec.com/

https://system76.com/

https://osem.seagl.org/conferences/seagl2017/program/proposals/326

Duo Security on Apple EFI security

https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research

Click to access Duo-Labs-The-Apple-of-Your-EFI.pdf

https://github.com/duo-labs/EFIgy

https://www.ekoparty.org/charla.php?id=798

VMWare Workstation 14 available

[…]Workstation 14 Pro builds from the newest vSphere Virtual Hardware Platform, now at version 14, and with it delivers new features such as support for:
– Microsoft Device Guard and Credential Guard “Virtualization Based Security” feature support for Windows 10 Guests (Guests only at this time)
– A new Virtual NVMe device for faster disk access on SSD storage and a requirement for vSAN testing
– UEFI Secure Boot, required for VBS and supported with ESXi 6.5 Virtual Guests.
– A new Virtual Trusted Platform Module which is used to manage keys for guest encryption services such as BitLocker.
– Support for the latest Intel Kaby Lake and AMD Ryzen CPUs

https://blogs.vmware.com/workstation/2017/09/workstation-14-now-available.html


Firmware Test Suite 17.09.00 released

FWTS 17.09.00 has been released, with new UEFI, ACPI, and IPMI features and MANY bugfixes; see the full announcement.

New Features:
* ACPICA: Update to version 20170831
* dmi: dmicheck: Add BMC Interface Type definitions from IPMI spec
* lib: fwts_acpi_tables: add a new function to check Reserved field
* lib: fwts_acpi_tables: add a new function to check reserved bits
* efi_runtime: add resetsystem runtime service

http://fwts.ubuntu.com/release/fwts-V17.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/17.09.00
https://launchpad.net/ubuntu/+source/fwts

https://lists.01.org/pipermail/luv/2017-September/002089.html


Signal use of Intel SGX

Signal, by Open Whisper Systems, is one of the modern ‘secure communication applications’ in use today. They recently blogged about how they use Intel SGX to help secure their service:

[…]Huge thanks to Jeff Griffin for doing the heavy lifting and writing all the enclave code, Henry Corrigan-Gibbs for introducing us to SGX, Raluca Ada Popa for explaining ORAM state of the art to us, and Nolan Leake for systems insight.

https://signal.org/blog/private-contact-discovery/

https://github.com/whispersystems/contactdiscoveryservice

Intel seeks senior security researcher

Job ID: JR0037962
Senior Security Researcher

The Platform Engineering Group (PEG) is responsible for the design, development, and production of system-on-a-chip (SoC) products that go into Intel’s next generation client and mobile platforms. PEG strives to lead the industry moving forward through product innovation and world class engineering. Intel Security Center of Excellence’s goal is to be a prominent leader in the industry to assure security in computing platforms by conducting advanced security research. If you are a seasoned threat, vulnerability and exploit research expert who craves for tons of fun and pride in raising the security bar for ubiquitous computing systems, we would like you to join us as a proud member of Intel’s Advanced Security Research Team. Through your deep vulnerability analysis and mitigation development expertise, you will influence the security of a variety of Hardware, Firmware, Software & Systems spanning a range of products including Devices, Cloud, Auto, IOT, AI, VR, Drones, and Networks. Responsibilities include the following: Own emerging threat analysis, gain insights & know-how of evolving attack techniques, predict and extrapolate attack trends ahead of its occurrence, develop robust counter measures and mitigation. This role requires maintaining substantial knowledge of state-of-the-art security principles, theories, attacks etc. and contribute those insights to internal and external stakeholders. Participation in development or intellectual property is also a responsibility.

* Applicants should possess at least 10 years of experience in the field of system security research and excel in exploring software and hardware techniques as a method of attack against targets within the computing systems.
* Ability to span security expertise over HW, SW and Firmware domains. Passion for the latest gadgets and building security into these gadgets.
* Knowledge of computer architecture CPU, SoC, chipsets, BIOS, Firmware, Drivers, and others



http://jobs.intel.com/ShowJob/Id/1352711/Senior%20Security%20Researcher


CLKSCREW: breaking TEEs with energy mgmt

https://twitter.com/daniel_bilar/status/912003921295618049

CLKSCREW: Exposing the perils of security-oblivious energy management

https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang

0x0atang.github.io/files/usenix17_clkscrew_preprint.pdf

https://hacks.hyperspacer.com/app/items/15303894

Microsoft seeks senior embedded Linux firmware engineer

The Cloud Server Infrastructure Firmware Development (CSI-FW) team is responsible for server hardware definition, design and development of Server and Rack Infrastructure engineering for Microsoft’s online services.
This role will be for a highly-motivated Firmware Engineer with a solid background in embedded system design using embedded Linux.
* 5+ years professional experience in one or many of: designing, developing embedded solutions using ARM SoCs and Linux, extensive u-boot customization, Linux kernel internals and adding new hardware drivers.
* 2+ years proven and demonstrable programming skill in C/C++ for resource constrained embedded platforms.
* Experience with debugging tools such as JTAG, oscilloscopes and bus analyzers.

https://careers.microsoft.com/jobdetails.aspx?jid=321602&job_id=1070761

Ecosystem momentum positions Microsoft’s Project Olympus as de facto open compute standard

Apple macOS automatic EFI checks

https://twitter.com/osxreverser/status/912014988608491520

High Sierra automatically checks EFI firmware each week

Upgrading to High Sierra brings a new and significant security feature: your Mac will automatically check its EFI firmware. In a series of tweets, Xeno Kovah, one of the three engineers responsible for the new tool, has outlined how this works.[…]


AFAICT, the article references Tweets from earlier today that appear to have subsequently been deleted from Twitter.

Intel Platform Armoring and Resiliency team seeks BIOS intern

Interesting: Intel SSG has a “Platform Armoring and Resiliency (PAR)” team! Wish I had more details on what they do (besides inferring from job postings). If you’re on the PAR team and you have a home page or more public info, please leave a Comment.

Security BIOS Engineering Intern Hillsboro, OR
Job ID: JR0034895
Job Category: Intern/Student

Intel Corporation’s Software and Services Group (SSG) is looking for an intern to work in the area of platform firmware resiliency. The Platform Armoring and Resiliency PAR team within SSG is responsible for creating a secure firmware capability within Intel and the ecosystem to proactively ensure the standard boot and recovery infrastructure of IA platforms is both usable and secure[…]

* Utilizing fuzzing and symbolic execution tools to explore target binaries
* Prototyping new functionality in UEFI/BIOS
* Developing/supporting software tools in C and Python
* Gathering and analyzing execution traces to identify patterns of interest
* Utilizing QEMU or virtualization environments to analyze target binaries

Preferred:
* 3 months experience with Intel Model-Specific Registers (MSRs) or Configuration Space Registers (CSRs)
* 3 months experience with developing kernel modules or kernel code

http://jobs.intel.com/ShowJob/Id/1352713/Security%20BIOS%20Engineering%20Intern

A bit less interesting: Intel HR webmaster posts URLs with spaces in them. 😦

Intel MeshCentral2 updated with Load Balancer & Peering Support

Intel has released an updated version of MeshCentral2, an Intel AMT-based management tool for Windows. The new version has “server peering” support, which I confess I don’t yet understand, but it sounds significant, something to learn about…

[…]MeshCentral2 is a free open source web-based remote computer management solution allowing administrators to set up new servers in minutes and start remotely controlling computers using both software agent and Intel® AMT. The server works both in a LAN environment and over the Internet in a WAN setup. Now, I just released a new version with support for server-to-server peering allowing for improved fail-over robustness and scaling. Some technical details:

* Servers connect to each other using secure web sockets on port 443. This is just like browsers and Mesh agents, so you can set up a fully working peered server installation with only port 443 being open.
* Server peering and mesh agent connections use a secondary authentication certificate allowing the server HTTPS public certificate (presented to browser) to be changed. This allows MeshCentral2 peer servers to be set up with different HTTPS certificates. As a result, MeshCentral2 can be set up in a multi-geo configuration.
* All of the peering is real-time. As servers peer together and devices connect to the servers, users see a real-time view on the web page of what devices are available for management. No page refresh required.
* MeshCentral2 supports TLS-offload hardware for all connections including Intel® AMT CIRA even when peering. So, MeshCentral2 servers can benefit from the added scaling of TLS offload accelerators.
* Full support for server peering for Browsers, Mesh Agents and Intel® AMT connections.
* The server peering system does not use the database at all to exchange state data. This boosts the efficiency of the servers because the database is only used for long term data storage, not real time state.
* There is no limit to how many servers you can peer, however I currently only tested a two server configuration.

https://software.intel.com/en-us/blogs/2017/09/21/meshcentral2-load-balancer-peering-support

http://www.meshcommander.com/meshcentral2

https://software.intel.com/sites/default/files/managed/ce/37/MeshCentral2-DualServer.png


Ekoparty: analysis of Apple’s EFI security

https://twitter.com/XenoKovah/status/911110271279628288

The Apple of your EFI: An analysis of the state of Apple’s EFI Security Support

Duo Labs conducted an extensive data analysis of the state of Apple’s EFI security from two perspectives. The first was to analyze all EFI updates released by Apple from OS X 10.10.0 through macOS 10.12.6 in order to characterize the security support provided across different Mac models and OS versions; this also provided a baseline for the expected state of Mac systems, so that the current state of their EFI security could be compared against the expected state. Our findings cover a range of anomalies and security issues in the security support Apple provides for its EFI firmware. More worrying still, our analysis shows significant deviations between the actual state of the EFI firmware on Macs and the expected state, which raises the suspicion of systemic issues causing failures of the new EFI firmware that is supposedly installed automatically alongside an OS update. In addition to the data analysis discussed above, our research aims to shed light on the mechanisms used to update Apple’s EFI, and we will discuss how Apple’s EFI updater tools operate and the controls they have in place. These revelations come from binary analysis of the tools themselves, and we believe they have not been discussed in detail until now. Along with our findings in the form of a technical paper, we are also releasing tools and APIs to enable administrators and end users to have greater visibility into the state of the EFI firmware on their Apple systems, and to understand the security implications it may carry.
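The expected-versus-actual comparison the abstract describes (and the osquery/Puppet/Chef defensive angle mentioned at the top of this page), as an added example that is not Duo’s EFIgy code: it assumes Apple’s EFI version strings follow the layout `<BOARD>.88Z.<ROM>.B<BUILD>.<YYMMDDHHMM>`, and the baseline table and fleet inventory are constructed sample data, not real Apple release data.

```python
# Added example (not Duo's EFIgy code): compare each Mac's reported EFI version
# with a per-model baseline. Assumes Apple's EFI version strings have the layout
# <BOARD>.88Z.<ROM>.B<BUILD>.<YYMMDDHHMM>; baseline and fleet data are constructed.
import re
from datetime import datetime

VERSION_RE = re.compile(r"^(?P<board>[A-Z]+\d+)\.88Z\.(?P<rom>[0-9A-F]{4})"
                        r"\.B(?P<build>[0-9A-F]{2})\.(?P<stamp>\d{10})$")

def parse_version(text):
    """Return (board, (rom, build, built)); the tuple sorts in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EFI version string: {text!r}")
    return m["board"], (int(m["rom"], 16), int(m["build"], 16),
                        datetime.strptime(m["stamp"], "%y%m%d%H%M"))

# Expected firmware per (board id, macOS version): constructed values.
BASELINE = {
    ("MBP131", "10.12.6"): "MBP131.88Z.0200.B20.1706011200",
    ("MBA71", "10.12.6"): "MBA71.88Z.0180.B10.1705011200",
}

def classify(board, os_version, observed):
    """Status of one host's reported EFI version against the baseline."""
    try:
        actual_board, actual = parse_version(observed)
    except ValueError:
        return "malformed"
    if actual_board != board:
        return "board-mismatch"       # firmware built for a different model
    expected = BASELINE.get((board, os_version))
    if expected is None:
        return "no-baseline"
    _, expected = parse_version(expected)
    if actual < expected:
        return "outdated"             # the OS update did not bring the EFI along
    if actual > expected:
        return "newer-than-baseline"  # the baseline table itself is stale
    return "ok"

def audit(records):
    """records: (host, board, os_version, efi_version) tuples -> {host: status}."""
    return {host: classify(board, osv, efi) for host, board, osv, efi in records}

# Constructed inventory, as an osquery or MDM agent might report it.
FLEET = [
    ("mac-01", "MBP131", "10.12.6", "MBP131.88Z.0200.B20.1706011200"),
    ("mac-02", "MBP131", "10.12.6", "MBP131.88Z.0190.B12.1611151200"),
    ("mac-03", "MBP131", "10.12.6", "MBP131.88Z.0200.B21.1708011200"),
    ("mac-04", "MBA71", "10.12.6", "MBP131.88Z.0200.B20.1706011200"),
    ("mac-05", "IM171", "10.12.6", "IM171.88Z.0150.B08.1703011200"),
    ("mac-06", "MBP131", "10.12.6", "not-a-version"),
]
```

Hosts reported as “outdated” are the case the abstract flags: the OS update ran but the bundled EFI update did not take, so the machine is missing firmware fixes it is supposed to have.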


https://www.ekoparty.org/charla.php?id=798


Positive Tech at BlackHat EU: Running Unsigned Code in Intel ME

How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have long been interested in such “God mode” capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools. Unfortunately, this change did not go without errors. In a subsystem of Intel ME version 11+, which will be detailed in the talk, a vulnerability was found. It allows an attacker of the machine to run unsigned code in the PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling the OS and updating the BIOS. Running your own code on the ME gives unlimited possibilities for researchers, because it allows exploring the system dynamically. In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Intel ME is the new Pandora’s Box…


CVE-2015-7837: RHEL UEFI Secure Boot


https://twitter.com/security_de/status/910399697986244609

Vulnerability ID 106841
Red Hat Enterprise Linux UEFI Secure Boot privilege escalation

A vulnerability, which was classified as critical, has been found in Red Hat Enterprise Linux (the affected version is unknown). This issue affects an unknown function of the component UEFI Secure Boot. The manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-269. Impacted is confidentiality, integrity, and availability. The weakness was released 09/19/2017 (oss-sec). The advisory is shared for download at openwall.com. The identification of this vulnerability is CVE-2015-7837 since 10/15/2015. The exploitation is known to be easy. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 09/20/2017).[…]

https://tsecurity.de/de/206729/Reverse-Engineering/Exploits/Red-Hat-Enterprise-Linux-UEFI-Secure-Boot-erweiterte-Rechte-CVE-2015-7837/
https://vuldb.com/?id.106841
http://nakedsecurity.com/cve/CVE-2015-7837/
https://cxsecurity.com/cveshow/CVE-2015-7837
http://www.openwall.com/lists/oss-security/2015/10/15/6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7837
https://www.security-database.com/detail.php?alert=CVE-2015-7837

Comments above seem to indicate a 9/19 update, but I can’t find that, only older messages from 2015-2016. I’m unclear about the current status of this.