http://pages.arm.com/iot-security-manifesto.html
Registration required to download document. 😦
Month: October 2017
Reptile: Linux LKM rootkit
Reptile is a LKM rootkit for evil purposes. If you are searching stuff only for study purposes, see the demonstration codes. Features:
Give root to unprivileged users
Hide files and directories
Hide files contents
Hide processes
Hide himself
Boot persistence
Heaven’s door – A ICMP/UDP port-knocking backdoor
Client to knock on heaven’s door 😀
http://www.kitploit.com/2017/10/reptile-lkm-linux-rootkit.html
https://github.com/f0rb1dd3n/Reptile
gdb-symbolic: symbolic execution for GDB
gdb-symbolic – symbolic execution extention for gdb
Commands
* symbolize argv Make symbolic
* memory [address][size]
* target address Set target address
* triton Run symbolic execution
* answer Print symbolic variables
* debug symbolic gdb Show debug message
https://github.com/SQLab/symgdb
https://bananaappletw.github.io/2016/02/23/symbolic-exection-introduction.html
Chipsec v1.3.4 released
New or Updated Functionality:
* Updated support for 7th/8th generation Intel processors
* Added ability to undefine a configuration entry
* Added HAL and utilcmd for TPM Event Log
* Added utilcmd for TPM commands
* Added support for Apollo Lake
* added utilcmd to inspect PCI command/control registers
https://github.com/chipsec/chipsec/commits/master
https://github.com/chipsec/chipsec/releases/tag/v1.3.4
ESET adds UEFI Scanner
ESET’s internet security just keeps getting better thanks to new IoT protection and UEFI Scanner
October 24, 2017
ESET, a global leader in cybersecurity celebrating 30 years of continuous IT innovation, today launched its latest consumer security product portfolio for Windows. The enhanced solutions are designed to protect people from an expanding array of cyberthreats, data theft, malware and viruses. The features released today enhance the security capabilities of ESET NOD32 Antivirus, ESET Internet Security and ESET Smart Security Premium. The Unified Extensible Firmware Interface (UEFI) Scanner, included in all three products, adds elevated levels of malware protection by detecting and removing threats that potentially launch before the operating system boots up. Threats, including rootkits and ransomware, target vulnerabilities in the UEFI and are highly persistent, even surviving after an operating system is reinstalled. ESET’s UEFI Scanner prevents these types of attacks.[…]
Embedi: UEFI BIOS holes. So much magic. Don’t come inside.
24 October, 2017
UEFI BIOS holes. So Much Magic. Don’t Come Inside.
In recent years, embedded software security has become a red-hot topic, attracting the attention of high profile security researchers from all around the globe. However, the quality of code is still far from perfect as long as its security is considered. For instance, the CVE-2017-5721 SMM Privilege Elevation vulnerability in the firmware could affect such scope of vendors like Acer, ASRock, ASUS, Dell, HP, GIGABYTE, Lenovo, MSI, Intel, and Fujitsu. This white paper is intended to describe how to detect a vulnerability in a motherboard firmware with the help of the following tools: Intel DAL, UEFITool, CHIPSEC, RWEverything, and how to bypass the patch that fixes this vulnerability.[…]
https://embedi.com/blog/uefi-bios-holes-so-much-magic-dont-come-inside
ARM Innovator Program launched
Arm is pleased to announce the launch of the Arm Innovator Program in collaboration with Hackster.io, the leading community dedicated to learning hardware. The Arm Innovator Program is a new initiative to help support the global ecosystem of Arm developers, highlight the impressive work happening around the world based on Arm technology and share key domain knowledge from top technical experts building solutions on Arm with a wider audience. Without further ado, we’re excited to announce the first group of Arm Innovators below; you’ll learn more about them later in the blog:
John Teel, President of Predictable Designs
Laura Kassovic, President and Co-founder of MbientLab
Forrest Iandola, CEO and Founder of DeepScale
Amit Moran, VP of Innovation at temi – the personal robot
Laurent Itti, Computational Neuroscientist, creator of the JeVois
Orlando Hoilett, PHD student and founder of Calvary Engineering
Renee Love, Open-source roboticist
Azeria – Independent Security Researcher, Founder of Azeria Labs
Andrew Dresner, Open-source roboticist
Honggang Li, Co-founder of Maker Collider
https://community.arm.com/company/b/blog/posts/introducing-the-arm-innovator-program-in-collaboration-with-hackster-io
https://www.arm.com/innovation/meet-innovators
MSI-GT7x-VGA-Switch: toggle Intel/Nvidia VGA from UEFI Shell
MSI-GT7x-VGA-SWITCH: Selects VGA from LINUX or EFI!
These programs or batch scripts will let you swtch the VGA from INTEL to NVIDIA (or the opposite). This is possible at the moment only from Windows (bad choice MSI!). Now it will also be possible from Linux or directly from an EFI SHELL! Intel.nsh and nvidia.nsh are two EFI Shell scripts that can be run directly from EFI shell. Just “make intel” and “make nvidia” to compile the 2 C sources. A reboot is needed afterwards because the VGA is switched by BIOS at boot time.[…]
ShellQ: load the UEFI Shell more quietly
https://github.com/rcpao-enmotus/ShellQ
“ShellQ – UDK2017 UEFI Shell with a more quiet transition to startup.nsh”
I wish this was a feature in the main shell, not a new wrapper to the shell.
Microsoft renames VBS
https://twitter.com/aionescu/status/922539069292400640
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs
It is funny and also sad to see the new MSFT docs include data about how long it’ll take to read the page, for those potential readers who’re worried it’ll be too long to read. “4 minutes to read”. I wonder what the current attention span is, that forces writers to dumb down documents for reduced attention spans of modern readers? 😦
Eclypsium funding news
Congratulations to Eclypsium for getting funded! Here’s some more recent news stories on this:
http://altolawgroup.com/2017/10/06/eclypsium-inc-closes-2-3-million-seed-round-financing/
https://www.nwinnovation.com/eclypsium_finds_funding_from_intel_for_security_software/s-0072416.html
http://www.oregonlive.com/silicon-forest/index.ssf/2017/10/intel_capital_boosts_startup_i.html
Data is the name of the game, as Intel Capital puts $60M in 15 startups, $566M in 2017 overall
Why no firmware blob audits?
Recently, Kaspersky has had some trust issues with their OS-present binaries. Now they’re opening up their sources to 3rd party auditors. When I hear this, I wonder why we IT industry doesn’t have something like this in place for ALL criticial closed-source binaries, OS-present as well as firmware binaries. Most firmware binaries by vendors are closed-source, not bothering to audit the firmware yet being concerned about some OS-present software seems like wasted effort. I’d love to see an international group of security researchers, from commercial, academic, and government sectors, who have regular/ongoing audits of the closed-source firmware of Intel/ARM/AMD/etc. as well as all OEMs/ODMs/IHVs. Multiple overlapping audits, with some mechanism — like a WoT — to get aggregated results of each of these audits. All SMM code, any IPMI, Redfish, iLo, etc code, all AMT firmware, the ME sources (the Minix team should be one of the ME source reviewers), Intel FSP, AMD AGESA should be high on the list of audited code. If I have to trust the international vendor supply chain for hardware, I’d like to have some method to better trust the blobs on my system. If there is no open source firmware solution, where I can re-build my blobs from sources that I can audit, then I’d like some third parties to help add trust to the current closed-source blob situation. It is not just free-as-in-Freedom people that care about blobs anymore, it is a base security concern. Given how the military of some countries already ban hardware from other countries, you’d think these governments would have required some firmware auditing procedure like this already. Today, you don’t even get hashes of the blobs from the vendors. No third party audits. Code signing, and trusting a CA is best you can hope for, if at all. The recent downstream issues of Infineon’s TPM firmware, the password issues with Intel AMT, do you think a third party security audit could have helped with those issues?
https://motherboard.vice.com/en_us/article/d3y48v/what-is-a-supply-chain-attack?utm_source=mbtwitter
ARM releases Platform Security Architecture
ARM has announced a Platform Security Architecture.
As well, they’ve announced the ARM CryptoIsland family of TrustZone family.
And they’ve announced the ARM CoreSight SDC-600 Secure Debug Channel, which provides a dedicated path to a debugged system for authenticating debug accesses.
https://www.arm.com/news/2017/10/a-common-industry-framework
https://developer.arm.com/products/architecture/platform-security-architecture
https://developer.arm.com/products/system-ip/trustzone-security-ip/cryptoisland-family
more on Infineon TPM issue
Simple PowerShell script to check whether a computer is using an Infineon TPM chip that is vulnerable to CVE-2017-15361.
https://github.com/lva/Infineon-CVE-2017-15361
Windows tool that analyzes your computer for Infineon TPM weak RSA keys (CVE-2017-15361)
https://github.com/jnpuskar/RocaCmTest
Infineon Embedded Linux TPM Toolbox 2 (ELTT2) for TPM 2.0
https://github.com/Infineon/eltt2
Google response:
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update
Toshiba response:
https://support.toshiba.com/sscontent?contentId=4015874
Lenovo response:
https://support.lenovo.com/us/en/product_security/len-15552
HPE response:
https://support.hp.com/us-en/document/c05792935
gnu-efi-applets
The GNU-EFI-Applets project appears to be about a month old. There are a LOT of UEFI applications ported in this project, including a LISP interpreter. It also includes “efilibc”, another LibC implementation from musl or the EADK libraries. These build with GNU-EFI, not Tianocore/EDK2 build environment.
Name: gnu-efi-applets
Version: 3.0.3
Release: 3
Summary: Building Applets using GNU-EFI
Some missing applets for the EFI system.
Building Environment for building GNU-EFI applets.
Tue Sep 19 2017
Wei-Lun Chao <bluebat@member.fsf.org> – 3.0.3
First release
https://github.com/bluebat/gnu-efi-applets
https://github.com/bluebat/gnu-efi-applets/tree/master/efilibc.applets
https://github.com/bluebat/gnu-efi-applets/tree/master/efilibc
Beginner’s Guide to Exploitation of ARM, by Billy Ellis
Scotch: Combining SGX and SMM to Monitor Cloud Resource Usage
First Online: 12 October 2017
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10453)
The growing reliance on cloud-based services has led to increased focus on cloud security. Cloud providers must deal with concerns from customers about the overall security of their cloud infrastructures. In particular, an increasing number of cloud attacks target resource allocation in cloud environments. For example, vulnerabilities in a hypervisor scheduler can be exploited by attackers to effectively steal CPU time from other benign guests on the same hypervisor. In this paper, we present Scotch, a system for transparent and accurate resource consumption accounting in a hypervisor. By combining x86-based System Management Mode with Intel Software Guard Extensions, we can ensure the integrity of our accounting information, even when the hypervisor has been compromised by an escaped malicious guest. We show that we can account for resources at every task switch and I/O interrupt, giving us richly detailed resource consumption information for each guest running on the hypervisor. We show that using our system incurs small but manageable overhead—roughly 1 μ
s every task switch or I/O interrupt. We further discuss performance improvements that can be made for our proposed system by performing accounting at random intervals. Finally, we discuss the viability of this approach against multiple types of cloud-based resource attacks.
https://link.springer.com/chapter/10.1007/978-3-319-66332-6_18
ChipEasy
Apparently there’s a Windows binary called ChipEasy that helps diagnose USB devices. I can’t find the source code, and am not sure of the official home page. 😦 It appears to be closed source, so take extra care if you dare to risk running freeware these days. Please leave a Comment on this blog post if you can point out a better tool, hopefully something open source.
http://www.upan.cc/tools/test/ChipEasy_EN.html
Linux UEFI Validation Project v2.2-rc1 released
Megha Dey of Intel has taken over the role of LUV maintainer, and announced the 2.2-rc1 release. Excerpts of announcement are below, read full announcement for list of bugfixes.
This is to announce the release of LUV v2.2-rc1. Firstly, I would inform all of you that I have taken over the role of maintainer of this project from Ricardo Neri. I would like to thank Ricardo for all the guidance and support he has provided to make this release possible. This release comes approximately 3 months after our last 2.1-rc2 release and we are further working to have releases more frequently. It mostly includes updates to yocto, meta-oe, various test suites and kernel version. We have also added a new test suite called pstore-test which will run the pstore selftests of the kernel and added some tests in kernel-efi-warnings to detect machine check errors. Given that this is the first time I am doing the release, it is possible for some issues to arise, hence it made sense to have this release as rc1 of v2.2 to allow stabilization towards the next release cycle.
We added a new test suite called pstore-test. This test-suite will check the pstore behavior and are useful to avoid regressions of pstore. This test-suite will cause a reboot during its execution. The necessary groundwork to ensure these type of test suites can be integrated seamlessly into LUV has also been included in this release.
Also, Ricardo added some tests in kernel-efi-warnings to detect machine check errors such as system bus errors, parity errors, cache errors and TLB errors. Linux has support to detect this underlying mechanism and report the error in the kernel message buffer.
We include FWTS V17.09.00 Chipsec 1.3.3 and NDCTL v58, the latest versions available as of this week.
The release images for x86 (disk and network) will be available on 10/23/2017.
https://01.org/linux-uefi-validation/v2.2 (apparently this URL won’t be valid until 10/23?)
https://01.org/linux-uefi-validation
Full announcement:
https://lists.01.org/mailman/listinfo/luv
HP seeks UEFI Firmware Engineer Intern
Responsibilities: Four-year university students who are working in a technical internship role at hp during their study or in summer breaks between university semesters.
Education and Experience Required: High School Degree 3rd Year of University completed–typically a technical degree specialization.
Firmware Security 
You must be logged in to post a comment.