DeepState is a framework that provides C and C++ developers with a common interface to various symbolic execution and fuzzing engines. Users can write one test harness using a Google Test-like API, then execute it using multiple backends without having to learn the complexities of the underlying engines. It supports writing unit tests and API sequence tests, as well as automatic test generation. DeepState currently targets Linux, with macOS support in progress.
Month: February 2018
EnclaveDB: A Secure Database using SGX
https://www.computer.org/csdl/proceedings/sp/2018/4353/00/index.html
Christian Priebe, Imperial College London
Kapil Vaswani, Microsoft Research
Manuel Costa, Microsoft Research
We propose EnclaveDB, a database engine that guarantees confidentiality, integrity, and freshness for data and queries. EnclaveDB guarantees these properties even when the database administrator is malicious, when an attacker has compromised the operating system or the hypervisor, and when the database runs in an untrusted host in the cloud. EnclaveDB achieves this by placing sensitive data (tables, indexes and other metadata) in enclaves protected by trusted hardware (such as Intel SGX). EnclaveDB has a small trusted computing base, which includes an in-memory storage and query engine, a transaction manager and pre-compiled stored procedures. A key component of EnclaveDB is an efficient protocol for checking integrity and freshness of the database log. The protocol supports concurrent, asynchronous appends and truncation, and requires minimal synchronization between threads. Our experiments using standard database benchmarks and a performance model that simulates large enclaves show that EnclaveDB achieves strong security with low overhead (up to 40% for TPC-C) compared to an industry strength in-memory database engine.
https://www.computer.org/csdl/proceedings/sp/2018/4353/00/435301a405-abs.html
Windows AMSI (AntiMalware Scan Interface) bypass
SHA_Performance_Review_In_UEFI: UEFI SHA1/SHA256 perf tests with C (and asm)
Background of the work: To compare SHA1/SHA-256 performance across different implementations, different optimization flags and different compilers (GCC48/GCC5), and to see the performance difference in UEFI (the pre-boot environment). As UEFI developers, when using these CPU-intensive algorithms, we need to take the performance differences between them into account.
https://github.com/tsunghowu/SHA_Performance_Review_In_UEFI
UEFTW – UEFI Toys: ShellOpt/ShellExpand/DBounce/KernextPatcher/AcpiPatcher (binary-only, no source)
Some of UEFI Toys by me. Taken from my early fork of Clover and ‘others’ below. No sources available yet, just binary (EAT that!).
ShellOpt: Port of GNUEFI Finnbarr P. Murphy ShellOpt (>>>) to EDK2, to set / delete various Shell options.
ShellExpand: To eliminate known Shell bugs edit command by translating TABS to SPACES with custom size.
DBounce: A UEFI driver to load all required drivers first before finally calling a chainloader. Originally introduced by Christoph Pfisterer (rEFIt's author). The original source can be found here. Later I ported this module to work with EDK2 with the following changes (compared to the original):
KernextPatcher: KernextPatcher (stands for Kernel & Kext Patcher) is a Darwin kernel & extensions patcher UEFI driver based on Clover Memfix by dmazar. This driver tries to hook the ExitBootServices event and patch the kernelcache, including the kernel itself and kexts.
AcpiPatcher: AcpiPatcher is a Darwin ACPI patcher UEFI driver. Yes, it's a MEGA stripped version compared to the original one. At least, we can now get rid of some of the complexity of loading custom ACPI tables with some fixes. This driver tries to hook the ExitBootServices event and patch ACPI as below.
https://github.com/cecekpawon/UEFTW
Careful, these are closed-source binaries. Freeware is hard to trust, these decades… I have not tried them.
LinuxJournal article on LinuxBoot
F-Secure’s Guide to Evil Maid Attacks
Windows 10: storing system-tracking data in UEFI variables
https://twitter.com/dakotathekat/status/963086883621408768
https://docs.microsoft.com/en-us/uwp/api/Windows.System.Profile.SystemIdentification
As one comment above notes, make sure you know how to reset this firmware-stored data before you dispose of any such systems.
Interesting, I would have guessed that this data would be stored in UEFI SMM LockBox, but some forms of UEFI variables are also hard to access. Ah, but this is for persistent data…
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
I’d swear I saw some MacOSX (before change to macOS) components moved from system libraries up into Apple EFI, I wonder if Apple also implements SmmLockBox?
Windows: enable BIOS and UEFI boot for PXE in DHCP
There’s a URL to a live.com download in the blog, as well as a PowerShell script inline with the blog text:
https://ittherapist.net/2018/02/10/enable-bios-and-uefi-boot-for-pxe-in-dhcp/
FreeBSD bhyve UEFI support improved
https://twitter.com/lattera/status/963126671963557888
MFC: r316746 Add UEFI support to vmrun.sh
Adds:
-E: Use UEFI mode
-f: path to UEFI firmware image (default: path to uefi-edk2-bhyve package)
-F: UEFI framebuffer size (default: w=1024,h=768)
-L: IP to listen for VNC connections on (default: 127.0.0.1)
-P: Port to listen for VNC connections on (default: 5900)
-T: Enable tablet device (for VNC)
-v: Wait for VNC client before booting VM
https://svnweb.freebsd.org/base?view=revision&revision=329178
Dell Sputnik systems disable Secure Boot
“Dell ship their Sputnik systems with a pre-populated MokSB variable that disables Secure Boot, so this is working as intended on the Fedora side.”
adding BIOS Mode and Secure Boot state to BGInfo
Intel updates bug bounty program
Updates to our program include
+ Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
+ Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
+ Raising bounty awards across the board, with awards of up to $100,000 for other areas.
https://newsroom.intel.com/news/expanding-intels-bug-bounty-program/
dtrace for linux; Oracle does the right thing
Posted on February 14, 2018, 11:13.
[…]This changeset integrates DTrace module sources into the main kernel source tree under the GPLv2 license. Sources have been moved to appropriate locations in the kernel tree. That is right, dtrace dropped the CDDL and switched to the GPL![…]
Attacks Against Windows PXE Boot Images
Thomas Elling
February 13th, 2018
If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.[…]
https://blog.netspi.com/attacks-against-windows-pxe-boot-images/
Nintendo NES ROM Disassembler 1.0
Microsoft Windows Analytics now helps assess Meltdown and Spectre protections
To help IT professionals everywhere, we have added new capabilities to our free Windows Analytics service to report the status for all the Windows devices that they manage. These new capabilities include:
[…]
Firmware Status – This insight provides details about the firmware installed on the device. Specifically, this insight reports if the installed firmware indicates that it includes the specific protections required. Initially, this status will be limited to the list of approved and available firmware security updates from Intel. We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft.
[…]

HPE MSA firmware site created
Two suggestions: 1) use HTTPS not HTTP for web site. 2) Include a hash for the blobs.
Getting HPE MSA Storage firmware just got easier
HPEStorageGuy yesterday
Making things easier for customers is always a good idea. Kipp Glover from our HPE Storage Total Customer Experience & Quality team has been working to do that. Kipp wanted to make the process easy for HPE MSA Storage customers to get the latest firmware and related information like release notes and the firmware history for each of the last three generations of MSA models. Kipp and his team worked with our hpe.com people to create the website to make getting the latest MSA firmware easy. The website is hpe.com/storage/MSAFirmware. Kipp also created a short video that shows how to navigate the site so I wanted to share that with you.
http://h41111.www4.hpe.com/storage/msafirmware.html
IETF draft-irtf-t2trg-iot-seccons: State-of-the-Art and Challenges for the IoT Security
State-of-the-Art and Challenges for the Internet of Things Security
The Internet of Things (IoT) concept refers to the usage of standard Internet protocols to allow for human-to-thing and thing-to-thing communication. The security needs for IoT systems are well-recognized and many standardization steps to provide security have been taken, for example, the specification of Constrained Application Protocol (CoAP) secured with Datagram Transport Layer Security (DTLS). However, security challenges still exist, not only because there are some use cases that lack a suitable solution, but also because many IoT devices and systems have been designed and deployed with very limited security capabilities. In this document, we first discuss the various stages in the lifecycle of a thing. Next, we document the security threats to a thing and the challenges that one might face to protect against these threats. Lastly, we discuss the next steps needed to facilitate the deployment of secure IoT systems. This document can be used by IoT standards specifications as a reference for details about security considerations applying to the specified protocol.
Razer doesn’t care about Linux [Firmware]
Re: https://firmwaresecurity.com/2018/01/29/linux-oems-support-fwupd-org/
here’s the latest blog post by the fwupd developer, regarding the OEM Razer:
https://fwupd.org/lvfs/vendorlist#razer
This also pretty much sums things up:



