A witch-hunt for trojans in our chips: on hardware-trojans and defenses

A witch-hunt for trojans in our chips
A Hardware Trojan (HT) is a malicious modification of the circuitry of an integrated circuit. A malicious chip can make a device malfunction in several ways. It has been rumored that a hardware trojan implanted in a Syrian air-defense radar caused it to stop operating during an airstrike, thus instantly minimizing the country’s situational awareness and threat response capabilities. In other settings, hardware trojans may leak encryption keys or other secrets, or even generate weak keys that can be easily recovered by the adversary. This article introduces a new trojan-resilient architecture, discusses its motivation and outlines how it differs from existing solutions. The full paper (Vasilios Mavroudis, Andrea Cerulli, Petr Svenda, Dan Cvrcek, Dusan Klinec, George Danezis) has been presented in several academic and industrial venues including DEF CON 25, and ACM Conference on Computer and Communications Security 2017.[…]


pwrtest.efi – UEFI Shell developer tool to test Intel/AMD RTC wake function

pwrtest.efi is a UEFI Shell tool that helps developers confirm the RTC wake function of a system (supported on both Intel and AMD platforms). Usage:

pwrtest -s3 -t 10 -w 60 ; the system enters S3 after a 10 sec delay, then wakes up after 60 sec
pwrtest [-h|-s3|-s4|-s5|-s|-ss|-sx|-cb|-r]
-h help
-s3|-s4|-s5 ; select the system's Sx state (Intel platform)
-cb ; do a cold boot; I do this via gRT->ResetSystem()
-ss ; do a shutdown; I do this via gRT->ResetSystem()
-sx value ; supports Sx states on AMD platforms, because the SLP_TYP value written is different.
value = 3/4/5 for AMD platform(S3/S4/S5)
value = 5/6/7 for Intel Platform (S3/S4/S5)
e.g.,
pwrtest -sx 4 -t 5 -w 30 ; For AMD Platform, Put system to S4 after 5 sec, then wake after 30 sec.
pwrtest -sx 6 -t 5 -w 30 ; For INTEL Platform, Put system to S4 after 5 sec, then wake after 30 sec.
pwrtest -s3 -t 5 -w 30 ; For INTEL Platform, Put system to S3 after 5 sec, then wake after 30 sec.
pwrtest -r ; Warm boot
pwrtest -cb ; Cold boot
[…]

See URL to password-protected live.com-hosted zip containing freeware binary (not open source) in blog post.

http://biosengineer.blogspot.com/2018/02/uefi-shell-utility-pwrtestefi.html


Intel-SA-00088: Microcode updates for NUC/Compute Stick/Compute Card

Intel-SA-00088 for Intel® NUC, Intel® Compute Stick, and Intel® Compute Card
Last Reviewed: 02-Feb-2018
Article ID: 000026620

In response to the recent Intel Security Advisory regarding Software/Side Channel Analysis, Kernel Memory Leak:

Intel has observed rare incidences of system reboots and other unpredictable system behavior after updating to microcode mitigating CVE-2017-5715 a.k.a. Spectre.
We have identified the root cause and made good progress in developing a solution to address it.
We have removed any BIOS posted recently that included the first microcode update and will post new BIOS updates as soon as they are ready.
If you have already updated BIOS with the first microcode update and you experience reboots or unstable system behavior, you can downgrade your BIOS to the previous version.
We will provide an update on this issue by February 15, 2018.

See Facts About Side-Channel Analysis for complete information and Frequently Asked Questions.[…]

https://www.intel.com/content/www/us/en/support/articles/000026620/mini-pcs.html

Not listed on the Intel Security Advisory page, only listed on the NUC support page. 😦

https://security-center.intel.com/default.aspx

HP SureStart firmware protection

4AA6-9339ENW.pdf

coprocessor-based-behavior-monitoring-acsac-chevalier-2017.pdf

Jon Masters FOSDEM2018 Keynote on Spectre/Meltdown uploaded

Re: https://firmwaresecurity.com/2018/02/04/jom-masters-at-fosdem-exploiting-modern-microarchitectures/


slides from yesterday’s BSides Seattle presentation (and seeking archive of lost Intel ATR blog on Hacking Team)

Yesterday I gave a presentation at BSides Seattle on defending firmware. This version of the presentation attempted to address a DFIR audience, not just a SysAdmin/Site Reliability Engineer audience.

I got some interesting feedback on IR after this presentation; we’ll do a blog post on this in the next few days, as well as a few updates to existing IR standards to showcase where firmware is lacking.

Below is a copy of the slides:

There are 4 sections: Threats, Tech, Tools, and Guidance. The Tech section is probably the weakest to read without the audio. This talk was the result of trying to jam a 4-hour training session into a 1-hour talk, and the Tech section lost the most from this compression.

bsidesseattle2018.fisher.defending-firmware

BSides didn’t record audio/video of their event.

I updated the slides from yesterday, the “DIY Homework” section focused on following along with the analysis in the old Intel ATR blog post on the Wikileaked Hacking Team UEFI malware blob. However, that blog URL is no longer around.

If you know of any online archives of these URLs, please leave a Comment on this blog post, thanks!
http://www.intelsecurity.com/advanced-threat-research/blog.html
http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html

This is the best-fit replacement for the missing URL above, and it includes some new content (e.g., the blacklist command) that the original blog did not. Save a copy of the blog post; I don’t expect it to be archived:

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

swissarmy-grubefipxe – A configuration for netbooting various linux distros using PXE/EFI/GRUB

This is a little side-project of mine to be able to netboot various Operating Systems using EFI based computers and GRUB over PXE. I have this running on my QNAP NAS, but I believe almost any decent NAS has the requirements to run this. This project was born out of my disdain for flashing distros to USB keys.[…]

https://github.com/vittorio88/swissarmy-grubefipxe

MountEFI – mac tool to select drive containing an EFI to mount

This Mac-centric bash script has been rewritten as a Mac-centric Python script:

“A more robust edition of my previous MountEFI script. Added my usual collection of disk functions – plus some experimentation with callback functions.

def custom_quit():
    # head() is the script's own screen-header helper, part of the author's collection of disk/utility functions
    head("MountEFI")
    print("by CorpNewt\n")
    print("Thanks for testing it out, for bugs/comments/complaints")
    print("send me a message on Reddit, or check out my GitHub:\n")
    print("www.reddit.com/u/corpnewt")
    print("www.github.com/corpnewt\n")
    print("Have a nice day/night!\n\n")
    exit(0)

https://github.com/corpnewt/MountEFI
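The part of MountEFI that matters to a firmware defender is the selection step: finding which partitions on the machine are EFI System Partitions before mounting one for inspection. The following is an added example, not MountEFI's own code; it parses the property list that `diskutil list -plist` emits on macOS and picks out the partitions whose Content type is EFI. The plist below is constructed for the example and modeled on that output (the key names `AllDisksAndPartitions`, `DeviceIdentifier`, `Content`, `Partitions`, `VolumeName` and `Size` are assumed from diskutil's format); `live_efi_partitions()` is a hypothetical helper that only works on a real Mac.

```python
import plistlib
import subprocess

# Constructed sample modeled on `diskutil list -plist` output (not captured from a real machine):
# one GPT disk with an EFI System Partition and an APFS container, plus one MBR USB key without an ESP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AllDisksAndPartitions</key>
  <array>
    <dict>
      <key>DeviceIdentifier</key><string>disk0</string>
      <key>Content</key><string>GUID_partition_scheme</string>
      <key>Partitions</key>
      <array>
        <dict>
          <key>DeviceIdentifier</key><string>disk0s1</string>
          <key>Content</key><string>EFI</string>
          <key>VolumeName</key><string>EFI</string>
          <key>Size</key><integer>209715200</integer>
        </dict>
        <dict>
          <key>DeviceIdentifier</key><string>disk0s2</string>
          <key>Content</key><string>Apple_APFS</string>
          <key>Size</key><integer>500000000000</integer>
        </dict>
      </array>
    </dict>
    <dict>
      <key>DeviceIdentifier</key><string>disk1</string>
      <key>Content</key><string>FDisk_partition_scheme</string>
      <key>Partitions</key>
      <array>
        <dict>
          <key>DeviceIdentifier</key><string>disk1s1</string>
          <key>Content</key><string>Windows_FAT_32</string>
          <key>VolumeName</key><string>USBKEY</string>
          <key>Size</key><integer>16000000000</integer>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def find_efi_partitions(plist_bytes):
    """Return every partition whose Content type is EFI, with the disk it lives on."""
    data = plistlib.loads(plist_bytes)
    found = []
    for disk in data.get("AllDisksAndPartitions", []):
        for part in disk.get("Partitions", []):
            if part.get("Content") == "EFI":
                found.append({
                    "disk": disk.get("DeviceIdentifier", "?"),
                    "partition": part["DeviceIdentifier"],
                    "volume": part.get("VolumeName", ""),
                    "size_mib": part.get("Size", 0) // (1024 * 1024),
                })
    return found


def mount_command(partition_id):
    """Build the diskutil mount command for a chosen ESP; returned, not executed, so it can be reviewed offline."""
    return ["sudo", "diskutil", "mount", partition_id]


def live_efi_partitions():
    """Hypothetical helper: query the real machine. Only works on macOS where diskutil exists."""
    out = subprocess.run(["diskutil", "list", "-plist"], capture_output=True, check=True).stdout
    return find_efi_partitions(out)


if __name__ == "__main__":
    for i, esp in enumerate(find_efi_partitions(SAMPLE_PLIST), start=1):
        print(f"{i}. {esp['partition']} on {esp['disk']} ({esp['volume']}, {esp['size_mib']} MiB)")
        print("   mount with:", " ".join(mount_command(esp["partition"])))
```

Filtering on the Content type rather than the volume name is the safer choice: a USB key can be labelled "EFI" without being an EFI System Partition, while the ESP that firmware actually boots from is the one with the EFI partition type on the GPT disk.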

Linux man pages updated

I’ve released man-pages-4.15. This release resulted from patches, bug reports, reviews, and comments from 26 contributors. Just over 200 commits changed around 75 pages. In addition, 3 new manual pages were added.

http://linux-man-pages.blogspot.com/2018/02/man-pages-415-is-released.html

https://www.kernel.org/pub/linux/docs/man-pages/

RISC-V dev boards: early access limited pre-order

https://twitter.com/esden/status/959871470192148480

https://www.crowdsupply.com/sifive/hifive-unleashed

https://abopen.com/news/multi-core-64-bit-linux-capable-risc-v-board-unveiled-available-pre-order/


Jon Masters at FOSDEM: Exploiting modern microarchitectures

FOSDEM_2018.pdf

https://fosdem.org/2018/news/2018-02-04-first-videos-online/

https://fosdem.org/2018/schedule/speaker/jon_masters/

https://fosdem.org/2018/schedule/event/closing_keynote/

https://www.youtube.com/user/fosdemtalks

Boot Shim: Bootstraps UEFI applications on hacked Lumia phones

Boot Shim is a small ARM32 Windows Boot Manager Application that is intended to chain-load the normal UEFI environment for UEFI application development on hacked Lumias. As Lumia verifies bootarm.efi or whatever on initialization even when Secure Boot is turned off, this application can provide additional image load capabilities, but you have to develop it from the framework provided.[…]

https://github.com/imbushuo/boot-shim

IDA releases Freeware 7.0 update

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

The freeware version of IDA v7.0 has the following limitations:

no commercial use is allowed
lacks all features introduced in IDA > v7.0
lacks support for many processors, file formats, debugging etc…
comes without technical support


Free Electrons becomes Bootlin

European embedded Linux company Free Electrons renames to Bootlin.

AFAICT they have not changed their Github account name.

https://bootlin.com/


https://github.com/free-electrons


David Brown at Linaro Connect: Digital signatures and the beginning of the world (on ARM bootloaders)

From Linaro Connect 2017 in San Francisco:

Digital signatures and the beginning of the world – SFO17-306
David Brown
The bootloader is where it all begins. This session sums up our experiences with various signature types, data formats, implementations and how to choose.

http://connect.linaro.org/resource/sfo17/sfo17-306/


The microarchitecture of Intel, AMD and VIA CPUs: An optimization guide for assembly programmers and compiler makers

The microarchitecture of Intel, AMD and VIA CPUs
An optimization guide for assembly programmers and compiler makers
By Agner Fog. Technical University of Denmark.
Copyright © 1996 – 2017. Last updated 2017-05-02.

microarchitecture.pdf

Qubes OS 4.0-rc4 released, with Spectre/Meltdown safeguards

Qubes OS 4.0-rc4 has been released!
Jan 31, 2018 by Andrew David Wong in Releases
We’re pleased to announce the fourth release candidate for Qubes 4.0! This release contains important safeguards against the Spectre and Meltdown attacks, as well as bug fixes for many of the issues discovered in the previous release candidate.[…]

https://www.qubes-os.org/

https://www.qubes-os.org/news/2018/01/31/qubes-40-rc4/

Elcomsoft: how to instantly access BitLocker, TrueCrypt, PGP, and FileVault volumes

How to Instantly Access BitLocker, TrueCrypt, PGP and FileVault 2 Volumes
January 31st, 2018 by Vladimir Katalov
It’s been a long while since we made an update to one of our most technically advanced tools, Elcomsoft Forensic Disk Decryptor (EFDD). With this tool, one could extract data from an encrypted disk volume (FileVault 2, PGP, BitLocker or TrueCrypt) by utilizing the binary encryption key contained in the computer’s RAM. We could find and extract that key by analyzing the memory dump or hibernation files. What Elcomsoft Forensic Disk Decryptor did not do until now was pretty much everything else. It couldn’t use plain text passwords to mount or decrypt encrypted volumes, and it didn’t support escrow (recovery) keys. It didn’t come with a memory imaging tool of its own, making its users rely on third-party solutions. With today’s release, Elcomsoft Forensic Disk Decryptor gets back on its feet, including everything that was missing in earlier versions. Plain text passwords and recovery keys, a Microsoft-signed kernel-level RAM imaging tool, the highly anticipated portable version and support for the industry-standard EnCase .E01 and encrypted DMG images are now available. But that’s not everything! We completely revamped the way you use the tool by automatically identifying all available encrypted volumes, and providing detailed information about the encryption method used for each volume.[…]

https://blog.elcomsoft.com/2018/01/how-to-instantly-access-bitlocker-truecrypt-pgp-and-filevault-2-volumes/

https://www.elcomsoft.com/efdd.html

Elcomsoft Forensic Disk Decryptor key extraction process