Month: May 2018

Expect More Spectre, Meltdown Variants Until Updated Chips Arrive

~ hucktech ~ Leave a comment

[…]For a company like Intel, testing would cost several million dollars and take two to three months for each iteration.

“Flat out, that’s [a complete rewrite] not gonna happen,” said Joe FitzPatrick, a hardware security researcher and trainer.[…]

https://duo.com/decipher/expect-more-spectre-meltdown-variants-until-updated-chips-arrive

 

SEVered: Subverting AMD’s Virtual Machine Encryption

~ hucktech ~ Leave a comment

AMD SEV is a hardware feature designed for the secure encryption of virtual machines. SEV aims to protect virtual machine memory not only from other malicious guests and physical attackers, but also from a possibly malicious hypervisor. This relieves cloud and virtual server customers from fully trusting their server providers and the hypervisors they are using. We present the design and implementation of SEVered, an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines. SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine. We verify the effectiveness of SEVered on a recent AMD SEV-enabled server platform running different services, such as web or SSH servers, in encrypted virtual machines. With these examples, we demonstrate that SEVered reliably and efficiently extracts all memory contents even in scenarios where the targeted virtual machine is under high load.

ROMsplit: split UEFI/BIOS files into two or more binary chunks

~ hucktech ~ Leave a comment

A quick and dirty tool written in C to split UEFI/BIOS files into two or more binary chunks, which can then be flashed onto a chip using flashrom or something similar. This was born out of the necessity of needing a UEFI and an EC (embedded controller) image to be reflashed manually on a laptop where the UEFI was 2MB and the EC was 128K, but seperate images were not available.

printf(“romsplit – split binary files into two or more seperate chunks\n”);
printf(“Usage: %s <filename> <size of chunk 1> <size of chunk 2> … <size of chunk n>\n\n”, argv[0]);
printf(“You must specify a filename and at least two chunk sizes\n”);

https://github.com/mode13h/romsplit

The Evil Mouse Project

~ hucktech ~ Leave a comment

Conclusion: Never trust USB devices (and not only storage devices…)

https://blog.rootshell.be/2018/05/22/evil-mouse-project/

The Evil Mouse

Redfish releases new schema and spec

~ hucktech ~ Leave a comment

DMTF Redfish has updated their schema and specs.

New Redfish Schema, Specification and Developer Resources Now Available. New items just released include:

* 2018.1 Redfish Schema Bundle: A .zip file that contains the current versions of all Redfish schema, including a new ExternalAccountProvider schema for LDAP/ActiveDirectory support. Additional schema updates enable support for Server Sent-Eventing (SSE), provide additional information for Processors and Settings, and more.

* Redfish Specification v1.5.0:  Adds new support for SSE, enabling the streaming of events to web-based GUIs and other clients. Other specification updates in this release include a mechanism for specifying deterministic behavior for the application of Create, Delete or Action (POST) operations.

* Redfish Resource and Schema Guide: New for 2018, this human-readable guide to the Redfish Schema is designed to help educate users of Redfish. Application developers and DevOps personnel creating client-side software to communicate with a Redfish service, as well as other consumers of the API, will benefit from the explanations in this resource.

* Redfish 2018.1 Overview: Provides detailed descriptions of each revision in the latest version of the Redfish Schema and Specification.

https://www.dmtf.org/sites/default/files/standards/documents/DSP8010_2018.1.zip

Click to access DSP0266_1.5.0.pdf

Click to access DSP2046_2018.1_0.pdf

Click to access Redfish_2018_Release_1_Overview.pdf

http://redfish.dmtf.org/
http://www.dmtf.org/standards/redfish

 

KVM Forum 2018: Call For Participation

~ hucktech ~ Leave a comment

KVM Forum 2018: Call For Participation
October 24-26, 2018
Edinburgh, UK

KVM Forum is an annual event that presents a rare opportunity for developers and users to meet, discuss the state of Linux virtualization technology, and plan for the challenges ahead. We invite you to lead part of the discussion by submitting a speaking proposal for KVM Forum 2018. […] This year, KVM Forum is joining Open Source Summit in Edinburgh, UK. Selected talks from KVM Forum will be presented on Wednesday October 24 to the full audience of the Open Source Summit. Also, attendees of KVM Forum will have access to all of the talks from Open Source Summit on Wednesday.[…]

https://events.linuxfoundation.org/events/kvm-forum-2018/program/cfp/

http://www.linux-kvm.org/page/KVM_Forum_2018_BOF

https://events.linuxfoundation.org/events/kvm-forum-2018/

https://mail.coreboot.org/pipermail/seabios/2018-May/012272.html

MicroRenovator: Pre-OS microcode updater

~ hucktech ~ 1 Comment

https://github.com/syncsrc/MicroRenovator

https://www.blackhat.com/us-18/arsenal/schedule/#micro-renovator-bringing-processor-firmware-up-to-code-12081

Lenovo ACPI bug – affects X1C6, X1Y3, X280, T480s, T480, T580, P52s, possibly more. ‎

~ hucktech ~ Leave a comment

“This bug deserves more attention than it is currently receiving. It should be pinned in every forum with an affected machine, so that owners of those machines will be aware that it exists. It is currently squirreled away in the T series forum, under the outdated title “T480s – ACPI bug”. I have asked that the title be updated and received no response, which is why I’m posting this here.[…]

There’s a bug in the ACPI tables that affects all of the machines listed in the title. The bug causes heavy CPU usage on one thread due to frequent ACPI interrupts. The symptoms are a slow system, and high CPU temperatures (idles around 65 degrees Celsius). Some operating systems may mitigate the symptoms, but the bug is present regardless.

The following circumstances trigger it:
-powering on the laptop
-waking from suspend (and possibly hibernate – untested)

The following actions prevent it:
-reboot the laptop (temporary fix)
-disable thunderbolt in the UEFI settings (permanent fix – with latest UEFI updates)

The official UEFI update changelogs for all of these machines make explicit mention of this issue: “-(Fix) Fix an issue where system may become hot by system interrupts when Thundrebolt is disabled in ThinkPad Setup – Security – I/O Port Access.”[…]

https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/ACPI-bug-affects-X1C6-X1Y3-X280-T480s-T480-T580-P52s-possibly/td-p/4084521

https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/T480s-ACPI-bug/m-p/4064963#M124889

https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/T480s-ACPI-bug/m-p/4067181#M124936

https://download.lenovo.com/pccbbs/mobiles/n22ur05w.txt

 

Spectre Variant 4 released

~ hucktech ~ Leave a comment

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://www.us-cert.gov/ncas/alerts/TA18-141A

https://www.us-cert.gov/ncas/alerts/TA18-004A

https://blogs.technet.microsoft.com/srd/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/

https://twitter.com/daniel_bilar/status/998861828087275520

https://twitter.com/aionescu/status/998675842724069376

 

Alex keynoting at CARO’18, Portland in May!

~ hucktech ~ Leave a comment

Closing Keynote: Betraying the BIOS: Where are the limits of AV for modern UEFI Firmware?
Alex Matrosov

For UEFI firmware, the barbarians are at the gate — and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants — by HackingTeam and state-sponsored actors alike — hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS? In this presentation, I’ll explain UEFI security from the competing perspectives of attacker and defender. I’ll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.

Keynote Speakers

 

 

 

Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101

~ hucktech ~ Leave a comment

https://twitter.com/fdiskyou/status/998133894351343616

Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101

May 19, 2018 • By rui

Finding bugs is hard, reverse engineering is hard. Constraint solvers are the heart of many program analysis techniques, and can aid Fuzzing, and software verification.

This post contains a few hands-on experiments with Z3, a high performance theorem prover developed at Microsoft Research by Leonardo de Moura and Nikolaj Bjorner. With KLEE, a Symbolic Execution Engine built on top of the LLVM compiler infrastructure developed by Cristian Cadar, Daniel Dunbar, and Dawson Engler. And, angr, a binary analysis framework developed by the Computer Security Lab at UC Santa Barbara and their associated CTF team, Shellphish.[…]

http://deniable.org/reversing/symbolic-execution

 

VolInfo: tool to dump the contents of a UEFI firmware volume (FV)

~ hucktech ~ Leave a comment

Tianocore includes UEFI developer tools for creating ‘blobs’. But it also includes one tool useful for security researchers to examine existing Firmware Volumes. It is an OS-present tool that works on Mac/Windows/Linux, not a UEFI Shell tool.

https://github.com/tianocore/edk2/blob/master/BaseTools/Source/C/VolInfo/VolInfo.c
https://github.com/tianocore/edk2/tree/master/BaseTools/Source/C/VolInfo
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Tools-List
https://github.com/tianocore/edk2/tree/master/BaseTools/UserManuals
https://raw.githubusercontent.com/tianocore/edk2/master/BaseTools/UserManuals/VolInfo_Utility_Man_Page.rtf
https://edk2-docs.gitbooks.io/edk-ii-build-specification/content/v/release/1.27/2_design_discussion/22_uefipi_firmware_images.html
http://wiki.phoenix.com/wiki/index.php/EFI_FIRMWARE_VOLUME_HEADER

Usage: VolInfo [options] <input_file>
Display Tiano Firmware Volume FFS image information
   -h, –help — Show this help message and exit
   –version — Show program’s version number and exit
   -d [DEBUG], –debug [DEBUG] — Output DEBUG statements, where DEBUG_LEVEL is 0 (min) – 9 (max)
   -v, –verbose — Print informational statements
   -q, –quiet — Returns the exit code, error messages will be displayed
   -s, –silent — Returns only the exit code; informational and errorvmessages are not displayed
   -x XREF_FILENAME, –xref XREF_FILENAME — Parse the basename to file-guid cross reference file(s)
  -f OFFSET, –offset OFFSET — The offset from the start of the input file to start processing an FV
  –hash — Generate HASH value of the entire PE image

Qualcomm iZat and baseband location tracking

~ hucktech ~ Leave a comment

https://twitter.com/zackwhittaker/status/996758911989567488

https://news.ycombinator.com/item?id=17081684

https://www.qualcomm.com/products/izat

http://xt.qsp.qualcomm.com/privacy/privacy_policy.html

https://twitter.com/projectgus/status/996903073925623811

https://developer.qualcomm.com/comment/7260

https://copperhead.co/android/docs/usage_guide#default-connections-made-by-copperheados