PCILeech v4.0 – Major Release 🔥🔥🔥
Now much more than PCIe DMA attacks!
New memory acquisition methods – DumpIt, winpmem and more
Remote memory dumping
Win10 kernel injects stable 😈
New user-mode injects 😈
And much more 😀
https://t.co/KuTVVzZc5j
— Ulf Frisk (@UlfFrisk) March 8, 2019
Month: March 2019
Vice: The Prototype iPhones That Hackers Use to Research Apple’s Most Sensitive Code
[…] The thing that his team had been able to analyze for the first time was the iPhone’s Secure Enclave Processor (SEP), which handles data encryption for the iPhone. How they were able to do this was a valid question given Apple’s notorious secrecy, and the fact that the SEP is one of the most important and most closely guarded components of the iPhone, the most secure smartphone on the market. […]
Frogger-Uefi-Boot: UEFI version of Frogger game
Nice to see more classic arcade games being implemented as UEFI Applications… 🙂
Game Frogger implemented in assembly x86 for UEFI boot.
UefiTool: UEFI Debug Tool
Gavin Xue has created UefiTool:
A simple UEFI tool for debugging.
Print (L"Help info:\n");
Print (L"  UefiTool.efi -H\n\n");
Print (L"Read MSR register:\n");
Print (L"  UefiTool.efi RDMSR [MSRIndex] [OPTION: -A | -P]\n\n");
Print (L"Write MSR register:\n");
Print (L"  UefiTool.efi WRMSR [MSRIndex] [MSRValue]\n\n");
Print (L"Read CPUID:\n");
Print (L"  UefiTool.efi CPUID [CPUID_Index] [CPUID_SubIndex]\n\n");
Print (L"Read GDTR register:\n");
Print (L"  UefiTool.efi -SGDT\n\n");
Print (L"Read CR register:\n");
Print (L"  UefiTool.efi -CR\n\n");
https://github.com/vinxue/UefiTool
Not to be confused with UEFITool:
SMoTherSpectre: transient execution attacks through port contention
NSA releases Ghidra, a software reverse engineering (SRE) framework
https://ghidra-sre.org/
https://www.nsa.gov/resources/everyone/ghidra/
https://ghidra-sre.org/CheatSheet.html
https://ghidra-sre.org/InstallationGuide.html
https://github.com/NationalSecurityAgency/ghidra/wiki/Frequently-asked-questions
Hmm, there is a release on their web site, but none on the Github Releases page…
https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

Finnbarr releases UEFI-Utilities-2019
Finnbarr P. Murphy has been working on a collection of UEFI Utilities for Intel systems for multiple years. It is somewhat like a UEFI version of Norton Utilities for MS-DOS or SysInternals for Windows NT: multiple small command-line tools that dump out low-level system information.
UEFI-Utilities was built with — I believe — GNU-EFI, and probably only had 32-bit binaries.
https://github.com/fpmurphy/UEFI-Utilities
UEFI-Utilities-2016 is built against UDK2015. And I think it may only have 32-bit binaries.
https://github.com/fpmurphy/UEFI-Utilities-2016
UEFI-Utilities-2018 is built against UDK2017. Includes X64 binaries.
https://github.com/fpmurphy/UEFI-Utilities-2018
The 2019 edition is now out:
UEFI-Utilities-2019 is built against UDK2018. Includes X64 binaries.
https://github.com/fpmurphy/UEFI-Utilities-2019
Some tools are only in one collection. Also, you need to watch Finnbarr’s blog, as sometimes he does a blog post on a new (or revised) tool, and sometimes the tool is only published in the blog, not in the UEFI Utilities. At least it seemed like that for one of his tools in the past…
Spectre/Meltdown perf on Linux 5.0
Phoronix has a new article with some stats on Spectre/Meltdown mitigation performance impact on Linux 5.0, using their test suite:
[…] Of 57 benchmarks tested on these three systems with the Linux 5.0 kernel, the Core i9 7980XE performance was down by about 13% based upon the geometric mean of all the test results. The Intel Core i7 8086K performance was down by 17% with these out-of-the-box protections for Spectre and Meltdown. The AMD Ryzen 7 2700X performance with its default Spectre mitigations was lower by just 3%. Should you choose to go against the security assessment and wish to recover from these performance losses, reverting the mitigations as tested can easily be done by some boot parameters albeit no single switch. Now with Microsoft shipping Retpolines for revising their Spectre V2 mitigation, some additional Spectre/Meltdown tests will be coming up soon on Phoronix.
https://www.phoronix.com/scan.php?page=article&item=linux50-spectre-meltdown&num=1
Making the LVFS and fwupd work in the enterprise
https://twitter.com/hughsient/status/1102610276577431553
It looks like the Linux firmware update service is about to get some new tools that’ll help enterprise sysadmins!
[…] We’ve started working on some functionality in fwupd to install an optional “agent” that reports the versions of firmware installed to a central internal web service daily, so that the site admin can see what computers are not up-to-date with the latest firmware updates. I’d expect there the admin could also approve updates after in-house QA testing, and also rate-limit the flow of updates to hardware of the same type. The reference web app would visually look like some kind of dashboard, although I’d be happy to also plug this information into existing system management systems like Lenovo XClarity or even Red Hat Satellite. The deliverable here would be to provide the information and the mechanism that can be used to implement whatever policy the management console defines. […]
Ubuntu whitepaper: Securing IoT device data against physical access
Ubuntu has a white-paper that discusses Secure Boot, amongst other things. But you have to register for it, it is not publicly-available.
Comparing Linux distribution’s hardening schemes
In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, CentOS and RHEL 6.10 & 7 distributions, as well as the Ubuntu 14.04, 12.04, and 18.04 LTS distributions. Our findings confirm that even basic hardening schemes, such as stack canaries and position independent code, are not fully adopted. The situation is even worse when it comes to other compiler protections like stack clash hardening, which recently came into the spotlight due to last month’s systemd vulnerabilities. However, not all is hopeless.[…]
https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
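To make the kind of per-binary check the Capsule8 survey describes concrete, here is an added, stdlib-only example (not code from the Capsule8 post) that reads an ELF64 image and reports PIE (e_type == ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO), and a string heuristic for stack canaries. The sample ELF images it falls back to are constructed inside the script and are not real binaries.

```python
import struct
import sys

# ELF constants from the ELF specification (e_type values and program-header types).
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1

def check_elf64(data: bytes) -> dict:
    """Report PIE, NX stack, RELRO and a stack-canary heuristic for one little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # stack is non-executable only if PF_X is clear
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:    # loader remaps this range read-only after relocation
            relro = True
    # Heuristic: canary-protected code references __stack_chk_fail. A stripped, statically
    # linked binary can hide this, so treat the result as a lower bound.
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": b"__stack_chk_fail" in data}

def missing_hardening(report: dict) -> list:
    """Return the names of the hardening features a report lacks, in a stable order."""
    return [k for k in ("pie", "nx", "relro", "canary") if not report[k]]

def build_sample(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Construct a minimal ELF64 image for testing (constructed data, not a real binary)."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7)]          # PF_R|PF_W, plus PF_X when not NX
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))                # PF_R
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                              0x1000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body + (b"\0__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary ...  (no paths: use constructed samples)
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "hardened(sample)": build_sample(True, True, True, True),
        "legacy(sample)": build_sample(False, False, False, False)}
    for name, blob in blobs.items():
        print(f"{name}: missing {missing_hardening(check_elf64(blob)) or 'nothing'}")
```

Only the ELF header and program headers are parsed, so the check runs on any ELF64 file, including ones with no section table.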
Europe in danger of losing ability to update firmware on devices
Mobile Systems and Smartphone Security course, slides online
This website hosts material and resources for the Mobile Systems and Smartphone Security (aka Mobile Security, aka MOBISEC) course, first taught in Fall 2018 at EURECOM. This was designed to be a hands-on course, and it covers topics such as the mobile ecosystem, the design and architecture of mobile operating systems, application analysis, reverse engineering, malware detection, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques. It is widely regarded as the best class on the topic (according to the world-renowned survey “top mobile security classes of the French riviera”). […]
Eclypsium ships their firmware security product!
VeraCrypt 1.24-Beta3 released
VeraCrypt has been updated, with multiple UEFI fixes and a few security features:
* Erase system encryption keys from memory during shutdown/reboot to help mitigate some cold boot attacks
* Add option when system encryption is used to erase all encryption keys from memory when a new device is connected to the system.
* Several enhancements and fixes for EFI bootloader:
* Implement timeout mechanism for password input. Set default timeout value to 3 minutes and default timeout action to “shutdown”.
* Implement new actions “shutdown” and “reboot” for EFI DcsProp config file.
* MBR Bootloader: dynamically determine boot loader memory segment instead of hardcoded values (proposed by neos6464)
* MBR Bootloader: workaround for issue affecting creation of hidden OS on some SSD drives.
* Fix issue related to Windows Update breaking VeraCrypt UEFI bootloader.
https://www.veracrypt.fr/en/Release%20Notes.html
Thunderbolt3 -> USB4
[…]Today, Intel announced that it contributed the Intel Thunderbolt protocol specification to the USB Promoter Group, enabling other chip makers to build Thunderbolt compatible silicon, royalty-free. In addition, the USB Promoter Group announced the pending release of the USB4 specification, based on the Thunderbolt protocol. […]
https://newsroom.intel.com/news/intel-takes-steps-enable-thunderbolt-3-everywhere-releases-protocol/
Intel shares Thunderbolt with USB Promoter Group, and USB4 is on the way
Star LabTop Mk III: Open Source Edition (with coreboot)
Interesting, StarLabs makes a laptop with coreboot and optionally includes Windows. Is this the only OEM/VAR system with coreboot+Windows?? 🙂
https://mailchi.mp/ff0ba15366de/osc-edition

Exploitation from malicious PCI Express peripherals
Colin L. Rothwell
February 2019, 108 pages
The thesis of this dissertation is that, despite widespread belief in the security community, systems are still vulnerable to attacks from malicious peripherals delivered over the PCI Express (PCIe) protocol. Malicious peripherals can be plugged directly into internal PCIe slots, or connected via an external Thunderbolt connection.[…]
VisualEDK2: build TianoCore EDK2 with Visual Studio 2017
This appears to be more than just adding a new compiler to the default EDK2 Build command, and different from Alex’s VisualUEFI. Windows-centric.
Allow building official TianoCore EDK2 with Visual Studio 2017
UefiParser: UEFI Payload parser tool
Can be used to parse the following payloads (including but not limited to):
* Microcode Payload
* Capsule Payload