The LinuxBoot project has a new subproject, ACPITools, with 2 commands so far: acpicat and acpigrep.
Month: April 2020
AMD: Change log for AGESA 1005:
AMD provides vendors with AGESA updates, but end-users have to hope that their vendor includes this data. In other words, AMD doesn’t directly provide end-users with AGESA information, at least AFAICT. However, this latest one may be different: AMD has provided a brief changelog for the latest AGESA release on Reddit. Let’s hope they continue this trend and are more verbose in the future:
Change log for AGESA 1005:
* Rollup of 1004a, ab, abb, abba patches into a single release
* Fixed a PCIe® lane configuration issue on the AMD Ryzen™ 3 PRO 2100GE
* Resolved an intermittent virtual memory error with Realtek onboard LAN
* Improved POST with select Micron DDR4-3200 memory ICs
* Optimized PCIe® firmware to improve stability and interoperability
GRUB2-FileManager: GRUB2-based file manager (UEFI application)
NIST draft whitepaper: Hardware-Enabled Security for Server Platforms
Hardware-Enabled Security for Server Platforms:
Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases
In today’s cloud data centers and edge computing, attack surfaces have significantly increased, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted. This white paper explains hardware-based security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing.
dropWPBT: Disables the Windows Platform Binary Table (WPBT) in your UEFI firmware
Disables the Windows Platform Binary Table (WPBT) in your firmware. This program uses a non-permanent, non-destructive method to remove the table from system memory, so it should be executed every time the computer is rebooted, before the Windows bootloader starts.
https://github.com/Jamesits/dropWPBT
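As an added example (not code from dropWPBT), here is a small Python parser a defender can use to inventory a WPBT table before deciding whether to drop it: it checks the ACPI header, verifies the checksum, and reports which physical address, image layout and command line the firmware would hand to Windows. The field layout is taken from Microsoft’s WPBT specification; the sample table bytes are constructed here, and the sysfs path mentioned in the usage note assumes Linux.

```python
import struct

# Standard 36-byte ACPI description header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific body (Microsoft WPBT spec): handoff memory size, handoff physical
# address, content layout (1 = single PE image), content type (1 = native user-mode
# app), command-line length in bytes; a UTF-16LE command line follows.
WPBT_BODY = struct.Struct("<IQBBH")

def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table, checksum byte included, must sum to 0 mod 256."""
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> dict:
    """Return the WPBT fields worth auditing; raise ValueError if the table is malformed."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, _rev, _csum, oem_id, *_ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match table size")
    if not acpi_checksum_ok(table):
        raise ValueError("bad ACPI checksum")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    cmdline = table[start:start + cmd_len].decode("utf-16-le").rstrip("\0")
    return {"oem_id": oem_id.strip(b"\0 ").decode(), "handoff_size": size,
            "handoff_addr": addr, "layout": layout, "content_type": ctype, "cmdline": cmdline}

def is_valid_wpbt(table: bytes) -> bool:
    """True only if the table parses cleanly (handy for an inventory script)."""
    try:
        parse_wpbt(table)
        return True
    except ValueError:
        return False

def build_sample_wpbt(cmdline: str = "") -> bytes:
    """Constructed sample (not from real firmware): a 64 KiB PE image at 0x7F000000."""
    cmd = cmdline.encode("utf-16-le")
    body = WPBT_BODY.pack(0x10000, 0x7F000000, 1, 1, len(cmd)) + cmd
    hdr = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                           b"SAMPLE", b"WPBTTEST", 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) & 0xFF  # checksum byte lives at header offset 9
    return bytes(table)
```

On Linux the live table, when the firmware ships one, is exposed as /sys/firmware/acpi/tables/WPBT (readable as root) and can be passed straight to parse_wpbt.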
UefiVarMonitor: UEFI runtime driver that monitors access to the UEFI variables
A sample runtime DXE driver (UEFI driver) that monitors access to UEFI variables by hooking the runtime service table, written in C and Rust.
https://github.com/tandasat/UefiVarMonitor
Polypyus: Firmware Historian
Polypyus learns to locate functions in raw binaries by extracting known functions from similar binaries. Thus, it is a firmware historian. Polypyus works without disassembling these binaries, which is an advantage for binaries that are complex to disassemble and where common tools miss functions. In addition, the binary-only approach makes it very fast and run within a few seconds. However, this approach requires the binaries to be for the same architecture and have similar compiler options. Polypyus integrates into the workflow of existing tools like Ghidra, IDA, BinDiff, and Diaphora. For example, it can import previously annotated functions and learn from these, and also export found functions to be imported into IDA. Since Polypyus uses rather strict thresholds, it only found correct matches in our experiments. While this leads to fewer results than in existing tools, it is a good entry point for loading these matches into IDA to improve its auto analysis results and then run BinDiff on top.
https://github.com/seemoo-lab/polypyus
Hmm, IDA, Ghidra are supported. I don’t see Radare2. 😦
Minimal LZMA (minlzma) project: new LZMA C library
Alex has written a new LZMA parser library, that works on Linux and Windows.
The Minimal LZMA (minlzma) project aims to provide a minimalistic, cross-platform, highly commented, standards-compliant C library (minlzlib) for decompressing LZMA2-encapsulated compressed data in LZMA format within an XZ container, as can be generated with Python 3.6, 7-zip, and xzutils.
BIOSUtilities: updated to support Dell file format changes
“Dell has started to ship their UEFI/BIOS updates using PFS Revision 2 container format. I’ve added support for it at the latest Dell PFS BIOS Extractor v4.0 release.”
BootKeeper: static analysis toward verifying security properties on boot firmware images
BootKeeper: Validating Software Integrity Properties on Boot Firmware Images
Ronny Chevalier, Stefano Cristalli, Christophe Hauser, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, Danilo Bruschi, Andrea Lanzi
Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware’s loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.
Another Linux-friendly Universal-IFR-Extractor fork
Re: https://firmwaresecurity.com/2017/10/30/universal-ifr-extractor/ and https://firmwaresecurity.com/2015/07/07/two-uefi-form-tools-plus-one-uefi-c-module-complexity-tool/ :
There’s another Universal-IFR-Extractor fork …I think. The original one was Windows-centric, I think motivation for some forks was from non-Windows users. Today’s new fork might have some new/interesting features or — I didn’t study the code — it might be a fork of one of the other Linux-friendly forks.
Visual Forms Representation (VFR) is the “source code” for UEFI forms-based apps; IFR is the Internal Forms Representation that is compiled into the binaries, and is of interest to reverse engineers and modders. An example of how a modder uses it:
https://github.com/roncapat/W230SD-Unlocked-AMI-BIOS
I don’t think the security researcher community has done much research into IFR-based attacks against this binary format, which includes multiple complex structures in C that impact control flow.
Original tool: https://github.com/donovan6000/Universal-IFR-Extractor
Forks of tool:
https://github.com/LongSoft/Universal-IFR-Extractor
https://github.com/tomrus88/Universal-IFR-Extractor
https://github.com/therealgudv1n/Universal-IFR-Extractor-Linux (this latest one)
I suspect one of the more recent forkers didn’t first check whether another Linux-friendly fork already existed. Besides this tool “family”, there are also a few other IFR tools; one is:
IfrViewer: Viewer for IFR structures
I’m pretty sure I blogged on another one, but I’m not great at adding tags to blog posts, so I can’t find it at the moment. 😦
umap: UEFI bootkit for driver manual mapping
Windows UEFI bootkit that loads a generic driver manual mapper without using a UEFI runtime driver.
grub-mod-setup_var: a modified GRUB allowing tweaking hidden BIOS settings
There is a fork of GRUB that lets BIOS modders change hidden BIOS settings such as “CFG Lock”.
I didn’t know about “CFG Lock” before today; it appears common knowledge in the modding community. Does CHIPSEC check for this? If not, should it?
https://github.com/datasone/grub-mod-setup_var
There’s another GitHub project, a documentation-only guide for some Insyde BIOS users, which relies on this GRUB fork.
Little guide on how to show all the settings in clevo insyde_h20 uefi.
https://github.com/eebssk1/clevo-insyde-uefi-settings-show-all
Dell SafeBIOS: enhanced BIOS verification utility
[…]Dell Technologies is enhancing its Dell SafeBIOS offering with a new utility for off-host BIOS verification and integrations with CrowdStrike, Secureworks and VMware Workspace ONE for off-host BIOS verification with their tools.[…]
Airbreak: CPAP firmware update to enable emergency COVID19 use as a temporary ventilator
Another reason why firmware should be Open Source, not Closed Source.
Intel April advisories: more info
Re: https://firmwaresecurity.com/2020/04/14/6-new-security-advisories-from-intel-2/
I guess I need to wait now for the monthly blog post to go along with the list of advisories. I guess that’s good, there’s now a blog post with hopefully more information.
Platbox: UEFI Assessment Tool
Windows-centric. Visual Studio-centric. Intel-centric. Mostly C, a bit of asm.
No docs.
Most of the code on this new GitHub project is 10 hours old, but some of the files are 10 months old.
A “\DosDevices\PlatboxDev” device is created, and some IOCTLs are enabled. The list of IOCTLs roughly resembles the CHIPSEC kernel-mode driver API:
ISSUE_SW_SMI
EXECUTE_SHELLCODE
READ_PCI_HEADER
READ_PCI_BYTE
READ_PCI_WORD
READ_PCI_DWORD
WRITE_PCI_BYTE
WRITE_PCI_WORD
WRITE_PCI_DWORD
GET_PCI_BAR_SIZE
READ_PHYSICAL_MEM
WRITE_PHYSICAL_MEM
READ_MSR
WRITE_MSR
PATCH_CALLBACK
RESTORE_CALLBACK
REMOVE_ALL_CALLBACKS_HOOKS
6 new security advisories from Intel:
INTEL-SA-00363: Intel NUC Firmware Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00363.html
INTEL-SA-00359: Intel Binary Configuration Tool for Windows Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00359.html
INTEL-SA-00351: Intel Modular Server Compute Module Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00351.html
INTEL-SA-00344: Intel Driver and Support Assistant Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00344.html
INTEL-SA-00338: Intel PROSet/Wireless WiFi Software Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00338.html
INTEL-SA-00327: Intel Data Migration Software Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00327.html
AMI Announces New AMI FirST Firmware Security Testing Suite for x86/x64
Abridged first paragraph of PR:
AMI announces AMI FirST™ Firmware Security Testing Suite, a set of integrated security test tools that provide dependable verification of production firmware security for x86/x64 architectures. AMI FirST tests stay current with the latest critical developments in mitigating firmware security threats and CHIPSEC for comprehensive testing, vulnerability protection and prevention of security defect regression.[…]
https://ami.com/en/products/security-services-and-solutions/ami-first-firmware-security-testing/