Side-Channel Aware Fuzzing


[…] In this paper we present and evaluate a new approach to extract feedback for fuzzing on embedded devices using information the power consumption leaks. Side-channel aware fuzzing is a threefold process that is initiated by sending an input to a target device and measuring its power consumption. First, we extract features from the power traces of the target device using machine learning algorithms. Subsequently, we use the features to reconstruct the code structure of the analyzed firmware. In the final step we calculate a score for the input, which is proportional to the code coverage. We carry out our proof of concept by fuzzing synthetic software and a light-weight AES implementation running on an ARM Cortex-M4 microcontroller. Our results show that the power side-channel carries information relevant for fuzzing.

https://arxiv.org/abs/1908.05012

Alex Matrosov: Breaking Through Another Side: Bypassing Firmware Security Boundaries

This blog post is the first in the series about my joint Black Hat research “Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller” (slides) with Alexandre Gazet presented last week in Vegas. This REsearch took literally 5 months of our spare time to dig into Embedded Controller security and Intel BIOS Guard technology implementation in Lenovo Thinkpad BIOS.[…]

Firmware Manager: Generic framework and GTK UI for firmware updates from system76-firmware and fwupd, written in Rust.

System76 is one Linux distro/OEM that rolled its own firmware update mechanism, instead of supporting fwupd. Now they have a new tool that integrates the two solutions:

One of the remaining issues with firmware management on Linux is the lack of options for graphical frontends to firmware management services like fwupd and system76-firmware. For fwupd, the only solutions available were to distribute either GNOME Software, or KDE Discover; which is not viable for Linux distributions which have their own application centers, or frontends to package managers. For system76-firmware, an official GTK application exists, but it only supports updating System76 firmware, when it would be more ideal if it could support updating firmware from both services. fwupd is a system service which connects to LVFS to check for firmware updates to a wide variety of hardware from multiple vendors. system76-firmware is our own system service which connects to System76 to check for firmware updates for System76 hardware. To solve this problem, we’ve been working on the Firmware Manager project, which we will be shipping to all Pop!_OS users, and System76 hardware customers on any other distribution. It supports checking and updating firmware from the fwupd and system76-firmware services, is Wayland-compatible, and provides both a GTK application and library. […]

https://blog.system76.com/post/187072707563/the-new-firmware-manager-updating-firmware-across

https://github.com/pop-os/firmware-manager

Huge Survey of Firmware Finds No Security Gains in 15 Years


August 14, 2019 09:17 by Paul Roberts

A survey of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, Netgear and other major vendors.[…]

See-also:
https://cyber-itl.org/2018/12/07/a-look-at-home-routers-and-linux-mips.html

imgtool – from Android Internals Volume II

Still working on Volume II of Android Internals. Haven’t forgotten y’all. And there’s updates on EFI file format, etc in the update to Volume I that I am preparing… […]

The imgtool utility is another one of the tools I’m including in my book, this time to accompany the chapter about the Boot process. I deal a lot with the internal format of images there, and realized I needed a quick extractor. This became more important when I started to deal with the L preview, and Google Glass system images I used for research. Included in V1.0 changes:
“[…]

  • Full support for EFI firmware files, SCAP, MacEFI images, etc – so now you can extract QCOM xbl/abl further!
  • ..And Apple’s (yep, Apple’s) T2 EFI images, Firmware.scap,etc:
    […]”

http://newandroidbook.com/tools/imgtool.html#V10

USBSamurai: remotely-controlled USB malware

Re: https://firmwaresecurity.com/2018/06/25/wifi-hid-injector-an-usb-rubberducky-badusb-on-steroids/

USBSamurai — A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$

https://github.com/whid-injector/WHID (aka http://whid.ninja/ )

Zoncolan: How Facebook uses static analysis to detect and prevent security issues

https://engineering.fb.com/security/zoncolan/

https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/?verso=true

Hmm, have not found source code, please leave URL in Comment if you do:
https://github.com/facebookresearch?utf8=%E2%9C%93&q=Zoncolan&type=&language=

Intel seeks Offensive Security Researcher

I hadn’t heard of the Intel STORM org before. Excerpt of a description from Wired magazine[1]:

Intel’s offensive security research team comprises about 60 people who focus on proactive security testing and in-depth investigations. STORM is a subset, about a dozen people who specifically work on prototyping exploits to show their practical impact.

https://jobs.intel.com/ShowJob/Id/2172583/Offensive%20Security%20Researcher

Apparently this group has a Twitter account but has not tweeted, and has a Github account but has no files:

https://github.com/intelstormteam

[1] https://www.wired.com/story/intel-meltdown-spectre-storm/

BiosUp: Download selected motherboard UEFI and BIOS automatically.

Biosup is a program designed to automate the sourcing and downloading of BIOS/UEFI from various vendor websites. Using the config file, a user can manually set which chipsets and vendors (between ASUS, ASROCK, GIGABYTE and MSI) they wish to download.

https://github.com/Rexzarrax/Biosup

See-also: UEFI-Spider

https://firmwaresecurity.com/2015/07/15/tool-review-uefi-spider-and-firmware_vault/

Xilinx: Design Advisory for Zynq UltraScale+ MPSoC/RFSoC: Encrypt Only Boot Mode – Unauthenticated Boot and Partition Headers

https://blog.f-secure.com/hardware-security-team-says-flawed-secure-boot-schemes-becoming-too-common/

https://www.xilinx.com/support/answers/72588.html

Eclypsium on Windows drivers

https://github.com/eclypsium/Screwed-Drivers

Yep, drivers, in general, are screwed. 🙂 Certified Windows drivers merely mean the drivers passed some basic tests. There are lots of gaps in how drivers are tested on Windows. (If Microsoft has open-sourced these tests, it would be helpful for researchers to find coverage gaps.) The UEFI SCTs are a minimum bar at feature testing, and have no security tests… and CHIPSEC only helps with security testing on Intel systems, not AMD nor ARM vendors. Does Linux have any equivalent tests for drivers? Last time I looked into the LTP and some related projects, it did not. Does Apple have tests like this for drivers?

Musings on the Microsoft Component Firmware Update (CFU) Protocol

Richard Hughes, of the Linux fwupd project, has a new blog post about the new Microsoft UEFI update mechanism, CFU (Component Firmware Update):

https://github.com/microsoft/CFU

PS: When you see duplicate URLs in a post, like above, it is because the WordPress web UI for pasting URLs is broken. 😦

System Boot and Security Microconference at Linux Plumbers Conference 2019

The security of computer systems has been a very important topic for many years. It has been taken into account in the OSes and applications for a long time. However, security of the firmware and boot process has not been taken so seriously until recently. Now that is changing. Firmware is more often being designed with security in mind. Boot processes are also evolving. There are many security solutions available there and even some that are now becoming common. However, they are often not complete solutions and solve problems only partially. So, it is a good time to integrate various approaches and build full top-down solutions. There is a lot happening in that area right now. New projects arise, e.g. TrenchBoot, and they meet various design, implementation, validation, etc. obstacles. The goal of this microconference is to foster a discussion of the various approaches and hammer out, if possible, the best solutions for the future. Perfect sessions should discuss various designs and/or the issues and limitations of the available security technologies and solutions that were encountered during the development process. […] Expected topics: TPMs, SRTM and DRTM, Intel TXT, AMD SKINIT, attestation, UEFI secure boot, IMA, Intel SGX, boot loaders, firmware, OpenBMC, etc.

https://linuxplumbersconf.org/event/4/page/21-lpc-2019-overview

https://linuxplumbersconf.org/event/4/page/34-accepted-microconferences#security

Some presentation abstracts are online, e.g.:

Non-UEFI-aware measured boot using coreboot, GRUB and TPM2.0
https://linuxplumbersconf.org/event/4/contributions/517/

Secure and Trusted boot in OpenBMC
https://linuxplumbersconf.org/event/4/contributions/515/

FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation

By: Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun

Cyber attacks against IoT devices are a severe threat. These attacks exploit software vulnerabilities in IoT firmware. Fuzzing is an effective software testing technique for vulnerability discovery. In this work, we present FIRM-AFL, the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it addresses compatibility issues by enabling fuzzing for POSIX-compatible firmware that can be emulated in a system emulator. Second, it addresses the performance bottleneck caused by system-mode emulation with a novel technique called augmented process emulation. By combining system-mode emulation and user-mode emulation in a novel way, augmented process emulation provides high compatibility as system-mode emulation and high throughput as user-mode emulation. Our evaluation results show that (1) FIRM-AFL is fully functional and capable of finding real-world vulnerabilities in IoT programs; (2) the throughput of FIRM-AFL is on average 8.2 times higher than system-mode emulation based fuzzing; and (3) FIRM-AFL is able to find 1-day vulnerabilities much faster than system-mode emulation based fuzzing, and is able to find 0-day vulnerabilities.

https://www.cs.ucr.edu/~heng/pubs/FirmAFL.pdf

https://www.usenix.org/conference/usenixsecurity19/presentation/zheng

https://github.com/zyw-200/FirmAFL

Coverage-guided fuzzing of embedded firmware with avatar

[Have not found the source code to this; if you do, please put the URL in a Comment to this blog post. Thanks.]

In this work, we present AFLtar, a coverage-guided fuzzer for embedded firmware. AFLtar leverages avatar², an orchestration framework for dynamic analysis, along with the American Fuzzy Lop coverage-guided fuzzer and the AFL-Unicorn CPU emulator. The goal of AFLtar is to reduce the cost of embedded fuzzing by providing a platform that can be used to quickly set up a firmware fuzzing job, while reaping the benefits of modern, feedback-driven fuzzing strategies.

https://siagas.math.unipd.it/siagas/getTesi.php?id=2030

OS/2 to support UEFI

Arca Noae, the company that bought OS/2 from IBM, is adding UEFI support:

https://www.arcanoae.com/arca-noae-progress-report-arcaos-on-uefi-only-hardware/

Going off-topic: When OS/2 was created, IBM wanted to move from the OEM-cloneable IBM PC to the PS/2 system, which had ABIOS, a reentrant protect mode BIOS. Microsoft had to do a clean-room reverse engineering of the IBM PS/2 ABIOS. ABIOS was a PITA for Microsoft OEMs who wanted a full clone of OS/2. IBM did not publish a Technical Manual with the source code to ABIOS, unlike BIOS. 🙂