Uncategorized

Microsoft launches Windows Bounty Program

Announcing the Windows Bounty Program:
Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection to harden entry points while ensuring the customer experience is seamless. In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.[…]

https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/

https://aka.ms/BugBounty

Standard
Uncategorized

CHIPSEC for ARM: to be released at Black Hat

I nearly missed this CHIPSEC announcement in the below Black Hat abstract. Exciting.

Blue Pill for Your Phone
By Oleksandr Bazhaniuk & Yuriy Bulygin

In this research, we’ve explored attack surface of hypervisors and TrustZone monitor in modern ARM based phones, using Google Nexus 5X, Nexus 6P, and Pixel as primary targets. We will explain different attack scenarios using SMC and other interfaces, as well as interaction methods between TrustZone and hypervisor privilege levels. We will explore attack vectors which could allow malicious operating system (EL1) level to escalate privileges to hypervisor (EL2) level and potentially install virtualization rootkit in the hypervisor. We will also explore attack vectors through SMC and other low level interfaces, interactions between TrustZone and hypervisor (EL2) privilege levels. To help with further low level ARM security research, we will release ARM support for CHIPSEC framework and new modules to test issues in ARM based hypervisors and TrustZone implementations, including SMC fuzzer.

https://www.blackhat.com/us-17/briefings.html#blue-pill-for-your-phone

Standard
Uncategorized

Intel SGX elevation of privilege update

Intel SGX security update for Intel Servers/NUC/ComputeStick. Excerpt of announcement:

Intel ID: INTEL-SA-00076
Product family: Intel Server Systems, NUC, and Compute Stick
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Jul 25, 2017

Intel has released updates that improve the security of Intel® Software Guard Extensions (SGX). The improvement applies to 6th and 7th Generation Intel® Core™ Processor Families, Intel® Xeon® E3-1500M v5 and v6 Processor Families, and Intel® Xeon® E3-1200 v5 and v6 Product Families. This update improves the security of Intel® Software Guard Extensions (SGX) and is strongly recommended. While this firmware update prevents exploitation of the issue on systems running SGX, Intel also provides an SGX Attestation service to allow service providers to know whether clients have the latest security updates. Intel plans to update the SGX Attestation Service response on November 14, 2017. On platforms that have not installed the update, SGX applications using the SGX Attestation Service will begin to receive “out of date” responses from the SGX Attestation Service. Applications using SGX may or may not take action based on this information. If SGX Attestation is used, it may be necessary for applications using SGX to re-provision the platform with an updated SGX platform attestation key after this update is installed. This updated attestation key allows the platform to demonstrate that it is up to date.

Full announcement:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00076&languageid=en-fr

Standard
Uncategorized

Apple on Secure Kernel Extension Loading

On June 19th, Apple released a document describing how loading secure kernel extensions (.kext) would change with High Sierra and how this would impact enterprise customers.[…]

System Extension Blocked

http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/

https://developer.apple.com/library/content/technotes/tn2459/_index.html

 

Standard
Uncategorized

Trust Issues: Exploiting TrustZone TEEs

by Gal Beniamini, Project Zero

Mobile devices are becoming an increasingly privacy-sensitive platform. Nowadays, devices process a wide range of personal and private information of a sensitive nature, such as biometric identifiers, payment data and cryptographic keys. Additionally, modern content protection schemes demand a high degree of confidentiality, requiring stricter guarantees than those offered by the “regular” operating system. In response to these use-cases and more, mobile device manufacturers have opted for the creation of a “Trusted Execution Environment” (TEE), which can be used to safeguard the information processed within it. In the Android ecosystem, two major TEE implementations exist – Qualcomm’s QSEE and Trustonic’s Kinibi (formerly <t-base). Both of these implementations rely on ARM TrustZone security extensions in order to facilitate a small “secure” operating system, within which “Trusted Applications” (TAs) may be executed. In this blog post we’ll explore the security properties of the two major TEEs present on Android devices. We’ll see how, despite their highly sensitive vantage point, these operating systems currently lag behind modern operating systems in terms of security mitigations and practices. Additionally, we’ll discover and exploit a major design issue which affects the security of most devices utilising both platforms. Lastly, we’ll see why the integrity of TEEs is crucial to the overall security of the device, making a case for the need to increase their defences. […]

 

https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html

Standard
Uncategorized

Hagfish: UEFI Bootloader for Barrelfish

Barrelfish is a new research operating system being built from scratch and released by ETH Zurich in Switzerland, originally in collaboration with Microsoft Research and now partly supported by HP Enterprise Labs, Huawei, Cisco, Oracle, and VMware. […]

Hagfish is the Barrelfish/ARMv8 UEFI loader prototype: Hagfish (it’s a basal chordate i.e. something like the ancestor of all fishes). Hagfish is a second-stage bootloader for Barrelfish on UEFI platforms, most importantly the ARMv8 server platform. […]

http://www.barrelfish.org/

https://github.com/BarrelfishOS/hagfish

https://github.com/BarrelfishOS/uefi-sdk

Standard