more on Meltdown and Spectre

Intel advisory:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Intel tool for Linux:
https://github.com/intel/INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools
Intel tool for Windows:
https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://meltdownattack.com/
https://spectreattack.com/

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://www.freebsd.org/news/newsflash.html#event20180104:01

http://blog.dustinkirkland.com/2018/01/ubuntu-updates-for-meltdown-spectre.html

https://www.us-cert.gov/ncas/alerts/TA18-004A

http://www.commitstrip.com/en/2018/01/04/reactions-to-meltdown-and-spectre-exploits/?

https://www.reuters.com/article/us-cyber-intel-researcher/how-a-researcher-hacked-his-own-computer-and-found-worst-chip-flaw-idUSKBN1ET1ZR

more on Meltdown and Spectre

https://developer.arm.com/support/security-update

https://www.amd.com/en/corporate/speculative-execution

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

Mitigations landing for new class of timing attack

https://support.google.com/chrome/answer/7623121?hl=en

https://github.com/ionescu007/SpecuCheck

https://lists.vmware.com/pipermail/security-announce/2018/000397.html

https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities

Meltdown and Spectre

Intel says issue impacts other chip vendors, not just Intel:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

https://spectreattack.com/
says: At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

A few news sources are saying Apple has a fix in place:
http://appleinsider.com/articles/18/01/03/apple-has-already-partially-implemented-fix-in-macos-for-kpti-intel-cpu-security-flaw

Official T-Shirts: coming soon…

Embedded Linux Japan Technical Jamboree 63 slides/videos uploaded

Status of Embedded Linux, Tim Bird
Review of ELC Europe 2017, Tim Bird
Implementing state-of-the-art U-Boot port, 2017 edition, by Marek Vasut
The fight over the dark corners of Linux kernel memory management (collaborators wanted), Tetsuo Handa (NTT Data)
Request for your suggestions: How to Protect Data in eMMC on Embedded Devices, Gou Nakatsuka (Daikin)
Fuego Status and Roadmap, Tim Bird
Multicast Video-Streaming on Embedded Linux environment, Daichi Fukui (TOSHIBA)
From 1 to many Implementing SMP on OpenRISC, Stafford Horne
Core Partitioning Technique on Multicore Linux systems, Kouta Okamoto (TOSHIBA)
Debian + YoctoProject Based Projects: Collaboration Status, Kazuhiro Hayashi (TOSHIBA)

https://elinux.org/Japan_Technical_Jamboree_63#Agenda

See-also: September 2017 Jamboree 62:

Status of Embedded Linux, Tim Bird
EdgeX Foundry: Introduction and demonstration of end to end IoT system, Victor Duan, Linaro
Lightning Talk: Integration between GitLab and Fuego, Tomohito Esaki, IGEL Co., Ltd.
DebConf17 Report, Kazuhiro Hayashi, TOSHIBA
Lightning Talk: About the LTS now, Shinsuke Kato, Panasonic Corporation
Kernel Recipes 2015 – Linux Stable Release process, Greg KH
Lightning Talk: IPv6 Ready Logo Test for LTSI 4.9 and introduction about CVE-2016-5863 and CVE-2017-11164, Fan Xin, Fujitsu Computer Technologies Limited

https://elinux.org/Japan_Technical_Jamboree_62#Agenda

Intel KPTI issue


https://twitter.com/BryanLunduke/status/948430797266042880

https://twitter.com/aionescu/status/948580581406748673


https://lkml.org/lkml/2017/12/27/2

https://twitter.com/aionescu/status/948576989622882304

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Windows adds TXT-supported MLE to boot security

https://twitter.com/aionescu/status/944286540984827904

Interesting to hear that Microsoft has added Intel TXT support with its own MLE (Measured Launch Environment, the code that GETSEC[SENTER] measures and launches). Sorry, no more info on it than the above tweet.

From Wikipedia: Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, Cloud Raxak, and VMware. Open-source projects also utilize the TXT functionality; for example, tboot provides a TXT-based integrity system for the Linux kernel and Xen hypervisor.


Intel adds ROP-detection Branch Monitoring support to Linux

https://twitter.com/aionescu/status/947990492062420992

https://lwn.net/Articles/738166/

Date: Fri, 3 Nov 2017 11:00:03 -0700

This patchset adds support for Intel's branch monitoring feature. This feature uses heuristics to detect the occurrence of a ROP (Return Oriented Programming) or ROP-like (JOP: Jump Oriented Programming) attack. These heuristics are based off certain performance monitoring statistics, measured dynamically over a short configurable window period. ROP is a malware trend in which the attacker can compromise a return pointer held on the stack to redirect execution to a different desired instruction. Currently, only the Cannonlake family of Intel processors supports this feature. This feature is enabled by CONFIG_PERF_EVENTS_INTEL_BM. Once the kernel is compiled with CONFIG_PERF_EVENTS_INTEL_BM=y on a Cannonlake system, the following perf events are added which can be viewed with perf list:
intel_bm/branch-misp/ [Kernel PMU event]
intel_bm/call-ret/ [Kernel PMU event]
intel_bm/far-branch/ [Kernel PMU event]
intel_bm/indirect-branch-misp/ [Kernel PMU event]
intel_bm/ret-misp/ [Kernel PMU event]
intel_bm/rets/ [Kernel PMU event]

A perf-based kernel driver has been used to monitor the occurrence of one of the 6 branch monitoring events. There are 2 counters that each can select between one of these events for evaluation over a specified instruction window size (0 to 1023). For each counter, a threshold value (0 to 127) can be configured to set a point at which an interrupt is generated. The entire system can monitor a maximum of 2 events (either from the same or different tasks) at any given time. Apart from the kernel driver, this patchset adds the CPUID of Cannonlake processors to the Intel family list and the Documentation/x86/intel_bm.txt file with some information about Intel Branch Monitoring.
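To make the counter/window/threshold mechanism from the cover letter concrete, here is a software model of one branch-monitoring counter. This is an added example, not code from the patchset or from Intel: the counter selects the ret-misp event, counts it over a sliding window of the last N retired instructions and raises a simulated interrupt once the count exceeds the threshold. Return mispredictions are modelled with a small return-stack buffer (RSB) of assumed depth 16; a ret whose target is not the address pushed by the matching call counts as mispredicted, which is exactly what a chain of ROP gadgets produces. The trace format, addresses and the two sample traces are constructed for the illustration.

```python
"""Model of a windowed branch-monitoring counter (added example, not kernel code)."""
from collections import deque

RSB_DEPTH = 16  # assumed RSB depth; the real value is microarchitecture-specific


def ret_misp_events(trace):
    """Yield 1 for every retired instruction that is a mispredicted ret, else 0.

    Trace entries: ("call", return_address), ("ret", target_address), ("insn",)
    """
    rsb = deque(maxlen=RSB_DEPTH)
    for entry in trace:
        kind = entry[0]
        if kind == "call":
            rsb.append(entry[1])        # predictor remembers where the ret should go
            yield 0
        elif kind == "ret":
            predicted = rsb.pop() if rsb else None
            yield 0 if predicted == entry[1] else 1
        else:
            yield 0


def monitor(trace, window=64, threshold=8):
    """Simulate one counter: ret-misp events over the last `window` instructions.

    Returns (fired, max_count): whether the threshold was ever exceeded, and
    the largest windowed count observed.
    """
    recent = deque(maxlen=window)   # one 0/1 entry per retired instruction
    count = max_count = 0
    fired = False
    for ev in ret_misp_events(trace):
        if len(recent) == recent.maxlen:
            count -= recent[0]          # the oldest instruction leaves the window
        recent.append(ev)
        count += ev
        max_count = max(max_count, count)
        if count > threshold:
            fired = True                # hardware would raise the interrupt here
    return fired, max_count


def benign_trace(calls=50):
    """Constructed trace: ordinary calls whose rets go back to the call site."""
    trace = []
    for i in range(calls):
        ret_addr = 0x401000 + 4 * i
        trace.append(("call", ret_addr))
        trace.extend([("insn",)] * 3)
        trace.append(("ret", ret_addr))   # matches the RSB prediction
        trace.append(("insn",))
    return trace


def rop_trace(gadgets=20):
    """Constructed trace: a little benign code, then a chain of ret-terminated gadgets."""
    trace = benign_trace(5)
    for i in range(gadgets):
        trace.extend([("insn",)] * 2)              # gadget body, e.g. pop rdi
        trace.append(("ret", 0x7F0000 + 8 * i))    # ret into the next gadget: no matching call
    return trace


if __name__ == "__main__":
    print("benign:", monitor(benign_trace()))   # no mispredicted rets
    print("rop:   ", monitor(rop_trace()))      # every gadget ret mispredicts
```

The benign trace never trips the counter because each ret is predicted by the RSB; the ROP chain mispredicts on every gadget, so the windowed count climbs past the threshold within a few dozen instructions. Tuning the window and threshold trades detection latency against false positives from code with deep recursion or manual stack switching.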

The mysterious case of the Linux Page Table Isolation patches

WordPress chokes on this Tumblr.com-based document; please click on the URLs in the tweets below to reach the article.

https://twitter.com/revskills/status/947894765126934528

The mysterious case of the Linux Page Table Isolation patches

tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.

See-also: https://firmwaresecurity.com/2017/12/07/tu-graz-story-on-rowhammer/

ToySMT – simple SMT solver under ~1500 SLOC of pure C.

https://twitter.com/yurichev/status/947598373057585152

ToySMT – simple SMT solver under ~1500 SLOC of pure C.

It's a very early sneak preview. It supports only bools and bitvecs. No integers, let alone reals, arrays, tuples or whatever. However, it can serve as an educational tool (hopefully). It parses an input SMT-LIB file (see "tests" and "examples") and constructs a digital circuit, which is then converted to CNF form using Tseitin transformations. This is also called "bitblasting". minisat is then executed as an external SAT solver. Stay tuned, it will evolve. Aside from the SMT-LIB standard, I also added two more commands: (get-all-models) and (count-models) (see "tests"). Since it's an early preview, it was only checked on the "tests" and "examples" you can find here. Anything else can fail. Also, error reporting is somewhat user-unfriendly. First, you can check your .smt files using another SMT solver (I used z3, Boolector, STP, Yices, CVC4).[…]

https://github.com/DennisYurichev/ToySMT
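The bitblasting step the README describes, as an added example that is not ToySMT's code: a 2-bit ripple-carry adder is built from AND/OR/XOR gates, each gate becomes its Tseitin clauses (one fresh variable per gate output), and a constraint `x + y == 3 (mod 4)` is asserted as unit clauses. Where ToySMT hands the clauses to minisat, this example counts models by brute force, which also stands in for its (count-models) command. Variables are positive integers and literals signed integers, as in DIMACS.

```python
"""Tseitin bitblasting of a bit-vector constraint (added example, not ToySMT)."""
import itertools


class CNF:
    def __init__(self):
        self.nvars = 0
        self.clauses = []

    def fresh(self):
        self.nvars += 1
        return self.nvars

    def gate_and(self, a, b):
        o = self.fresh()                     # o <-> (a and b)
        self.clauses += [[-o, a], [-o, b], [o, -a, -b]]
        return o

    def gate_or(self, a, b):
        o = self.fresh()                     # o <-> (a or b)
        self.clauses += [[-o, a, b], [o, -a], [o, -b]]
        return o

    def gate_xor(self, a, b):
        o = self.fresh()                     # o <-> (a xor b)
        self.clauses += [[-o, a, b], [-o, -a, -b], [o, -a, b], [o, a, -b]]
        return o

    def assert_true(self, lit):
        self.clauses.append([lit])           # unit clause

    def satisfied(self, assignment):
        return all(any(assignment[abs(l)] == (l > 0) for l in c) for c in self.clauses)

    def count_models(self, over=None):
        """Brute-force model count, optionally projected onto the variables in `over`."""
        keys = over or range(1, self.nvars + 1)
        models = set()
        for bits in itertools.product([False, True], repeat=self.nvars):
            a = dict(zip(range(1, self.nvars + 1), bits))
            if self.satisfied(a):
                models.add(tuple(a[v] for v in keys))
        return len(models)


def bitvec(cnf, width):
    """A symbolic bit-vector: one fresh variable per bit, LSB first."""
    return [cnf.fresh() for _ in range(width)]


def add(cnf, xs, ys):
    """Ripple-carry adder; the final carry is dropped, so addition is modular."""
    out, carry = [], None
    for x, y in zip(xs, ys):
        s = cnf.gate_xor(x, y)
        c = cnf.gate_and(x, y)
        if carry is not None:
            c2 = cnf.gate_and(s, carry)
            s = cnf.gate_xor(s, carry)
            c = cnf.gate_or(c, c2)
        out.append(s)
        carry = c
    return out


def assert_equals_const(cnf, bits, value):
    for i, b in enumerate(bits):
        cnf.assert_true(b if (value >> i) & 1 else -b)


def build_example():
    """x, y : 2-bit bitvecs, assert x + y == 3 (mod 4); returns (cnf, x, y)."""
    cnf = CNF()
    x, y = bitvec(cnf, 2), bitvec(cnf, 2)
    assert_equals_const(cnf, add(cnf, x, y), 3)
    return cnf, x, y


def build_unsat_example():
    """x + x == 1 (mod 4) has no model, since 2x is always even."""
    cnf = CNF()
    x = bitvec(cnf, 2)
    assert_equals_const(cnf, add(cnf, x, x), 1)
    return cnf


if __name__ == "__main__":
    cnf, x, y = build_example()
    print(len(cnf.clauses), "clauses,", cnf.nvars, "vars,",
          cnf.count_models(over=x + y), "models over (x, y)")
    print("unsat example models:", build_unsat_example().count_models())
```

Projecting the count onto the input bits matters: the Tseitin auxiliaries are functions of the inputs, so here the total count and the projected count agree, but in general a solver reporting "all models" must decide whether gate outputs are part of the model or not.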


macOS vuln in IOHIDFamily

Siguza, 01. Dec 2017 (published 31. Dec 2017)
IOHIDeous

“IOHIDFamily once again.”
This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user. IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn't know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.[…]

https://siguza.github.io/IOHIDeous/
https://github.com/Siguza/IOHIDeous/blob/master/docs/index.md

https://github.com/Siguza/iokit-utils
https://github.com/Siguza/hsp4
https://github.com/Siguza/ios-kern-utils

bootoption – Create a new EFI RT variable like BootXXXX but store the data in a property list

bootoption: A program to create and save an EFI boot load option, so that it might be added to the firmware menu later. May be used to work around situations where it is problematic to modify BootOrder or BootXXXX in NVRAM while targeting a given instance of a loader from the booted OS: during loader installation, for example.

Usage: bootoption -p path -d description -o file
  -p  path to EFI executable
  -d  boot option description
  -o  file to write to (XML property list)

https://github.com/vulgo/bootoption
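What such a saved option has to contain, as an added example (not bootoption's own code, and the plist keys are this example's assumption, not bootoption's file format): the bytes of a BootXXXX variable are an EFI_LOAD_OPTION as laid out in the UEFI specification (Attributes, FilePathListLength, a CHAR16 Description, the FilePathList device path, then OptionalData). The device path built here is a single File Path Media node plus the End node; entries written by firmware usually also carry a Hard Drive media node in front of it, which is omitted for brevity. The parser reverses the encoding so the stored blob can be checked before it is ever written to NVRAM.

```python
"""Build and parse an EFI_LOAD_OPTION, stored in a plist (added example, not bootoption)."""
import plistlib
import struct

LOAD_OPTION_ACTIVE = 0x00000001
MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP = 0x04, 0x04
END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE = 0x7F, 0xFF


def ucs2z(s):
    """CHAR16 string with the 0x0000 terminator UEFI expects."""
    return s.encode("utf-16-le") + b"\x00\x00"


def file_path_device_path(path):
    """File Path Media Device Path node followed by the End-of-Path node."""
    body = ucs2z(path)
    node = struct.pack("<BBH", MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP, 4 + len(body)) + body
    end = struct.pack("<BBH", END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE, 4)
    return node + end


def build_load_option(description, path, attributes=LOAD_OPTION_ACTIVE, optional=b""):
    """EFI_LOAD_OPTION: Attributes (UINT32), FilePathListLength (UINT16), ..."""
    dp = file_path_device_path(path)
    return struct.pack("<IH", attributes, len(dp)) + ucs2z(description) + dp + optional


def parse_load_option(blob):
    """Inverse of build_load_option; returns the decoded fields as a dict."""
    attributes, dp_len = struct.unpack_from("<IH", blob, 0)
    off = 6
    while blob[off:off + 2] != b"\x00\x00":   # terminator sits on a CHAR16 boundary
        off += 2
    description = blob[6:off].decode("utf-16-le")
    off += 2
    dp, optional = blob[off:off + dp_len], blob[off + dp_len:]
    path, pos = None, 0
    while pos < len(dp):
        ntype, subtype, length = struct.unpack_from("<BBH", dp, pos)
        if ntype == END_DEVICE_PATH_TYPE:
            break
        if (ntype, subtype) == (MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP):
            path = dp[pos + 4:pos + length].decode("utf-16-le").rstrip("\x00")
        pos += length
    return {"attributes": attributes, "description": description,
            "path": path, "optional_data": optional}


def save_plist(blob):
    """Property list carrying the raw option bytes; the key is assumed, not bootoption's."""
    return plistlib.dumps({"LoadOption": blob})


def load_plist(data):
    return plistlib.loads(data)["LoadOption"]


if __name__ == "__main__":
    opt = build_load_option("Linux Boot Manager", "\\EFI\\systemd\\systemd-bootx64.efi")
    print(save_plist(opt).decode())
    print(parse_load_option(load_plist(save_plist(opt))))
```

Keeping the option as an opaque blob in the plist means the bytes that later reach the firmware are exactly the bytes that were reviewed; a tool that regenerates the structure at install time can silently produce a different device path.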

pcie_injector – PCIe Injector Gateway – based on Xilinx Artix7 FPGA and FTDI USB FT601 chip


PCIe Injector Gateware

The PCIe bus is now the main high-speed communication bus between a processor and its peripherals. It is used in all PCs (sometimes encapsulated in Thunderbolt) and now even in mobile phones. Doing security research on PCIe systems can require very expensive tools (>$50k), and packet generation is not a common feature of such tools. PCIe Injector provides such a tool at a more reasonable price. Currently, only a few attacks have been made on PCIe devices. Most of them were done using a MicroBlaze inside a Xilinx FPGA to send/receive the TLPs, making it hard to really analyze (using embedded C software to generate/analyze traffic). Another way is to use the USB3380 chip, but it is also not flexible enough (only supporting 32-bit addressing) and does not allow debugging the PCIe state machine.

The PCIe Injector is based on an Artix7 FPGA from Xilinx connected to DDR3 and a high-speed USB 3.0 FT601 chip from FTDI. It allows:
* Having full control of the PCIe core.
* Sending/receiving TLPs through USB 3.0 (or buffering them to/from DDR3)
* Using flexible software/tools on the host for receiving/generating/analyzing the TLPs (Wireshark dissectors, scapy, …)

https://github.com/enjoy-digital/pcie_injector
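The packets such a tool generates are Transaction Layer Packets, and the first thing a host-side script needs is a correct header. As an added example (not pcie_injector's code, which drives the FPGA over USB), here is an encoder and decoder for Memory Read and Memory Write request TLPs following the PCIe base specification's header layout: DW0 carries Fmt/Type/TC/Attr/Length, DW1 the Requester ID, Tag and byte enables, then one address DW for 32-bit addressing or two for 64-bit. It also handles the two rules that trip up hand-built packets: a Length field of 0 means 1024 DW, and the Last DW byte enables must be zero for a single-DW request. The sample addresses and IDs are constructed.

```python
"""PCIe Memory Request TLP header encoder/decoder (added example, not pcie_injector)."""
import struct

FMT_3DW, FMT_4DW = 0b000, 0b001      # header without data, 32-/64-bit address
FMT_DATA = 0b010                     # OR'd in when the TLP carries a payload
TYPE_MEM = 0b00000


def build_mem_request(addr, length_dw, requester_id, tag, write_data=None,
                      first_be=0xF, last_be=0xF, tc=0):
    """MRd (or MWr when write_data is given) request, header DWs in big-endian wire order."""
    if not 1 <= length_dw <= 1024:
        raise ValueError("Length is a 10-bit field: 1..1024 DW (1024 is encoded as 0)")
    if addr & 0x3:
        raise ValueError("TLP addresses are DW aligned; use byte enables for sub-DW access")
    is_64 = addr >= 1 << 32
    fmt = (FMT_4DW if is_64 else FMT_3DW) | (FMT_DATA if write_data is not None else 0)
    if length_dw == 1:
        last_be = 0                  # spec: Last DW BE must be 0000 for single-DW requests
    dw0 = (fmt << 29) | (TYPE_MEM << 24) | ((tc & 7) << 20) | (length_dw & 0x3FF)
    dw1 = (requester_id << 16) | (tag << 8) | (last_be << 4) | first_be
    pkt = struct.pack(">II", dw0, dw1)
    if is_64:
        pkt += struct.pack(">II", addr >> 32, addr & 0xFFFFFFFC)   # high DW first
    else:
        pkt += struct.pack(">I", addr & 0xFFFFFFFC)
    if write_data is not None:
        if len(write_data) != 4 * length_dw:
            raise ValueError("payload must be exactly length_dw DWs")
        pkt += write_data
    return pkt


def parse_tlp(pkt):
    """Decode a memory request TLP back into its fields."""
    dw0, dw1 = struct.unpack_from(">II", pkt, 0)
    fmt = dw0 >> 29
    has_data, is_64 = bool(fmt & 0b010), bool(fmt & 0b001)
    length = dw0 & 0x3FF or 1024
    if is_64:
        hi, lo = struct.unpack_from(">II", pkt, 8)
        addr, off = (hi << 32) | (lo & 0xFFFFFFFC), 16
    else:
        addr, off = struct.unpack_from(">I", pkt, 8)[0] & 0xFFFFFFFC, 12
    return {
        "kind": "MWr" if has_data else "MRd",
        "addr_bits": 64 if is_64 else 32,
        "type": (dw0 >> 24) & 0x1F, "tc": (dw0 >> 20) & 7, "length_dw": length,
        "requester_id": dw1 >> 16, "tag": (dw1 >> 8) & 0xFF,
        "last_be": (dw1 >> 4) & 0xF, "first_be": dw1 & 0xF,
        "addr": addr, "data": pkt[off:off + 4 * length] if has_data else b"",
    }


if __name__ == "__main__":
    # Constructed sample: bus 1 / device 0 / function 0 reads 4 DW from the LAPIC window
    rd = build_mem_request(0xFEE00000, 4, requester_id=0x0100, tag=5)
    print(rd.hex(), parse_tlp(rd))
    wr = build_mem_request(0x1_0000_0000, 1, 0x0100, 6, write_data=b"\xde\xad\xbe\xef")
    print(wr.hex(), parse_tlp(wr))
```

A DMA-attack tool spends most of its time issuing exactly these MRd requests for physical memory and matching the Completion TLPs by Tag; the Requester ID is what the root complex checks against IOMMU tables, so an injector that can set it freely is also a convenient way to test whether a platform's DMA protection is actually enforced.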

http://www.enjoy-digital.fr/

http://pcisig.com/

ps4-namedobj-exploit: Playstation 4 Kernel Exploit

https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/

https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit

https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md

A fully implemented kernel exploit for the PS4 on 4.05FW. In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as the kernel, to allow jailbreaking and kernel-level modifications to the system. This release, however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receipt.


oppo_decrypt – Oppo/Oneplus .ops Firmware decrypter

oppo_decrypt – Oppo/Oneplus .ops Firmware decrypter

Tested with "MSMDownloadTool V4.0" for Oneplus 5, Frida 10.4 and Windoze
backdoor.py : Enables hidden "readback" functionality
decrypt.py : Decrypts any part of the firmware
Based on Frida.re and Python 3.6
Windows only, sorry folks!
Oneplus 5 QD-Loader decryption: python decrypt.py "MsmDownloadTool V4.0.exe" 0 0x92880
Enable readback mode: python backdoor.py "MsmDownloadTool V4.0.exe"

https://github.com/bkerler/oppo_decrypt

http://www.oppo.com/
https://oneplus.net/


dump_avb_signature: dump/verify Android Verified Boot signature hash

Dump/Verify Android Verified Boot Signature Hash
For researching Android Verified Boot issues
To exploit TZ image verification 🙂

python verify_signature.py boot.img

Issues: Might not work with AVB Version 2.0 or higher

https://github.com/bkerler/dump_avb_signature
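Where that signature lives and what it covers, as an added example (not dump_avb_signature's code): in the v1 scheme the signature is a DER blob appended after the page-aligned header, kernel, ramdisk and second-stage sections of boot.img, and the signed message is that page-aligned image followed by the DER AuthenticatedAttributes (target name and length). This example parses the boot image header v0 fields to compute where the image ends, hashes that region with SHA-256 (the digest used by the SHA256withRSA signatures there) and returns whatever trails it; it does not decode the DER itself. The sample image, its section contents and the two-byte trailer are constructed in memory.

```python
"""Locate the region an Android Verified Boot v1 signature covers (added example)."""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr v0: magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size (remaining fields not needed here)
HEADER_FMT = "<8s8I"


def page_align(n, page):
    return (n + page - 1) // page * page


def signed_image_length(img):
    """Bytes from the start of boot.img up to the end of the second-stage section."""
    magic, ksz, _, rsz, _, ssz, _, _, page = struct.unpack_from(HEADER_FMT, img, 0)
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    if page == 0 or page & (page - 1):
        raise ValueError("page_size must be a power of two")
    return page + sum(page_align(s, page) for s in (ksz, rsz, ssz))


def split_signature(img):
    """Return (sha256 hex of the signed image region, trailing bytes after it)."""
    n = signed_image_length(img)
    if n > len(img):
        raise ValueError("header section sizes exceed the file length")
    return hashlib.sha256(img[:n]).hexdigest(), img[n:]


def make_sample_image(page=2048, kernel=b"K" * 3000, ramdisk=b"R" * 100, trailer=b""):
    """Constructed boot.img: one header page, padded kernel and ramdisk, optional trailer."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000,
                      len(ramdisk), 0x11000000, 0, 0x10F00000, 0x10000100, page)
    img = hdr.ljust(page, b"\x00")
    for section in (kernel, ramdisk):
        img += section.ljust(page_align(len(section), page), b"\x00")
    return img + trailer


if __name__ == "__main__":
    sample = make_sample_image(trailer=b"\x30\x82")   # a DER SEQUENCE would start this way
    digest, blob = split_signature(sample)
    print(signed_image_length(sample), digest, blob.hex())
```

The useful property for research is that anything after the computed length is not covered by the image hash: a flashed boot.img whose trailer has been swapped still hashes identically up to that point, which is why a verifier must also bind the AuthenticatedAttributes length to the real file size rather than trusting the header alone.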