Happy to announce that you now can find the lecture notes for my Hardware and Embedded Systems Security course online, including tex sources: https://t.co/XkufWUU4Ra

— David Oswald (@sublevado) January 20, 2020

These are my notes for an introductory lecture covering efficient implementation as well as implementation attacks (side channels, faults). It is by far not completely covering this much more complex field, but should give a decent overview and pointers for further reading.

https://github.com/david-oswald/hwsec_lecture_notes

https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.uqdo8h

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html

https://software.intel.com/security-software-guidance/software-guidance

Acknowledgements: Intel would like to thank the following individuals for finding, reporting and coordinating these vulnerabilities to us. Intel thanks TU Graz and KU Leuven for disclosure of CVE-2020-0549. Graz University of Technology: Moritz Lipp, Michael Schwarz, Daniel Gruss. KU Leuven: Jo Van Bulck. Intel thanks VU Amsterdam, for disclosure of CVE-2020-0548 and CVE-2020-0549. VUSec group at VU Amsterdam: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida. Researchers from TU Graz and Ku Leuven provided Intel with a Proof of Concept (POC) in May 2019 and researchers from VU Amsterdam provided Proof of Concept (POC) in October 2019. Intel subsequently confirmed each submission demonstrates CVE-2020-0549 individually.

https://cacheoutattack.com/

Finally, the disclosure is over! We present CacheOut, a new speculative execution attack to leak data on Intel CPUs via cache eviction despite current mitigations: https://t.co/ruHkCY2eiQ #intel #cacheout #l1des @MarinaMinkin, Andrew Kwong, Daniel Genkin and @yuvalyarom

— Stephan van Schaik (@themadstephan) January 27, 2020

Just published a blog on INTEL-SA-00329 concerning L1D Eviction Sampling. This vulnerability has little to no impact in virtual environments that have applied L1 Terminal Fault mitigations. https://t.co/4SD1GXHOI6

— Jerry Bryant (@jerry_Intel) January 27, 2020

There’s a project which collects ACPI tables from Microsoft Surface devices. It appears to be a Linux distro for Surface, unclear how they’re being used.

https://github.com/linux-surface/acpidumps

See-also:
https://github.com/linux-surface/surface-ipts-firmware
https://github.com/linux-surface/surface-firmware

I wish OEMs had hashes for the ACPI tables they ship. I wish FWTS or CHIPSEC or someone else had some security-centric test tool that’d examine these ACPI tables for malware. There is this tool:
https://firmwaresecurity.com/2019/11/09/acpi-rootkit-scan-volatility-plugin-to-detect-acpi-rootkits/
And there’s also a collection of ACPI tables on:
https://firmwaresecurity.com/2019/12/31/acpi-tables-collection-of-acpi-tables-generated-by-linux-hardware-databases-hw-probe-tool/

Mortar is an attempt to take the headache and fragmented processes out of joining Secureboot, TPM keys, and LUKS. Through the “Mortar Model” everything on disk that is used is either encrypted, signed, or hashed. The TPM is used to effectively whitelist certain boot states. Disks are automatically unlocked once the boot sequence has been validated. This makes full-disk encryption dramatically more convenient for end-users and viable on servers (as they can automatically unlock on reboot). Mortar aims to support both TPM 1.2 (via its own implementation) and TPM 2 (via clevis). LUKS1 and LUKS2 are both supported by intelligently selecting different implementation paths based on your current setup. Mortar aims to be distribution agnostic. Initial developments are on Arch Linux and Debian Linux.

https://github.com/noahbliss/mortar

Google has a new (or updated?) white paper on Enterprise Android, with mention of Verified Boot, and other Android security features:

https://www.blog.google/products/android-enterprise/security-whitepaper/

Fifty shades darker: no safe wor(l)d in SMM by @BrunoPujos https://t.co/H8TDjIzsiX

— Synacktiv (@Synacktiv) January 14, 2020

Written by Bruno – 2020-01-14

Last summer, I finally started reversing the firmware of a computer I had since quite some times: a Lenovo ThinkPad P51s.[…]The problem of calling this function from SMM is that the EFI_BOOT_SERVICES is a table of services located in the normal world. An attacker can simply change the address in the EFI_BOOT_SERVICES table and get an arbitrary call. This type of vulnerability is usually named a callout of SMRAM and they are basically equivalent to calling userland code from kernelland.[…]

https://www.synacktiv.com/posts/exploit/through-the-smm-class-and-a-vulnerability-found-there.html

Intel has released 6 new security advisories:

SNMP Subagent Stand-Alone Advisory for Windows INTEL-SA-00300
Chipset Device Software Advisory INTEL-SA-00306
RWC 3 for Windows Advisory INTEL-SA-00308
Processor Graphics Advisory INTEL-SA-00314
VTune Amplifier for Windows Advisory INTEL-SA-00325
DAAL Advisory INTEL-SA-00332

And a blog post about it:

https://blogs.intel.com/technology/2020/01/ipas-security-advisories-for-january-2020-2/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+IntelTechnology+%28Technology%40Intel%29&utm_content=FeedBurner#gs.snb2i7

https://www.intel.com/content/www/us/en/security-center/default.html

https://www.us-cert.gov/ncas/current-activity/2020/01/14/intel-releases-security-updates

Grubkit is a demonstration of a very simple trick to deploy your own bootkit on a system that boots with GRUB. The trick is simply to use your own code as the init parameter to the kernel, fork, start systemd as normal and you’re done! PSTree did not detect my bootkit when I did this. Seems like a good and simple method.[…]

https://github.com/mgrube/GRUBKit

Announcing Haybale, a symbolic execution engine for LLVM IR written in @rustlang. Haybale can analyze programs written in C/C++, Rust, or any other language which compiles to LLVM IR. Working on this has been great fun, and I'm excited to release 0.1.0!https://t.co/zzTUI6JrIJ

— Craig Disselkoen (@craigdissel) November 25, 2019

Haybale version 0.2.0 is out! Now with support for:

– LLVM 9
– LLVM extractvalue, insertvalue, invoke, resume, and landingpad instructions
– C++ exceptions
– Rust panics

Plus, now analyze C++ and Rust code using demangled function names!https://t.co/fr3AsKbR54

— Craig Disselkoen (@craigdissel) January 9, 2020

haybale is a general-purpose symbolic execution engine written in Rust. It operates on LLVM IR, which allows it to analyze programs written in C/C++, Rust, Swift, or any other language which compiles to LLVM IR. In this way, it may be compared to KLEE, as it has similar goals, except that haybale is written in Rust and makes some different design decisions. That said, haybale makes no claim of being at feature parity with KLEE.

https://github.com/PLSysSec/haybale

I am glad to announce that we released the source code of KARONTE at https://t.co/4K9z1qAfNd. Our tool tracks information data-flow across the different components of a firmware and finds vulnerabilities. Our paper can be found at https://t.co/DbiT671joS

— Nilo Redini (@badnack) December 17, 2019

The github project site has a link to a 3.3 gigabyte dataset hosted on Google Drive, as well…

https://github.com/ucsb-seclab/karonte

Click to access karonte.pdf

UEFI modules analysing with BinDiff IDA pluginhttps://t.co/vXeP21hHKb

— Nicolas Krassas (@Dinosn) January 11, 2020

https://yeggor.github.io/UEFI_BinDiff/

https://github.com/yeggor/UEFI_BinDiff

The UEFI Forum usually runs 2 plugfest events per year, one in Seattle and one in Asia. This year, it appears that it won’t be in Seattle but rather in Portland.

Where: Embassy Suites by Hilton Portland in Hillsboro, Oregon
When: March 30 – April 3, 2020

More info:

https://uefi.org/Spring2020Plugfest

https://twitter.com/ellbrid/status/1213854693069225984

Krabs is working on booting vmlinux and ELF kernels on legacy 32-bit PCs and is under the development. Krabs also aims to support only the minimal Linux boot protocol. This allows you to specify the kernel command line and manipulate the behavior of the kernel at boot time. Another feature is that in order to save space, the ELF format kernel is compressed using bzip2 before use and uses libbzip2 library for decompressing.
[…]Krabs is an experimental x86 bootloader written in Rust. Krabs can boot the ELF formatted kernel which compressed with bzip2. Krabs decompresses the bz2 image and relocate the ELF image, then boot the kernel. Some of the source code uses libbzip2 C library for decompressing, but the rest is completely Rust only.

https://github.com/ellbrid/krabs

Executing custom Option ROM on D34010WYK and persisting code in UEFI Runtime Services https://t.co/VdZ7917Qaq

— Anderson Nascimento (@andersonc0d3) January 5, 2020

In this post we’ll explore running unsigned Option ROM code on an Intel D34010WYK NUC, solely for testing purposes. We will verify that unsigned/unverified Option ROM code is not run when UEFI Secure Boot is enabled. We will demonstrate how to persist code at runtime using UEFI Runtime Services, and use a small signalling protocol to allow an unprivileged userland process to fake the contents of UEFI variables such as the SecureBoot variable.[…]

https://casualhacking.io/blog/2020/1/4/executing-custom-option-rom-on-nucs-and-persisting-code-in-uefi-runtime-services

Reverse engineering UEFI firmware updaterhttps://t.co/WKWOqXyY6A

— Nicolas Krassas (@Dinosn) January 5, 2020

[…]I wanted to reverse engineer the UEFI code running on my own laptop (a Lenovo Y520-15IKBN). To do this, I will first need to obtain the firmware. This should be extractable from a firmware update, so I downloaded the firmware updater from the Lenovo support site.[…]I extracted the contents of the flash ROM with UEFIExtract in the new_engine branch of UEFITool. This resulted in a folder containing over 300 PE images. One of them sounded interesting: SecureBackDoorPeim, but I think this blog post is long enough, so it may be the topic of another post.[…]

https://redfast00.github.io/12-31-2019/reverse-engineering-uefi.html

New blog post. ARM hardware bug. In the specification.https://t.co/nUDLGmuMQb

— @siguza@infosec.space (@s1guza) January 7, 2020

CPUs these days have a feature that prevents inadvertent memory accesses from the kernel to userland memory. Intel calls this feature “SMAP” (Supervisor Mode Access Prevention) while ARM calls it “PAN” (Privileged Access Never). Apple’s A10 chips and later have this feature,[…]

https://siguza.github.io/PAN/

My latest little 1-day project: generating a Z3 SAT model of x86 intrinsics from Intel's documentation. This can help prove SIMD code correct, find lookup table values, etc. https://t.co/9LHTdr5wk6

— Zach Wegner (@zwegner) December 17, 2019

This is a rudimentary attempt to build an autogenerated formal-ish model of x86 intrinsics by interpreting Intel’s instruction pseudocode, transforming it into a model for Z3.

https://github.com/zwegner/x86-sat