Passmark’s memtest86 issues [with Minnowboards]

September 4, 2017 ~ hucktech ~ Leave a comment

You might want to re-run memtest on some machines before discarding systems as broken. Some Minnowboards were failing memory tests. Intel looked into it and says:

We have tracked down the issue and found that memtest86 tool is using a function call with rare but legitimate NULL value which causes memory test failure.
Currently we are working to update BIOS firmware with fix to prevent this memory test function call failure from memtest86 tool.
Again this is protocol interface issue between memtest86 and our FW driver, there is no hardware issue found with memory on Minnowboard.

See elinux-minnowboard thread for details:

https://www.memtest86.com/troubleshooting.htm

https://www.memtest86.com/technical.htm

http://lists.elinux.org/pipermail/elinux-minnowboard/Week-of-Mon-20170828/thread.html

Dmitry on macOS and external USB drives

September 4, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/nedos/status/904579391195414528

https://twitter.com/nedos/status/904284980632748032

http://www.grivet-tools.com/blog/2016/target-disk-mode-firmware-password/

dbxparser: PowerShell script to parse UEFI DBX blacklist

September 3, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/mattifestation/status/904401354256334849

dbxparser.ps1 is a PowerShell script that: dumps SHA256 hashes of blacklisted UEFI bootloaders from the ‘dbx’ UEFI variable.

Darn, Github chokes on Github Gist URLs. Remove the 3 spaces from the below URL, or click on the above Tweet.

https:// gist. github. com/mattifestation/991a0bea355ec1dc19402cef1b0e3b6f

Oracle kills off SPARC/Solaris

September 3, 2017 ~ hucktech ~ Leave a comment

For those unaware, Oracle laid off ~ all Solaris tech staff yesterday in a classic silent EOL of the product. https://t.co/ibs2REGRmj

— Simon Phipps (@webmink) September 2, 2017

If you haven't started moving off Solaris/SPARC years ago it's definitely time to start now.

— John Bellone (@johnbellone) September 3, 2017

https://www.theregister.co.uk/2017/08/31/oracle_stops_prolonging_inevitable_layoffs/

https://www.thelayoff.com/t/P23GpT5

https://www.thelayoff.com/t/P2twa2w

MEAnalyzer 1.18.0 released

September 3, 2017 ~ hucktech ~ Leave a comment

ME Analyzer v1.18.0 adds IFWI support & unpacking, BPDT parsing & region display, ME 12.0 CNP support & other fixes https://t.co/Snttp8fULE pic.twitter.com/qWEHOiMIPZ

— Plato Mavropoulos (@platomaniac) September 1, 2017

https://github.com/platomav/MEAnalyzer

SlickEdit bindings for UEFI

September 3, 2017 ~ hucktech ~ Leave a comment

If you use the SlickEdit editor, there is some support for UEFI here:

https://github.com/wujingbo/SlickEdit-2013-for-edk2

https://hackmd.io/s/HkLsi7Qge#

https://www.slickedit.com/

static analysis of Linux kernel

September 3, 2017 ~ hucktech ~ Leave a comment

Colin has a new blog post about static source analysis of the Linux kernel:

Static analysis on the Linux kernel
There are a wealth of powerful static analysis tools available nowadays for analyzing C source code. These tools help to find bugs in code by just analyzing the source code without actually having to execute the code. Over that past year or so I have been running the following static analysis tools on linux-next every weekday to find kernel bugs: cppcheck, smatch, sparse, clang scan-build, CoverityScan, and The latest gcc. Typically each tool can take 10-25+ hours of compute time to analyze the kernel source; fortunately I have a large server at hand to do this. The automated analysis creates an Ubuntu server VM, installs the required static analysis tools, clones linux-next and then runs the analysis. The VMs are configured to minimize write activity to the host and run with 48 threads and plenty of memory to try to speed up the analysis process.[…]

http://smackerelofopinion.blogspot.com/2017/09/static-analysis-on-linux-kernel.html

SisyphOS: UEFI-based Rust kernel

September 3, 2017 ~ hucktech ~ Leave a comment

sisyphos-kernel-uefi-x86_64: UEFI-based Rust kernel

A Rust kernel running on bare UEFI (no separate bootloader). Very early stage. Basically, the eventual goal is to build a non-opinionated microkernel that can load regular ELF64 programs as kernel “modules”. Actually, just fairly conventional processes, except running in kernel space (they are assumed to be written in Rust and reproducible, so that hardware protections are unnecessary, similar but unrelated to Microsoft’s Singularity project). The core micro/nano/whateverkernel will link up the loaded applications with a builtin dynamically linked library that exposes its functionality, moving the responsibility for higher-level problems (such as syscalls) into these loadable binaries, and also allowing simple emulation without virtualization for debugging purposes.[…]

https://github.com/le-jzr/sisyphos-kernel-uefi-x86_64
https://github.com/le-jzr/sisyphos-kernel-uefi-x86_64/wiki/Random-notes

Attify’s Firmware Analysis Toolkit and AttifyOS VM

September 3, 2017 ~ hucktech ~ Leave a comment

Attify has a Firmware Analysis Toolkit (FAT). Apparently they include a pre-built version of it in their AttifyOS VM, and use it in their IoT training:

Firmware Analysis Toolkit: FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware. This is built in order to use for the “Offensive IoT Exploitation” training conducted by Attify. As of now, it is simply a script to automate Firmadyne which is a tool used for firmware emulation. In case of any issues with the actual emulation, please post your issues in the firmadyne issues.

Attify OS – Distro for pentesting IoT devices: Instead of spending time installing, configuring and setting up various tools required for IoT pentesting, here is a pre-made distro for you containing the tools that would come handy during any Internet of Things Security Assessment or Penetration testing.

From training site:
Firmware analysis: IoT devices and embedded systems run on firmware, which often hold a lot of secrets and sensitive information. This module will help you analyze and extract firmware, thus helping you identify vulnerabilities in the firmware for IoT devices. We will also look at firmware emulation using FAT, a custom tool built by Attify with which you can emulate firmware and perform all sorts of “non-hardware” based attacks. The tool is fully scriptable and hence can be modified and used according to your preference. You also get access to the API, which will allow you to use the tool for your own further research.

https://github.com/attify/firmware-analysis-toolkit
http://tinyurl.com/attifyos
https://www.attify.com/
Offensive IoT Exploitation
https://github.com/adi0x90/attifyos (unsure if this official or not)

Microsoft Surface seeks UEFI engineer

September 2, 2017 ~ hucktech ~ Leave a comment

Senior Embedded Software Firmware Engineer- Surface

The Surface development team is seeking a talented software development engineer with a strong systems background and experience with hardware and firmware interaction. Job responsibilities will encompass designing and coding drivers, tools and firmware across various technologies in Surface devices within the Surface team as well as with partners to deliver high quality products to market.

A few of the Qualifications:

“High tolerance to ambiguity and ability make progress in the face of it.”

“Ability to quickly ramp-up on complex and unfamiliar code.”

https://careers.microsoft.com/jobdetails.aspx?jid=283564&job_id=1044422

PS: I recently briefly used a Surface Book, USB stopped working after 2 days of use, the only way to get it to work again was to disable UEFI Secure Boot and TPM support. I was expecting a lot more from the modern Microsoft w/r/t hardware QA. I hope the Microsoft OEM unit is also hiring STEs…

CHIPSEC adds RWEverything support on Windows

September 2, 2017 ~ hucktech ~ Leave a comment

https://github.com/chipsec/chipsec/commit/60504da1bc06288ea632378f17e60a0d7df99471

“Use RWE/windows helpers when the corresponding driver is present.”

So, for any defending Windows systems, all of the CHIPSEC caution in WARNING.txt against the CHIPSEC HAL driver should also be applied to the RWEverything driver, “C:\Windows\System32\drivers\RwDrv.sys”.

https://github.com/chipsec/chipsec/blob/master/drivers/win7/readme

RWEverything license excerpt:

This utility comes with ABSOLUTELY NO WARRANTY, it allows you to modify hardware settings, this may damage your system if something goes wrong. Author will not take any responsibility about that, you are on your own risk. This utility should not be used in commercial or consumer products.

Home

coreboot and Intel ME

September 2, 2017 ~ hucktech ~ Leave a comment

INTEL_CHIPSET_LOCKDOWN upstreamed in #coreboot https://t.co/ra484ZaNdR Thanks @coreboot_org community!

— Hardened-GNU/Linux (@hardenedlinux) August 31, 2017

Coreboot now locks down Intel HW with this fix https://t.co/8rHARupuru Ref: https://t.co/4ZcMMaqTjO (slides 42-43) & https://t.co/pG8nUjRdQQ pic.twitter.com/OPnw6MCvca

— Yuriy Bulygin (@c7zero) September 2, 2017

Should make sure MSR_LT_LOCK_MEMORY[0] is set (coreboot/src/soc/intel/skylake/include/soc/msr.h). Will add a module checking it in @CHIPSEC

— Yuriy Bulygin (@c7zero) September 2, 2017

https://www.coreboot.org/

CVE-2017-3753: AMI Lenovo UEFI SMM vulnerability

September 2, 2017September 2, 2017 ~ hucktech ~ Leave a comment

Lenovo says scope of AMI issue is “Industry-Wide”, which implies that other Intel/AMI-based OEMs may also have this issue, not just Lenovo.

BIOS SMI Handler Input Validation Failures
CVE Identifier: CVE-2017-3753
Lenovo Security Advisory: LEN-14695
Severity: High
Scope of Impact: Industry-Wide
Last Modified: 08/09/2017

Potential Impact: Execution of code in SMM by an attacker with local administrative access

A vulnerability has been identified in some Lenovo products that use UEFI code developed by AMI. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.

Security-conscious users should consider the following mitigation steps if an immediate BIOS update is not possible to protect themselves to the fullest extent with the understanding that they DO NOT fix or fully protect against an exploit of this vulnerability:

* Enable Secure Boot on your system
* Disable the boot to UEFI shell
* Disable boot from any source but the primary internal hard drive
* Set a BIOS setup password, so Secure Boot cannot be disabled and the boot to the UEFI shell cannot be re-enabled
* Operate as an unprivileged (non-administrator)

https://nvd.nist.gov/vuln/detail/CVE-2017-3753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3753
https://support.lenovo.com/us/en/product_security/len-14695
AFAICT nothing on the AMI site on this.

Anti-disassembly on ARM with IDA

August 31, 2017 ~ hucktech ~ Leave a comment

Anti-disassembly instruction on ARM #MobileSecurity https://t.co/m8ITpJ2KZ1

— Mobile Security (@mobilesecurity_) August 30, 2017

[…]So what else is cool about this is, this is just one combination of invalid bytes that creates a PLD instruction the processor can ingest. There’s all sorts of combinations that will cause this same thing to happen

https://kbdsmoke.me/anti-disassembly-on-arm-ida-specifically/

FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution

August 31, 2017 ~ hucktech ~ Leave a comment

My paper "FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution" will be appearing at CCS'17 https://t.co/3YL1GRfLbw

— Grant H (@Digital_Cold) August 31, 2017

FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution
Grant Hernandez, Farhaan Fowze, Dave (Jing) Tian, Tuba Yavuz, Kevin R. B. Butler
(Submitted on 30 Aug 2017)

The USB protocol has become ubiquitous, supporting devices from high-powered computing devices to small embedded devices and control systems. USB’s greatest feature, its openness and expandability, is also its weakness, and attacks such as BadUSB exploit the unconstrained functionality afforded to these devices as a vector for compromise. Fundamentally, it is virtually impossible to know whether a USB device is benign or malicious. This work introduces FirmUSB, a USB-specific firmware analysis framework that uses domain knowledge of the USB protocol to examine firmware images and determine the activity that they can produce. Embedded USB devices use microcontrollers that have not been well studied by the binary analysis community, and our work demonstrates how lifters into popular intermediate representations for analysis can be built, as well as the challenges of doing so. We develop targeting algorithms and use domain knowledge to speed up these processes by a factor of 7 compared to unconstrained fully symbolic execution. We also successfully find malicious activity in embedded 8051 firmwares without the use of source code. Finally, we provide insights into the challenges of symbolic analysis on embedded architectures and provide guidance on improving tools to better handle this important class of devices.

https://arxiv.org/abs/1708.09114

Genode 17.08 adds UEFI support

August 31, 2017 ~ hucktech ~ Leave a comment

New Genode 17.08 release brings awesome GPU work! You can now play hw-accelerated Quake on various Microkernels https://t.co/F4kF6h80E1 https://t.co/a1dTdoP42T

— Adrian Rueegsegger (@Kensan42) August 30, 2017

17.08 brings Intel-Gen8 GPU multiplexer and OpenGL support, #sel4 6.0 ARM/x86_64, UEFI support, non-blocking VFS https://t.co/sTYQ0KZGFP

— Genode Labs (@GenodeLabs) August 30, 2017

“Analogously to our work on the seL4 and NOVA kernels in this release, we extended our base-hw kernel to become a Multiboot2 compliant kernel. When used together with GRUB2, it can be started on x86 UEFI machines missing legacy BIOS support (i.e., CSM).”

https://genode.org/documentation/release-notes/17.08

new Apple tools: eficheck (and nvm)

August 31, 2017 ~ hucktech ~ 1 Comment

Apple has apparently created a tool for examining Apple Mac EFI firmware, called eficheck. As I understand things, it was released, then pulled due to some issues (bugs?), and is apparently now avabilable in latest macOS updates. Also, it sounds like there might be another tool for NVMe diagnostics.

It returned in 10.13 b5 after showing up on and off in earlier 10.12 betas: /usr/libexec/firmwarecheckers

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) August 14, 2017

https://twitter.com/al3xtjames/status/874764154745368576

usage: eficheck: [–save -b] [ –cleanup -b] [–generate-hashes [-b] [-p]] [–integrity-check [-h [-b]]] [–show-hashes [-h] | [-b]]

Apple’s eficheck…

https://www.apple.com/macos/sierra/
https://en.wikipedia.org/wiki/MacOS_High_Sierra
https://www.macrumors.com/roundup/macos-10-13/

eficheck

Maybe someday there’ll be more info on eficheck, if you find any manpage or other info, please leave a Comment.
https://www.apple.com/us/search/eficheck
https://twitter.com/search?q=eficheck&src=typd

Google Pawn: Intel firmware dumping tool!

August 30, 2017 ~ hucktech ~ Leave a comment

We ultimately went a different route, so I just released this code to extract #UEFI firmware: https://t.co/gIM2QywXEO

— Christian Blichmann 🇺🇦 @AdmVonSchneider@infosec (@AdmVonSchneider) August 30, 2017

Exciting, Google has a new tool that helps dump the UEFI/BIOS into a rom.bin, like FlashROM and CHIPSEC! Pawn is written in C++/C, Apache-licensed, requires Linux and GCC toolchain. Given 2014-2017 copyright, it has been around for YEARS, only went public 3 months ago, and I just noticed it today. See below, I am still looking for “Bishop”…

Pawn BIOS Dumping Tool
Copyright 2014-2017 Google Inc.
Disclaimer: This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.
Pawn is a tool to extract the BIOS firmware from Intel-based workstations and laptops. The name is a play on an internal tool that is also named after a chess piece.
[…]
sudo .build/pawn bios_image.bin
You can then use other tools like UEFITool to process the firmware image further.

https://github.com/google/pawn

What/where is Pawn’s companion utility, Bishop?? From pawn.cc comments:

Pawn, a companion utility to Bishop (go/bishop) to extract BIOS firmware from corp machines.

If you find it, please leave a Comment.

https://github.com/google?utf8=%E2%9C%93&q=Bishop&type=&language=

https://github.com/search?q=topic%3Afirmware-tools+org%3Agoogle&type=Repositories

FWTS 17.08.00 released, many new ACPI tests

August 30, 2017 ~ hucktech ~ Leave a comment

FWTS 17.08.00 is released. New Features:

* ACPICA: Update to version 20170728
* New ACPI tests defined by ACPI 6.2
* acpi: sdei: add ACPI SDEI test (mantis 1714)
* acpi: pcct: refactor subspace to individual functions
* acpi: pcct: update PCCT table to ACPI 6.2 (mantis 1659 & 1755)
* acpi: dppt: add ACPI DPPT test (mantis 1795)
* acpi: pptt: add ACPI PPTT test
* acpi: hmat: add ACPI HMAT test (mantis 1705)
* acpi: method: add _LSI test according to ACPI 6.2 (mantis 1721)
* acpi: madt: Add support for ACPI 6.2
* New tests for SBBR
* acpi: fadt: add SBBR compliance tests
* acpi: madt: add SBBR compliance tests
* acpi: spcr: add SBBR compliance tests
* acpi: xsdt: add SBBR compliance tests
* acpi: dbg2: add SBBR compliance tests
* acpi: gtdt: add SBBR compliance tests
* acpi: acpitables: add SBBR compliance tests
* dmi: dmicheck: add SBBR compliance tests
* acpi: method: add SBBR compliance tests
* acpi: rsdp: add SBBR compliance tests
* acpi: sbbr: sync up with new SBBR tests

http://fwts.ubuntu.com/release/fwts-V17.08.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/17.08.00
https://launchpad.net/ubuntu/+source/fwts

ME_Cleaner updated to set HAP bit

August 30, 2017 ~ hucktech ~ Leave a comment

Me-cleaner commit after our paper. Good job!!!https://t.co/f9GGCPd8wn

— Maxim Goryachy (@h0t_max) August 28, 2017

UNTESTED: Set the HAP bit:
Positive Technologies discovered the presence of an undocumented HAP bit in the PCHSTRP0 field of the descriptor which, when set to 1, disables completely Intel ME just after the initialization. This is confirmed both by an analysis of the status of Intel ME after the setting of the bit and by reverse engineering the BUP module.

https://github.com/corna/me_cleaner/commit/350903a695851dda20b2be5d6099b58e377653b7

https://github.com/corna/me_cleaner

PTSecurity on Intel ME