https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20workshops/
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/
See-also:
Author: hucktech
Brian on UEFI security
Brian Richardson of Intel recently gave a talk about UEFI security at BSides Asheville, NC. Slides are on the below blog URL:
What you don’t know about firmware might get you 0wn3d
Following firmware developers on social media during Black Hat & Def Con can be a bit bewildering. Firmware is becoming more important in the realm of cybersecurity research. Most of the work I do is working with other firmware developers to make sure they understand current capabilities and trends, but that work may take months or years to hit the market. The people on the front lines of computer security need some understanding of what they can do today to help secure their systems. While many of my colleagues spent a very hot and crowded week in Las Vegas, I had a much cooler weekend at the Bsides conference in Asheville, NC. My “What you don’t know about firmware might get you 0wn3d” presentation is designed to describe the importance of firmware in computer security, and what can be done today to mitigate and detect common attacks against firmware. There are practical methods to prevent a number of common bootkit/rootkit attacks, platform security features to consider when purchasing new systems, and responsible ways to research firmware issues.[…]
CrowdStrike seeks UEFI/hypervisor researcher
Researcher – Strategic Research Initiatives (SRI):
As the core research and development arm of the CrowdStrike Falcon product, the Strategic Research Initiatives (SRI) Team is at the forefront of cutting-edge research into security-related systems and techniques. The team strives to deliver cross-platform features for mid to long-term, visionary projects that expand the capabilities of Falcon Sensor. New EDR techniques and data sources, UEFI/Hypervisor capability, PnP and network stack visibility, containerization, scripting engine introspection, and emulation/sandboxing are just a few examples of SRI projects.[…]
https://jobs.jobvite.com/careers/crowdstrike/job/oAlo4fw7?__jvst=Job%20Board
cellular baseband vulnerability for Nissan/Infinity/BMW/Ford
Advisory (ICSA-17-208-01)
Continental AG Infineon S-Gold 2 (PMB 8876)
ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Continental AG
Equipment: Infineon S-Gold 2 (PMB 8876)
Vulnerabilities: Stack-Based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer
AFFECTED PRODUCTS: All telematics control modules (TCUs) built by Continental AG that contain the S-Gold 2 (PMB 8876) cellular baseband chipset are affected. The S-Gold 2 (PMB 8876) is found in the following vehicles: <see full announcement for list of Nissan, Infinity, BMW, Ford, etc models.>
An attacker with a physical connection to the TCU may exploit a buffer overflow condition that exists in the processing of AT commands. This may allow arbitrary code execution on the baseband radio processor of the TCU. A vulnerability in the temporary mobile subscriber identity (TMSI) may allow an attacker to access and control memory. This may allow remote code execution on the baseband radio processor of the TCU.
Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk of the Advanced Threat Research Team at McAfee have reported the vulnerabilities.
https://ics-cert.us-cert.gov/advisories/ICSA-17-208-01
https://github.com/HackingThings/Publications/tree/master/2017
https://github.com/HackingThings/CAN-Bus-Arduino-Tool
AMI Intel Boot Guard S3 vulnerability?
Click on the image in the above tweet for more information. Hopefully we’ll see more information about this in the near future…
Betraying the BIOS: slides available
Alex and Yuriy form Eclypsium, Inc.
WOW! I just heard that Alex and Yuriy have left Intel Advanced Threat Research (McAfee) and have started Eclypsium, Inc.
Alex Bazhaniuk is the “Founder and VP of Technology at Eclypsium, Inc.”
Yuriy Bulygin is the “Founder and CEO at Eclypsium, Inc.”
http://www.eclypsium.com/
Twitter: @ABazhaniuk
Twitter: @c7zero/
https://github.com/chipsec/chipsec/blob/master/AUTHORS
MEITools: tools for communicating with Intel ME via MEI (HECI)
Tools for communicating with Intel Management Engine through MEI (HECI)
Zydis: x86/x64 disassembler C library
Zyan Disassembler Engine (Zydis)
Fast and lightweight x86/x86-64 disassembler library.
https://github.com/zyantific/zydis
sandsifter: x86 fuzzer
s a n d s i f t e r : the x86 processor fuzzer
The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor’s instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips. With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.[…]
Intel AMT PoC for CVE-2017-5698
Intel AMT authentication bypass example: This is a Proof-of-Concept code that demonstrates the exploitation of the CVE-2017-5689 vulnerability. It is essentialy a mitmproxy script that simply blanks an Authorization header “response” field. Example usage:
mitmdump -p 8080 -dd –no-http2 -s blank_auth_res
https://github.com/embedi/amt_auth_bypass_poc
Look here for presentation and white paper links:
https://www.embedi.com/news/intel-amt-some-new-stealth-vector-attacks-and-good-old-vulnerabilities
Black Hat Briefings: some presentations available
PreOS Security releases CHIPSEC quickref for SysAdmins
[Disclaimer: I work for PreOS Security.]
CHIPSEC is a suite of dozens of tests/tools/utilities, many of which are strictly for security researchers. Timed with SysAdmin Appreciation Day, PreOS Security has created a 1-page quick reference for CHIPSEC for sysadmins. The below message also mentions an upcoming short ebook for sysadmins:
Currently this quickref is only availble by filling out a form:
https://preossec.com/free+ebook/
on the PreOS Security site, with some opt-in stuff to help the new startup.
PS: PreOS Security has joined the Twitosphere(sp), first post above. And we have a LinkedIn page. Please ‘Follow us’. Thanks!
https://twitter.com/PreOS_Security/
https://www.linkedin.com/company/preos-security
Microsoft launches Windows Bounty Program
Announcing the Windows Bounty Program:
Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection to harden entry points while ensuring the customer experience is seamless. In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.[…]
https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/
CHIPSEC for ARM: to be released at Black Hat
I nearly missed this CHIPSEC announcement in the below Black Hat abstract. Exciting.
Blue Pill for Your Phone
By Oleksandr Bazhaniuk & Yuriy Bulygin
In this research, we’ve explored attack surface of hypervisors and TrustZone monitor in modern ARM based phones, using Google Nexus 5X, Nexus 6P, and Pixel as primary targets. We will explain different attack scenarios using SMC and other interfaces, as well as interaction methods between TrustZone and hypervisor privilege levels. We will explore attack vectors which could allow malicious operating system (EL1) level to escalate privileges to hypervisor (EL2) level and potentially install virtualization rootkit in the hypervisor. We will also explore attack vectors through SMC and other low level interfaces, interactions between TrustZone and hypervisor (EL2) privilege levels. To help with further low level ARM security research, we will release ARM support for CHIPSEC framework and new modules to test issues in ARM based hypervisors and TrustZone implementations, including SMC fuzzer.
https://www.blackhat.com/us-17/briefings.html#blue-pill-for-your-phone
Intel SGX elevation of privilege update
Intel SGX security update for Intel Servers/NUC/ComputeStick. Excerpt of announcement:
Intel ID: INTEL-SA-00076
Product family: Intel Server Systems, NUC, and Compute Stick
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Jul 25, 2017
Intel has released updates that improve the security of Intel® Software Guard Extensions (SGX). The improvement applies to 6th and 7th Generation Intel® Core™ Processor Families, Intel® Xeon® E3-1500M v5 and v6 Processor Families, and Intel® Xeon® E3-1200 v5 and v6 Product Families. This update improves the security of Intel® Software Guard Extensions (SGX) and is strongly recommended. While this firmware update prevents exploitation of the issue on systems running SGX, Intel also provides an SGX Attestation service to allow service providers to know whether clients have the latest security updates. Intel plans to update the SGX Attestation Service response on November 14, 2017. On platforms that have not installed the update, SGX applications using the SGX Attestation Service will begin to receive “out of date” responses from the SGX Attestation Service. Applications using SGX may or may not take action based on this information. If SGX Attestation is used, it may be necessary for applications using SGX to re-provision the platform with an updated SGX platform attestation key after this update is installed. This updated attestation key allows the platform to demonstrate that it is up to date.
Full announcement:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00076&languageid=en-fr
Mac’s Firmware Password
Mac Observer has an article about Apple’s Firmware Password security feature:
Apple on Secure Kernel Extension Loading
https://twitter.com/macOS_adm/status/889901131316559872
https://twitter.com/Contains_ENG/status/889878399195459589
On June 19th, Apple released a document describing how loading secure kernel extensions (.kext) would change with High Sierra and how this would impact enterprise customers.[…]
http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/
https://developer.apple.com/library/content/technotes/tn2459/_index.html
Trust Issues: Exploiting TrustZone TEEs
by Gal Beniamini, Project Zero
Mobile devices are becoming an increasingly privacy-sensitive platform. Nowadays, devices process a wide range of personal and private information of a sensitive nature, such as biometric identifiers, payment data and cryptographic keys. Additionally, modern content protection schemes demand a high degree of confidentiality, requiring stricter guarantees than those offered by the “regular” operating system. In response to these use-cases and more, mobile device manufacturers have opted for the creation of a “Trusted Execution Environment” (TEE), which can be used to safeguard the information processed within it. In the Android ecosystem, two major TEE implementations exist – Qualcomm’s QSEE and Trustonic’s Kinibi (formerly <t-base). Both of these implementations rely on ARM TrustZone security extensions in order to facilitate a small “secure” operating system, within which “Trusted Applications” (TAs) may be executed. In this blog post we’ll explore the security properties of the two major TEEs present on Android devices. We’ll see how, despite their highly sensitive vantage point, these operating systems currently lag behind modern operating systems in terms of security mitigations and practices. Additionally, we’ll discover and exploit a major design issue which affects the security of most devices utilising both platforms. Lastly, we’ll see why the integrity of TEEs is crucial to the overall security of the device, making a case for the need to increase their defences. […]
https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html
Hagfish: UEFI Bootloader for Barrelfish
Barrelfish is a new research operating system being built from scratch and released by ETH Zurich in Switzerland, originally in collaboration with Microsoft Research and now partly supported by HP Enterprise Labs, Huawei, Cisco, Oracle, and VMware. […]
Hagfish is the Barrelfish/ARMv8 UEFI loader prototype: Hagfish (it’s a basal chordate i.e. something like the ancestor of all fishes). Hagfish is a second-stage bootloader for Barrelfish on UEFI platforms, most importantly the ARMv8 server platform. […]
Firmware Security 
You must be logged in to post a comment.