If you use the LLVM LLDB debugger, you should also be using lldbinit, and there’s an updated release out!
Author: hucktech
Lenovo-u1-tool: Lenovo Uone Tool for Updating machine's Serial and Model information in UEFI/BIOS
Binary-only, no source code, so be careful if you use experiment with this tool:
JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms
https://arxiv.org/abs/1912.11523
[…]Further, we demonstrate JackHammer, a novel and efficient Rowhammer from the FPGA to the host’s main memory. Our results indicate that a malicious FPGA can perform twice as fast as a typical Rowhammer attack from the CPU on the same system and causes around four times as many bit flips as the CPU attack. We demonstrate the efficacy of JackHammer from the FPGA through a realistic fault attack on the WolfSSL RSA signing implementation that reliably causes a fault after an average of fifty-eight RSA signatures, 25% faster than a CPU rowhammer attack. In some scenarios our JackHammer attack produces faulty signatures more than three times more often and almost three times faster than a conventional CPU rowhammer attack.
TPM-Fail: TPM-Fail Attack code and data available
QASan: custom QEMU which detects memory errors using clang's AddressSanitizer
[…]I created QASan (QEMU-AddressSanitizer), a fork of user-mode QEMU that introduce AddressSanitizer for heap objects into QEMU. QASan not only enables AddressSanitizer on COTS x86/x86_64/ARM/ARM64 binaries on Linux/*BSD but allows also the instrumentation of code generated at runtime (e.g. JIT) that is, of course, not supported by source-level ASAN. Note also that at the time of writing AddressSanitizer doesn’t support ARM/ARM64 on Linux and QASan enables that for this class of binaries.[…]
https://github.com/andreafioraldi/qasan
https://andreafioraldi.github.io/articles/2019/12/20/sanitized-emulation-with-qasan.html
ACPI Tables: collection of ACPI tables generated by Linux Hardware Database's HW-Probe tool.
This is a project to collect hardware details of Linux-powered computers over the world and help Linux users and developers to collaboratively debug hardware related issues, check for Linux-compatibility and find drivers.
The web site has a tool, HW-Probe, and a Github repo of uploaded ACPI tables:
This is a repository of decoded ACPI tables for various computers collected by Linux users […] Everyone can contribute to this repository by uploading probes of their computers by the hw-probe tool:
https://github.com/linuxhw/ACPI
https://github.com/linuxhw/hw-probe
https://linux-hardware.org/?view=timeline
uefidoom: Port of Doom to UEFI
Cacodemon345’s UEFI-DOOM (forked from warfish’s DOOM repo)
A port of DOOM to UEFI systems. Tested with: QEMU with OVMF.
[…]
Planned: Audio support (using GoldFish64’s AudioDxe driver). Help is accepted!
Apple: UEFI firmware security overview
https://support.apple.com/guide/security/uefi-firmware-overview-seced055bcf6/web
In addition to above apple.com-hosted content, there are slides and videos from the last BlackHat USA on Apple security:
dotEFI: A C# library for reading and writing UEFI variables
A new C# UEFI library:
Microsoft: UEFI Signing Requirements updated
BlackHat-USA-2019: videos online
The videos from BlackHat-US-2019 are on Youtube now:
https://twitter.com/BlackHatEvents/status/1205203178431619072
https://www.blackhat.com/us-19/briefings/schedule/
For example:
SmmBackdoor: bugfixes
Re: https://firmwaresecurity.com/2015/07/06/uefi-smm-vulnerability-research-smmbackdoor/
this project has been updated recently. Only a few checkins for 2015 and 2016. Now some bugfixes for 2019:
Tianocore C codebase: Rust branch forked
There is a branch of the Tianocore UEFI C codebase that is being ported to Rust!!
https://github.com/tianocore/edk2-staging/tree/edkii-rust
http://vzimmer.blogspot.com/2019/12/rust-oxide-corrosion.html
Interesting! I wonder how this will turn out. There is not a lot of Rust knowledge in the existing Firmware engineer community, but there is a lot of talk about Rust replacing C for low-level systems projects. While one Microsoft security researcher has posted a blog about Rust, I really don’t see Microsoft embracing Rust. They have to retrain their existing C developers to use a new language, and they’d need a language that they could control the direction of. I suspect the Microsoft systems team, if forced to migrate from their C89-era compiler to something modern, would probably use their CheckedC or Project Verona. I would love to be proven wrong. 🙂
Go-Attestation: abstracts remote attestation operations across a variety of platforms and TPMs, enabling remote validation of machine identity and state
Go-Attestation abstracts remote attestation operations across a variety of platforms and TPMs, enabling remote validation of machine identity and state. This project attempts to provide high level primitives for both client and server logic.[…]
https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md
Intel INTEL-SA-00289: Plundervolt
Intel releases 9 new security advisories
Today Intel released 9 new security advisories:
Intel® NUC® Firmware Advisory
INTEL-SA-00323
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00323.html
Unexpected Page Fault in Virtualized Environment Advisory
INTEL-SA-00317
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html
Intel® SCS Platform Discovery Utility Advisory
INTEL-SA-00312
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00312.html
Intel® Quartus® Prime Pro Edition Advisory
INTEL-SA-00311
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00311.html
Control Center-I Advisory
INTEL-SA-00299
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00299.html
Intel® Processors Voltage Settings Modification Advisory
INTEL-SA-00289
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html
Intel® Ethernet I218 Adapter Driver for Windows* Advisory
INTEL-SA-00253
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00253.html
Linux Administrative Tools for Intel® Network Adapters Advisory
INTEL-SA-00237
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00237.html
Intel® Dynamic Platform and Thermal Framework Advisory
INTEL-SA-00230
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00230.html
Using an Option ROM to overwrite SMM/SMI handlers in QEMU
This article explores PCI Expansion ROM (or Option ROM) execution within UEFI and walks through a practical scenario of using Option ROM code to modify SMM. In order to accomplish this goal we relax the security within EDK2. Note that this article does not reveal any security weaknesses. We begin with how to create a QEMU/OVMF/iPXE testing environment that boots Fedora with UEFI Secure Boot enabled and measures the pre-OS environment using a software TPM2. We then install an SMI handler by modifying our iPXE EFI Option ROM, which is the same as a DXE driver run during Boot Device Select (BDS). Finally, we again modify our Option ROM code and overwrite and reliably ‘shim’ an existing SMI’s handler with our own.[…]
https://casualhacking.io/blog/2019/12/3/using-optionrom-to-overwrite-smmsmi-handlers-in-qemu
Security Engineering, 3rd edition: new side-channel attack chapter, now online
Bitleaker: decrypts BitLocker-locked partition with the TPM vulnerability (CVE-2018-6622)
BitLeaker is a new tool for extracting the VMK and mounting a BitLocker-locked partition. BitLeaker uses the TPM vulnerability, CVE-2018-6622 for a discrete TPM and related vulnerability for a firmware TPM. They are related to the S3 sleeping state of Advanced Configuration and Power Interface (ACPI) and can reset the TPMs. If you want the detailed information about CVE-2018-6622 and a vulnerability checking tool, please read our USENIX paper, A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping and Black Hat Asia presentation, Finally, I Can Sleep Tonight: Catching Sleep Mode Vulnerabilities of the TPM with Napper.
PCI Express DIY hacking toolkit
This repository contains a set of tools and proof of concepts related to PCI-E bus and DMA attacks. It includes HDL design which implements software controllable PCI-E gen 1.1 endpoint device for Xilinx SP605 Evaluation Kit with Spartan-6 FPGA. In comparison with popular USB3380EVB this design allows to operate with raw Transaction Level Packets (TLP) of PCI-E bus and perform full 64-bit memory read/write operations. To demonstrate applied use cases of the design, there’s a tool for pre-boot DMA attacks on UEFI based machines which allows executing arbitrary UEFI DXE drivers during platform init. Another example shows how to use pre-boot DMA attacks to inject Hyper-V VM exit handler backdoor into the virtualization-based security enabled Windows 10 Enterprise running on UEFI Secure Boot enabled platform. Provided Hyper-V backdoor PoC might be useful for reverse engineering and exploit development purposes, it provides an interface for inspecting of hypervisor state (VMCS, physical/virtual memory, registers, etc.) from guest partition and perform the guest to host VM escape attacks.
Firmware Security 
You must be logged in to post a comment.