After the recent Microsoft mention of AMT being used by malware, there is a bit more on the press on AMT:
Author: hucktech
Apple seeks UEFI engineers
Most job offers are from headhunters. This one comes from one of the pioneers of firmware security research!
Symbolic execution timeline
Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
https://github.com/enzet/symbolic-execution
Udemy IoT security course
Udemy has a course on IoT security. The curriculum includes 23 lectures:
Author Introduction and Table of Content
Introduction to IoT and IoT Foundation
Section 3 : Getting started with IoT Security
Firmware Hacking 101
Automated Firmware Analysis
Conclusion and Discussion
https://www.udemy.com/introduction-to-iot-security-and-hacking-iot-firmware/?platform=hootsuite
Intel: IoT Security in the Developer’s Mind
Ricardo Echevarria of Intel has a new blog post about IoT security:
Internet-enabled smart devices open up a new universe of possibilities for how consumers interact with the world. But those same smart lightbulbs or TVs may pose a serious threat if their designers fail to strengthen the devices’ security protocols. Last year’s Mirai distributed denial-of-service (DDOS) botnet attack was a wake-up call for the computing world. By targeting vulnerable Internet-connected cameras and other Internet of Things (IoT) devices, the massive botnet was able to redirect enough Internet traffic to a DNS provider to crash multiple high-profile websites. It is no surprise then that IoT developers worry more about security than anything else – including interoperability, connectivity, and hardware integration. The Eclipse IoT Working Group’s 2017 IoT Developer Survey shows that security has remained the number one concern among developers for the third straight year.[…]
https://software.intel.com/en-us/blogs/2017/06/07/iot-security-in-the-developers-mind
CrashOS
CrashOS is a tool dedicated to the research of vulnerabilities in hypervisors by creating unusual system configurations. CrashOS is a minimalist Operating System which aims to lead to hypervisor crashs, hence its name. You can launch existing tests or implement your owns and observe hypervisor behaviour towards this unusual kernel.[…]
https://github.com/airbus-seclab/crashos
William Leara on using the UDK
William Leara of Dell has a new blog post, with a tutorial on writing a UEFI hello-world app using the UDK.
“Hello World” Quick-Start with UDK2015
The objective of this post is to explain how to get started with UEFI development by getting the UDK2015 development environment up and running, creating a Hello, World example program, and running it in the UEFI shell. Once you can get a simple application built and running in a UEFI Shell, you can begin extending it to greater and greater sophistication![…]
http://www.basicinputoutput.com/2017/06/hello-world-quick-start-with-udk2015.html
Breaking Samsung Galaxy Secure Boot through Download mode
“A bootloader bug in Samsung Galaxy smartphones allows an attacker with physical access to execute arbitrary code. Protections like OS lock screen and reactivation lock can be defeated. Several attacks are possible, including memory dump. Fortunately countermeasures exist for unpatched devices.”
Click to access SSTIC2017-Article-attacking_samsung_secure_boot-basse.pdf
Microsoft on malware use of Intel AMT
If you thought the recent Intel AMT security issues was just theoretical, here’s an example of malware using AMT.
GBStrings: search strings in Chinese firmware
Quick GB2312 strings tool in Go for Chinese firmware. This is a quick little tool that I tossed together one night for finding GB2312 Chinese strings from the memory of an imported ham radio. You might find it handy when translating old video games, as well. (GB2312 is not Unicode, and far better tools exist for locating Chinese Unicode strings.) I cannot speak Chinese, so it’s quite likely that you can improve upon this tool. Pull requests are welcome.
https://github.com/travisgoodspeed/gbstrings
see-also: UBU-helpers tool
Apple ships development iBoot on AppleTV?
alloc_uefi: Rust allocator for UEFI
There is another new Rust/UEFI project:
alloc_uefi: Rust allocator for UEFI environments.
Usage: Add alloc_uefi as a dependency, and provide the following function as your application’s entry point:
pub extern fn efi_main(sys_table: *const internal_uefi::SystemTable, image_handle: *mut internal_uefi::CVoid)
https://github.com/csssuf/alloc_uefi
Intel Excite project
https://twitter.com/DevZoneBlog/status/872118468262473729
There is a new document out from Intel that describes their Excite project. No URL to source code, AFAICT.
Finding BIOS Vulnerabilities with Symbolic Execution and Virtual Platforms
By Engblom, Jakob (Intel), Added June 6, 2017
Finding BIOS Vulnerabilities With Excite
Finding vulnerabilities in code is part of the constant security game between attackers and defenders. An attacker only needs to find one opening to be successful, while a defender needs to search for and plug all or at least most of the holes in a system. Thus, a defender needs more effective tools than the attacker to come out ahead.[…]
https://software.intel.com/en-us/blogs/2017/06/06/finding-bios-vulnerabilities-with-excite
CreateUEFIBootableUSB
If you use Windows and want a PowerShell script to help with boot USB drives, this might be useful for you.
ARM joins UEFI Forum Board
The UEFI Forum issued a press release today, about ARM joining the board.
UEFI Forum Appoints ARM to Board of Directors Fortifying Its Commitment to Firmware Innovation
ARM Strengthens Its Long-Standing Presence and Contributions to the UEFI Ecosystem
June 06, 2017 11:00 AM Eastern Daylight Time
BEAVERTON, Ore.–(BUSINESS WIRE)–The UEFI Forum, a non-profit industry standards body that champions firmware advancement through industry collaboration and advocacy of firmware technology standards, announced today that ARM has been appointed to the UEFI Forum Board of Directors.[…]
AMI Tech Blog gets active
For the last few days, the AMI blog — and Twitter account — has been getting regular updates.
Peplink Vulnerabilities
https://twitter.com/marver/status/871679588518293505
During a recent penetration test for a customer, Claus and I noticed a Peplink router web interface exposed to the Internet. While I noticed an XSS (CVE-2017-8839) Claus spotted strange behavior with an overly long bauth cookie. This peaked our interest of course. The next logical step was to fingerprint the device, to get to know more about the specific model and firmware version.[…]
USB Armory: High Assurance Boot (HABv4) bypass
Security advisory: High Assurance Boot (HABv4) bypass
The NXP i.MX53 System-on-Chip, main processor used in the USB armory Mk I board [1] design, suffers from vulnerabilities that allow bypass of the optional High Assurance Boot function (HABv4). The HABv4 [2] enables on-chip internal boot ROM authentication of the initial bootloader with a digital signature, establishing the first trust anchor for further code authentication. This functionality is commonly known as Secure Boot [3] and it can be activated by users who require authentication of the bootloader (e.g. U-Boot) to further maintain, and verify, trust of executed code. Quarkslab reported [4] to NXP, and subsequently to Inverse Path, two different techniques for bypassing HABv4 by means of exploiting validation errors in the SoC internal boot ROM [5], which are exposed before bootloader authentication takes place. While the two vulnerabilities have been initially reported for the i.MX6 SoC, Inverse Path evaluated that both issues also apply to the i.MX53 SoC, used on the USB armory Mk I.
[…]
Technical details under embargo until July 18th, by mutual agreement between
reported and NXP.
[…]
American coreboot conference
UEFI updates specs
The UEFI Forum has updated their specs.
UEFI Spec v2.7
Click to access UEFI_Spec_2_7.pdf
PI v1.6
Click to access PI_Spec_1_6.pdf
ACPI v6.2
SCT v2.5A
http://www.uefi.org/testtools
http://uefi.org/specsandtesttools
http://uefi.org/specifications
Firmware Security 
You must be logged in to post a comment.