SEC Xtractor: HW/FW tools for dumping memory chips and identifying on-chip debugging/programming interfaces

We have just made the “SEC Xtractor” tool (SEC Consult’s hardware exploitation and firmware extraction tool) open-source! It comes with an easy-to-use and configurable memory reading concept that supports multiple ways to read flash chips (e.g. NAND chips). As its firmware and hardware are completely open-source, it can be easily extended. Interface identification is another requirement that was fulfilled by integrating JTAG brute-forcing and UART scanning. It can also be used as an OpenOCD adapter and it provides two UART-to-USB bridges. Most devices require anything between 1.8 and 5.5 volts, which is supported by the SEC Xtractor.[…]

https://sec-consult.com/en/blog/2019/12/winning-the-interface-war-extracting-information-from-electronic-devices-with-the-sec-xtractor/

SEC Xtractor (Hardware)

https://github.com/sec-consult/SEC-Xtractor_Hardware

SEC Xtractor (Firmware)

https://github.com/sec-consult/SEC-Xtractor_Firmware

UL offering IoT security ratings

The IoT Security Rating, which is based on UL’s IoT Security Top 20 Design Principles, aims to serve two purposes:

1) Help manufacturers and developers improve the security posture of their solutions by leveraging proven security best practices

2) Rate the security posture of IoT solutions in order to make security more transparent and accessible to consumers.

https://ims.ul.com/IoT-security-rating

Updated artwork IoT

I wish these logos had more specifics, like what boot security technologies are available.

Redfish-Tacklebox: Python based utilities for performing common management operations with Redfish

DMTF has a relatively new Redfish project, with tools (currently 6 Python-based tools) that are useful for security researchers, system administrators, and firmware testers:

Sensor List (rf_sensor_list.py): walk a Redfish service and list sensor info

System Inventory (rf_sys_inventory.py): walk a Redfish service and list component information

Power/Reset (rf_power_reset.py): perform a power/reset operation of a system

Boot Override (rf_boot_override.py): perform a one time boot override of a system

Accounts (rf_accounts.py): manage user accounts on a Redfish service

Update (rf_update.py): perform an update with a Redfish service

https://github.com/DMTF/Redfish-Tacklebox
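As an added example (this is not Redfish-Tacklebox’s own code), here is the walk-and-list pattern behind a tool like rf_sensor_list.py: start at the service root, follow every @odata.id link, and flatten the Thermal resources into sensor rows. It runs against a constructed in-memory mock of a Redfish service (MOCK_SERVICE) instead of HTTP, so the traversal can be exercised offline; the mock deliberately contains a Chassis/1 ↔ Systems/1 link cycle and a dangling /redfish/v1/Managers link, the two things a naive walker gets wrong.

```python
"""Walk a Redfish service by following @odata.id links and list its sensors.

Added example, not code from Redfish-Tacklebox. MOCK_SERVICE is a constructed
stand-in for HTTP GETs against a real BMC.
"""
from collections import deque

# Constructed mock: URI -> resource JSON, shaped like a real Redfish tree.
MOCK_SERVICE = {
    "/redfish/v1": {
        "@odata.id": "/redfish/v1",
        "Chassis": {"@odata.id": "/redfish/v1/Chassis"},
        "Systems": {"@odata.id": "/redfish/v1/Systems"},
        "Managers": {"@odata.id": "/redfish/v1/Managers"},  # referenced but absent
    },
    "/redfish/v1/Chassis": {
        "@odata.id": "/redfish/v1/Chassis",
        "Members": [{"@odata.id": "/redfish/v1/Chassis/1"}],
    },
    "/redfish/v1/Chassis/1": {
        "@odata.id": "/redfish/v1/Chassis/1",
        "Thermal": {"@odata.id": "/redfish/v1/Chassis/1/Thermal"},
        "Links": {"ComputerSystems": [{"@odata.id": "/redfish/v1/Systems/1"}]},
    },
    "/redfish/v1/Chassis/1/Thermal": {
        "@odata.id": "/redfish/v1/Chassis/1/Thermal",
        "Temperatures": [
            {"Name": "CPU1 Temp", "ReadingCelsius": 52, "UpperThresholdCritical": 95,
             "Status": {"Health": "OK"}},
            {"Name": "PSU1 Temp", "ReadingCelsius": 98, "UpperThresholdCritical": 95,
             "Status": {"Health": "Critical"}},
        ],
        "Fans": [
            {"Name": "Fan1", "Reading": 4200, "ReadingUnits": "RPM",
             "Status": {"Health": "OK"}},
        ],
    },
    "/redfish/v1/Systems": {
        "@odata.id": "/redfish/v1/Systems",
        "Members": [{"@odata.id": "/redfish/v1/Systems/1"}],
    },
    "/redfish/v1/Systems/1": {
        "@odata.id": "/redfish/v1/Systems/1",
        "Links": {"Chassis": [{"@odata.id": "/redfish/v1/Chassis/1"}]},  # back-link: cycle
    },
}


def find_links(node):
    """Yield every @odata.id value nested anywhere inside a resource."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@odata.id" and isinstance(value, str):
                yield value
            else:
                yield from find_links(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_links(item)


def walk_service(service, root="/redfish/v1"):
    """Breadth-first walk from the root. Returns (visited, dangling):
    visited maps URI -> resource, dangling lists URIs that were linked but
    not served. `service` is any mapping of URI -> resource (HTTP in real life)."""
    visited, dangling, seen = {}, [], {root}
    queue = deque([root])
    while queue:
        uri = queue.popleft()
        resource = service.get(uri)
        if resource is None:
            dangling.append(uri)           # broken link: record it, keep walking
            continue
        visited[uri] = resource
        for link in find_links(resource):
            if link not in seen:           # `seen` is what breaks the link cycle
                seen.add(link)
                queue.append(link)
    return visited, dangling


def list_sensors(visited):
    """Flatten every Thermal resource into (name, reading, units, health) rows."""
    rows = []
    for uri, resource in visited.items():
        if not uri.endswith("/Thermal"):
            continue
        for t in resource.get("Temperatures", []):
            rows.append((t["Name"], t.get("ReadingCelsius"), "Celsius",
                         t.get("Status", {}).get("Health")))
        for f in resource.get("Fans", []):
            rows.append((f["Name"], f.get("Reading"), f.get("ReadingUnits"),
                         f.get("Status", {}).get("Health")))
    return rows


def unhealthy_sensors(rows):
    """Rows whose Redfish Status.Health is anything other than OK."""
    return [r for r in rows if r[3] != "OK"]


if __name__ == "__main__":
    visited, dangling = walk_service(MOCK_SERVICE)
    for uri in visited:
        print("visited", uri)
    for uri in dangling:
        print("dangling", uri)
    for name, reading, units, health in list_sensors(visited):
        print(f"{name:12} {reading} {units} [{health}]")
```

Against real hardware the only change is replacing the dict lookup in walk_service with an authenticated HTTP GET of each URI; the cycle handling and dangling-link handling stay the same.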

Tasteless CTF: tee-challenges: an exploitation challenge based on the Open Portable Trusted Execution Environment (OP-TEE)

https://github.com/tastelessctf/ctf2019

Offered with no further comments; I’ve not yet had a chance to play this CTF…

coreboot 4.11 released

“[…]Since 4.10 there were 1630 new commits by over 130 developers. Of these, about 30 contributed to coreboot for the first time.[…]
Verified Boot: The vboot feature that Chromebooks brought into coreboot was extended to work on devices that weren’t specially adapted for it: In addition to its original device family it’s now supported on various Lenovo laptops, Open Compute Project systems and Siemens industrial machines. Eltan’s support for measured boot continues to be integrated with vboot, sharing data structures and generally working together where possible.[…]”

Detailed blog post:
https://blogs.coreboot.org/blog/2019/11/19/announcing-coreboot-4-11/

PrimeG2Pkg: UEFI for HP Prime G2 calculator

[…]Basically the UEFI consists of a set of device drivers and core components from TianoCore. ACPI tables are copied from the Windows IoT iMX Project Mu Repo and stripped down. I chainload the UEFI from U-Boot. iMX does not enable unaligned memory access by default and this causes a lot of trouble in UEFI DXE and BDS phases.[…]

https://github.com/imbushuo/PrimeG2Pkg

blog post:

edk2-vscode: Visual Studio Code plugin for EDKII files

There is a Visual Studio Code plugin for working with Microsoft Project Mu:

MuSupport: A VS Code extension to support Project Mu

There is also another VS Code plugin for working with EDK2, which appears to be about 3 months old:

Develop smoothly EDKII/UEFI:
* Add FDF syntax highlight and destination
* Add DSC syntax highlight and destination
* Add DEC syntax highlight and destination
* Add INF syntax highlight and destination
* Add UNI syntax highlight
* Add VFR syntax highlight

https://github.com/WalonLi/edk2-vscode

Sourcetrail source code explorer for C/C++/Python/Java has been open-sourced

Coati Software’s Sourcetrail is a source explorer for Linux/Windows/Mac which “uses static analysis on C, C++, Java and Python source code and lets you navigate the collected information within a user interface that interactively combines graph visualization and code display.” This previously closed-source codebase is now open-source.

https://github.com/CoatiSoftware/Sourcetrail
https://www.sourcetrail.com/
https://www.sourcetrail.com/blog/open_source/
https://www.patreon.com/sourcetrail

Intel ATR training: no longer publicly-available

Re: https://firmwaresecurity.com/2017/05/25/intel-atr-releases-uefi-firmware-training-materials/

It appears the training materials that used to be on GitHub are no longer there; I’m unsure why. Hopefully they have moved from the “Advanced-Threat-Research” top-level GitHub project to some Intel/McAfee/Eclypsium project, and I just don’t know the new URL.

As I understand it, the training was created by Intel employees, mostly from the CHIPSEC team, before many of the CHIPSEC team left to create Eclypsium, and also during the Intel/McAfee split of Intel Advanced Threat Research. I have a copy somewhere of the GitHub project that’s been taken down, in case the authors (at Intel, McAfee or Eclypsium) mistakenly deleted it and want a copy.

https://github.com/advanced-threat-research/firmware-security-training

The current CHIPSEC team offers training, but appears to use a different set of materials, which are online:

https://github.com/chipsec/chipsec/wiki/BSidesPDX-2018-Workshop

The MinnowBoard Chronicles: A Journey into x86, UEFI, and Linux

Even if you don’t have a SourcePoint hardware debugger, you’ll probably still get a benefit from reading this 45-chapter blog post series.

https://blog.asset-intertech.com/test_data_out/2019/10/the-minnowboard-chronicles-a-journey-into-x86-uefi-and-linux.html

Over the last two and a half years, I’ve intermittently chronicled my explorations into some fairly esoteric technical topics, using the MinnowBoard Turbot board as a platform. And yes, time flies, and I’ve covered a lot of ground. All 45 chapters are listed below. Enjoy!

GospelRoom: Data Storage in UEFI NVRAM Variables

Click on the URL in the tweet above, as WordPress chokes on GitHub Gist URLs.

GospelRoom: Data Storage in UEFI NVRAM Variables

Behaviour

Persist data in UEFI NVRAM variables.

Benefits

  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.
  3. NVRAM variables cannot be directly enumerated with OS-level APIs.
    • Enumeration requires exact knowledge of variable names and their GUIDs.

Caveats

  1. Computer must have UEFI enabled, legacy BIOS will not work.
  2. Administrative access required (SE_SYSTEM_ENVIRONMENT_NAME privilege).
  3. Buffer size is limited up to the size of the flash chip.
  4. Possible to enumerate from kernel mode.

Example Output

[SET] TestVariable: Hello, NVRAM!
[GET] TestVariable: Hello, NVRAM!

References

/**
 * Codename: GospelRoom
 * Technique: Data Storage in UEFI NVRAM Variables
 * Author: @Jackson_T
 *
 * Behaviour: Persist data in UEFI NVRAM variables.
 *
 * Benefits:
 * 1. Stealthy way to store secrets and other data in UEFI.
 * 2. Will survive a reimaging of the operating system.
 * 3. NVRAM variables cannot be directly enumerated with
 *    OS-level APIs. Enumeration requires exact knowledge of
 *    variable names and their GUIDs.
 *
 * Caveats:
 * 1. Computer must have UEFI enabled, legacy BIOS will not work.
 * 2. The user account that the app is running under must have
 *    the SE_SYSTEM_ENVIRONMENT_NAME privilege (admin required).
 * 3. Buffer size is limited up to the size of the flash chip.
 *
 * Example output:
 *   [SET] TestVariable: Hello, NVRAM!
 *   [GET] TestVariable: Hello, NVRAM!
 *
 * References:
 * - https://wikileaks.org/ciav7p1/cms/page_31227915.html
 * - https://wikileaks.org/ciav7p1/cms/page_26968084.html
 * - https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-getfirmwareenvironmentvariablea
 * - https://www.youtube.com/watch?v=q2KUufrjoRo
 * - https://github.com/perturbed-platypus
 */
#include "stdafx.h"
#include <Windows.h>
#include <winternl.h>   // NTSTATUS
#include <cstdio>
#include <cstdlib>
#include <cwchar>

// Caveat #1: Check if system supports UEFI. Per the Microsoft documentation,
// calling GetFirmwareEnvironmentVariable with a dummy name and GUID on a
// legacy-BIOS system fails with ERROR_INVALID_FUNCTION.
int IsFeatureSupported()
{
    int buffer;
    GetFirmwareEnvironmentVariableW(L"", L"{00000000-0000-0000-0000-000000000000}", &buffer, sizeof(buffer));
    return (GetLastError() == ERROR_INVALID_FUNCTION) ? 0 : 1;
}

// Caveat #2: SeSystemEnvironmentPrivilege needs to be enabled in the token.
// Returns 1 when the privilege was enabled, 0 on failure (e.g. not an admin).
int SetSystemEnvironmentPrivilege()
{
    typedef NTSTATUS(WINAPI* RTLADJUSTPRIVILEGE)(
        _In_ ULONG Privilege,
        _In_ BOOLEAN Enable,
        _In_ BOOLEAN CurrentThread,
        _Out_ PBOOLEAN Enabled);
    // ntdll.dll is already mapped into every process; no LoadLibrary needed.
    HMODULE hnd_module = GetModuleHandleW(L"ntdll.dll");
    if (hnd_module == NULL)
        return 0;
    RTLADJUSTPRIVILEGE RtlAdjustPrivilege =
        (RTLADJUSTPRIVILEGE)GetProcAddress(hnd_module, "RtlAdjustPrivilege");
    if (RtlAdjustPrivilege == NULL)
        return 0;
    const ULONG SeSystemEnvironmentPrivilege = 22;   // SE_SYSTEM_ENVIRONMENT_PRIVILEGE
    BOOLEAN was_enabled = FALSE;                      // previous state, not the result
    NTSTATUS status = RtlAdjustPrivilege(SeSystemEnvironmentPrivilege, TRUE, FALSE, &was_enabled);
    return (status >= 0) ? 1 : 0;                     // NT_SUCCESS
}

// Convert the variable name to GUID for convenience.
// Modify this function as appropriate. Caller frees the returned string.
wchar_t* ConvertNameToGuid(const wchar_t* name)
{
    // Compute DJB2 hash of name (over UTF-16 code units).
    DWORD hash = 5381, c;
    while ((c = *name++) != 0)
        hash = ((hash << 5) + hash) + c;
    wchar_t* guid = (wchar_t*)malloc(100 * sizeof(wchar_t));
    if (guid == NULL)
        return NULL;
    swprintf_s(guid, 100, L"{%08X-1337-1337-1337-1337%08X}", hash, hash);
    return guid;
}

// Persist a buffer in NVRAM. Returns non-zero on success.
int SetVariable(const wchar_t* name, const void* buffer, size_t size)
{
    wchar_t* guid = ConvertNameToGuid(name);
    if (guid == NULL)
        return 0;
    // The Win32 API takes a non-const PVOID but does not modify the data.
    BOOL ok = SetFirmwareEnvironmentVariableW(name, guid, (PVOID)buffer, (DWORD)size);
    free(guid);
    return ok ? 1 : 0;
}

// Retrieve a buffer from NVRAM. Returns the number of bytes stored, 0 on failure.
size_t GetVariable(const wchar_t* name, void* buffer, size_t size)
{
    wchar_t* guid = ConvertNameToGuid(name);
    if (guid == NULL)
        return 0;
    DWORD read = GetFirmwareEnvironmentVariableW(name, guid, buffer, (DWORD)size);
    free(guid);
    return read;
}

int main()
{
    wprintf(L"GospelRoom: Data Storage in UEFI NVRAM Variables\n\n");
    if (!IsFeatureSupported()) {
        wprintf(L"ERROR: This feature is not supported (legacy BIOS?).\n");
        return 1;
    }
    if (!SetSystemEnvironmentPrivilege()) {
        wprintf(L"ERROR: Could not enable SeSystemEnvironmentPrivilege (run as administrator).\n");
        return 1;
    }
    const wchar_t* set_buffer = L"Hello, NVRAM!";
    size_t length = wcslen(set_buffer);
    // One extra element (zeroed by calloc) so the value read back is NUL-terminated;
    // the stored value itself does not include the terminator.
    wchar_t* get_buffer = (wchar_t*)calloc(length + 1, sizeof(wchar_t));
    if (get_buffer == NULL)
        return 1;
    if (SetVariable(L"TestVariable", set_buffer, length * sizeof(wchar_t)))
        wprintf(L"[SET] TestVariable: %ls\n", set_buffer);
    else
        wprintf(L"ERROR: SetFirmwareEnvironmentVariable failed (%lu)\n", GetLastError());
    if (GetVariable(L"TestVariable", get_buffer, length * sizeof(wchar_t)) != 0)
        wprintf(L"[GET] TestVariable: %ls\n", get_buffer);
    else
        wprintf(L"ERROR: GetFirmwareEnvironmentVariable failed (%lu)\n", GetLastError());
    free(get_buffer);
    return 0;
}
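The README’s caveat that enumeration “requires exact knowledge of variable names and their GUIDs” cuts both ways: the gist’s ConvertNameToGuid derives the vendor GUID deterministically from a DJB2 hash of the name, with the fixed “-1337-1337-1337-1337” middle, so anyone who knows the scheme can reproduce the exact name/GUID pair for a suspected name and can flag any variable whose GUID has that shape. The following is an added hunting example, not part of the gist: djb2_guid reproduces the derivation in Python, and scan_efivars runs the check over a variable listing. It assumes an efivarfs-style listing (“Name-guid”, lowercase hex, as Linux exposes under /sys/firmware/efi/efivars) and an unmodified ConvertNameToGuid; the sample listing below is constructed, and the EFI_GLOBAL_VARIABLE GUID in it is the real one.

```python
"""Hunt for UEFI variables whose GUID follows the GospelRoom name-derived scheme.

Added example, not code from the gist. Input format assumed: efivarfs names,
"<Name>-<guid>" with a lowercase 36-character GUID. SAMPLE_EFIVARS is constructed.
"""
import re

# Constructed listing: two ordinary EFI_GLOBAL_VARIABLE entries, one variable
# written by the gist's scheme, and one that merely imitates the GUID shape.
SAMPLE_EFIVARS = [
    "Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "TestVariable-39b0de8b-1337-1337-1337-133739b0de8b",
    "Stash-0badf00d-1337-1337-1337-13370badf00d",
]

# GUID shape produced by L"{%08X-1337-1337-1337-1337%08X}" (same hash twice).
GOSPELROOM_GUID = re.compile(r"^([0-9a-f]{8})-1337-1337-1337-1337\1$")


def djb2_guid(name: str) -> str:
    """Reproduce the gist's ConvertNameToGuid: DJB2 over the name's UTF-16
    code units (the C++ walks wchar_t), truncated to 32 bits like a DWORD."""
    h = 5381
    units = name.encode("utf-16-le")
    for i in range(0, len(units), 2):
        c = int.from_bytes(units[i:i + 2], "little")
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return "{%08X-1337-1337-1337-1337%08X}" % (h, h)


def normalize_guid(guid: str) -> str:
    """Bring either spelling ({UPPER} or lower) to efivarfs form for comparison."""
    return guid.strip("{}").lower()


def split_efivar(entry: str):
    """Split 'Name-guid' into (name, guid); the GUID is the last 36 characters
    and the name may itself contain dashes, so split from the right."""
    if len(entry) < 38 or entry[-37] != "-":
        raise ValueError("not an efivarfs-style entry: %r" % entry)
    return entry[:-37], entry[-36:].lower()


def scan_efivars(entries):
    """Return one finding per entry whose GUID has the GospelRoom shape.
    name_derived is True when the GUID is exactly what the scheme produces
    for that name, i.e. the variable is consistent with an unmodified gist."""
    findings = []
    for entry in entries:
        name, guid = split_efivar(entry)
        if not GOSPELROOM_GUID.match(guid):
            continue
        findings.append({
            "name": name,
            "guid": guid,
            "name_derived": normalize_guid(djb2_guid(name)) == guid,
        })
    return findings


if __name__ == "__main__":
    print("expected GUID for TestVariable:", djb2_guid("TestVariable"))
    for f in scan_efivars(SAMPLE_EFIVARS):
        tag = "name-derived" if f["name_derived"] else "shape only"
        print("FLAG %-14s %s (%s)" % (f["name"], f["guid"], tag))
```

On a live Linux host the entries would come from os.listdir("/sys/firmware/efi/efivars"); on Windows, where the README notes that user-mode APIs cannot enumerate variables, the djb2_guid output is what you would feed to a targeted GetFirmwareEnvironmentVariable query for a suspected name.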

Static analysis framework for GCC by Red Hat

David Malcolm of Red Hat has submitted a 49-part patch to GCC which gives GCC a static analysis feature:

This patch kit introduces a static analysis pass for GCC that can diagnose various kinds of problems in C code at compile-time (e.g. double-free, use-after-free, etc). The analyzer runs as an IPA pass on the gimple SSA representation. It associates state machines with data, with transitions at certain statements and edges. It finds “interesting” interprocedural paths through the user’s code, in which bogus state transitions happen.[…]

https://gcc.gnu.org/ml/gcc-patches/2019-11/msg01543.html

ANSSI: Hardware security requirements for x86 platforms (and bootable CHIPSEC thumbdrive)

This guide presents some security features and configuration options applying to hardware devices. These features are defined in the form of requirements and can apply to a provider of these hardware configurations. The intended goal is to enforce security of new hardware acquired by an IT department. Each requirement is followed by a security objective specifying the goal.[…]

The provided tools can be used to build two bootable USB keys:

* the first around the chipsec tool edited by Intel, integrated in a Debian live distribution, which can be used to check the platform configuration registers.

* the second one is built around the keytool.efi binary which can be used to inspect and modify the SecureBoot key list. The key can be used to check that the platform will accept new, custom SecureBoot keys.

https://www.ssi.gouv.fr/en/guide/hardware-security-requirements-for-x86-platforms/

https://github.com/ANSSI-FR/chipsec-check

AMD: AGESA update (on Reddit)

I often see news about AMD AGESA, often starting on gamer web sites talking about gamer-centric boxes. I wish there was a primary source of this data, but it appears that AMD tells its vendors and the vendors tell the media about the updates, and there was no direct AMD source of this information. At least that’s what I thought until a few days ago. The “AMD Official” user on Reddit has posted a status update on the next AGESA release:

An Update on the AM4 Platform & AGESA 1004

AMD has recently released a new AGESA to manufacturers, version 1004. With over 150 changes, this is a significant milestone release in the development of the AM4 platform. We wanted to share some background in support of our release and particularly in advance of the AMD Ryzen 9 3950X processor launch on Nov. 25th.[…]

Let’s hope there are regular updates on AGESA on this Reddit site:

https://www.reddit.com/user/AMDOfficial/

More info:
https://en.wikipedia.org/wiki/AGESA

Intel’s equivalent to AMD AGESA is FSP. By comparison, there is a bit more metadata to see what’s happening with FSP; I wish AMD had similar resources for AGESA:
https://github.com/IntelFsp/FSP/commits/master
https://github.com/IntelFsp/FSP/issues

18 new security advisories from Intel

Latest batch since October.

https://www.intel.com/content/www/us/en/security-center/

INTEL-SA-00313: Intel® BMC Advisory
INTEL-SA-00309: Nuvoton* CIR Driver for Windows® 8 for Intel® NUC Advisory
INTEL-SA-00293: 2019.2 IPU – Intel® SGX Advisory
INTEL-SA-00288: Intel® PROSet/Wireless WiFi Software Security Advisory
INTEL-SA-00287: Intel® WIFI Drivers and Intel® PROSet/Wireless WiFi Software extension DLL Advisory
INTEL-SA-00280: 2019.2 IPU – UEFI Advisory
INTEL-SA-00271: 2019.2 IPU – Intel® Xeon® Scalable Processors Voltage Setting Modulation Advisory
INTEL-SA-00270: 2019.2 IPU – TSX Asynchronous Abort Advisory
INTEL-SA-00260: 2019.2 IPU – Intel® Processor Graphics Update Advisory
INTEL-SA-00255: 2019.2 IPU – Intel® Ethernet 700 Series Controllers Advisory
INTEL-SA-00254: 2019.2 IPU – Intel® Processor Graphics SMM Advisory
INTEL-SA-00242: 2019.2 IPU – Intel® Graphics Driver for Windows* Advisory
INTEL-SA-00241: 2019.2 IPU – Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® PTT and Intel® DAL Advisory
INTEL-SA-00240: 2019.2 IPU – Intel® Processor Security Advisory
INTEL-SA-00220: 2019.2 IPU – Intel® SGX and TXT Advisory
INTEL-SA-00219: 2019.2 IPU – Intel® SGX with Intel® Processor Graphics Update Advisory
INTEL-SA-00210: 2019.2 IPU – Intel® Processor Machine Check Error Advisory
INTEL-SA-00164: 2019.2 IPU – Intel® TXT Advisory

I think I’ll stop looking for updates on this site; there have been no changes since January. I think the security team doesn’t update it and the marketing team has forgotten about it:

No changes yet for the above security issues on the Tianocore advisories:

https://edk2-docs.gitbooks.io/security-advisory/content/

I may’ve missed them, but I don’t see any new CHIPSEC detections for some of the above issues:

https://github.com/chipsec/chipsec/commits/master