https://www.suse.com/communities/blog/revolutionizing-arm-technology-x86_64-option-rom-aarch64/

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies developed by Intel and AMD for their CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.
http://igorkorkin.blogspot.com/2017/03/memorymonrwx-detect-kernel-mode.html
https://github.com/d30sa1/RootKits-List-Download
Nice list. I see at least 2 that aren’t listed, so I guess I need to submit a patch.
I learned a new word today: “RPMB” (Replay Protected Memory Block). 🙂
https://github.com/OP-TEE/optee_os/blob/master/documentation/secure_storage_rpmb.md
Leviathan is a mass audit toolkit which has a wide range of service discovery, brute force, SQL injection detection and custom exploit running capabilities. It consists of open source tools such as masscan, ncrack and dsss, and gives you the flexibility of using them in combination. The main goal of this project is auditing as many systems as possible country-wide or in a wide IP range.[…]
https://github.com/leviathan-framework/leviathan
https://leviathan-framework.org/
Not to be confused with Leviathan Security’s Lotan.
sniffROM: A tool for passive data capture and reconnaissance of serial flash chips. It is used in conjunction with a Saleae logic analyzer to reconstruct flash memory contents and extract contextual information about device operations. Supports SPI and I²C flash chips. Recognizes most flash commands across different chip vendors. Preserves actual memory addresses of captured data. Binary visualization of reconstructed image.
usage: sniffROM.py [-h] [--addrlen [{2,3,4}]] [--endian [{msb,lsb}]] [--filter [{r,w}]] [-o [O]] [--summary] [--graph] [-v] input_file
https://github.com/alainiamburg/sniffROM
Aneesh Neelam has written UEFI-SecureBoot-SignTool, a script to sign external Linux kernel modules for UEFI Secure Boot.
UEFI Secure Boot sign tool
The default signed Linux kernel on Ubuntu (>=16.04.x), Fedora (>=18) and perhaps on other distributions as well, won’t load unsigned external kernel modules if Secure Boot is enabled on UEFI systems. Hence, any external kernel modules like the proprietary Nvidia kernel driver, Oracle VM VirtualBox’s host/guest kernel driver etc. won’t work. External kernel modules must be signed for UEFI Secure Boot using a Machine Owner Key (MOK). You can use the UEFI Secure Boot Sign Tool to sign kernel modules. This is useful if you can’t or don’t wish to disable Secure Boot on your UEFI-enabled system.[…]
https://github.com/aneesh-neelam/UEFI-SecureBoot-SignTool
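The manual steps that the sign tool automates, written out as shell functions. This is an added example, not UEFI-SecureBoot-SignTool's own code; the key file names, the certificate subject, the key directory and the location of the kernel's sign-file helper are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not UEFI-SecureBoot-SignTool's own code: the MOK workflow for
# signing an out-of-tree module under Secure Boot. File names, the subject CN
# and the sign-file location are assumptions.

# Create a Machine Owner Key: PEM private key plus DER certificate, which is
# the pair mokutil and sign-file expect. Leaves $1/MOK.priv and $1/MOK.der.
make_mok_key() {
  keydir=$1
  mkdir -p "$keydir"
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
    -subj "/CN=Example MOK/" \
    -keyout "$keydir/MOK.priv" -outform DER -out "$keydir/MOK.der"
}

# Queue the public half for enrollment in shim's MOK list. It only becomes
# trusted after a reboot, where MokManager asks for the password chosen here.
enroll_mok() {
  mokutil --import "$1/MOK.der"
}

# Append a signature to each .ko given, using the running kernel's sign-file.
# The header path is assumed; the /lib/modules build symlink is the fallback.
sign_modules() {
  keydir=$1; shift
  signfile="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
  [ -x "$signfile" ] || signfile="/lib/modules/$(uname -r)/build/scripts/sign-file"
  for ko in "$@"; do
    "$signfile" sha256 "$keydir/MOK.priv" "$keydir/MOK.der" "$ko"
  done
}

# Verify that a module now carries a signature: modinfo prints a signer field
# for signed modules and nothing for unsigned ones.
module_is_signed() {
  modinfo "$1" 2>/dev/null | grep -q '^signer:'
}

# Usage (as root, with a real module path; MOK.priv must stay private, since
# anyone holding it can sign code the firmware will then trust on this machine):
#   make_mok_key /root/mok && enroll_mok /root/mok
#   sign_modules /root/mok /path/to/module.ko && module_is_signed /path/to/module.ko
```

Only the DER certificate is enrolled; the private key never goes near shim or the firmware, so keeping it off the machine after signing shrinks what a local compromise can sign.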
Colin King has a new blog post that gives an introduction to the FirmWare Test Suite’s UI.
http://smackerelofopinion.blogspot.com/2017/05/firmware-test-suite-text-based-front-end.html
https://wiki.ubuntu.com/FirmwareTestSuite/Reference

Reverse-engineering the Intel Management Engine’s ROMP module
Youness Alaoui, Hardware enablement developer
Last month, while I was waiting for hardware to arrive and undergo troubleshooting, I had some spare time to begin some Intel ME reverse engineering work. First, I need to give some shout out to Igor Skochinsky, a Hex-Rays developer, who had been working on reverse engineering the Intel ME for a while, and who has been very generous in sharing his notes and research on the ME with us, which is going to be a huge help and cut down months of reverse engineering and guesswork. Igor was very helpful in getting me to understand the bits that didn’t make sense to me. The first thing I wanted to try and reverse was the ROMP module. It is one of the two modules that me_cleaner doesn’t remove, and given how small it is (less than 1KB of code+data), I thought it would be a good starting point. Turns out my hunch was right, as I finished reverse engineering that module after only a couple of days.[…]
https://puri.sm/posts/reverse-engineering-the-intel-management-engine-romp-module/
This is the *BEST* index to hardware/firmware attacks for Intel systems. And it has been updated for recent research!!
Low level PC attack papers by Xeno Kovah
Matthew Garrett has a new tool to check for AMT on Linux:
If AMT is enabled and provisioned and the AMT version is between 6.0 and 11.2, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689. Disable AMT in your system firmware.
https://github.com/mjg59/mei-amt-check
A little bird told me some info about Intel AMT and Linux:
* Some BMC/IPMI devices also listen on port 623 because they support the same asf-rmcp protocol. So if you are using nmap to scan networks you may see false positives from these devices.
* The Intel OpenAMT tool can be used on Linux to determine if AMT is enabled. The procedure is something like:
 * build with: ./configure;make
 * on the system to test, load the mei modules with: modprobe mei-me
 * run the src/lms binary (only uses standard libraries, no need to ‘make install’)
 * check daemon.log; if AMT is not enabled, the output should be something like “LMS: Cannot connect to Intel AMT via MEI driver”
 * clean up by killing the running lms process, removing the lms binary, and unloading the mei modules: rmmod mei-me mei
https://sourceforge.net/projects/openamt/
* On Linux, blacklisting the mei-me/mei modules will prevent local access to AMT, but doesn’t help if it’s already enabled.
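The OpenAMT check above, plus the version range from Matthew Garrett's note, as a script. This is an added example, not code from OpenAMT or mei-amt-check; the OpenAMT checkout path, the /var/log/daemon.log location, the five-second wait, and reading "between 6.0 and 11.2" as an inclusive range are assumptions.

```shell
#!/bin/sh
# Added example (not from OpenAMT or mei-amt-check): the manual AMT check
# wrapped in functions. OPENAMT_SRC, LOG_FILE, the wait time and the inclusive
# reading of the affected version range are assumptions.
OPENAMT_SRC=${OPENAMT_SRC:-/usr/local/src/openamt}
LOG_FILE=${LOG_FILE:-/var/log/daemon.log}

# Read the verdict out of a syslog file: lms logs the quoted message when the
# MEI driver has no enabled AMT to talk to. Absence of the message is not
# proof the other way, so the positive case is only "possibly-enabled".
amt_status_from_log() {
  if grep -q 'LMS: Cannot connect to Intel AMT via MEI driver' "$1"; then
    echo "not-enabled"
  else
    echo "possibly-enabled"   # confirm with mei-amt-check before acting
  fi
}

# Is an AMT firmware version (major.minor[.more]) inside the 6.0..11.2 range
# that the CVE-2017-5689 note names? Versions without a minor part count as .0.
amt_version_in_affected_range() {
  ver_major=${1%%.*}
  case $1 in
    *.*) ver_rest=${1#*.}; ver_minor=${ver_rest%%.*} ;;
    *)   ver_minor=0 ;;
  esac
  ver_num=$((ver_major * 100 + ver_minor))
  [ "$ver_num" -ge 600 ] && [ "$ver_num" -le 1102 ]
}

# The live check (root only): load the MEI driver, run lms long enough for it
# to log, then remove both again so no local AMT interface is left behind.
run_amt_check() {
  modprobe mei-me
  "$OPENAMT_SRC/src/lms" &
  lms_pid=$!
  sleep 5
  kill "$lms_pid" 2>/dev/null || true
  rmmod mei-me mei
  amt_status_from_log "$LOG_FILE"
}

if [ "${1:-}" = "--run" ]; then
  run_amt_check
fi
```

Run it as `sh amt-check.sh --run` on the host under test. Because BMC/IPMI devices answer on port 623 as well, a network scan alone cannot settle the question; the local MEI check is what distinguishes AMT from other RMCP listeners.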
It is an exciting time for the Absolute and Microsoft partnership! Absolute’s placement in Windows device firmware provides a truly unique position within the Microsoft partner ecosystem. We continue to strengthen this relationship by opening new doors of engagement through our recent product integration announcements. To further support the relationship, we are looking for a tenured Business Development Director[…]
A little bit more (warning: a few of these are related to Intel ME hardware, not Intel AMT firmware):
Rumor has it that OpenAMT can also be used for AMT detection:
https://sourceforge.net/p/openamt/wiki/Home/
AMT advisory from ASUS:
https://www.asus.com/News/uztEkib4zFMHCn5r
http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/
http://www.govinfosecurity.com/intels-amt-flaw-worse-than-feared-a-9901
https://twitter.com/4Dgifts/status/862326241659150336
https://twitter.com/__ths__/status/862589402140352514
[EN] Keylogger in Hewlett-Packard Audio Driver
Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right when, for example, examining the hardening of protection mechanisms of a workstation. Here, we often find all sorts of dangerous and ill-conceived stuff. We want to present one of these casually identified cases now, as it’s quite an interesting one: We have discovered a keylogger in an audio driver package by Hewlett-Packard. A keylogger is a piece of software for which the case of dual-use can rarely be claimed. This means there are very few situations where you would describe a keylogger that records all keystrokes as ‘well-intended’. A keylogger records when a key is pressed, when it is released, and whether any shift or special keys have been pressed. It is also recorded if, for example, a password is entered even if it is not displayed on the screen.[…]There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful. If the developer just disabled all logging, using debug logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user[…]
https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt
Helen Koike of Collabora has proposed a BOF on UEFI Secure Boot at DebConf17, this August:
DebConf17 – BoF proposal to discuss secure boot
I want to send a BoF proposal to DebConf17 so we can meet there and discuss secure boot. I would like to know if you are interested in attending and also which topics you suggest for discussion. I would appreciate it if you could put your name and suggestions in this form in case you are interested https://goo.gl/forms/lHoEibY1H6FmSHSJ2 , or just reply to this email thread.
For full message, see the debian-efi mailing list archives.
https://lists.debian.org/debian-efi/2017/05/threads.html
https://debconf17.debconf.org/
Sai Praneeth Prakhya of Intel submitted V2 of an Intel UEFI diagnostic patch for the Linux kernel; the new version adds x86_32 and kexec support.
[PATCH V2] x86/efi: Add EFI_PGT_DUMP support for x86_32, kexec
EFI_PGT_DUMP, as the name suggests, dumps efi page tables to dmesg during kernel boot. This feature is very useful while debugging page faults/null pointer dereferences to efi related addresses. Presently, this feature is limited only to x86_64, so let’s extend it to other efi configurations like kexec kernel, efi=old_map and to x86_32 as well. This doesn’t affect the normal boot path because this config option should be used only for debug purposes.
Changes since v1:
1. Call efi_dump_pagetable() only once from efi_enter_virtual_mode() – as suggested by Boris
For more info, see the patch on the linux-(kernel,efi) lists.
https://twitter.com/aionescu/status/862741520301965312
http://www.alex-ionescu.com/?p=335
Wow, this book has gone a long way from “Inside Windows NT” by Helen Custer, the original author:
UEFI keylogger prototype
Hastily-written news/info on the firmware security/development communities, sorry for the typos.