http://www.springer.com/us/book/9781430265832
It looks like this Apress Open book is also (or only) available via Springer now.
See also: https://firmwaresecurity.com/2016/12/19/apress-tpm-book-free-ebook-option/
https://twitter.com/_jsoo_/status/845830955839307778
Initial Release supports checking of
SafeSEH
DEP
ASLR
/GS (Not 100% reliably)
Control Flow Guard
Signature
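Three of the checks in that list (DEP, ASLR and Control Flow Guard) are readable straight from the DllCharacteristics field of the PE optional header, and the NO_SEH bit gives a partial hint about SafeSEH. The C program below is an added example written for this post, not the tool from the tweet: it walks DOS header, PE signature, COFF header and optional header from an in-memory image with bounds checks on every offset, then reports the flags. The image it checks is constructed by build_sample_pe and is a bare header, not a real binary. What the field cannot tell you is also instructive: real SafeSEH verification needs the Load Config Directory's SEHandlerTable, /GS is a compiler-inserted stack cookie with no header flag at all (hence "not 100% reliably"), and an Authenticode signature lives in the security data directory, so a full checker has to read those structures too.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE/COFF specification. */
#define DLLCHAR_DYNAMIC_BASE 0x0040 /* ASLR: image can be relocated at load time */
#define DLLCHAR_NX_COMPAT    0x0100 /* DEP: image is compatible with NX */
#define DLLCHAR_NO_SEH       0x0400 /* image uses no structured exception handlers */
#define DLLCHAR_GUARD_CF     0x4000 /* Control Flow Guard instrumented */

#define PE32_MAGIC     0x10b
#define PE32PLUS_MAGIC 0x20b

struct pe_mitigations {
    int valid;    /* 1 when the headers parsed cleanly; other fields are then meaningful */
    int pe32plus; /* 1 for a 64-bit (PE32+) image */
    int aslr, dep, cfg, no_seh;
};

/* Little-endian reads that do not depend on host alignment or byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk DOS header -> PE signature -> COFF header -> optional header and read
   DllCharacteristics. Every offset is checked against the buffer length so a
   truncated or hostile file cannot make the parser read out of bounds. */
struct pe_mitigations pe_check(const uint8_t *buf, size_t len) {
    struct pe_mitigations m = {0};
    if (buf == NULL || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return m;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* need "PE\0\0" (4) + COFF header (20) + at least 72 bytes of optional header */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return m;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return m;
    const uint8_t *coff = nt + 4;
    if (rd16(coff + 16) < 72) return m;            /* SizeOfOptionalHeader too small */
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC) return m;
    uint16_t dllchar = rd16(opt + 70);             /* same offset in PE32 and PE32+ */
    m.valid = 1;
    m.pe32plus = (magic == PE32PLUS_MAGIC);
    m.aslr = (dllchar & DLLCHAR_DYNAMIC_BASE) != 0;
    m.dep = (dllchar & DLLCHAR_NX_COMPAT) != 0;
    m.cfg = (dllchar & DLLCHAR_GUARD_CF) != 0;
    m.no_seh = (dllchar & DLLCHAR_NO_SEH) != 0;
    return m;
}

/* Constructed sample: a bare PE header with the requested flags (not a runnable binary). */
size_t build_sample_pe(uint8_t *out, size_t cap, uint16_t dllchar, int pe32plus) {
    const size_t e_lfanew = 0x80;
    const uint16_t optsize = pe32plus ? 240 : 224;
    size_t need = e_lfanew + 4 + 20 + optsize;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = (uint8_t)e_lfanew;                 /* upper bytes of e_lfanew stay zero */
    memcpy(out + e_lfanew, "PE\0\0", 4);
    uint8_t *coff = out + e_lfanew + 4;
    coff[16] = (uint8_t)(optsize & 0xff); coff[17] = (uint8_t)(optsize >> 8);
    uint8_t *opt = coff + 20;
    uint16_t magic = pe32plus ? PE32PLUS_MAGIC : PE32_MAGIC;
    opt[0] = (uint8_t)(magic & 0xff); opt[1] = (uint8_t)(magic >> 8);
    opt[70] = (uint8_t)(dllchar & 0xff); opt[71] = (uint8_t)(dllchar >> 8);
    return need;
}

/* Build a sample with the given flags and check it in one call. */
struct pe_mitigations check_sample(uint16_t dllchar, int pe32plus) {
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, dllchar, pe32plus);
    return pe_check(img, n);
}

int main(void) {
    struct pe_mitigations m = check_sample(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_GUARD_CF, 1);
    printf("valid=%d pe32+=%d ASLR=%d DEP=%d CFG=%d NO_SEH=%d\n",
           m.valid, m.pe32plus, m.aslr, m.dep, m.cfg, m.no_seh);
    return 0;
}
```

To run it against a real file, read the whole file into a buffer and pass it to pe_check; the bounds checks are what make that safe on arbitrary input.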
The below tweet made me realize I’ve not been looking enough for TPM utilities. I’ve seen tools from HP, Dell, and Lenovo. Still looking for tools from other OEMs. The only community tool I can find is BiosSledgehammer, which only works on HP systems.
https://github.com/texhex/BiosSledgehammer
BiosSledgehammer: Automated BIOS update, TPM firmware update and BIOS settings for HP devices.
http://h20566.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05381064
http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05192291
http://www.dell.com/support/home/us/en/4/Drivers/DriversDetails?driverId=2105J
PCI Express eXternalizer lets you pull a PCIe x1 port outside of your case using a USB 3 cable.
https://github.com/securelyfitz/PEXternalizer
https://www.securinghardware.com/
Joe is always making fun toys.
Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware. Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter. “DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants. Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0. Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
https://wikileaks.org/vault7/darkmatter/?cia
https://wikileaks.org/vault7/darkmatter/document/SonicScrewdriver_1p0/
https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_DOC/
https://wikileaks.org/vault7/darkmatter/document/DerStarke_v1_4_RC1_IVVRR_Checklist/
https://wikileaks.org/vault7/darkmatter/document/Triton_v1_3_DOC/
https://wikileaks.org/vault7/darkmatter/document/DarkSeaSkies_1_0_URD/
This is a list of resources about programming practices for writing safety-critical software. Disclaimer: I don’t work on safety-critical software, so the resources presented here are not necessarily authoritative or the latest documents on the topic.
https://github.com/stanislaw/awesome-safety-critical
On a related note, SEI just made their Secure C and Secure C++ books freely available (registration required); those are worth reading:
http://www.sei.cmu.edu/news/article.cfm?assetID=495412
BinX Song of Intel has submitted a patch to EDK2 with support for Google’s Brotli compression algorithm.
[PATCH 0/4] MdeModulePkg/BaseTools: Add Brotli algorithm support
The Brotli algorithm has a slightly lower compression ratio than LZMA, but better decompression performance. Add Brotli algorithm support, including the Brotli decompression library and tool set.
Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed to deflate but offers denser compression.
More info:
https://lists.01.org/mailman/listinfo/edk2-devel
https://github.com/google/brotli
https://www.ietf.org/rfc/rfc7932.txt
https://groups.google.com/forum/#!forum/brotli
Quoting the Register article:
[…]Malware posing as legitimate firmware for Siemens control gear has apparently infected industrial equipment worldwide over the past four years. The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we’re told. At least 10 industrial plants – seven in the US – were found running the infected firmware, a study by industrial cybersecurity firm Dragos claims. According to the Texas-based biz, this particular malware was specifically thrown at industrial control equipment. Exactly what it does, or did, is not explained, although it is described as “crimeware”. […]
The Dragos blog post is worth reading:
https://www.theregister.co.uk/2017/03/22/malware_siemens_plc_firmware/
https://dragos.com/blog/mimics/
A paper from October 2016 that I just noticed:
UTTOS: A Tool for Testing UEFI Code in OS Environment
Unit tests are one of the most widely used tools to assure a minimal level of quality and compliance during development. However, they are not used in many projects where development takes place at low-level contexts. The main reason is that unit test development itself demands more time and becomes expensive in this context, and tools that assist test creation are rare or absent. In UEFI development this scenario matches the reality of most teams, and unit testing as well as other testing techniques are often not used. To address this fault we propose UTTOS, a tool that parses EDKII build configuration files, mocks the UEFI-specific functions for C development and enables UEFI test suite code to run in the operating system. We show that UTTOS is able to run the test suite in the operating system and save development time.
https://www.researchgate.net/publication/313074852_UTTOS_A_Tool_for_Testing_UEFI_Code_in_OS_Environment
https://www.researchgate.net/publication/307547569_UTTOS_A_Tool_for_Testing_UEFI_Code_in_OS_Environment
http://link.springer.com/chapter/10.1007/978-3-319-47443-4_14/fulltext.html
Did not find any source code… 😦 If you do, please leave a comment!
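The core idea in that abstract, mocking the UEFI-specific services so driver code can run under a host test harness, fits in a small sketch. The C below is an added example written for this post; it is not UTTOS and not edk2 code. It defines just enough stand-in types (names mirror edk2 conventions, the definitions are host-side simplifications) for a hypothetical CopyBlobToPool helper that calls gBS->AllocatePool, swaps in a malloc-backed mock with call counters and a one-shot failure switch, and then checks the happy path, the oversize-length rejection and the out-of-memory path, the last of which is exactly the kind of branch that never gets exercised when the code only ever runs on real firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the UEFI types the code under test touches. Real
   firmware builds use edk2's Uefi.h; on the host only these shapes are needed. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS           ((EFI_STATUS)0)
#define EFI_INVALID_PARAMETER ((EFI_STATUS)(0x8000000000000000ULL | 2))
#define EFI_OUT_OF_RESOURCES  ((EFI_STATUS)(0x8000000000000000ULL | 9))
enum { EfiBootServicesData = 4 };
#define EFIAPI /* calling-convention attribute; irrelevant on the host */

typedef EFI_STATUS (EFIAPI *EFI_ALLOCATE_POOL)(int PoolType, size_t Size, void **Buffer);
typedef EFI_STATUS (EFIAPI *EFI_FREE_POOL)(void *Buffer);
typedef struct { EFI_ALLOCATE_POOL AllocatePool; EFI_FREE_POOL FreePool; } EFI_BOOT_SERVICES;

EFI_BOOT_SERVICES *gBS; /* in firmware this comes from the EFI system table */

/* Code under test (hypothetical driver helper): copy a caller-supplied blob
   into pool memory, rejecting lengths above the caller's declared maximum. */
EFI_STATUS CopyBlobToPool(const uint8_t *Src, size_t Len, size_t MaxLen, uint8_t **Out) {
    void *buf = NULL;
    if (Src == NULL || Out == NULL || Len > MaxLen) return EFI_INVALID_PARAMETER;
    EFI_STATUS st = gBS->AllocatePool(EfiBootServicesData, Len, &buf);
    if (st != EFI_SUCCESS) return st;
    memcpy(buf, Src, Len);
    *Out = (uint8_t *)buf;
    return EFI_SUCCESS;
}

/* Host mock of the two boot services: malloc-backed, with call counters and a
   one-shot failure switch so the error path can be exercised deterministically. */
static int g_alloc_calls, g_free_calls, g_fail_next_alloc;

static EFI_STATUS EFIAPI MockAllocatePool(int PoolType, size_t Size, void **Buffer) {
    (void)PoolType;
    g_alloc_calls++;
    if (g_fail_next_alloc) { g_fail_next_alloc = 0; return EFI_OUT_OF_RESOURCES; }
    *Buffer = malloc(Size ? Size : 1);
    return *Buffer ? EFI_SUCCESS : EFI_OUT_OF_RESOURCES;
}
static EFI_STATUS EFIAPI MockFreePool(void *Buffer) { g_free_calls++; free(Buffer); return EFI_SUCCESS; }
static EFI_BOOT_SERVICES g_mock_bs = { MockAllocatePool, MockFreePool };

/* Point gBS at the mock and reset its state; call before each test. */
void MockBootServicesInstall(void) {
    gBS = &g_mock_bs;
    g_alloc_calls = g_free_calls = g_fail_next_alloc = 0;
}

/* Test scenarios: each returns 1 on pass so a harness can assert on them. */
int TestCopyHappyPath(void) {
    MockBootServicesInstall();
    const uint8_t src[] = {1, 2, 3, 4};   /* constructed input */
    uint8_t *out = NULL;
    EFI_STATUS st = CopyBlobToPool(src, sizeof src, 16, &out);
    int ok = st == EFI_SUCCESS && out != NULL && memcmp(out, src, sizeof src) == 0 && g_alloc_calls == 1;
    if (out) gBS->FreePool(out);
    return ok && g_free_calls == 1;
}
int TestCopyRejectsOversize(void) {
    MockBootServicesInstall();
    const uint8_t src[8] = {0};
    uint8_t *out = NULL;
    EFI_STATUS st = CopyBlobToPool(src, sizeof src, 4, &out);
    return st == EFI_INVALID_PARAMETER && out == NULL && g_alloc_calls == 0;
}
int TestCopyPropagatesAllocFailure(void) {
    MockBootServicesInstall();
    g_fail_next_alloc = 1;
    const uint8_t src[2] = {9, 9};
    uint8_t *out = NULL;
    EFI_STATUS st = CopyBlobToPool(src, sizeof src, 2, &out);
    return st == EFI_OUT_OF_RESOURCES && out == NULL && g_alloc_calls == 1;
}

int main(void) {
    return (TestCopyHappyPath() && TestCopyRejectsOversize() && TestCopyPropagatesAllocFailure()) ? 0 : 1;
}
```

The point of routing every service call through the gBS table is that the code under test is unchanged between firmware and host; only the table it is handed differs, which is the same seam a tool like UTTOS has to exploit when it generates mocks from the build configuration.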
Redfish Emerges as an Interoperability Standard for SDI
The world’s data centers are working to adopt Software Defined Infrastructure (SDI) – but they are far from reaching their goals. The single biggest challenge in SDI is achieving interoperability between many kinds of hardware. Without that, a data center’s systems become a Tower of Babel, preventing IT system admins from seeing a unified view of all resources – and managing them. Built to leverage virtualized infrastructure, SDI will be easier to achieve if there are more bridges between platforms – leading to better management. This blog focuses on an emerging management standard called Redfish, which is designed to help make SDI a day-to-day reality for hybrid cloud.[…]
http://hurwitz.com/blogs/bozmanblog/entry/redfish-emerges-as-an-interoperability-standard-for-sdi
Manager, Firmware (Oculus)
As a Firmware Engineering Manager at Oculus you will lead, manage, and inspire engineering teams developing next-generation platforms for virtual reality. Firmware for VR systems spans multiple target classes, requires deep collaboration across engineering disciplines and the full software stack (from content to RTL), and directly impacts user immersion. You’ll guide architecture and delivery of highly performant and reliable firmware across multiple platforms and product lines. The ideal candidate will have deep embedded system technical knowledge along with a passion for building top teams who deliver great consumer products focused on incredible customer experiences.[…]
US farmers are asking for open source tractor hardware and firmware, resorting to using aftermarket firmware:
[…]A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for “crop loss, lost profits, loss of goodwill, loss of use of equipment … arising from the performance or non-performance of any aspect of the software.” The agreement applies to anyone who turns the key or otherwise uses a John Deere tractor with embedded software. It means that only John Deere dealerships and “authorized” repair shops can work on newer tractors.[…]
[…] I went searching for one of the forums where pirated John Deere firmware is sold. After I found it, I couldn’t do much of anything without joining. I was sent an email with instructions, which required me to buy a $25 dummy diagnostic part from a third-party website. Instead of the part, I was sent a code to join the forum. Once I was on it, I found dozens of threads from farmers desperate to fix and modify their own tractors. According to people on the forums and the farmers who use it, much of the software is cracked in Eastern European countries such as Poland and Ukraine and then sold back to farmers in the United States.[…]
[…] Farmers worry what will happen if John Deere is bought by another company, or what will happen if the company decides to stop servicing its tractors. And so they have taken matters into their own hands by taking control of the software themselves. “What happens in 20 years when there’s a new tractor out and John Deere doesn’t want to fix these anymore?” the farmer using Ukrainian software told me. “Are we supposed to throw the tractor in the garbage, or what?”[…]
Here are some statistics on the U-Boot project, from a U-Boot list posting by Wolfgang Denk of DENX Software Engineering. The full list is at the URL below; the subset below shows only the top contributing companies. Wolfgang's posting also lists the top individuals.
Processed 664 csets from 126 developers
26 employers found
A total of 41330 lines added, 31385 removed (delta 9945)
Top changeset contributors by employer
(Unknown) 170 (25.6%)
Socionext Inc. 105 (15.8%)
Google, Inc. 88 (13.3%)
NXP 80 (12.0%)
Konsulko Group 42 (6.3%)
Texas Instruments 28 (4.2%)
Samsung 26 (3.9%)
Xilinx 26 (3.9%)
ARM 20 (3.0%)
DENX Software Engineering 14 (2.1%)
…
Top lines changed by employer
Konsulko Group 21331 (35.5%)
(Unknown) 8685 (14.4%)
Socionext Inc. 8227 (13.7%)
NXP 8112 (13.5%)
Google, Inc. 5308 (8.8%)
DENX Software Engineering 1904 (3.2%)
ST Microelectronics 1801 (3.0%)
Openedev 1105 (1.8%)
Samsung 866 (1.4%)
CompuLab 844 (1.4%)
…
Employers with the most signoffs (total 111)
NXP 28 (25.2%)
Xilinx 16 (14.4%)
DENX Software Engineering 15 (13.5%)
Samsung 13 (11.7%)
(Unknown) 9 (8.1%)
Google, Inc. 9 (8.1%)
Collabora Ltd. 6 (5.4%)
ARM 5 (4.5%)
Intel 4 (3.6%)
Socionext Inc. 3 (2.7%)
…
Employers with the most hackers (total 128)
(Unknown) 65 (50.8%)
NXP 17 (13.3%)
Texas Instruments 7 (5.5%)
Xilinx 4 (3.1%)
DENX Software Engineering 4 (3.1%)
Google, Inc. 3 (2.3%)
Intel 3 (2.3%)
Socionext Inc. 3 (2.3%)
Samsung 2 (1.6%)
Collabora Ltd. 2 (1.6%)
…
More info:
http://www.denx.de/wiki/U-Boot/UbootStat_2017_03
https://lists.denx.de/listinfo/u-boot
Intel launched Optane hardware recently, and there are a few Optane-related blog posts on Intel.com:
“New era of memory and it’s not a DRAM. I believe March 19th, 2017 is one of the most exciting days in the Non-Volatile industry when Intel® Optane™ SSD DC P4800X was introduced.[…]”
http://itpeernetwork.intel.com/optane-intel-memory-drive-technology
http://itpeernetwork.intel.com/intel-optane-ssds-aerospike-new-level-fast
http://itpeernetwork.intel.com/applying-intel-optane-ssds-to-mysql-part-1-fast-storage/
http://www.intel.com/content/www/us/en/architecture-and-technology/intel-optane-technology.html
MCUBoot is a secure bootloader for 32-bit MCUs. The goal of MCUBoot is to define a common infrastructure for the bootloader, system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade. MCUboot is operating system and hardware independent, and relies on hardware porting layers from the operating system it works with. Currently mcuboot works with both the Apache Mynewt and Zephyr operating systems, but more ports are planned in the future. The MCUBoot project was originally taken from the Apache Mynewt operating system, which had secure boot and software upgrade functionality intrinsic to it. Currently development is heads down on a first release of MCUboot that works across both the Zephyr operating system and Apache Mynewt operating system.[…]
https://github.com/runtimeco/mcuboot
http://connect.linaro.org/resource/bud17/bud17-100/
There are news reports that AMD AGESA has been updated. AMD has a developer section on its web site, but I wish it included a section with AGESA news, as the Intel FSP site does.
https://www.dvhardware.net/article66244.html
https://www.bit-tech.net/news/hardware/2017/03/21/amd-ryzen-fma3-fix-promise/1
https://www.overclock3d.net/news/cpu_mainboard/amd_has_reportedly_released_new_agesa_microcode_for_ryzen/1
https://www.hardocp.com/news/2017/03/20/new_amd_agesa_microcode_in_wild_uefi
Welcome to Travel 2.0, where every device you carry must now pass through a potential Evil Maid attack by the TSA equivalent of each country you visit, starting with the US. 😦
http://gizmodo.com/the-us-may-have-banned-electronics-on-middle-eastern-fl-1793457809
http://onemileatatime.boardingarea.com/2017/03/20/airplane-electronics-ban/
http://www.reuters.com/article/us-usa-airlines-electronics-idUSKBN16R2JN
[…] Do you want to get your hands on the most cutting edge technology before it reaches the Market? Intel’s SW group is looking for a talented Security Researcher. In this position you will work on ensuring security aspects of Intel software and firmware products. You will be a member of the security evaluation team, located in Haifa, encompassing all aspects of the architecture, design and implementation. What your day will look like (when you are not working on your own personal initiatives): Identify flaws and vulnerabilities in complex secure systems. Reverse engineering and white box SW analysis. Working with software, hardware, embedded systems, cryptography etc. […]
http://jobs.intel.com/ShowJob/Id/1038620/Security%20Researcher%20%20Software%20Group
Hastily-written news/info on the firmware security/development communities, sorry for the typos.