https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-offer.php
CHIPSEC training at RECon Montreal:
https://recon.cx/2017/montreal/training/trainingfirmware.html
From 2015, something I missed because I didn’t know Go then. ;-(
U-root: A Go-based, Firmware Embeddable Root File System with On-demand Compilation
Ronald G. Minnich, Google; Andrey Mirtchovski, Cisco
U-root is an embeddable root file system intended to be placed in a FLASH device as part of the firmware image, along with a Linux kernel. The program source code is installed in the root file system contained in the firmware FLASH part and compiled on demand. All the u-root utilities, roughly corresponding to standard Unix utilities, are written in Go, a modern, type-safe language with garbage collection and language-level support for concurrency and inter-process communication. Unlike most embedded root file systems, which consist largely of binaries, U-root has only five: an init program and 4 Go compiler binaries. When a program is first run, it and any not-yet-built packages it uses are compiled to a RAM-based file system. The first invocation of a program takes a fraction of a second, as it is compiled. Packages are only compiled once, so the slowest build is always the first one, on boot, which takes about 3 seconds. Subsequent invocations are very fast, usually a millisecond or so. U-root blurs the line between script-based distros such as Perl Linux and binary-based distros such as BusyBox; it has the flexibility of Perl Linux and the performance of BusyBox. Scripts and builtins are written in Go, not a shell scripting language. U-root is a new way to package and distribute file systems for embedded systems, and the use of Go promises a dramatic improvement in their security.
Video and audio on first URL.
https://www.usenix.org/conference/atc15/technical-session/presentation/minnich
I missed this blog post from SuSE from last year:
[…]One UEFI topic that I noticeably did not address in this blog is secure boot. This was actually covered extensively in three previous blogs. To read those blogs do a search for “Secure Boot” at suse.com. I also did not address the comparison of UEFI and BIOS from the operating systems perspective in this blog. That is a separate blog that was released at the same time as this one (Comparison of UEFI and BIOS – from an operating system perspective). Please read it too. Hopefully this gives you some helpful information about the transition from BIOS to UEFI, on the hardware side. You can find more information about SUSE YES Certification at https://www.suse.com/partners/ihv/yes/ or search for YES CERTIFIED hardware at https://www.suse.com/yessearch/. You can also review previous YES Certification blogs at YES Certification blog post[…]
https://www.suse.com/communities/blog/comparison-uefi-bios-hardware-perspective/
D bindings for UEFI specifications, based on the headers from EDK II 2015. They allow to compile fully functional EFI executables without assembly or C bootstrapping, it boots directly to D 🙂 They can be used to build UEFI-compatible applications and drivers in the D Programming Language. Sample “Hello, world” program is provided, with source and a linux script to compile[…]
http://forum.dlang.org/thread/kjmjtauonvlxhdaqcpij@forum.dlang.org
https://github.com/kubasz/uefi-d
http://code.dlang.org/packages/uefi-d
https://github.com/kubasz/uefi-d/blob/master/sample/photo.jpg?raw=true
https://twitter.com/kayseesee/status/832664911578664960
Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches
Oleksii Oleksenko, Dmitrii Kuvaiskii, Pramod Bhatotia, Pascal Felber, Christof Fetzer
(Submitted on 2 Feb 2017)
Memory-safety violations are a prevalent cause of both reliability and security vulnerabilities in systems software written in unsafe languages like C/C++. Unfortunately, all the existing software-based solutions to this problem exhibit high performance overheads preventing them from wide adoption in production runs. To address this issue, Intel recently released a new ISA extension – Memory Protection Extensions (Intel MPX), a hardware-assisted full-stack solution to protect against memory safety violations. In this work, we perform an exhaustive study of the Intel MPX architecture to understand its advantages and caveats. We base our study along three dimensions: (a) performance overheads, (b) security guarantees, and (c) usability issues. To put our results in perspective, we compare Intel MPX with three prominent software-based approaches: (1) trip-wire – AddressSanitizer, (2) object-based – SAFECode, and (3) pointer-based – SoftBound. Our main conclusion is that Intel MPX is a promising technique that is not yet practical for widespread adoption. Intel MPX’s performance overheads are still high (roughly 50% on average), and the supporting infrastructure has bugs which may cause compilation or runtime errors. Moreover, we showcase the design limitations of Intel MPX: it cannot detect temporal errors, may have false positives and false negatives in multithreaded code, and its restrictions on memory layout require substantial code changes for some programs.
https://arxiv.org/abs/1702.00719
See also:
https://intel-mpx.github.io/
https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions
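As an added illustration of the pointer-based bounds checking the paper benchmarks (example code written for this post, not the authors' or Intel's), the following C models an MPX-style bounds register in software: bounds are created from the allocation size (the BNDMK step), and every access is checked against the lower and upper bound (the BNDCL/BNDCU steps). The `bounded_ptr` type and the helper names are this example's own. It shows a spatial overflow being caught and, matching the paper's caveat, a use-after-free inside the old bounds passing the check, because bounds carry no liveness information.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Software model of an MPX-style bounds register: a raw pointer plus the
 * [lower, upper] byte range it may legally touch (hypothetical type name). */
typedef struct {
    char *ptr;
    uintptr_t lower;   /* first valid address (BNDMK lower bound) */
    uintptr_t upper;   /* last valid address (MPX keeps the one's complement) */
} bounded_ptr;

/* Equivalent of BNDMK: derive bounds from an allocation of len bytes. */
static bounded_ptr bnd_make(void *p, size_t len)
{
    bounded_ptr b;
    b.ptr = (char *)p;
    b.lower = (uintptr_t)p;
    b.upper = (uintptr_t)p + (len ? len - 1 : 0);
    return b;
}

/* Equivalent of BNDCL + BNDCU before an n-byte access at byte offset off.
 * Returns 1 if the whole access lies inside the bounds, 0 on a violation. */
static int bnd_check(const bounded_ptr *b, size_t off, size_t n)
{
    uintptr_t first = (uintptr_t)b->ptr + off;
    uintptr_t last;
    if (n == 0)
        return 1;
    last = first + (n - 1);
    if (first < b->lower)                 /* BNDCL fault */
        return 0;
    if (last > b->upper || last < first)  /* BNDCU fault (or address wrap) */
        return 0;
    return 1;
}

/* Checked memcpy into the bounded buffer; refuses the copy on violation. */
static int bnd_store(bounded_ptr *b, size_t off, const void *src, size_t n)
{
    if (!bnd_check(b, off, n))
        return 0;
    memcpy(b->ptr + off, src, n);
    return 1;
}

/* Spatial safety: a 24-byte copy into a 16-byte heap object is caught. */
int demo_spatial_overflow(void)
{
    char *buf = malloc(16);
    bounded_ptr b;
    char payload[24];
    int accepted;
    if (!buf)
        return -1;
    b = bnd_make(buf, 16);
    memset(payload, 'A', sizeof payload);
    accepted = bnd_store(&b, 0, payload, sizeof payload);
    free(buf);
    return accepted;        /* 0: the bounds check rejected the overflow */
}

/* In-bounds writes at both edges of the object are allowed. */
int demo_in_bounds(void)
{
    char *buf = malloc(16);
    bounded_ptr b;
    int ok;
    if (!buf)
        return -1;
    b = bnd_make(buf, 16);
    ok = bnd_store(&b, 0, "head", 4) && bnd_store(&b, 12, "tail", 4);
    free(buf);
    return ok;              /* 1 */
}

/* Temporal safety: after free() the bounds still describe the dead object,
 * so a use-after-free within the old range passes the check. This is the
 * "cannot detect temporal errors" limitation the paper describes. Only the
 * check runs here; the freed memory is deliberately not touched. */
int demo_temporal_miss(void)
{
    char *buf = malloc(16);
    bounded_ptr b;
    if (!buf)
        return -1;
    b = bnd_make(buf, 16);
    free(buf);
    return bnd_check(&b, 0, 8);   /* 1: passes although the object is gone */
}

int main(void)
{
    printf("spatial overflow accepted: %d (expect 0)\n", demo_spatial_overflow());
    printf("in-bounds writes accepted: %d (expect 1)\n", demo_in_bounds());
    printf("use-after-free passes check: %d (expect 1)\n", demo_temporal_miss());
    return 0;
}
```

The temporal case is the point to take away: a bounds-only scheme, hardware or software, needs a separate mechanism (quarantine, allocation identifiers, or a tripwire approach like AddressSanitizer's redzones plus delayed reuse) before it says anything about use-after-free.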
Hackaday has a good article on Linux SPI:
https://fosdem.org/2017/schedule/event/kernel_spi_subsystem/
TG165 Tools: This repository contains tools for extending the functionality of the low-end FLIR TG165 thermal camera. With these tools, you can add alternate functionality to your TG165 without having to replace its original firmware.
* A simple utility (fwutil.py) and python module (tg165) that can pack and unpack FLIR Upgrade.bin firmware images.
* A simple utility (compose-fw.py) that can be used to build firmware-upgrade files that contain multiple programs.
* A simple assembly bootstrap (boot_select) that allows you to select between multiple programs on device startup.
* A DFU “alternate-bootloader” (alt_bootloader) that allows you to upload custom programs via USB without disrupting the main one. This should enable rapid development!
* An (example) firmware payload that allows you to dump the TG165’s FLIR-provided bootloader.
Marc Kleine-Budde of Pengutronix gives a talk at the Embedded Linux Conference Europe (ELCE), on using Verified Boot.
Protecting Linux devices with verified boot, from ROM to Userspace
https://www.linux.com/news/event/elcna/2017/2/verified-boot-rom-userspace
Supported hardware: Intel® Edison, Intel® Joule, NXP Pico i.MX6UL, Raspberry Pi
https://github.com/androidthings
https://developer.android.com/things/hardware/index.html
https://developer.android.com/things/index.html
https://developer.android.com/things/preview/index.html
https://developer.android.com/things/hardware/developer-kits.html
https://android-developers.googleblog.com/2017/02/android-things-developer-preview-2.html


https://www.heise.de/security/meldung/BIOS-UEFI-mit-Ransomware-infiziert-3630662.html
From Google Translate:
[…]”This year’s edition of “Hacking Exposed”, presented for years at the RSA Conference, was filled by Cylance boss Stuart McClure and his co-workers with two hacks of a more unusual kind: in one of the live demos, they infected the Unified Extensible Firmware Interface (UEFI) of a current Gigabyte motherboard (Intel Skylake) with an encryption trojan. According to McClure, mainboards from other manufacturers are also attackable; one only has to adjust the payload to the UEFI variant.”[…]
No pointer to sources AFAICT, please leave a Comment on the blog if you have a URL.
[…]We recently announced a new addition to Metasploit to help you do exactly that: the Hardware Bridge API. The Hardware Bridge API extends Metasploit’s capabilities into the physical world of hardware devices. Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware. From within Metasploit you can now branch out into a Metasploit compatible hardware device to remotely control and use it for your penetration testing needs.[…]
https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix
The latest version of RU has been released. RU is a firmware utility by James Wang, built as a UEFI (ru.efi) or an MS-DOS (ru.exe) binary. It is closed-source freeware; see the blog post for the password to the password-protected ZIP, as well as the list of new features.
“Helsinki, Finland – February 16, 2017: Cyber security company F-Secure has acquired privately-held company Inverse Path, an industry leader in providing security services to the avionics, automotive, and industrial control sectors. Inverse Path’s expertise in hardware security and the safety of critical embedded systems strengthens F-Secure’s position as a service provider for businesses in critical sectors with challenging IT infrastructure.[…]”
https://www.f-secure.com/en/web/press_global/news/news-archive/-/journal_content/56/1075444/1906310
Linaro does regular drops of its core tools; these days they are built on GCC 6.x, which brought a few new language features and target-architecture features. Excerpting the Linaro announcement:
The Linaro GCC 6.3-2017.02 Release is now available. […] The Linaro binary toolchain is a collection of x86-hosted GNU cross-toolchains targeting a variety of ARM architecture targets. Linaro TCWG provides these toolchains as a service to our members. Due to hardware availability, system-image availability, validation complexity, and user-base size, not all host and target toolchain combinations can be validated by Linaro with the same rigor. The most rigorously validated targets are little-endian and hardfloat implementations of the 32-bit ARMv7 (arm), 32-bit ARMv8 (armv8), and 64-bit ARMv8 (aarch64) architectures. Linaro recommends those targets to our members. […] The host system upon which the cross-compiler will run requires a minimum of glibc 2.14, because of API changes to glibc’s memcpy API. Linaro recommends using the 64-bit x86_64 host toolchains as the 32-bit i686 host toolchains and the 32-bit mingw host toolchains will only be provided as long as there is sufficient member interest to justify their continued availability. […] The GCC 6 Release series has significant changes from the GCC 5 release series. For an explanation of the changes please see the following website[1]. For help in porting to GCC 6 please see the following explanation[2]. […]
[1] https://gcc.gnu.org/gcc-6/changes.html
[2] https://gcc.gnu.org/gcc-6/porting_to.html
https://gcc.gnu.org/onlinedocs/
http://releases.linaro.org/components/toolchain/gcc-linaro/6.3-2017.02/
http://releases.linaro.org/components/toolchain/binaries/6.3-2017.02/
http://snapshots.linaro.org/components/toolchain/binaries/
See the full announcement for more details:
https://lists.linaro.org/mailman/listinfo/linaro-toolchain
Hastily-written news/info on the firmware security/development communities, sorry for the typos.