MuSupport: A VS Code extension to support Project Mu

Matthew Carlson has written a Visual Studio Code plugin for Microsoft’s Project Mu.

https://github.com/matthewfcarlson/musupport

Matthew: if you’re reading this, please consider also supporting Tianocore/EDK2, not just Project Mu, as there is no Tianocore extension for VSCode, so your project would be useful to another community as well.

For other open source IDE support for UEFI, there’s an Eclipse plugin and Visual Studio-based VisualUEFI. For closed-source IDE support, there is Intel ISS and ARM DS-5. Maybe others, I’m not aware of, if you know of one, please leave a Comment.

https://firmwaresecurity.com/2015/08/15/new-tool-visual-uefi-for-windows/

https://firmwaresecurity.com/2015/10/12/eclipse-edk2-plugin/

checkm8: permanent unpatchable bootrom exploit for hundreds of millions of iOS devices

There is an interesting iOS bootloader exploit that is causing excitement in the iPhone security researcher community:

https://github.com/axi0mX/ipwndfu

DMTF releases SPDM (Security Protocol and Data Model) 0.95 spec

DMTF has a new version of the Security Protocol and Data Model (SPDM) spec.

“The SPDM Specification provides message exchange, sequence diagrams, message formats, and other relevant semantics for authentication, firmware measurement, and certificate retrieval.”

https://www.dmtf.org/content/dmtf-releases-new-wip-update-its-security-protocol-and-data-model-spdm-specification

https://www.dmtf.org/content/dmtf-shares-plans-session-keys-spdm-11
https://www.dmtf.org/sites/default/files/standards/documents/DSP0275_0.95a.zip

Intel: A New Memory Type against Speculative Side Channel Attacks

Intel has a new paper on side channel attacks:

A New Memory Type against Speculative Side Channel Attacks

https://github.com/intelstormteam/Papers/blob/master/2019-A_New_Memory_Type_Against_Speculative_Side_Channel_Attacks_v1.42.pdf

Linaro works with Riscure to secure the TEE ecosystem

Linaro Ltd, the open source collaborative engineering organization developing software for the Arm® ecosystem, today announced together with Riscure their collaboration enabling developers to deliver secure and robust TEE-based solutions. Under the terms of this partnership, Riscure, the globally recognized expert in embedded security research, will contribute to OP-TEE security with regular code review and fuzzing campaigns. OP-TEE is an open source project maintained by the Trusted Firmware project. Both projects are hosted by Linaro and work to provide security for Arm-based solutions. Riscure has created an open-source fuzzing tool specifically designed for OP-TEE.[…]

https://www.linaro.org/news/linaro-works-with-riscure-to-secure-the-tee-ecosystem/

https://www.riscure.com/news/linaro-works-with-riscure-to-secure-the-tee-ecosystem/

SVD-Loader for Ghidra: Simplifying bare-metal ARM reverse engineering

https://github.com/leveldown-security/SVD-Loader-Ghidra

https://leveldown.de/blog/svd-loader/

Nighthawk: Transparent System Introspection from Ring -3

[…]In this paper, we propose an introspection framework called Nighthawk that transparently checks system integrity at runtime. Nighthawk leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use Nighthawk to check the integrity of the system software and firmware of a host system at runtime. The experimental results show that Nighthawk can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks.[…]

https://link.springer.com/chapter/10.1007%2F978-3-030-29962-0_11

Multiboot-Toolkit: create a multiboot device which works in UEFI or BIOS.

This looks interesting: a boot disk that does a few things. But I’m not sure what this fully does. Little documentation, most of the binaries are provided without source and come pre-zipped. (Be careful with binary-only releases, they might contain malware…) Windows-centric. But it includes multiple bootloaders, dozens of scripts and executables…

The source code (Github site) appears to be new, but there are 2 blog posts >1year old on the topic:

https://github.com/niemtin007/Multiboot-Toolkit

https://niemtin007.blogspot.com/2018/01/how-to-build-multiboot-toolkit-2.html
https://translate.google.com/translate?u=https://niemtin007.blogspot.com/2018/01/how-to-build-multiboot-toolkit-2.html

https://niemtin007.blogspot.com/2017/08/how-to-build-multiboot-toolkit.html
https://translate.google.com/translate?u=https://niemtin007.blogspot.com/2017/08/how-to-build-multiboot-toolkit.html

UEFI-QEMU-Communicator: Talk with UEFI running in QEMU through named pipes

The script can run any arbitrary command and retrieve its exit code, wait for boot and skip the 5-second prompt (and optionally skip startup.nsh), or send reset/shutdown commands. Code written in (almost) pure BASH with no subprocesses spawned. Only print function calls ‘sed’ once.

https://github.com/artem-nefedov/uefi-qemu-communicator

PS: The author also wrote UEFI-GDB.
https://github.com/artem-nefedov/uefi-gdb

INTEL-SA-00290: Intel® Data Direct I/O Technology (Intel® DDIO) and Remote Direct Memory Access (RDMA): VUSec’s NetCAT

From the VUSec site:

NetCAT shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally, intended as a performance optimization in fast networks, we show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.

Intel agrees this is a significant vulnerability, having awarded NetCAT a bounty and recommending users to “limit direct access from untrusted networks when DDIO & RDMA are enabled“. This essentially means that in untrusted network environments DDIO and/or RDMA should be disabled to provide security. To the best of our knowledge, this is the first time a major hardware vendor like Intel cautions against using a CPU feature in untrusted local networks.

https://software.intel.com/security-software-guidance/insights/more-information-netcat

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html

VuSec info:

Roadmap to TPM documentation from UEFI POV

William Leara, a UEFI firmware engineer, has a new blog post giving a roadmap to the TCG’s TPM specs:

A Roadmap to TCG’s TPM Documentation: The Trusted Platform Module (TPM) found in most computers today is a device governed by the specifications of the Trusted Computing Group (TCG). Truly grokking how a TPM operates is a daunting task: the specification for the TPM, called the TPM Library Specification, currently comes in four parts, totaling 2237 pages. (!) However, even those 2237 pages aren’t the whole story. This article provides a roadmap to the various specifications that define the TPM, in order to provide the reader with a comprehensive picture of what documentation is available, and what must be studied to acquire TPM mastery.[…]

https://www.basicinputoutput.com/2019/09/a-roadmap-to-tcgs-tpm-documentation.html

KLEE-Native, a fork of KLEE that operates on binary program snapshots by lifting machine code to LLVM bitcode

Binary symbolic execution with KLEE-Native

by Sai Vegasena, New York University, and Peter Goodman, Senior Security Engineer

KLEE is a symbolic execution tool that intelligently produces high-coverage test cases by emulating LLVM bitcode in a custom runtime environment. Yet, unlike simpler fuzzers, it’s not a go-to tool for automated bug discovery. Despite constant improvements by the academic community, KLEE remains difficult for bug hunters to adopt. We’re working to bridge this gap! My internship project focused on KLEE-Native, a fork of KLEE that operates on binary program snapshots by lifting machine code to LLVM bitcode. […]

https://github.com/trailofbits/klee