Paged Out! new zine calls for papers

A new zine is calling for content for their first issue. I’m hoping this’ll be like Phrack and POC||GTFO, but who knows…

https://gynvael.coldwind.pl/?lang=en&id=707

https://pagedout.institute/?page=cfp.php

GRUB 2.04-rc1 released

Quoting LinuxJournal:

“[…]GRUB 2.04-rc1 has been released. Phoronix reports that after nearly two years of development, this release will bring tons of changes, including “supporting multiple early initrd images, support for the F2FS file-system, a verifier framework, RISC-V support, UEFI Secure Boot shim support, Btrfs Zstd improvements, Btrfs RAID5/RAID6 support, Xen PVH support, UEFI TPM 1.2/2.0 support, and a lot of other work.[…]”

http://git.savannah.gnu.org/cgit/grub.git/

https://www.linuxjournal.com/content/grub-204-rc1-released-mozilla-designing-better-security-messages-back-door-discovered

https://www.phoronix.com/scan.php?page=news_item&px=GRUB-2.04-Release-Candidate

The Death Metal Suite: a toolkit designed to exploit Intel AMT’s legitimate features

[…]Death Metal is a toolkit designed to exploit AMT’s legitimate features, as the AMT framework’s functionality, designed for innocent system administration purposes, inadvertently allows these features to be used by hackers for surreptitious persistence. This is because many of the legitimate features violate the expectations of sysadmins and endpoint protection software. I liken AMT to “lolbins,” which is a short form of “living off the land binary,” but instead of operating at a software level, Death Metal operates from a hardware level. With the Death Metal suite, we are essentially misusing and abusing mainstream commercial functionality in unexpected ways. Within the information security community, attacks against AMT itself are not news; however, Death Metal will introduce new ways to begin attacking the AMT framework in a practical, red-team fashion.[…]

https://github.com/Coalfire-Research/DeathMetal/blob/master/README.md

https://www.coalfire.com/The-Coalfire-Blog/April-2019/The-Death-Metal-Suite

4 security advisories from Intel

INTEL-SA-00239
Intel® NUC Advisory
A potential security vulnerability in system firmware for Intel NUC may allow escalation of privilege, denial of service, and/or information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00239.html

INTEL-SA-00238
Intel® Core Processors Memory Mapping Advisory
A potential security vulnerability in some microprocessors may allow information disclosure.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00238.html

INTEL-SA-00236
Intel® Graphics Performance Analyzer for Linux Advisory
A potential security vulnerability in Intel® Graphics Performance Analyzer for Linux may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00236.html

INTEL-SA-00201
Intel® Media SDK Advisory
A potential security vulnerability in Intel® Media SDK may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00201.html

Bushwacking your way around a bootloader (U-Boot)

 

Bushwacking your way around a bootloader
Rebecca (.bx) Shapiro

Even when you have access to some binary’s source code, it can still be challenging to un- derstand said software. In this talk, I will discuss the techniques and tools I developed in order to understand and navigate the pile of code that is the open-source Das U-Boot bootloader. The tools I developed do not rely on proprietary software and instead make use of free and powerful debugging tools such as Capstone, Unicorn, and the GDB Python plugin API. My approach strives to highlight the temporal and mechanical connections that exist between higher-level behaviors and regions of the code base/binary by instrumenting, tracing, and analyzing all memory writes with respect to the software’s current execution path. This technique allows us to develop and test our understanding of the relationships between code and objects (data structures and/or regions of memory). I will discuss how these tools and techniques can be used to identify and distinguish between different phases of U-Boot execution (including distinct phases of initialization and relocation) and then show how such information can be used to design a coarse-grained memory region-based access control policy.

https://kernelcon.org/agenda#bushwacking

https://typedregions.com/kernelcon-bx.pdf

LeachAgent: related tool for PCILeech

The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments. The LeechAgent provides an easy, but yet high performant and secure, way of accessing and querying the physical memory (RAM) of a remote system. Mount the remote memory with MemProcFS as an easy point-and-click file system – perfect for quick and easy triage. Dump the memory over the network with PCILeech. Query the physical memory using the MemProcFS Python API by submitting analysis scripts to the remote host! Do all of the above simultaneously.[…]

http://blog.frizk.net/2019/04/LeechAgent.html

Nikolaj summarizes UEFI 2.8 spec changes in 9 tweets

Re: https://firmwaresecurity.com/2019/04/04/uefi-2-8-released/

Nikolaj is right on schedule with his analysis of the changes in this spec. Click on the below tweet, there are about a series of 9 tweets with his highlights of the UEFI 2.8 spec:

 

Eclypsium: Firmware Needs to Be Part of Your Incident Response Playbook

Eclypsium has a new whitepaper that talks about IR and firmware.

https://eclypsium.com/2019/04/02/firmware-needs-to-be-part-of-your-incident-response-playbook/

Samsung: Knox Deep Dive: Knox Verified Boot

3 Apr 2019
Knox Deep Dive: Knox Verified Boot
By Phil (Programmer Writer)

With the most recent Knox 3.3 version release, the Samsung Knox team is pleased to introduce Knox Verified Boot. Knox Verified Boot (KVB) is a new solution that both extends and enhances Android Verified Boot (AVB). While AVB only checks the integrity of the kernel and platform components, KVB extends those checks to also cover the earlier bootloaders. This provides a more comprehensive guarantee a device is booting using properly signed components that are all from the same expected build. KVB performs the same type of validations as the existing Trusted Boot mechanism, but it is able to do so before the device kernel is booted, and thus provides the same data protection guarantees earlier. KVB component checks are conducted in the bootloader, and validations are made before system services are even started to help provide an even higher level of data protection. KVB is supported on Samsung S10 and above devices running the Android P operating system or later.

https://seap.samsung.com/content/knox-deep-dive-knox-verified-boot

AMI spins-off AmZetta

About AmZetta: Founded in 2019, the AmZetta team has an average of 22 years of experience in leading technologies such as BIOS, Drivers, Firmware, Linux, Networking, RAID, Remote Management, Storage and Virtualization. AmZetta is a spinoff from American Megatrends (better known as AMI) and is focused on Storage, VDI, IoT and Healthcare technologies for the data center. Headquartered in Norcross, Georgia, AmZetta has locations in the U.S. and India to better serve its customers. For more information on AmZetta, its products or services, visit AmZetta.com.

Hmm, the supplied HTTPS link to the new company did not work for me, but it worked without TLS:

https://amzetta.com/
http://amzetta.com/

 

 

Facebook releases Rust-SMT-LIB-API

An API that can be used to expose an SMT-LIB compliant SMT solver to a developer tool written in Rust. This crate provides a generic high-level API for interacting with SMT solvers. The aim of this interface is to be solver-agnostic (i.e. the user can switch between back-end SMT solvers by modifying a single line of code) and to mimic the SMT-LIB standard commands as closely as possible. Currently, Z3 is supported as a back-end. See links below for more information on SMT-LIB and Z3. See tests/test.rs for examples of how to use the interface.

https://github.com/facebookincubator/Rust-SMT-LIB-API

Store-Bench: Benchmark for various store patterns on x86

Various benchmarks mostly for streams of interleaved stores, in support of the blog post “What has your microcode done for you lately?”.

https://github.com/travisdowns/store-bench

https://travisdowns.github.io/blog/2019/03/19/random-writes-and-microcode-oh-my.html

UEFI, bootloaders, and Rust

There was a talk about UEFI programming in Rust at MadRust, the Madrid Rust Meetup:

https://github.com/aruiz/madrust-uefi-skeleton

https://drive.google.com/file/d/19Zv1jbu-leKsa0DaRWEWt0dHSeIwwqVg/view

Rust en primavera: UEFI y GTK

Thursday, Apr 4, 2019, 7:15 PM

Calle de Pradillo, 42
Calle de Pradillo, 42 Madrid, ES

36 Rustaceans Attending

Llegó la primavera, y con ella otra ración de programación de sistemas con Rust. Alberto Ruiz [1] es un Engineering Manager en Red Hat [2] en el equipo de Bootloader. En su charla se sumergirá en UEFI [3], la especificación de firmware estándar en la mayoría de sistemas Intel para consumidores; y mostrará cómo compilar un Hello World básico (y quiz…

Check out this Meetup →

NSA Ghidra becomes an open source software project

NSA has changed Ghidra from freeware to open source software.

https://github.com/NationalSecurityAgency/ghidra

https://ghidra-sre.org/

https://github.com/NationalSecurityAgency/ghidra/commits/master