Meltdown And Spectre, One Year Later

About this time last year, reports surfaced about security attacks on today’s most popular microprocessors (μPs). Researchers called them Meltdown and Spectre, gaining widespread attention. Today, however, the industry and especially μP vendors have made some progress toward stemming these vulnerabilities. Here is my analysis as we enter into 2019. […]

https://semiengineering.com/meltdown-and-spectre-one-year-later/

Practical Enclave Malware with Intel SGX

Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel’s threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user’s behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses a new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware.

https://arxiv.org/abs/1902.03256

FreeBSD gets ASLR

Implement Address Space Layout Randomization (ASLR)

With this change, randomization can be enabled for all non-fixed
mappings. It means that the base address for the mapping is selected
with a guaranteed amount of entropy (bits). If the mapping was
requested to be superpage aligned, the randomization honours the
superpage attributes.[…]

https://svnweb.freebsd.org/base?view=revision&revision=343964

Matthew Garrett: Firmware security, why it matters and how you can have it

https://2019.linux.conf.au/schedule/presentation/110/

How to Debug the Linux Kernel with QEMU and Libvirt

[…] In this article, we explain how you can debug your Linux kernel and its modules during runtime. This article will be useful for Linux kernel developers who want to speed up the time to market of their software. […]

https://www.apriorit.com/dev-blog/597-debug-linux-kernel-qemu-libvirt

Duo Labs: Deciphering the Messages of Apple’s T2 Coprocessor

In 2018, we released two whitepapers exploring Apple’s T2 coprocessor. The first paper explored the new system architecture of the late 2017 iMac Pro and 2018 MacBook Pro and how the inclusion of the T2 coprocessor enabled the secure boot and encrypted storage capabilities of this new platform. The second paper performed a deep-dive into the Secure Boot process and raised the concern that the T2 coprocessor, running a full version of BridgeOS, may expose a large attack surface. In this article, we explore the exposed services, identify the communications transport and decipher the protocols macOS uses to communicate with the T2 coprocessor. It will shock nobody that the T2 coprocessor communicates with macOS using Apple’s XPC interprocess communication mechanism. However, since the low-level workings of this communication mechanism are documented sparsely or not at all, this article aims to record not only the standard message format, but also how the T2’s use of XPC messaging appears to differ from conventional use of XPC. Building upon this understanding of the low-level communication channel, we demonstrate how one may analyze the network traffic between a macOS client and a T2 server and use this to exercise additional T2 functionality. […]

https://github.com/duo-labs/apple-t2-xpc

https://duo.com/labs/research/apple-t2-xpc

OMG Cable: Offensive MG kit, open source malicious USB cable

This page will continue to be updated with info about the cable as things progress. My intent is to make these available for many of you, and open source as much as possible.[…]

http://mg.lol/blog/omg-cable/

ACPI 6.3 spec released

The UEFI Forum has released the latest version of the ACPI spec.

Some input from Nikolaj:

UEFI PI spec updated

The UEFI Forum has released a new version of the PI spec. William’s blog entry has a copy of the relevant section of the release notes:

https://uefi.org/specifications
https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.pdf

https://www.basicinputoutput.com/2019/02/uefi-forum-releases-pi-spec-17.html

Some input from Nikolaj:

5 new security advisories from Intel

INTEL-SA-00222: Intel OpenVINO 2018 for Linux Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00222.html

INTEL-SA-00215: Intel Data Center Manager SDK Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00215.html

INTEL-SA-00214: Intel Unite Privilege Escalation Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00214.html

INTEL-SA-00200: Intel USB 3.0 eXtensible Host Controller Driver Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00200.html

INTEL-SA-00169: Intel PROSet Wireless Driver Denial of Service Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00169.html

NSA Updated Guidance on Side Channel Vulnerabilities

Re: https://firmwaresecurity.com/2019/01/28/nsa-hardware-and-firmware-security-guidance-updated/

In addition to the Markdown-based documents on Github, NSA has an updated PDF on side channel attacks, mentioned in this US-CERT announcement:

https://www.us-cert.gov/ncas/current-activity/2019/02/01/NSA-Releases-Updated-Guidance-Side-Channel-Vulnerabilities

https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/CSA_Updated_Guidance_For_Vulnerabilities_Affecting_Modern_Processors_20190130.pdf?ver=2019-01-30-142631-553

PS: Re: https://firmwaresecurity.com/2019/01/28/nsa-lojax-guidance-incorrectly-still-says-secure-boot-is-a-mitigation/
the NSA updated the Lojax guidance w/r/t Secure Boot: 🙂

https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance/commit/e2a0241cdee446fbd55a3249167a072e1bbcbce7

Indiana Innovation Institute: Trusted Microelectronics

Semiconductors are the key components that drive the operation of critical electronic systems in both the commercial and military sectors. However, the security and integrity of the microelectronics that control our electronics are under increasing hardware- and software-based attack, which puts large portions of our economy and national security at risk. The Indiana Innovation Institute is working on technologies which help to counter these attacks, increase resistance to counterfeiting, and have applications in nearly all electronic devices. The technologies under development by our team in trusted microelectronics have a number of applications including increasing reliability, anti-counterfeiting, anti-tamper, and hardware security.

https://news.iu.edu/stories/2019/02/iub/01-martin-swany-in3-indiana-innovation-institute.html

https://in3indiana.com/what-we-do/projects/trusted-microelectronics/

Fortanix: SGX enclave dev platform

https://edp.fortanix.com/