Biosup is a program designed to automate the sourcing and downloading of BIOS/UEFI from Various vendor websites. Using the config file, a user can manually set what chipset’s and vendor’s (between ASUS, ASROCK, GIGABYTE and MSI) they wish to download.

https://github.com/Rexzarrax/Biosup

See-also: UEFI-Spider

tool review: uefi-spider (and firmware_vault)

Began curating a list of Hyper-V exploitation resources, hope it can be of use to anyone interested in starting Hyper-V security research: https://t.co/uWJZo9Flh0 #ExploitDev #HyperV pic.twitter.com/fS6jAmajin

— Shogun Lab (@shogun_lab) August 15, 2019

https://github.com/shogunlab/awesome-hyper-v-exploitation

Sadly we routinely find Secure Boot issues in hardware boot ROMs. We have other boot ROM findings in the queue and we are working hard for public release.

I am thankful to Xilinx for their fast response, it is quite good that Reference Manual for the P/Ns will be updated. https://t.co/pVzwOPSaSE

— Andrea Barisani (@AndreaBarisani) August 12, 2019

https://blog.f-secure.com/hardware-security-team-says-flawed-secure-boot-schemes-becoming-too-common/

https://www.xilinx.com/support/answers/72588.html

#ScrewedDrivers: Common Design Flaw In Dozens (40+) of Device Drivers Allows Widespread Windows Compromisehttps://t.co/RDGG8iw8Sp

DEF CON slides: https://t.co/jO6EEoFebZ [PDF] pic.twitter.com/JQm2MH96KD

— Yuriy Bulygin (@c7zero) August 10, 2019

https://github.com/eclypsium/Screwed-Drivers

Yep, drivers, in general, are screwed. 🙂 Certified Windows drivers merely mean the drivers passed some basic tests. There are lots of gaps in how drivers are tested on Windows. (If Microsoft has open-sourced these tests, it would be helpful for researchers to find coverage gaps.) The UEFI SCTs are a minimum bar at feature testing, and have no security tests …and CHIPSEC only helps with security testing on Intel systems, not AMD nor ARM vendors. Does Linux have any equivalent tests for drivers, last time I looked into the LTP and some related projects it did not. Does Apple have tests like this for drivers?

Richard Hughes, of the Linux FWUpd project, has a new blog post about the new Microsoft UEFI update mechanism, CFU (Component Firmware Update):

https://twitter.com/hughsient/status/1161946736551780353

Musings on the Microsoft Component Firmware Update (CFU) Protocol

Musings on the Microsoft Component Firmware Update (CFU) Protocol

Musings on the Microsoft Component Firmware Update (CFU) Protocol

https://github.com/microsoft/CFU

Musings on the Microsoft Component Firmware Update (CFU) Protocol

PS: When you see duplicate URLs in a post, like above, it is because the WordPress web UI for pasting URLs is broken. 😦

The security of computer systems is a very important topic for many years. It has been taken into the account in the OSes and applications for a long time. However, security of the firmware and boot process has not been taken so seriously until recently. Now that is changing. Firmware is more often being designed with security in mind. Boot processes are also evolving. There are many security solutions available there and even some that are now becoming common. However, they are often not complete solutions and solve problems only partially. So, it is good time to integrate various approaches and build full top-down solutions. There is a lot happening in that area right now. New projects arise, e.g. TrenchBoot, and they meet various design, implementation, validation, etc. obstacles. The goal of this microconference is to foster a discussion of the various approaches and hammer out, if possible, the best solutions for the future. Perfect sessions should discuss various designs and/or the issues and limitations of the available security technologies and solutions that were encountered during the development process. […]Expected topics: TPMs, SRTM and DRTM, Intel TXT, AMD SKINIT, attestation, UEFI secure boot, IMA, Intel SGX, boot loaders, firmware, OpenBMC, etc.

https://linuxplumbersconf.org/event/4/page/21-lpc-2019-overview

https://linuxplumbersconf.org/event/4/page/34-accepted-microconferences#security

Some presentation abstracts are online, eg:

Non-UEFI-aware measured boot using coreboot, GRUB and TPM2.0
https://linuxplumbersconf.org/event/4/contributions/517/

Secure and Trusted boot in OpenBMC
https://linuxplumbersconf.org/event/4/contributions/515/

FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation by Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu and Limin Sun at USENIX Security'19.https://t.co/iPfh9yjVhL

— Emmanuel Fleury (@perr0r) August 13, 2019

By: Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun

Cyber attacks against IoT devices are a severe threat. These attacks exploit software vulnerabilities in IoT firmware. Fuzzing is an effective software testing technique for vulnerability discovery. In this work, we present FIRM-AFL, the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it addresses compatibility issues by enabling fuzzing for POSIX-compatible firmware that can be emulated in a system emulator. Second, it addresses the performance bottleneck caused by system-mode emulation with a novel technique called augmented process emulation. By combining system-mode emulation and user-mode emulation in a novel way, augmented process emulation provides high compatibility assystem-mode emulation and high throughput as user-mode emulation. Our evaluation results show that (1) FIRM-AFL is fully functional and capable of finding real-world vulnerabilities in IoT programs; (2) the throughput of FIRM-AFL is on average 8.2 times higher than system-mode emulation based fuzzing; and (3) FIRM-AFL is able to find 1-day vulnerabilities much faster than system-mode emulation based fuzzing, and is able to find 0-day vulnerabilities.

https://www.cs.ucr.edu/~heng/pubs/FirmAFL.pdf

https://www.usenix.org/conference/usenixsecurity19/presentation/zheng

https://github.com/zyw-200/FirmAFL

[Have not found the source code to this; if you do, please put the URL in a Comment to this blog post. Thanks.]

In this work, we present AFLtar, a coverage-guided fuzzer for embedded firmware. AFLtar leverages avatar 2 , an orchestration framework for dynamic analysis, along with the American Fuzzy Lop coverage-guided fuzzer and the AFL-Unicorn CPU emulator. The goal of AFLtar is to reduce the cost of embedded fuzzing by providing a platform that can be used to quickly setup a firmware fuzzing job, while reaping the benefits of modern, feedback-driven fuzzing strategies.

https://siagas.math.unipd.it/siagas/getTesi.php?id=2030

My latest post: Understanding modern UEFI-based platform boot https://t.co/lG1pfyXVYl
Complete with some possibly half-baked rambling thoughts on DRTM at the end pic.twitter.com/5kpOGNUJGs

— David Kaplan (@depletionmode) August 14, 2019

https://depletionmode.com/uefi-boot.html

Arca Noae, the company that bought OS/2 from IBM, is adding UEFI support:

https://www.arcanoae.com/arca-noae-progress-report-arcaos-on-uefi-only-hardware/

Going off-topic: When OS/2 was created, IBM wanted to move from the OEM-cloneable IBM PC to the PS/2 system, which had ABIOS, a reentrant protect mode BIOS. Microsoft had to do a clean-room reverse engineering of the IBM PS/2 ABIOS. For Microsoft OEMs, ABIOS was a PITA for OEMs who wanted a full clone of OS/2. IBM did not publish a Technical Manual with the source code to ABIOS, unlike BIOS. 🙂

[Builds on Linux, using the GNU-EFI toolchain.]

EFI program printing Intel Message Check errors. The program starts by looking for previous Message Check errors by reading content of Message-Specific Registers (MSRs). Then new Message Check errors are displayed.

https://github.com/emvivre/uefi_message_check_error

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system)

https://usbguard.github.io/
https://github.com/dkopecek/usbguard/

A nice paper on using Unicorn+AFL to fuzz arbitrary parsers in OS kernel, without requiring kernel source code.https://t.co/s0LivoLMl6

Tool: https://t.co/y6f5zZihlY

— Unicorn Engine (@unicorn_engine) August 14, 2019

Click to access woot19-paper_maier.pdf

https://github.com/fgsect/unicorefuzz

Because embedded security guys are awesome, they need an awesome list. Here it is: https://t.co/jwx3Wg2X0s
Contributions welcome👍

— FACT_core (@FAandCTool) August 13, 2019

From the makers of the FACT firmware tool:

https://github.com/fkie-cad/awesome-embedded-and-iot-security

See-also: https://github.com/PreOS-Security/awesome-firmware-security and
https://github.com/uefitech/resources and
https://firmwaresecurity.com/2018/11/25/awesome-uefi/ and

This is a monitoring plugin to check components and health status of systems which support Redfish.[…]

https://github.com/bb-Ricardo/check_redfish

[…]Here’s the short answer: you can’t prevent it — at least, not entirely.[…]

How to Prevent Android Rooting

The post-DEF CON/Black Hat queue: 🙂

Intel® Computing Improvement Program Advisory
INTEL-SA-00283
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00283.html

Intel® Processor Identification Utility for Windows* Advisory
INTEL-SA-00281
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00281.html

Intel® Remote Displays SDK Advisory
INTEL-SA-00277
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00277.html

Intel® Driver & Support Assistant Advisory
INTEL-SA-00276
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00276.html

Intel® Authenticate Advisory
INTEL-SA-00275
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00275.html

Intel® NUC Advisory
INTEL-SA-00272
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00272.html

Intel® RAID Web Console 2 Advisory
INTEL-SA-00246
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00246.html

Paged Out! #1 is out! (and it's free to download!)https://t.co/XT3HXa7gH3
There are 57 articles in 12 categories:
Electronics
Programming
Assembly
Reverse Engineering
Sec/Hack
Retro
File Formats
Algorithmics
SysAdmin
Radio
Phreaking
OS Internals
Enjoy! #PagedOut!

— Gynvael Coldwind (@gynvael) August 10, 2019

WOW, the response to #pagedout is amazing 🙂
In a little over 24h we hit 50 000 downloads, and the counter is still spinning (56657 atm).
Awesome 🙂

— Gynvael Coldwind (@gynvael) August 12, 2019

https://pagedout.institute/

Click to access PagedOut_001_beta1.pdf

See-also: related zines like Phrack and POC||GTFO.

Firmware Slap: Automating the discovery of exploitable vulnerabilities in Firmwarehttps://t.co/vEuWCxzDon

— Nicolas Krassas (@Dinosn) August 11, 2019

Firmware slap combines concolic analysis with function clustering for vulnerability discovery and function similarity in firmware. Firmware slap is built as a series of libraries and exports most information as either pickles or JSON for integration with other tools.

https://github.com/ChrisTheCoolHut/Firmware_Slap