D. Mantz et al., “InternalBlue – Bluetooth Binary Patching and Experimentation Framework” […we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware…]https://t.co/hmTdTc31eV

— Arrigo Triulzi (@cynicalsecurity) July 16, 2019

Our @reconmtl slides on InternalBlue and binary patching for Broadcom Bluetooth firmware are available online. //@dennismantz https://t.co/7zSS1Nj4OI pic.twitter.com/Iv0Lz3I3J6

— @seemoo@infosec.exchange (@seemoolab) July 2, 2019

https://github.com/seemoo-lab/internalblue

https://arxiv.org/abs/1905.00631

https://drive.google.com/file/d/1Ze3s7_1n0mIl5odiUvbkPk-vywVZMtKq/view

Several Broadcom/Cypress Bluetooth firmwares and their firmware update mechanism have been reverse engineered. Based on that we developed a Bluetooth experimentation framework which is able to patch the firmware and therefore implement monitoring and injection tools for the lower layers of the Bluetooth protocol stack.

Finite State supply chain assessment of Huawei devices.
76 firmware had default root user w/hardcoded password that could log in over the SSH protocol. 8 firmware had pre-computed authorized_keys hardcoded. 424 firmware contained hardcoded private SSH keyshttps://t.co/MvGBM4szy6

— Chris Wysopal (@WeldPond) July 16, 2019

Some have pointed out that this may not be much different from any other device supplier with thousands of different models/versions of equipment.

— Chris Wysopal (@WeldPond) July 16, 2019

Click to access Finite-State-SCA1-Final.pdf

Fuzz Driver Generation at Scale!

Check out the preprint of our @FSEconf paper at: https://t.co/cssYnAND5E

work w/ D. Babic, @sbucur, Y. Chen, @fivancic, T. King, M. Kusano, @cestlemieux, W. Wang.

See you at @FSEconf in August! #esecfse #google #fuzzing #ossfuzz

— László Szekeres (@lszekeres) July 15, 2019

At Google we have found tens of thousands of security and robustness bugs by fuzzing C and C++ libraries. To fuzz a library, a fuzzer requires a fuzz driver—which exercises some library code—to which it can pass inputs. Unfortunately, writing fuzz drivers remains a primarily manual exercise, a major hindrance to the widespread adoption of fuzzing. In this paper, we address this major hindrance by introducing the Fudge system for automated fuzz driver generation. Fudge automatically generates fuzz driver candidates for libraries based on existing client code. We have used Fudge to generate thousands of new drivers for a wide variety of libraries. Each generated driver includes a synthesized C/C++ program and a corresponding build script, and is automatically analyzed for quality. Developers have integrated over 200 of these generated drivers into continuous fuzzing services and have committed to address reported security bugs. Further, several of these fuzz drivers have been upstreamed to open source projects and integrated into the OSS-Fuzz fuzzing infrastructure. Running these fuzz drivers has resulted in over 150 bug fixes, including the elimination of numerous exploitable security vulnerabilities.

Click to access pub48314.pdf

https://ai.google/research/pubs/pub48314

My fuzzer framework is now public! https://t.co/ePcqkHpuUs

It's still a WIP, but is usable in its current form for easy mutation and binary serialization of data structures.

— lander (@landaire) July 15, 2019

https://github.com/microsoft/lain

Announcing my next book: BPF Performance Tools: Linux System and Application Observability, for which I developed over 100 new tools https://t.co/GiYiBPICo5 pic.twitter.com/FOWr4mG05U

— Brendan Gregg (@brendangregg) July 15, 2019

Brendan has maintained an EXCELLENT web site resource for Linux perf for years:

http://www.brendangregg.com/linuxperf.html

and now there is an upcoming 700-page book on the topic:

http://www.brendangregg.com/blog/2019-07-15/bpf-performance-tools-book.html

but it is not yet for sale:

http://www.informit.com/store/bpf-performance-tools-9780136554820

Did y'all hear that Python 3.8 is gonna have audit hooks that allow for security transparency?

Here's the first post in a series of how to bypass them! https://t.co/1IMh1OWDvf

— Ohm-I (Oh My) (@mcohmi) July 11, 2019

https://daddycocoaman.dev/posts/bypassing-python38-audit-hooks-part-1/

https://www.python.org/dev/peps/pep-0578/

PEP 578 — Python Runtime Audit Hooks

https://www.python.org/dev/peps/pep-0551/

PEP 551 — Security transparency in the Python runtime

The European Patent Office refused to grant a software patent on a method of managing booting of secure devices with untrusted software. The decision was appealed successfully and the case was remitted to the Examining Division. Here are the practical takeaways of the decision T 1563/17 (Booting untrusted software) of 7.5.2019:[…]

Don’t read this if you’re an engineer at a company which has a policy that requires employees not read anything about other company’s patents:

https://www.lexology.com/library/detail.aspx?g=43d29e5b-fac4-4d12-9a3b-d360e730f3cf

https://www.epo.org/law-practice/case-law-appeals/recent/t171563eu1.html

Vincent has a new blog post with background on Intel FSP, the new UEFI MinPlatform, and some other UEFI things:

http://vzimmer.blogspot.com/2019/07/evolving-infrastructure-takes-time.html

Intel TXT Validation Test Suite https://t.co/A0eGvpQBRQ @_zaolin_ @9elements #txt #tpm #tcg #acm

— Hardened-GNU/Linux (@hardenedlinux) July 13, 2019

https://github.com/9elements/txt-suite

This Golang utility tests whether the platform supports Intel TXT and FIT, TPM boot chain has been configured correctly. The test suite runs on GNU/Linux.

New open source tool for LTE, GSM and 3G mobile radio monitoring and protocol analysis in Python: QCsuper https://t.co/yVomL7KFrT #LTE #GSM #Security #MobileRadio

— P1 Security (@p1security) July 9, 2019

https://labs.p1sec.com/2019/07/09/presenting-qcsuper-a-tool-for-capturing-your-2g-3g-4g-air-traffic-on-qualcomm-based-phones/

https://github.com/P1sec/QCSuper

Lately, I have been playing with a 3G dongle – a small USB device enabling to connect to the mobile Internet. I have discovered that most USB dongles with a Qualcomm processor exposed a special diagnostic protocol, called Diag (or DM, or QCDM – for Qualcomm Diagnostic monitor).But I have also discovered that this proprietary protocol was also present inside Android phones (through a device called /dev/diag) and it allowed a couple good things, such as obtaining raw captures of network air traffic or, in older models, reading/writing at arbitrary offsets of the radio chip’s memory (!). Today, we are proud to present QCSuper, an open-source tool that will enable you to passively capture raw 2G/3G/4G frames produced by your rooted Qualcomm-based Android phone or dongle, and produce a PCAP analyzable using Wireshark (in addition to a couple other input/output formats).[…]

disassembled the first few bits of the 512 byte "hidden" ROM. this is a factory-set ROM in every Intel 80C51 that's probably used for factory test modes. i think a few bits are flipped so it doesn't make 100% sense. pic.twitter.com/hDvXDyyCgO

— Tube Time (@TubeTimeUS) July 6, 2019

https://github.com/AdamLaurie/rompar

Alex has a new blog post describing how to debug ACPI tables on Ubuntu, using Canonical’s FWTS (FirmWare Test Suite):

Alex Hung @ Canonical wrote an article "Analyze ACPI Tables in a Text File with FWTS". Check it out and let us know what you think! https://t.co/7f62RcuqUA

— Firmware Test Suite (@fwts_team) July 9, 2019

https://ubuntu.com/blog/analyze-acpi-tables-in-a-text-file-with-fwts

Researching obscure architectures sounds challenging to you? We thought so too, so we developed a disassembly and analysis plugin for #radare2 to make things easier! Read on to learn how we did it. https://t.co/cn6jKNGGeZ

— Aleph Research (@alephsecurity) July 9, 2019

Aleph Research has another blog post on ZigBee, and they’ve created a Radare2 plugin to help!

https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/

https://github.com/alephsecurity/pyba2

https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/

Yesterday Intel released 2 new advisories:

Intel® Processor Diagnostic Tool Advisory
INTEL-SA-00268
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00268.html

Intel® SSD DC S4500/S4600 Series Advisory
INTEL-SA-00267
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00267.html

https://www.intel.com/content/www/us/en/security-center/default.html

Hey firmware peeps: Check out nanoprintf, a tiny vsnprintf that aims for C11 compliance and supports floats! Zero dependencies, zero libc calls. No allocations, < 100B stack, < 5KB .o. C89/C99, @nothings STB-style single-file header, public domain.https://t.co/0jca2SI9bY

(WIP)

— @c_nich@mastodon.gamedev.place (@c_nich) July 8, 2019

This bootloader is aimed at simplifying the process of loading a 64bit kernel. It is done by making so all you need to do is compile your kernel with valid physical addresses, and we will make sure (using UEFI) to make sure you have a nice identity mapped area to work with. This will also give you the basics without having to change anything.[…]

https://github.com/kretlim/kretlim-uefi-boot

Blog post explaining how all this System Management Mode hardware emulation stuff works and what I've been doing with it: https://t.co/jX4rNQc6EE

— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) July 7, 2019

Matthew has a new blog post on Apple SMC, SMM and coreboot:

https://mjg59.dreamwidth.org/52149.html

How to mitigate #ROCA #vulnerability in the #TPM modules? Here is the answer.

https://t.co/nkUUsrcgdt pic.twitter.com/N3hpw5YsVC

— 3mdeb (@3mdeb_com) July 5, 2019

https://blog.3mdeb.com/2019/2019-04-17-roca/