[…]This could allow an attacker who gains access to several signatures to reconstruct the private key.[…]
Author: hucktech
Platbox: UEFI Assessment Tool
No docs. The sources are in MASM-based Intel assembler, C, C++. The build environment requires Visual Studio and Windows.
IDA 7.3 released
[…]You can also debug the UEFI firmware part of the boot process or even custom UEFI modules with source level debugging. Please check our XNU kernel debugging howto for more details on this feature. […]
BUT the URL referenced above is invalid (404). 😦
https://www.hex-rays.com/products/ida/support/tutorials/xnu_debugger_tutorial.pdf
Eclypsium on firmware FISMA compliance
William Leara on NIST 193
[…]The content of SP 800-193 should be considered required reading for professional BIOS/firmware engineers.[…]
William, a firmware engineer at Dell, has a new blog post summarizing NIST 193, NIST’s latest firmware security standard. It is nice to see someone else talking about it, other than myself. 😉 🙂
https://www.basicinputoutput.com/2019/06/nist-sp-800-193-platform-firmware.htm
coreboot Coverity security fixes!
It appears the coreboot project has 2 Google Summer of Code projects going, one is this project, addressing security issues found by Coverity!
[…]My project is on making coreboot Coverity clean. Coverity is a free static-analysis tool for open source projects that searches for common coding mistakes and errors, such as buffer overruns, null pointer dereferences, and integer overflow. Coverity automatically analyzes the coreboot codebase and flags issues it finds, and my job is to classify them into bugs and false-positives and patch them if I can. You can check the Coverity overview for coreboot here, though seeing the issue tracker itself requires registration. At the beginning of the summer, coreboot had over 380 flagged issues, but it’s now down to 303, so we’re making progress! I plan to address 20-30 issues per week depending on the source component, which so far has gone surprisingly well (surprising, in the sense that coming into the summer I knew very little about coreboot or firmware development in general).[…]
Make magazine shuts down, Wayback Machine creates archive of issues
Make Magazine shuts down.
(AFAICT, no mention of this news on the official web site, but the Subscribe page is still taking orders.)
The Wayback Machine has started to create an archive.
Side Channel Attack Testbench Estimator (SCATE)
The US DoD has a new grant offered for a side-channel attack tool:
The Defense Advanced Research Projects Agency (DARPA) Small Business Programs Office (SBPO) is issuing an SBIR/STTR Opportunity (SBO) inviting submissions of innovative research concepts in the technical domain of side channel security. In particular, DARPA is interested in the feasibility of effective pre-silicon side channel and fault injection estimation. These vulnerabilities are of interest to this program only in the context of emissions from the parts of the design that perform on-chip cryptographic functions. This would permit these vulnerabilities to be identified and reduced to acceptable constraints at design time rather than with a costly chip re-spin after fabrication and test.
[…]The DARPA Common Evaluation Platform (CEP) is a publicly available RISC-V based System-on-a-Chip (SoC). It will be used as a reference design and may have to be extended for the purposes of this program. The reference point for the current state of the art of side channel attack simulation technology will be based on transistor level simulation with SPICE. All the baseline metrics will be based on leakage sources found with SPICE simulation of a meaningful number of traces on the cryptographic block(s) within the CEP.[…]
https://www.fbo.gov/spg/ODA/DARPA/CMO/HR001119S0035-05/listing.html
GUSTAVE – Embedded OS kernel fuzzer
GUSTAVE is a fuzzing platform for embedded OS kernels. It is based on QEMU and AFL (and all of its forkserver siblings). It allows to fuzz OS kernels like simple applications. Thanks to QEMU, it is multi-platform. One can see GUSTAVE as a AFL forkserver implementation inside QEMU, with fine grain target inspection.
CLang sanitizer: ARM Memory Tagging Extension
Invaders game, Intel BIOS bootloader-based
More on UEFI 2.8 release
Re: https://firmwaresecurity.com/2019/04/04/uefi-2-8-released/
William has a blog post that shows Nikolaj’s Tweets on the release:
https://www.basicinputoutput.com/2019/05/uefi-28-courtesy-of-nikolaj.html
and a few days ago someone (I presume the UEFI Forum) sent a press release to BusinessWire.com (but they didn’t bother to update uefi.org’s content):
11 new security advisories from Intel
A few interesting things in this batch, SGX, rowhammer, OpenAttestation, etc.
In recent months US-CERT is getting a bit faster at noticing HW/FW issues, which is nice. It seems Intel manages to update their security announcements page right after I look at it for the day… 😦
Intel® NUC Firmware Advisory
INTEL-SA-00264
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00264.html
Intel® RAID Web Console 3 for Windows* Advisory
INTEL-SA-00259
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00259.html
Intel® Omni-Path Fabric Manager GUI Advisory
INTEL-SA-00257
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00257.html
Open Cloud Integrity Technology and OpenAttestation Advisory
INTEL-SA-00248
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00248.html
Partial Physical Address Leakage Advisory
INTEL-SA-00247
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00247.html
Intel® Turbo Boost Max Technology 3.0 Advisory
INTEL-SA-00243
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00243.html
Intel® SGX for Linux Advisory
INTEL-SA-00235
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00235.html
Intel® PROSet/Wireless WiFi Software Advisory
INTEL-SA-00232
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00232.html
Intel® Accelerated Storage Manager in Intel® Rapid Storage Technology Enterprise Advisory
INTEL-SA-00226
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00226.html
Intel® Chipset Device Software (INF Update Utility) Advisory
INTEL-SA-00224
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00224.html
ITE Tech* Consumer Infrared Driver for Windows 10 Advisory
INTEL-SA-00206
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00206.html
RAMBleed: Reading Bits in Memory Without Accessing Them
Apple: Product security certifications, validations, and guidance for SEP: Secure Key Store
This is a new product support document from Apple:
This article contains references for key product certifications, cryptographic validations, and security guidance for Secure Enclave Processor (SEP): Secure Key Store. Contact us at security-certifications@apple.com if you have any questions.[…]
Ghidra tools for reversing firmware
Alex James is participating in the Google Summer of Code for the coreboot project, writing Ghidra tools that work with coreboot! Initial status report is now available:
https://github.com/al3xtjames/ghidra-firmware-utils
https://summerofcode.withgoogle.com/projects/#6413737605464064
LVFS: checking for expired certs in UEFI
Richard Hughes has two new blog posts, one with an update to LVFS, and one on how it parses firmware ‘blobs’:
[…]Specifically, firmware is now being checked for expired Authenticode certificates which expired more than 3 years before the upload date of the firmware. The LVFS is also looking for test signing certificates that really should not exist in production firmware. All existing firmware on the LVFS is being tested, and the test backlog should be complete by this afternoon. All test failures are currently waivable.[…]
Debug UEFI code by single-stepping your Coffee Lake-S hardware CPU
Teddy Reed of Facebook has a new blog post on using Intel DCI, UEFI Tool, Intel System Studio, and other tools:
TL;DR, if you have a newer CPU & chipset you can purchase a $15 off-the-shelf cable and single-step your hardware threads. The cable is a USB 3.0 debugging cable; and is similar to an ethernet crossover cable in the sense that the internal wiring is crossed. Be careful with this cable as unsupported machines will have undefined behavior due to the electronics of USB.
Debug ACPI Tables with FWTS
Alex Hung of Canonical has another blog post on debugging ACPI using FWTS. FWTS is the most extensive ACPI tool available, definately worth learning!
https://blog.ubuntu.com/2019/06/04/debug-acpi-tables-with-firmware-test-suite-fwts
a 3rd Pong game for UEFI
There’s a 3rd Pong game for UEFI, a bare-metal UEFI Shell version of the game:
A one person pong played against a simple ai (but there’s no scoring at the moment)
https://gitlab.com/DrNochi/uefi-projects
For the other 2 UEFI pong games, see: https://firmwaresecurity.com/2017/05/03/another-uefi-pong-game/ and https://firmwaresecurity.com/2016/12/15/efi-pong/
Firmware Security 
You must be logged in to post a comment.