The leakage of sensitive information is a fast-growing concern among computer users. Side- and covert channels have particularly gained attention recently due to their potential to reveal sensitive data to untrusted parties. Side channels are information leakage channels where an adversary can decipher victim’s data through silently monitoring the computing activity via physical effects such as timing, power or electromagnetic analysis. Covert channels, in contrast, work by having a malicious insider, or trojan, who intentionally colludes with the adversary to exfiltrate secrets. Side and covert channels have become major concerns for the computer industry. In early 2018, the Meltdown and Spectre attacks demonstrated that hardware implementation effects in commercial processor hardware enabled new, previously undiscovered side-channel and covert-channel leakage. These attacks highlight the notoriety of information leakage channels, and they stress the immediate need to address the security risks resulting from them.[…]

NSF Workshop Report on Side and Covert Channels in Computing Systems

7 new security advisories from Intel on March 12th:

Intel® Accelerated Storage Manager in RSTe Advisory
INTEL-SA-00231
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00231.html

Intel® USB 3.0 Creator Utility Advisory
INTEL-SA-00229
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00229.html

Intel® Software Guard Extensions SDK Advisory
INTEL-SA-00217
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00217.html

Intel® Matrix Storage Manager Advisory
INTEL-SA-00216
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00216.html

Intel Firmware 2018.4 QSR Advisory
INTEL-SA-00191
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00191.html

Intel® Graphics Driver for Windows* 2018.4 QSR Advisory
INTEL-SA-00189
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00189.html

Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology 2018.4 QSR Advisory
INTEL-SA-00185
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00185.html

[…]Multiple potential security vulnerabilities in Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology may allow users to potentially escalate privileges, disclose information or cause a denial of service. Intel is releasing Intel® CSME, Server Platform Services, Trusted Execution Engine and Intel® Active Management Technology updates to mitigate these potential vulnerabilities.[…]

Last year the Journal of Cyber Policy did a survey on firmware security:

Firmware is a cyberattack vector. While public attention focuses on cyberattacks and data breaches conducted over networks with software-borne malware, the risk of malicious code embedded in the firmware of millions of digital devices poses a potentially more serious threat to cybersecurity. This report reviews how security professionals view the firmware threat as well as their impression of the tech industry’s readiness to detect and prevent a firmware-based attack.

.

https://journalofcyberpolicy.com/2018/02/05/take-firmware-security-survey/
https://journalofcyberpolicy.com/2018/04/20/firmware-vulnerable-hacking-can-done/
https://journalofcyberpolicy.com/2018/10/12/the-firmware-risk/
https://journalofcyberpolicy.com/2018/01/29/understanding-the-firmware-threat/
https://journalofcyberpolicy.com/firmware-threat-report/
https://journalofcyberpolicy.com/?s=firmware

Click to access FirmwareReportFinal.pdf

wprintf(L”| xtu.exe(XPM-image To UEFI-GOP-Blt-Buffer) v1.0.1 |\n”);
wprintf(L”| –MSI-RD-Krishna,2019.03.11 |\n”);
wprintf(L”Usage:\n”);
wprintf(L” xtu.exe -i [file1] -o [file2]\n”);
wprintf(L”Options:\n”);
wprintf(L” -i [file1] //input a xpm image file.\n”);
wprintf(L” -o [file2] //output to another file.\n”);
wprintf(L” -h //show this help.\n”);
wprintf(L”Sample:\n”);
wprintf(L” xtu.exe -i image.xpm -o buffer.c //convert image.xpm to buffer.c\n”);

https://github.com/krishna116/xtu

see-also:

https://en.wikipedia.org/wiki/X_PixMap

BootDiskCreator_PS

A powershell script to create a UEFI Boot Disk

I use a Windows 10 ISO file to create a UEFI boot disk.

https://github.com/ratanGit/BootDiskCreator_PS

Including talks such as:
Malware Buried Deep Down the SPI Flash: Sednit’s First UEFI Rootkit Found in the Wild
Straight Outta VMware: Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
BLEEDINGBIT: Your APs Belong to Us
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses

Rapid7 gave a presentation about IoT Security at RSA, focusing on U-Boot.

https://www.rsaconference.com/search?q=U-Boot

Click to access sbx1-r4-u-boot-i-hack.pdf

https://reviews.freebsd.org/D19093

https://svnweb.freebsd.org/base?view=revision&revision=344840

The opendtrace repository contains the unified, cross platform, source code for the OpenDTrace system including kernel components and tools for all of the platforms currently supported by the OpenDTrace system.

https://github.com/opendtrace/opendtrace/tree/windows

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/DTrace-on-Windows/ba-p/362902

Guided fuzzing has, in recent years, been able to uncover many new vulnera-
bilities in real-world software due to its fast input mutation strategies guided by path-coverage. However, most fuzzers are unable to achieve high coverage in deeper parts of programs. Moreover, fuzzers heavily rely on the diversity of the seed inputs, often manually provided, to be able to produce meaningful results. In this paper, we present Wildfire, a novel open-source compositional fuzzing framework. Wildfire finds vulnerabilities by fuzzing isolated functions in a C-program and, then, using targeted symbolic execution it determines the feasibility of exploitation for these vulnerabilities. Based on our evaluation of 23 open-source programs (nearly 1 million LOC), we show that Wildfire, as a result of the increased coverage, finds more true-positives than baseline symbolic execution and fuzzing tools, as well as state-of-the-art coverage-guided tools, in only 10% of the analysis time taken by them. Additionally, Wildfire finds many other potential vulnerabilities whose feasibility can be determined compositionally to confirm if they are false-positives. Wildfire could also reproduce all of the known vulnerabilities and found several previously-unknown vulnerabilities in three open-source libraries.

https://github.com/tum-i22/macke

Open Source Firmware Meetup at the 2019 OCP Global Summit – Call for Participation
Wednesday, January 30, 2019 · Posted by Rajeev Sharma

The 2019 OCP Global Summit will be held on March 14th-15th at the San Jose Convention Center. As part of this Summit, we are very excited to announce the first Open Source Firmware Meetup. […] Traditionally, firmware was proprietary and closed, but there is growing interest in collaborating on Open Source firmware alternatives. This trend was also observed within the OCP community, leading to the incubation of multiple sub-projects like OpenRMC, Open System Firmware (OSF) and Security. The purpose of this meetup is to encourage collaboration among firmware engineers working in various OCP workgroups, such as Hardware Management (DMTF, OpenBMC, OpenRMC), Open System Firmware (Coreboot, LinuxBoot, UEFI/EDKII) and Security (Cerberus, PFR solutions). Each of these community projects are encouraged to make use of this Meetup to accelerate progress in their respective areas. We hope to accomplish, with this meetup, among other things: to review and revise requirements/specifications/roadmaps, hack a feature and upstream code, discuss and resolve complex pending issues and work on a make file strategy for Open Compute-hosted GitHub. […]

https://www.opencompute.org/news/open-source-firmware-meetup-at-the-2019-ocp-global-summit-call-for-participation

search for ‘firmware’ on:
https://www.opencompute.org/summit/global-summit/schedule

There is a bit on Android boot process and Verified Boot in this Android Internals and Security course:

http://cecs.wright.edu/~pmateti/Courses/4440/Top/index.html

http://cecs.wright.edu/~pmateti/Courses/4440/Lectures/Security/

 

usage: python analyse_fw_ida.py [-h] [–all] [–pp_guids] [–get_efi_images] [–update_edk2_guids EDK2_PATH] firmware_path

Additional tools:

tools\get_efi_images.py is a script to get all PE-images from firmware file

tools\update_edk2_guids.py is a script to update protocol GUIDs list from conf directory

https://github.com/yeggor/UEFI_RETool

 

OSFC, the Open Source Firmware Conference was in Europe in 2018. The 2019 OSFC will be in California, hosted by Google and Facebook.

https://osfc.io/

setup_var_grub: Modified grub-git PKGBUILD containing custom setup_var patch. This version of the setup_var patch allows users to edit efi variable stores outside of “Setup” for manufacturers with different naming conventions.[…]

https://github.com/XDleader555/grub_setup_var

A Windows Powershell Script that will:

Query the boot mode (EFI vs BIOS) for machines via WinRM and export to CSV

https://github.com/colealtdelete/Get-BootMode

A smallish script that can backup EFI partitions – and eventually restore them (hopefully).

https://github.com/corpnewt/EFI-Backup-Restore

https://github.com/ufrisk/pcileech