UefiTool: UEFI Debug Tool

Gavin Xue has created UefiTool:

A simple UEFI tool for debugging.

Print (L"Help info:\n");
Print (L" UefiTool.efi -H\n\n");
Print (L"Read MSR register:\n");
Print (L" UefiTool.efi RDMSR [MSRIndex] [OPTION: -A | -P]\n\n");
Print (L"Write MSR register:\n");
Print (L" UefiTool.efi WRMSR [MSRIndex] [MSRValue]\n\n");
Print (L"Read CPUID:\n");
Print (L" UefiTool.efi CPUID [CPUID_Index] [CPUID_SubIndex]\n\n");
Print (L"Read GDTR register:\n");
Print (L" UefiTool.efi -SGDT\n\n");
Print (L"Read CR register:\n");
Print (L" UefiTool.efi -CR\n\n");

https://github.com/vinxue/UefiTool

Not to be confused with UEFITool:

https://github.com/LongSoft/UEFITool
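The raw numbers a tool like this prints are only useful if you know the bit layouts, and RDMSR/WRMSR on an MSR the CPU does not implement raises #GP, which in a UEFI shell usually ends in a CPU exception dump rather than an error message. As an added example (my code, not UefiTool's), here is a small C program that issues CPUID leaf 7 on the running CPU via GCC/Clang's <cpuid.h>, decodes the EDX feature bits that matter for the Spectre/Meltdown controls, and shows the check to do before "UefiTool.efi RDMSR 0x48" (IA32_SPEC_CTRL) or "RDMSR 0x10A" (IA32_ARCH_CAPABILITIES). MSRs cannot be read from user space, so the MSR decoder takes the 64-bit value as a number: paste in what the tool prints. Bit positions are from the Intel SDM; the page says nothing about how UefiTool itself handles a missing MSR.

```c
/* Added example, not part of UefiTool: decode CPUID leaf 7 and the
 * IA32_ARCH_CAPABILITIES MSR bits that describe a CPU's Spectre/Meltdown
 * controls, i.e. what "UefiTool.efi CPUID 7 0" and "UefiTool.efi RDMSR 0x10A"
 * print, and check that an MSR exists before touching it. Bit positions
 * are from the Intel SDM. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=7,ECX=0):EDX */
#define CPUID7_EDX_IBRS_IBPB  (1u << 26)  /* IA32_SPEC_CTRL.IBRS, IA32_PRED_CMD.IBPB */
#define CPUID7_EDX_STIBP      (1u << 27)  /* IA32_SPEC_CTRL.STIBP */
#define CPUID7_EDX_L1D_FLUSH  (1u << 28)  /* IA32_FLUSH_CMD (L1TF) */
#define CPUID7_EDX_ARCH_CAPS  (1u << 29)  /* IA32_ARCH_CAPABILITIES MSR exists */
#define CPUID7_EDX_SSBD       (1u << 31)  /* IA32_SPEC_CTRL.SSBD */

/* IA32_ARCH_CAPABILITIES (MSR 0x10A) */
#define ARCH_CAP_RDCL_NO             (1ull << 0)  /* not susceptible to Meltdown (RDCL) */
#define ARCH_CAP_IBRS_ALL            (1ull << 1)  /* enhanced IBRS: set once, stays on */
#define ARCH_CAP_RSBA                (1ull << 2)  /* RET may use the BTB when the RSB is empty */
#define ARCH_CAP_SKIP_L1DFL_VMENTRY  (1ull << 3)
#define ARCH_CAP_SSB_NO              (1ull << 4)  /* not susceptible to speculative store bypass */

struct spec_features {
    int ibrs_ibpb, stibp, l1d_flush, ssbd;
    int has_spec_ctrl_msr;  /* IA32_SPEC_CTRL (0x48) can be read/written */
    int has_arch_caps_msr;  /* IA32_ARCH_CAPABILITIES (0x10A) can be read */
};

struct arch_caps { int rdcl_no, ibrs_all, rsba, skip_l1dfl_vmentry, ssb_no; };

/* The SDM defines IA32_SPEC_CTRL as present when any of EDX[26], EDX[27] or
 * EDX[31] is set. RDMSR/WRMSR on an MSR the CPU does not implement raises
 * #GP, so run this check before "UefiTool.efi RDMSR 0x48". */
int spec_ctrl_msr_present(uint32_t edx)
{
    return !!(edx & (CPUID7_EDX_IBRS_IBPB | CPUID7_EDX_STIBP | CPUID7_EDX_SSBD));
}

void decode_cpuid7_edx(uint32_t edx, struct spec_features *f)
{
    f->ibrs_ibpb = !!(edx & CPUID7_EDX_IBRS_IBPB);
    f->stibp     = !!(edx & CPUID7_EDX_STIBP);
    f->l1d_flush = !!(edx & CPUID7_EDX_L1D_FLUSH);
    f->ssbd      = !!(edx & CPUID7_EDX_SSBD);
    f->has_spec_ctrl_msr = spec_ctrl_msr_present(edx);
    f->has_arch_caps_msr = !!(edx & CPUID7_EDX_ARCH_CAPS);
}

/* Interpret the value RDMSR 0x10A returns (only meaningful if has_arch_caps_msr). */
void decode_arch_capabilities(uint64_t msr, struct arch_caps *c)
{
    c->rdcl_no            = !!(msr & ARCH_CAP_RDCL_NO);
    c->ibrs_all           = !!(msr & ARCH_CAP_IBRS_ALL);
    c->rsba               = !!(msr & ARCH_CAP_RSBA);
    c->skip_l1dfl_vmentry = !!(msr & ARCH_CAP_SKIP_L1DFL_VMENTRY);
    c->ssb_no             = !!(msr & ARCH_CAP_SSB_NO);
}

/* Execute CPUID leaf 7, sub-leaf 0 on the running CPU (the same instruction
 * UefiTool issues from the shell). Returns 1 and fills *edx on x86 when leaf 7
 * exists, 0 on other architectures or very old CPUs. */
int read_cpuid7_edx(uint32_t *edx)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return 0;
    *edx = d;
    return 1;
#else
    (void)edx;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx;
    struct spec_features f;
    if (!read_cpuid7_edx(&edx)) {
        puts("CPUID leaf 7 not available (not x86, or an old CPU)");
        return 1;
    }
    decode_cpuid7_edx(edx, &f);
    printf("CPUID.7.0:EDX = 0x%08x\n", edx);
    printf("IBRS/IBPB=%d STIBP=%d L1D_FLUSH=%d SSBD=%d\n", f.ibrs_ibpb, f.stibp, f.l1d_flush, f.ssbd);
    printf("RDMSR 0x48 safe: %s; RDMSR 0x10A safe: %s\n",
           f.has_spec_ctrl_msr ? "yes" : "no (#GP)", f.has_arch_caps_msr ? "yes" : "no (#GP)");
    /* Feed the value UefiTool prints for MSR 0x10A (or /dev/cpu/0/msr as root
     * on Linux) to decode_arch_capabilities(); user space cannot RDMSR. */
    return 0;
}
```

On a CPU that reports RDCL_NO the Meltdown (KPTI) mitigation the Phoronix item below measures is unnecessary, and IBRS_ALL is what lets a kernel leave enhanced IBRS on instead of using retpolines; those two bits are the ones worth reading first.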

SMoTherSpectre: transient execution attacks through port contention

https://arxiv.org/abs/1903.01843

http://nebelwelt.net/blog/20190306-SMoTherSpectre.html

https://github.com/HexHive/SMoTherSpectre

NSA releases Ghidra, a software reverse engineering (SRE) framework

https://ghidra-sre.org/
https://www.nsa.gov/resources/everyone/ghidra/
https://ghidra-sre.org/CheatSheet.html
https://ghidra-sre.org/InstallationGuide.html
https://github.com/NationalSecurityAgency/ghidra/wiki/Frequently-asked-questions

Hmm, there is a release on their web site, but none on the GitHub Releases page…
https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

https://www.rsaconference.com/events/us19/agenda/sessions/16608-Come-Get-Your-Free-NSA-Reverse-Engineering-Tool


Finnbarr releases UEFI-Utilities-2019

Finnbarr P. Murphy has been working on a collection of UEFI utilities for Intel systems for multiple years. It is somewhat like a UEFI version of Norton Utilities for MS-DOS or Sysinternals for Windows NT: multiple small command-line tools that dump out low-level system information.

UEFI-Utilities was built (I believe) with GNU-EFI, and probably only had 32-bit binaries.
https://github.com/fpmurphy/UEFI-Utilities

UEFI-Utilities-2016 is built against UDK2015, and I think it may only have 32-bit binaries.
https://github.com/fpmurphy/UEFI-Utilities-2016

UEFI-Utilities-2018 is built against UDK2017. Includes X64 binaries.
https://github.com/fpmurphy/UEFI-Utilities-2018

The 2019 edition is now out:

UEFI-Utilities-2019 is built against UDK2018. Includes X64 binaries.
https://github.com/fpmurphy/UEFI-Utilities-2019

Some tools are only in one collection. Also, you need to watch Finnbarr’s blog, as sometimes he does a blog post on a new (or revised) tool, and sometimes the tool is only published in the blog, not in the UEFI Utilities. At least it seemed like that for one of his tools in the past…

https://blog.fpmurphy.com/

Spectre/Meltdown perf on Linux 5.0

Phoronix has a new article with some stats on Spectre/Meltdown mitigation performance impact on Linux 5.0, using their test suite:

[…]Of 57 benchmarks tested on these three systems with the Linux 5.0 kernel, the Core i9 7980XE performance was down by about 13% based upon the geometric mean of all the test results. The Intel Core i7 8086K performance was down by 17% with these out-of-the-box protections for Spectre and Meltdown. The AMD Ryzen 7 2700X performance with its default Spectre mitigations was lower by just 3%. Should you choose to go against the security assessment and wish to recover from these performance losses, reverting the mitigations as tested can easily be done by some boot parameters albeit no single switch. Now with Microsoft shipping Retpolines for revising their Spectre V2 mitigation, some additional Spectre/Meltdown tests will be coming up soon on Phoronix.

https://www.phoronix.com/scan.php?page=article&item=linux50-spectre-meltdown&num=1

https://www.phoronix-test-suite.com/

Making the LVFS and fwupd work in the enterprise

https://twitter.com/hughsient/status/1102610276577431553

It looks like the Linux firmware update service is about to get some new tools that’ll help enterprise sysadmins!

[…]We’ve started working on some functionality in fwupd to install an optional “agent” that reports the versions of firmware installed to a central internal web service daily, so that the site admin can see what computers are not up-to-date with the latest firmware updates. I’d expect there the admin could also approve updates after in-house QA testing, and also rate-limit the flow of updates to hardware of the same type. The reference web app would visually look like some kind of dashboard, although I’d be happy to also plug this information into existing system management systems like Lenovo XClarity or even Red Hat Satellite. The deliverable here would be to provide the information and the mechanism that can be used to implement whatever policy the management console defines.[…]

Ubuntu whitepaper: Securing IoT device data against physical access

Ubuntu has a white paper that discusses Secure Boot, amongst other things. But you have to register for it; it is not publicly available.

https://www.ubuntu.com/engage/iot-disk-encryption

Comparing Linux distribution’s hardening schemes

In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, CentOS and RHEL 6.10 & 7 distributions, as well as the Ubuntu 14.04, 12.04, and 18.04 LTS distributions. Our findings confirm that even basic hardening schemes, such as stack canaries and position independent code, are not fully adopted. The situation is even worse when it comes to other compiler protections like stack clash hardening, which recently came into the spotlight due to last month’s systemd vulnerabilities. However, not all is hopeless.[…]

https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
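The properties Capsule8 counted can be checked on a single binary without their tooling. As an added example (mine, not Capsule8's or any distribution's), here is a minimal checksec-style ELF64 reader in C: it reads e_type for PIE, walks the program headers for PT_GNU_STACK and PT_GNU_RELRO, and looks for __stack_chk_fail in .dynstr as the sign that the compiler emitted stack canaries. It builds a constructed, non-loadable ELF image so it runs offline; pass a path to check a real file. It does not cover stack clash protection or FORTIFY_SOURCE, and ET_DYN alone cannot tell a PIE executable from a shared library.

```c
/* Added example, not Capsule8's tooling: a minimal checksec-style reader for
 * ELF64 little-endian binaries reporting the properties the post measures:
 * PIE (e_type == ET_DYN), NX stack (PT_GNU_STACK without PF_X), RELRO
 * (a PT_GNU_RELRO segment) and stack canaries (__stack_chk_fail in .dynstr). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ET_DYN       3
#define PT_GNU_STACK 0x6474e551u
#define PT_GNU_RELRO 0x6474e552u
#define PF_X         1u
struct hardening { int pie, nx_stack, relro, canary; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> 8 * i); }
static int contains(const uint8_t *p, size_t n, const char *s)
{
    size_t m = strlen(s);
    for (size_t i = 0; i + m <= n; i++) if (memcmp(p + i, s, m) == 0) return 1;
    return 0;
}

/* Returns 0 and fills *h, or -1 if buf is not a well-formed ELF64 LE image. */
int check_elf64(const uint8_t *buf, size_t len, struct hardening *h)
{
    memset(h, 0, sizeof *h);
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1)
        return -1;                                   /* not ELFCLASS64 + ELFDATA2LSB */
    uint64_t phoff = rd64(buf + 32), shoff = rd64(buf + 40);
    uint16_t phentsize = rd16(buf + 54), phnum = rd16(buf + 56);
    uint16_t shentsize = rd16(buf + 58), shnum = rd16(buf + 60), shstrndx = rd16(buf + 62);
    h->pie = rd16(buf + 16) == ET_DYN;               /* also true for a plain shared library */
    /* No PT_GNU_STACK at all means the kernel grants an executable stack. */
    for (unsigned i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off + 56 > len) return -1;
        uint32_t p_type = rd32(buf + off), p_flags = rd32(buf + off + 4);
        if (p_type == PT_GNU_STACK) h->nx_stack = !(p_flags & PF_X);
        if (p_type == PT_GNU_RELRO) h->relro = 1;
    }
    /* Canary: __stack_chk_fail imported via .dynstr. A stripped section table
     * leaves canary = 0 ("unknown"), the conservative answer. */
    if (shoff == 0 || shnum == 0 || shstrndx >= shnum) return 0;
    uint64_t strhdr = shoff + (uint64_t)shstrndx * shentsize;
    if (strhdr + 64 > len) return -1;
    uint64_t stroff = rd64(buf + strhdr + 24), strsz = rd64(buf + strhdr + 32);
    if (stroff + strsz > len) return -1;
    for (unsigned i = 0; i < shnum; i++) {
        uint64_t sh = shoff + (uint64_t)i * shentsize;
        if (sh + 64 > len) return -1;
        uint32_t name = rd32(buf + sh);
        if (name >= strsz || strncmp((const char *)buf + stroff + name, ".dynstr", strsz - name) != 0)
            continue;
        uint64_t doff = rd64(buf + sh + 24), dsz = rd64(buf + sh + 32);
        if (doff + dsz > len) return -1;
        h->canary = contains(buf + doff, dsz, "__stack_chk_fail");
    }
    return 0;
}

/* Constructed test input (not a real binary): an ELF64 image holding only the
 * headers check_elf64() reads. Returns the image size, 0 if cap is too small. */
size_t build_sample_elf(uint8_t *buf, size_t cap, int pie, int nx, int relro, int canary)
{
    static const char shstr[] = "\0.shstrtab\0.dynstr";   /* ".shstrtab" at 1, ".dynstr" at 11 */
    static const char dyn_canary[] = "\0libc.so.6\0__stack_chk_fail", dyn_plain[] = "\0libc.so.6\0printf";
    const char *dyn = canary ? dyn_canary : dyn_plain;
    size_t dynlen = canary ? sizeof dyn_canary : sizeof dyn_plain;
    size_t phoff = 64, shstroff = phoff + 2 * 56, dynoff = shstroff + sizeof shstr;
    size_t shoff = dynoff + dynlen, total = shoff + 3 * 64;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;                  /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    wr16(buf + 16, pie ? ET_DYN : 2);                    /* ET_DYN or ET_EXEC */
    wr16(buf + 18, 62);                                  /* EM_X86_64 */
    wr64(buf + 32, phoff); wr64(buf + 40, shoff);
    wr16(buf + 52, 64); wr16(buf + 54, 56); wr16(buf + 56, 2);
    wr16(buf + 58, 64); wr16(buf + 60, 3); wr16(buf + 62, 1);
    wr32(buf + phoff, PT_GNU_STACK); wr32(buf + phoff + 4, 6u | (nx ? 0u : PF_X));   /* RW[X] stack */
    wr32(buf + phoff + 56, relro ? PT_GNU_RELRO : 4u); wr32(buf + phoff + 60, 4u);  /* or PT_NOTE filler */
    memcpy(buf + shstroff, shstr, sizeof shstr);
    memcpy(buf + dynoff, dyn, dynlen);
    uint8_t *s1 = buf + shoff + 64, *s2 = buf + shoff + 128;   /* sections 1 (.shstrtab), 2 (.dynstr) */
    wr32(s1, 1);  wr32(s1 + 4, 3); wr64(s1 + 24, shstroff); wr64(s1 + 32, sizeof shstr);
    wr32(s2, 11); wr32(s2 + 4, 3); wr64(s2 + 24, dynoff);   wr64(s2 + 32, dynlen);
    return total;
}

int main(int argc, char **argv)
{
    uint8_t sample[512], *img = sample;
    struct hardening h;
    size_t n = build_sample_elf(sample, sizeof sample, 1, 1, 1, 1);   /* default: constructed sample */
    if (argc > 1) {                                                   /* ./checksec /bin/ls */
        FILE *fp = fopen(argv[1], "rb");
        if (!fp) { perror(argv[1]); return 1; }
        fseek(fp, 0, SEEK_END); n = (size_t)ftell(fp); rewind(fp);
        img = malloc(n + 1);
        if (!img || fread(img, 1, n, fp) != n) return 1;
        fclose(fp);
    }
    if (check_elf64(img, n, &h) != 0) { fputs("not an ELF64 little-endian file\n", stderr); return 1; }
    printf("PIE=%d NX-stack=%d RELRO=%d canary=%d\n", h.pie, h.nx_stack, h.relro, h.canary);
    return 0;
}
```

Run it over a distribution's /usr/bin and the counts come out much like the post's: a missing PT_GNU_RELRO or an ET_EXEC main binary is the common finding, and a binary with no __stack_chk_fail import was built without -fstack-protector (or has no function the heuristic instruments).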

Europe in danger of losing ability to update firmware on devices

https://blog.mehl.mx/2019/protect-freedom-on-radio-devices-raise-your-voice-today/

Mobile Systems and Smartphone Security course, slides online

This website hosts material and resources for the Mobile Systems and Smartphone Security (aka Mobile Security, aka MOBISEC) course, first taught in Fall 2018 at EURECOM. This was designed to be a hands-on course, and it covers topics such as the mobile ecosystem, the design and architecture of mobile operating systems, application analysis, reverse engineering, malware detection, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques. It is widely regarded as the best class on the topic (according to the world-renowned survey “top mobile security classes of the French riviera”).[…]

https://mobisec.reyammer.io/

https://mobisec.reyammer.io/slides

Eclypsium ships their firmware security product!

https://eclypsium.com/2019/03/04/announcing-general-availability-of-eclypsium-platform-1-0/

VeraCrypt 1.24-Beta3 released

VeraCrypt has been updated, with multiple UEFI fixes and a few security features:

* Erase system encryption keys from memory during shutdown/reboot to help mitigate some cold boot attacks
* Add option when system encryption is used to erase all encryption keys from memory when a new device is connected to the system.
* Several enhancements and fixes for EFI bootloader:
  * Implement timeout mechanism for password input. Set default timeout value to 3 minutes and default timeout action to “shutdown”.
  * Implement new actions “shutdown” and “reboot” for EFI DcsProp config file.
* MBR Bootloader: dynamically determine boot loader memory segment instead of hardcoded values (proposed by neos6464)
* MBR Bootloader: workaround for issue affecting creation of hidden OS on some SSD drives.
* Fix issue related to Windows Update breaking VeraCrypt UEFI bootloader.

https://www.veracrypt.fr/en/Release%20Notes.html


Thunderbolt3 -> USB4

[…]Today, Intel announced that it contributed the Intel Thunderbolt protocol specification to the USB Promoter Group, enabling other chip makers to build Thunderbolt compatible silicon, royalty-free. In addition, the USB Promoter Group announced the pending release of the USB4 specification, based on the Thunderbolt protocol. […]

https://newsroom.intel.com/news/intel-takes-steps-enable-thunderbolt-3-everywhere-releases-protocol/

https://arstechnica.com/gadgets/2019/03/thunderbolt-3-becomes-usb4-as-intels-interconnect-goes-royalty-free/


Exploitation from malicious PCI Express peripherals

Exploitation from malicious PCI Express peripherals
Colin L. Rothwell
February 2019, 108 pages

The thesis of this dissertation is that, despite widespread belief in the security community, systems are still vulnerable to attacks from malicious peripherals delivered over the PCI Express (PCIe) protocol. Malicious peripherals can be plugged directly into internal PCIe slots, or connected via an external Thunderbolt connection.[…]

https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-934.html

Speculative Load Hazards Boost Rowhammer and Cache Attacks (SPOILER)

Modern microarchitectures incorporate optimization techniques such as speculative loads and store forwarding to improve the memory bottleneck. The processor executes the load speculatively before the stores, and forwards the data of a preceding store to the load if there is a potential dependency. This enhances performance since the load does not have to wait for preceding stores to complete. However, the dependency prediction relies on partial address information, which may lead to false dependencies and stall hazards. In this work, we are the first to show that the dependency resolution logic that serves the speculative load can be exploited to gain information about the physical page mappings. Microarchitectural side-channel attacks such as Rowhammer and cache attacks rely on the reverse engineering of the virtual-to-physical address mapping. We propose the SPOILER attack which exploits this leakage to speed up this reverse engineering by a factor of 256. Then, we show how this can improve the Prime+Probe attack by a 4096 factor speed up of the eviction set search, even from sandboxed environments like JavaScript. Finally, we improve the Rowhammer attack by showing how SPOILER helps to conduct DRAM row conflicts deterministically with up to 100% chance, and by demonstrating a double-sided Rowhammer attack with normal user’s privilege. The latter is due to the possibility of detecting contiguous memory pages using the SPOILER leakage.

https://arxiv.org/abs/1903.00446