Linux kernel v4.19 was released today and some security things I'm excited about are the L1TF fixes, O_CREAT protection in /tmp, syscall register clearing, even more VLA removals, and the new shift overflow helper: https://t.co/DNmBmPHsCR
— Kees Cook (@kees_cook) October 22, 2018
Author: hucktech
Build Your Own Hardware Implant
Bloomberg’s story about an alleged hardware implant […] Several people were pointing out the fact that the BMC (Baseboard Management Controller – the component allowing out-of-band access to the server) could be tampered with, allowing an implant to control the BMC to gain access to the network card. But how does it work in practice? Let’s see if we can reproduce this.[…]
3mdeb: BITS and CHIPSEC as coreboot payloads
ARM releases EBBR 0.7 spec
The Embedded Base Boot Requirements (EBBR) specification defines requirements for embedded systems to enable inter-operability between SoCs, hardware platforms, firmware implementations, and operating system distributions. The aim is to establish consistent boot ABIs and behaviour so that supporting new hardware platforms does not require custom engineering work.
https://github.com/ARM-software/ebbr/releases/tag/v0.7
https://github.com/ARM-software/ebbr
https://github.com/ARM-software/ebbr/wiki
UEFIfuzzing: UEFI applications and libraries for AFL fuzzing
This edk2 pkg contains UEFI applications used to control AFL fuzzing.
These applications are for use with this version of TriforceAFL.
William on VisualUEFI
William Leara of Dell has a new blog post reviewing Alex Ionescu’s VisualUEFI tool:
https://www.basicinputoutput.com/2018/10/alex-ionescus-visualuefi.html
ToshibaComExtractor: tool to extract Toshiba .COM firmware files
Multiple new FreeRTOS network vulns
Intel seeks Security Researcher
Responsible for secure design, development and operation of Intel’s hardware and software products and services. Responsibilities may include threat assessments, design of security components, and vulnerability assessment.
4+ years of experience in the field of system security research and exploring software and hardware techniques as a method of attack against targets within compute systems.
In-depth experience with security threats, vulnerability research, physical attack techniques (power analysis, fault injection, reverse engineering, etc.), side-channel attack methods.
Knowledge of security technologies: authentication, cryptography, secure protocol, etc.
Knowledge of computer architecture CPU, SoC, chipsets, BIOS, Firmware, Drivers, and others
https://jobs.intel.com/ShowJob/Id/1826346/Security%20Researcher
MIT: DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors
[…]As a playful counterpoint to Intel’s CAT system, the researchers dubbed their method “DAWG”, which stands for “Dynamically Allocated Way Guard.” (The “dynamic” part means that DAWG can split the cache into multiple buckets whose size can vary over time.)[…]
https://www.csail.mit.edu/news/better-approach-preventing-meltdownspectre-attacks
EPT-Based Sub-page Write Protection On Xen
custom_nvram: Shared Library to intercept nvram get/set/match calls for emulating libnvram.so used by many IoT firmware software
Protocol: a tool to display ASCII RFC-like protocol header diagrams for protocols
boot-lab: learn about OS booting using BIOS and UEFI (in Russian)
fb-ask-pass-rs: asks the user for a password on the framebuffer showing the firmware image
Primary usage: run it from an initcpio hook (on Arch Linux) to ask for the LUKS passphrase, while showing the firmware picture. The passphrase is saved in a file (/crypto_keyfile.bin) which the encrypt hook uses to unlock LUKS volumes.
https://github.com/gdamjan/fb-ask-pass-rs
get-efi-images: dump all UEFI images (PE-files) from firmware
https://github.com/yeggor/get-efi-images
It uses UEFI Firmware Parser.
macOS EFI Unlocker V1.0 for VMware: allows non-server versions of macOS to be run with VMware
The macOS EFI Unlocker removes the check for the server versions of Mac OS X:
* 10.5 Leopard
* 10.6 Snow Leopard
allowing the non-server versions of Mac OS X to be run with VMware products. Later versions of Mac OS X and macOS do not need the modified firmware, because Apple removed the restrictions imposed on 10.5 and 10.6.
EFI Unlocker 1 is designed for the following products:
* VMware Workstation and Player versions 14/15
* VMware Fusion versions 10/11
The checks for the server versions are done in VMware’s virtual EFI firmware, which looks for a file called ServerVersion.plist in the installation media and the installed OS. The patch modifies the firmware to check instead for a file present on all versions of Mac OS X, SystemVersion.plist.
The patch uses a tool called UEFIPatch to make the modifications.
Please note you may need to use macOS Unlocker version 3 to run on non-Apple hardware.
Automatically Mapping Binaries with Debug Print using IDAPython
This blog gives a short overview of a script I wrote that replaces the default function names in IDA with names constructed from debug prints; hopefully it will also provide the basic knowledge for you to create one of your own.[…]
Redfish-finder: utility to parse dmidecode output for Host Management Controllers, and setup canonically named access to them
One of the difficulties of using the Redfish host API is the translation of the SMBIOS data above into meaningful application configuration data.[…] redfish-finder: parses the SMBIOS data for Redfish access, translates the device specification to an OS interface name, uses NetworkManager to configure the network interface with the appropriate settings, and adds an entry to /etc/hosts mapping the name redfish-localhost to the discovered Redfish service address.[…]
https://github.com/nhorman/redfish-finder
Microcode Updates for the USENIX 2017 paper: Reverse Engineering x86 Processor Microcode
Re: https://firmwaresecurity.com/2017/08/19/new-x86-microcode-tool/
x86 Microcode Framework and Example Programs
This repository contains the framework used during our work on reverse engineering the microcode of AMD K8 and K10 CPUs. It includes an assembler and disassembler as well as example programs implemented using these tools. We also provide our custom written minimal operating system that can rapidly apply and test microcode updates on AMD CPUs.[…]