Eclypsium presentations from Blackhat and DEF CON uploaded

Re: https://firmwaresecurity.com/2018/08/10/eclypsium-remotely-attacking-system-firmware/

Click to access DC26_UEFI_EXPLOITATION_MASSES_FINAL.pdf

Click to access BH2018_REMOTELY_ATACKING_SYSTEM_FIRMWARE_FINAL.pdf

more on Intel-SA-00161

Re: https://firmwaresecurity.com/2018/08/15/intel-sa-00161-l1-terminal-fault-l1tf-speculative-execution-side-channel-attack-foreshadow/

and https://firmwaresecurity.com/2018/08/15/more-on-intel-sa-00161/ :

Update from Intel:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

https://careers.tenable.com/blogs/tenable-blog-548d2213-b14f-4795-a028-c85ba38381df/foreshadow-speculative-execution-attack-targets-intel-sgx

https://twitter.com/juanrga/status/1029678537790423040

https://www.amd.com/en/corporate/security-updates

https://www.tenable.com/plugins/nessus/111703

https://www.trendmicro.com/vinfo/in/security/news/vulnerabilities-and-exploits/foreshadow-l1tf-intel-processor-vulnerabilities-what-you-need-to-know

more on Intel-SA-00161

Re: https://firmwaresecurity.com/2018/08/15/intel-sa-00161-l1-terminal-fault-l1tf-speculative-execution-side-channel-attack-foreshadow/

https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability)
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3620.html
https://support.microsoft.com/en-us/help/4343909/windows-10-update-kb4343909
https://xenbits.xen.org/xsa/advisory-273.html
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
https://blogs.oracle.com/oraclesecurity/intel-l1tf
https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities
https://kb.vmware.com/s/article/55636
https://blogs.vmware.com/security/2018/08/new-vmware-security-advisory-vmsa-2018-0022-and-updated-security-advisory-vmsa-2018-0019-1.html
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03874en_us
https://blog.rapid7.com/2018/08/14/patch-tuesday-august-2018/
https://lkml.org/lkml/2018/8/14/885
https://www.suse.com/support/kb/doc/?id=7023077
https://marc.info/?l=openbsd-tech&m=153431475429367&w=2

Intel-SA-00161: L1 Terminal Fault (L1TF) speculative execution side-channel attack (Foreshadow)

Security researchers have identified a speculative execution side-channel method called L1 Terminal Fault (L1TF). This method impacts select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX). Further investigation by Intel has identified two related applications of L1TF with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software. If used for malicious purposes, this class of vulnerability has the potential to improperly infer data values from multiple types of computing devices.[…]

https://foreshadowattack.eu/

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://www.intel.com/content/www/us/en/architecture-and-technology/l1tf.html

https://access.redhat.com/security/vulnerabilities/L1TF

https://www.redhat.com/en/blog/understanding-l1-terminal-fault-aka-foreshadow-what-you-need-know

https://blogs.technet.microsoft.com/virtualization/2018/08/14/hyper-v-hyperclear/

https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

https://www.us-cert.gov/ncas/current-activity/2018/08/14/Intel-Side-Channel-Vulnerability

Linux UEFI firmware updates via LVFS at Linaro Connect

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Firmware is responsible for low-level platform initialization, establishing root-of-trust, and loading the operating system (OS). Signed UEFI Capsules define an OS-agnostic process for verified firmware updates, utilizing the root-of-trust established by firmware. The open source FmpDevicePkg in TianoCore provides a simple method to update system firmware images and device firmware images using UEFI Capsules and the Firmware Management Protocol (FMP). This session describes the EFI Development Kit II (EDK II) capsule implementation, implementing FMP using FmpDevicePkg, creating Signed UEFI Capsules using open source tools, and an update workflow based on the Linux Vendor Firmware Service (fwupd.org).

https://yvr18.pathable.com/meetings/740447

http://connect.linaro.org/schedule/

https://fwupd.org/

mOSL: Bash script to audit and fix macOS High Sierra (10.13.x) security settings

https://twitter.com/0x0304/status/1028933297135661056

Settings that can be audited/fixed:

enable automatic updates
enable gatekeeper
enable firewall
enable admin password preferences
enable terminal secure entry
disable firewall builtin software
disable firewall downloaded signed
disable ipv6
disable mail remote content
disable remote apple events
disable remote login
set airdrop contacts only
set appstore update check daily
check SIP
check kext loading consent
check EFI integrity
check filevault
check firmware password set

https://github.com/0xmachos/mOSL

USB Charging Actually Poses Security Risks – Hacking a Laptop via a USB-C Adapter

Smartphones have been charged over USB for many years, but with the advance of USB type-C now even laptops may be charged over USB, instead of the typical DC power barrel jack.[…]

https://www.cnx-software.com/2018/08/14/usb-charging-security-risks/

ChromeBook CampFire?

https://twitter.com/coolstarorg/status/1028677996578660352

Everything we know about Campfire, Google’s secretive project to get Windows 10 running on Chromebooks.[…]

https://www.xda-developers.com/chromebooks-chrome-os-windows-10-dual-boot-apple-boot-camp-campfire/

Many Blackhat/DEF CON slides uploaded

Update: there’s also a UEFI one here:

Click to access DC26_UEFI_EXPLOITATION_MASSES_FINAL.pdf

https://twitter.com/campuscodi/status/1028720894762524674

https://media.defcon.org/DEF%20CON%2026/

https://www.blackhat.com/us-18/briefings/schedule/index.html

Hmm, I don’t see presentations for BSidesLV yet:

https://www.bsideslv.org/archive/

CheckPoint Research: Scout Debugger

“Scout” is an extendable basic debugger that was designed for use in those cases that there is no built-in debugger / gdb-stub in the debuggee process / firmware. The debugger is intended to be used by security researchers in various scenarios, such as:

Collecting information on the address space of the debuggee – recon phase and exploit development
Exploring functionality of the original executable by accessing and executing selected code snippets
Adding and testing new functionality using custom debugger instructions

We have successfully used “Scout” as a debugger in a Linux Kernel setup, and in an embedded firmware research, and so we believe that its extendable API could prove handy for other security researchers in their research projects.

https://github.com/CheckPointSW/Scout

AppleSupportPkg: ApfsDriverLoader, AppleLoadImage, AppleDxeImageVerificationLib

ApfsDriverLoader
Open source apfs.efi loader based on reverse-engineered Apple’s ApfsJumpStart driver
Loads apfs.efi from ApfsContainer located on block device.
Apfs driver verbose logging suppressed.
Version system: connects each apfs.efi to the device from which it was retrieved
Supports AppleLoadImage protocol, which provides EfiBinary signature check
WARNING: Please load AppleLoadImage.efi right before ApfsDriverLoader, or just put it inside drivers64uefi folder of your Clover bootloader

AppleLoadImage
Implementation of AppleLoadImage protocol discovered in ApfsJumpStart Apple driver. This protocol installs in CoreDxe Apple’s firmware.
It provides safe EFI binary loading into memory by verifying its signature.
Also gives ability to use native ApfsJumpStart driver from Apple firmware
WARNING: ApplePartitionDriver needed

AppleDxeImageVerificationLib
This library provides reverse-engineered Apple’s crypto signature algorithms.

https://github.com/acidanthera/AppleSupportPkg

FireEye: BIOS Boots What? Finding Evil in Boot Code at Scale

https://twitter.com/FireEye/status/1027219284152541184

Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace, the exploitation of the classic BIOS boot process is still very much a threat to enterprises around the world. Furthermore, since malware that tampers with the boot process (aka bootkits) execute before the operating system, such compromises often persist even after incident responders think the incident has been remediated. This post details the challenges FireEye faced examining boot records at scale and our solution to find evil boot records in large enterprise networks.[…]

https://www.fireeye.com/blog/threat-research/2018/08/bios-boots-what-finding-evil-in-boot-code-at-scale.html

Two Spectre, Meltdown, and Rowhammer talks from Blackhat

Click to access bhusa2018_meltdown_slides.pdf

Click to access us-18-Gruss-Another-Flip-In-The-Row.pdf

AndroidHardening’s Auditor app for Android

Re: https://firmwaresecurity.com/2018/06/13/copperheados-and-androidhardening-project/

https://twitter.com/DanielMicay/status/1028402254703820800

Hardware-based attestation app for select Android devices. It can do either local verification with another Android device via QR code or scheduled server-based verification. It primarily relies on Trust On First Use using the hardware-backed keystore and key attestation. The initial unpaired verification relies on key attestation root.

https://github.com/AndroidHardening/Auditor/releases/tag/1

https://github.com/AndroidHardening/Auditor

https://play.google.com/store/apps/details?id=app.attestation.auditor

fiano – LinuxBoot’s Go-based tools for modifying UEFI firmware images

utk: generic UEFI tool kit meant to handle rom images. Usage:
    utk parse <rom-file>
    utk extract [--force] <rom-file> <directory-to-extract-to>
    utk assemble <directory-to-extract-to> <out-rom-file>

fmap: parses flash maps. Usage:
    fmap checksum [md5|sha1|sha256] FILE
    fmap extract i FILE
    fmap jget JSONFILE FILE
    fmap jput JSONFILE FILE
    fmap summary FILE
    fmap usage FILE
    fmap verify FILE

https://github.com/linuxboot/fiano

NIST Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop, video uploaded

https://www.nist.gov/news-events/events/2018/07/considerations-managing-iot-cybersecurity-and-privacy-risks-workshop

Click to access iot_risk_workshop_agenda.pdf

NIST’s Cybersecurity for IoT Program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale. This workshop will help the program through the development of the Cybersecurity for IoT Program and Privacy Engineering Program’s publication on an introduction to managing IoT cybersecurity and privacy risk for federal systems. This will include work to date identifying typical differences in cybersecurity and privacy risk for IoT systems versus traditional IT systems, considerations for selecting and using technical controls to mitigate IoT cybersecurity and privacy risk, and basic cybersecurity and privacy controls for manufacturers to consider providing in their IoT products. A pre-read document has been posted to help guide conversation.