webcast: The SNIA Persistent Memory Security Threat Model

SNIA Webcast: Tuesday, August 21 – 10:00 am PT / 1:00 pm ET

The SNIA Persistent Memory Security Threat Model
What new security requirements apply to Persistent Memory (PM)? While many existing security practices such as access control, encryption, multi-tenancy and key management apply to persistent memory, new security threats may result from the differences between PM and storage technologies. The SNIA PM security threat model provides a starting place for exposing system behavior, protocol and implementation security gaps that are specific to PM. This in turn motivates industry groups such as TCG and JEDEC to standardize methods of completing the PM security solution space.

https://www.brighttalk.com/webcast/663/327137

https://www.snia.org/node/4037

Existing SNIA security resources include:
https://www.snia.org/security
https://www.google.com/search?q=security+site%3Asnia.org+filetype%3Apdf


NoStarch PoC||GTFO Volume II coming out this Summer

Re: https://firmwaresecurity.com/tag/pocgtfo/

https://www.alchemistowl.org/pocorgtfo/

Intel releases a DOZEN new security advisories!

I’ve only seen them release 1 or 2 at a time; a dozen new advisories in a day is a LOT:

https://www.intel.com/content/www/us/en/security-center/default.html

Insecure Handling of BIOS and AMT Passwords
EDK II Untested memory not covered by SMM page protection
Platform firmware included insecure handling of certain UEFI variables
Intel® Quartus® Prime Pro
Firmware Authentication Bypass
Intel® Quartus Family of Tools Privilege Escalation Vulnerability
Insufficient Input Validation in Intel® VTune Amplifier, Intel® Advisor and Intel® Inspector products before version 2018 Update 3 potentially allows an unprivileged user to trigger a Denial of Service via local vector
BMC Firmware Vulnerability Intel Server Boards, Compute Modules and Systems
Insufficient Input Validation in Bleach module in Intel® Distribution for Python (IDP) version IDP 2018 Update 2 potentially allows an unprivileged user to bypass URI sanitization and cause a Denial of Service via local vector
Intel® Converged Security Management Engine (Intel® CSME) 11.x issue
Intel® Optane™ memory module update
Intel Q1’18 Intel® Active Management Technology 9.x/10.x/11.x Security Review Cumulative Update

Intel updates PCIe security spec

Re: https://firmwaresecurity.com/2018/03/17/intel-publishes-pcie-device-security-enhancements-spec/

The PHY Interface for the PCI Express* (PIPE) Architecture Revision 5.1 is an updated version of the PIPE spec that supports PCI Express, SATA, USB, DisplayPort, and Converged I/O architectures.

The review draft PCI Express* Device Security Enhancements Specification Revision 0.7 defines PCIe* Device Firmware Measurement and PCIe* Device Authentication that enable a Host to query and verify the identity and capability of a PCIe* Device, to improve system security.

https://www.intel.com/content/www/us/en/io/pci-express/pci-express-architecture-devnet-resources.html


TLBleed: side channel attack on Intel CPUs

https://www.vusec.net/projects/tlbleed/

TLBleed is a new side channel attack that has been proven to work on Intel CPUs with Hyperthreading (generally Simultaneous Multi-threading, or SMT, or HT on Intel) enabled. It relies on concurrent access to the TLB, and it being shared between threads. We find that the L1dtlb and the STLB (L2 TLB) are shared between threads on Intel CPU cores.


Author preprint: tlbleed-author-preprint.pdf
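Since TLBleed depends on two hardware threads of one core sharing the L1 dTLB and STLB, the first thing an administrator will want to know is whether any such sibling pairs exist on a host. The following is an added example, not code from VUSec or from this post: it parses the Linux `thread_siblings_list` topology files (real sysfs paths under `/sys/devices/system/cpu/cpuN/topology/`) and reports which logical CPUs share a core. The sample topologies embedded at the bottom are constructed so the script also runs where sysfs is unavailable.

```python
"""Report SMT sibling pairs (logical CPUs sharing one physical core).

Added example for the TLBleed note; not the project's or the post's code.
On Linux, /sys/devices/system/cpu/cpuN/topology/thread_siblings_list lists
the logical CPUs that share cpuN's core. A core with more than one entry
is running SMT, i.e. its TLBs are shared between two hardware threads.
"""
import glob
import os
import re


def parse_cpu_list(text):
    """Parse a Linux CPU list such as '0,4' or '0-3,8' into sorted ints."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return sorted(cpus)


def sibling_groups(siblings_by_cpu):
    """Given {cpu: thread_siblings_list text}, return the sorted list of
    cores (as tuples of logical CPUs) that have more than one hardware thread."""
    groups = set()
    for cpu, text in siblings_by_cpu.items():
        group = set(parse_cpu_list(text))
        group.add(cpu)  # tolerate a list that omits the CPU itself
        if len(group) > 1:
            groups.add(tuple(sorted(group)))
    return sorted(groups)


def smt_enabled(siblings_by_cpu):
    """True if any core exposes more than one logical CPU."""
    return bool(sibling_groups(siblings_by_cpu))


def read_live_topology(sysfs="/sys/devices/system/cpu"):
    """Read thread_siblings_list for every CPU in sysfs; empty dict off-Linux."""
    result = {}
    pattern = os.path.join(sysfs, "cpu[0-9]*", "topology", "thread_siblings_list")
    for path in glob.glob(pattern):
        match = re.search(r"cpu(\d+)", path)
        with open(path) as handle:
            result[int(match.group(1))] = handle.read()
    return result


# Constructed sample: 4 cores / 8 threads numbered the way Linux usually does
# it, so logical CPU i and i+4 share a core.
SAMPLE_SMT = {i: "%d,%d" % (i % 4, i % 4 + 4) for i in range(8)}
# Constructed sample: the same machine with the sibling threads taken offline.
SAMPLE_NO_SMT = {i: str(i) for i in range(4)}


if __name__ == "__main__":
    topology = read_live_topology()
    source = "live sysfs"
    if not topology:
        topology, source = SAMPLE_SMT, "constructed sample"
    pairs = sibling_groups(topology)
    print("topology source:", source)
    print("SMT enabled:", bool(pairs))
    for core in pairs:
        print("  logical CPUs sharing a core (and its TLBs):", core)
```

On a real host the script reads sysfs directly; if `smt_enabled` reports True, those sibling pairs are the ones on which a co-scheduled process could observe TLB activity, and the usual mitigations are to disable SMT in firmware or to keep sensitive workloads from sharing a core with untrusted ones.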

Intel Open Source Security Incident Response Team

https://twitter.com/vpikhur/status/1016783086325940224

This appears to be a separate group from the Intel group that does the main security advisories. And for big stories, the main Intel PR team does announcements. This group appears to have 4 announcements so far. So there’s at least 3 places you have to check Intel for security updates now. 😦

https://01.org/security/advisories

https://01.org/security/advisories/intel-oss-10002

Intel Open Source Security Incident Response Team

Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method
Intel ID: INTEL-OSS-10002
Last revised: 07/10/2018

ARM pulls RISC-V web site?

Re: https://firmwaresecurity.com/2018/07/10/arm-basics-com-arm-architecture-understand-the-facts/

and https://firmwaresecurity.com/2018/07/09/arm-on-risc-v-five-things-to-consider-before-designing-a-system-on-chip/

it appears ARM pulled the site. I can’t see this site anymore:

https://www.riscv-basics.com/

But the Wayback Machine appears to have made a snapshot:

https://web.archive.org/web/20180710134510/https://riscv-basics.com/

https://www.theregister.co.uk/2018/07/10/arm_riscv_website/

U-Boot v2018.07 released …with Spectre work-arounds

Tom Rini announced the latest release of U-Boot, on the u-boot mailing list:

[…]On the ARM side of things, we have the framework in, and in some cases, it is now enabled, what portion of the “Spectre” work-arounds. Since dealing with the issues entirely is a system-level problem and not just “whack some bits once and you’re good” I want to stress that to deal with the issue entirely you’re going to need more than just these changes enabled.[…]

[IMO, the U-Boot project has terse release announcements; to really understand what is new in U-Boot, you have to diff the sources and track all the current patches and issues on the mailing list, and the list is high-traffic and one of the main posters does not have an email client that properly supports threading…]

More info:
https://lists.denx.de/pipermail/u-boot/2018-July/334014.html
http://git.denx.de/?p=u-boot.git
ftp://ftp.denx.de/pub/u-boot/
https://www.denx.de/wiki/U-Boot/

PS: Most recent set of U-Boot release stats:

https://www.denx.de/wiki/U-Boot/UbootStat_2018_07

NSA using Qubes-like SecureView?

https://twitter.com/DrWhax/status/1016290493297242112

https://distrowatch.com/table.php?distribution=tens

https://www.ncst.com/solutions/secureview

https://www.ainfosec.com/innovative-products/secureview/

PS: US Mil also has another security distro, LiPoSe (Lightweight Portable Security). For years they did not release source code, but later did. Now it is called TENS. Last time I looked, it had no firmware-level security.

https://spi.dod.mil/LPS-Public_for_DoD.htm

https://www.spi.dod.mil/lipose.htm

https://en.wikipedia.org/wiki/Lightweight_Portable_Security

Alexandre Adamski: Overview of Intel SGX – Part 1, SGX Internals

This blog-post provides the reader with an overview of the Intel SGX technology. In this first part, we explore the additions made to Intel platforms to support SGX, focusing on the processor and memory. We then explain the management and life cycle of an enclave. Finally, we detail two features of enclaves: secret sealing and attestation.[…]

https://blog.quarkslab.com/overview-of-intel-sgx-part-1-sgx-internals.html


DIY Root of Trust using ARM Trusted Firmware on the 96Boards Hikey

This is a series of notes designed to be a walkthrough on how to configure the HiKey Kirin 620 to boot securely with ARM Trusted Firmware’s Trusted Board Boot. This does not use any proprietary settings or vendor-specific details about the SoC. Instead, the secure boot path relies on the SoC’s BOOT_SEL configured to boot solely from the eMMC. With this configuration there should be no way to interrupt or bypass the root of trust via runtime changes.[…]

https://casualhacking.io/blog/2018/7/8/diy-root-of-trust-using-arm-trusted-firmware-on-the-96boards-hikey

https://www.96boards.org/documentation/consumer/hikey/getting-started/

Apple macOS 10.13.6: UEFI SecureBoot support for iMac Pro

Re: https://firmwaresecurity.com/2017/12/13/apple-secure-boot/ and https://firmwaresecurity.com/2017/12/20/apple-kb-article-on-secure-boot/

there is more info on Apple Secure Boot:

https://support.apple.com/en-us/HT208864
https://support.apple.com/en-us/HT208937

GCC: Mitigation against unsafe data speculation (CVE-2017-5753)

The patches I posted earlier this year for mitigating against CVE-2017-5753 (Spectre variant 1) attracted some useful feedback, from which it became obvious that a rethink was needed. This mail, and the following patches attempt to address that feedback and present a new approach to mitigating against this form of attack surface.[…]

https://gcc.gnu.org/ml/gcc-patches/2018-07/msg00423.html


INTEL-SA-00127: Intel Direct Connect Interface (DCI) policy update

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00127.html

Existing UEFI setting restrictions for DCI (Direct Connect Interface) in 5th and 6th generation Intel® Xeon® Processor E3 Family, Intel® Xeon® Scalable processors, and Intel® Xeon® Processor D Family can potentially allow a limited physical presence attacker to access platform secrets via debug interfaces.