Hardware Trojans – Attack Models

Whenever I am involved in a discussion about Hardware Trojans, most questions are focused on the following topics / problems:
what would a professional attack look like?
how realistic is the attack by interfering with an integrated circuit?
and finally, is it even a real threat?

These questions will be discussed in that order. The Trojan-related attack models for integrated circuits are closely linked to the supply chain and the contractors in the silicon production process. Currently, microelectronics uses the so-called foundry model, which separates the production of chips (silicon) from the design of integrated circuits. The manufacturing is carried out by separate companies or business units within the same organization. This model takes its name from a similar process in the automotive industry (and heavy industry), where the design of the vehicle (machine) is done by companies and institutions other than steelworks and foundries. Sometimes a very large car company can afford to buy a steelworks, or a steelworks has shares in a car company. An example of this analogy in the world of electronics would be Intel, which does both: designs and manufactures integrated circuits.[…]

https://adamkostrzewa.github.io/jekyll/update/2018/06/19/fabless-companies-en.html

REcon U-Boot talk, slides uploaded [temporarily]

Slides (PDF): recon.pdf

EFI3M: EFI Multi-boot Menu Maker

EFI3M builds a multi-boot menu for computers with an EFI firmware. The menu will be displayed when booting the computer and allows the user to start any of the installed systems from its EFI boot loader: not only Linux distributions, but also BSD distributions, Microsoft Windows, Apple OS X, pretty much any system that has a boot loader in an ESP (EFI System Partition) on any drive of the computer, be it a hard disk, an SSD, an NVMe, whatever. The multi-boot menu is installed in an internal ESP as /EFI/efibootmenu/BOOTx64.EFI alongside its configuration file grub.cfg and also, optionally, in /EFI/BOOT/, which is the fallback directory looked at by the firmware, if it is not already busy. It can also be installed on a USB stick, to allow booting any installed system if for some reason booting would otherwise fail.

https://github.com/DidierSpaier/EFI3M

Cyberus Tech: more info on Intel Lazy Floating Point vuln

Re: https://firmwaresecurity.com/2018/06/15/cyberus-tech-intel-lazyfp-vulnerability-exploiting-lazy-fpu-state-switching/

the PDF that was not previously available appears to be available…

Paper (PDF): lazyFP.pdf

https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html

Circumference: OpenStack Progress with Network Booting

Circumference is a miniaturised datacentre-in-a-box, complete with programmable power distribution and sequencing, instrumentation, cooling, networking, and a switchable remote console — all packaged in custom-designed desktop enclosures which eliminate cable clutter and give you complete control over the hardware inside.

Chris Dent has a blog post about netbooting the Circumference.

https://www.crowdsupply.com/ground-electronics/circumference
https://groundelectronics.com/products/circumference/

In my previous posting on the Circumference I said that I wanted to get the eight Raspberry Pi nodes to netboot from the front end processor so I could more easily manage the nodes on which I wanted to install nova-compute. This post provides a very quick update on those explorations. Newer Pi 3 B boards have firmware that can allow them to netboot without any SD card in place, but it requires a fair bit of set up. I was struggling to make headway, never seeing bootpc packets from the nodes. Turns out a newer firmware is needed. Andrew Back, from Ground Electronics, the company building the Circumference, pointed to a useful cookbook blog post, Network Booting a Raspberry Pi 3 from an Ubuntu Server, that includes pointers to the new firmware. That got me a bit further. I’m now able to see some nodes, sometimes choosing to send bootpc packets and otherwise talking to the network.[…]

https://anticdent.org/circumference-25-netbooting.html
https://anticdent.org/circumference-25-beta.html
https://www.crowdsupply.com/ground-electronics/circumference/updates/openstack-progress-with-network-booting

GPUTop: a GPU profiling tool

Intel posted info about a new blog post using GPUTop with Caledon (Intel-flavored Android):

We are excited to bring out a new tutorial for profiling the GPU on Android. Gputop exposes many GPU parameters module-wise, such as frequency, busyness, threads, EU activeness etc. These are very helpful in identifying performance bottlenecks as well as the impact of performance improvements on the GPU, either through the graphics software stack or through the graphics application. If you are learning/new to GPUs, this should attract you even more. Please take a look, try it out and feel free to share your feedback.

https://01.org/projectceladon/documentation/tutorials/profiling-gpu

https://github.com/rib/gputop

GPU Top is a tool to help developers understand GPU performance counters and provide graphical and machine-readable data for the performance analysis of drivers and applications. GPU Top is compatible with all GPU programming APIs such as OpenGL, OpenCL or Vulkan, since it primarily deals with capturing periodically sampled metrics. GPU Top so far includes a web-based interactive UI as well as a non-interactive CSV logging tool suited to being integrated into continuous regression testing systems. Both of these tools can capture metrics from a remote system, to minimize their impact on the system being profiled. GPUs supported so far include: Haswell, Broadwell, Cherryview, Skylake, Broxton, Apollo Lake, Kabylake, Cannonlake and Coffeelake.

https://lists.01.org/mailman/listinfo/celadon

WooKey: USB Devices Strike Back

Date: 13 June 2018 at 17:15 — 30 min.

The USB bus has been a growing subject of research in recent years. In particular, securing the USB stack (and hence the USB hosts and devices) started to draw interest from the academic community since major exploitable flaws have been revealed by the BadUSB threat. The work presented in this paper takes place in the design initiatives that have emerged to thwart such attacks. While some proposals have focused on the host side by enhancing the Operating System’s USB sub-module robustness, or by adding a proxy between the host and the device, we have chosen to focus our efforts on the device side.

https://www.sstic.org/2018/presentation/wookey_usb_devices_strike_back/

Slides (PDF): SSTIC2018-Slides-wookey_usb_devices_strike_back-michelizza_lefaure_renard_thierry_trebuchet_benadjila_WUAopX7.pdf

Writing simple BIOS bootloaders using NASM

https://blog.benjojo.co.uk/post/interactive-x86-bootloader-tutorial

The tutorial ends with a pointer to some BIOS interrupts. It should have mentioned Ralf Brown’s classic interrupt list.

http://www.cs.cmu.edu/~ralf/files.html

https://en.wikipedia.org/wiki/Ralf_Brown%27s_Interrupt_List

QuarksLab: intro to TEE: ARM’s TrustZone

[…]This starts a series of two blog posts discussing hardware technologies that can be used to support TEE implementations:
* TrustZone from ARM
* SGX from Intel
As suggested by the title, this blog post tells you more about TrustZone.[…]

https://blog.quarkslab.com/introduction-to-trusted-execution-environment-arms-trustzone.html

Facebook BOLT: Binary Optimization and Layout Tool, used for optimizing performance of binaries

https://code.facebook.com/posts/605721433136474/accelerate-large-scale-applications-with-bolt/

https://github.com/facebookincubator/BOLT

Hardware Trojan Attacks on Neural Networks

With the rising popularity of machine learning and the ever-increasing demand for computational power, there is a growing need for hardware-optimized implementations of neural networks and other machine learning models. As the technology evolves, it is also plausible that machine learning or artificial intelligence will soon become consumer electronic products and military equipment, in the form of well-trained models. Unfortunately, the modern fabless business model of manufacturing hardware, while economical, leads to deficiencies in security through the supply chain. In this paper, we illuminate these security issues by introducing hardware Trojan attacks on neural networks, expanding the current taxonomy of neural network security to incorporate attacks of this nature. To aid in this, we develop a novel framework for inserting malicious hardware Trojans in the implementation of a neural network classifier. We evaluate the capabilities of the adversary in this setting by implementing the attack algorithm on convolutional neural networks while controlling a variety of parameters available to the adversary. Our experimental results show that the proposed algorithm could effectively classify a selected input trigger as a specified class on the MNIST dataset by injecting hardware Trojans into 0.03%, on average, of neurons in the 5th hidden layer of arbitrary 7-layer convolutional neural networks, while undetectable under the test data. Finally, we discuss the potential defenses to protect neural networks against hardware Trojan attacks.

https://arxiv.org/abs/1806.05768

Cloud Security Alliance: firmware integrity white paper (registration required to view)

Cloud Security Alliance: make your documents available without having to register!

https://twitter.com/CLOUDSECtweets/status/1008544832472670209

https://www.prnewswire.com/news-releases/cloud-security-alliance-issues-recommendations-on-firmware-integrity-in-the-cloud-data-center-300664598.html

http://www.cloudsecurityindustrysummit.org/

https://cloudsecurityalliance.org/download/firmware-integrity-in-the-cloud-data-center/

Disclaimer: I don’t know anything about the Cloud Security Alliance. Except that their whitepaper download registration policy sucks.

SCALE: Side-Channel Attack Lab. Exercises (and: QSCAT, Qt Side Channel Analysis Tool)

Alongside the implementation of cryptography in hardware and software, attacks on those implementations (plus associated countermeasures) form a central challenge in cryptographic engineering. This topic is sometimes termed physical security, but, either way, it contrasts sharply with traditional cryptanalysis by targeting the concrete implementation (vs. the abstract design, i.e., the underlying theory) via techniques such as side-channel attack. Beyond the obvious motivation, there are many position statements, e.g., see [1,2,3], that outline why this challenge is important. Thus, from an educational perspective, the question is how to equip students with an appropriate, associated skill set? On one hand, it seems obvious a hands-on approach is preferable: this is an applied topic so actually doing it (assuming a background in the underlying or related theory), e.g., via Problem-Based Learning (PBL), would be most effective. Indeed, other initiatives have already used a similar approach, e.g., see [4]. However, on the other hand, our experience is that some practical and/or logistical challenges remain.[…]

https://github.com/danpage/scale

PS: From the Twitter thread, see also:

https://github.com/FdLSifu/qscat

Qt Side Channel Analysis Tool to handle signal traces and more

CIRCLean: USB Sanitizer

https://www.circl.lu/projects/CIRCLean/

Malware regularly uses USB sticks to infect victims, and the abuse of USB sticks is a common vector of infection (as an example, lost USB keys have a 66% chance of malware). CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user-owned) USB key/stick. The focus of CIRCLean is to establish document exchange even if the used transport layer (the USB stick) cannot be trusted or if there is a suspicion about whether the contained documents are free of malware or not. In the worst case, only the CIRCLean would be compromised, but not the computer reading the target (trusted) USB key/stick. The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer. CIRCLean can be seen as a kind of air gap between the untrusted USB key and your operational computer. CIRCLean does not require any technical prerequisites of any kind and can be used by anyone. CIRCLean is free software which can be audited and analyzed by third parties. We also invite all organizations to actively reuse CIRCLean in their own products or contribute to the project.[…]