Crowdsupply: NeTV2 second and third stretch goal update

Re: https://firmwaresecurity.com/2018/05/13/bunnie-launches-netv2-open-source-video-dev-board-on-crowdsupply/

https://www.crowdsupply.com/alphamax/netv2/updates/second-and-third-stretch-goals

more on WebUSB and recent YubiCo vuln

Re: https://firmwaresecurity.com/2018/06/14/yubico-vs-security-researchers/

Here’s a bit more on WebUSB and the recent YubiKey vuln; the latter blog post has great background on WebUSB tech.

http://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html

https://labs.mwrinfosecurity.com/blog/webusb/

https://developers.google.com/web/updates/2016/03/access-usb-devices-on-the-web

From intro paragraph of Google’s intro to WebUSB (emphasis theirs):

“[…]But most importantly this will make USB safer and easier to use by bringing it to the Web.”

LOL

PS: Anyone here a Wikipedia editor? This page needs an entry for WebUSB:

https://en.wikipedia.org/wiki/Category:USB

and perhaps a dedicated page for WebUSB not just:

https://en.wikipedia.org/wiki/Google_Chrome

Besides WebUSB and Wireless USB, what other scary OOB interfaces to USB exist?! I really need to spend more time learning USB properly…

SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation

Submitted on 13 Jun 2018

Speculative execution which is used pervasively in modern CPUs can leave side effects in the processor caches and other structures even when the speculated instructions do not commit and their direct effect is not visible. The recent Meltdown and Spectre attacks have shown that this behavior can be exploited to expose privileged information to an unprivileged attacker. In particular, the attack forces the speculative execution of a code gadget that will carry out the illegal read, which eventually gets squashed, but which leaves a side-channel trail that can be used by the attacker to infer the value. Several attack variations are possible, allowing arbitrary exposure of the full kernel memory to an unprivileged attacker. In this paper, we introduce a new model (SafeSpec) for supporting speculation in a way that is immune to side-channel leakage necessary for attacks such as Meltdown and Spectre. In particular, SafeSpec stores side effects of speculation in a way that is not visible to the attacker while the instructions are speculative. The speculative state is then either committed to the main CPU structures if the branch commits, or squashed if it does not, making all direct side effects of speculative code invisible. The solution must also address the possibility of a covert channel from speculative instructions to committed instructions before these instructions are committed. We show that SafeSpec prevents all three variants of Spectre and Meltdown, as well as new variants that we introduce. We also develop a cycle accurate model of modified design of an x86-64 processor and show that the performance impact is negligible. We build prototypes of the hardware support in a hardware description language to show that the additional overhead is small. We believe that SafeSpec completely closes this class of attacks, and that it is practical to implement.

https://arxiv.org/abs/1806.05179
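To make the abstract's core idea concrete, here is a toy cache model added as an example; it is not code from the SafeSpec paper or its prototypes. It assumes a Flush+Reload style observer (one cache line per possible byte value, represented as a bitmap), a baseline CPU whose speculative loads go straight into the architectural cache, and a SafeSpec-style CPU whose speculative loads are held in a shadow structure that is dropped on squash and merged on commit. The names (`struct cache`, `speculative_load`, `squash`, `commit`, `probe`) are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LINES 256   /* one cache line per byte value, as in a Flush+Reload style probe */

/* Toy cache model (constructed for this example): one bit per line says whether it is cached. */
struct cache {
    bool committed[LINES];   /* architectural cache state, observable by timing accesses */
    bool shadow[LINES];      /* SafeSpec-style holding area for speculative side effects */
    bool safespec;           /* true: speculative loads land in shadow; false: baseline CPU */
};

static void cache_init(struct cache *c, bool safespec) {
    memset(c, 0, sizeof *c);
    c->safespec = safespec;
}

/* A speculatively executed load that touches the line selected by `value`
 * (the "illegal read" in a Spectre/Meltdown gadget). */
static void speculative_load(struct cache *c, unsigned char value) {
    if (c->safespec) c->shadow[value] = true;
    else             c->committed[value] = true;
}

/* Branch resolved as mispredicted: squash. Baseline has nothing to undo (the damage is
 * already in the real cache); SafeSpec simply discards the shadow state. */
static void squash(struct cache *c) {
    memset(c->shadow, 0, sizeof c->shadow);
}

/* Branch resolved as correctly predicted: SafeSpec merges shadow lines into the real cache. */
static void commit(struct cache *c) {
    for (int i = 0; i < LINES; i++)
        if (c->shadow[i]) c->committed[i] = true;
    memset(c->shadow, 0, sizeof c->shadow);
}

/* Attacker's probe after the victim ran: which line is present? -1 if none. */
static int probe(const struct cache *c) {
    for (int i = 0; i < LINES; i++)
        if (c->committed[i]) return i;
    return -1;
}

/* Mis-speculated gadget: the load runs, then is squashed. Returns what the observer infers. */
int run_gadget(bool safespec, unsigned char secret) {
    struct cache c;
    cache_init(&c, safespec);
    speculative_load(&c, secret);
    squash(&c);
    return probe(&c);
}

/* Correctly predicted path: the side effect legitimately becomes visible in both designs. */
int run_committed(bool safespec, unsigned char value) {
    struct cache c;
    cache_init(&c, safespec);
    speculative_load(&c, value);
    commit(&c);
    return probe(&c);
}

int main(void) {
    printf("baseline, squashed: observer infers %d\n", run_gadget(false, 0x42));
    printf("SafeSpec, squashed: observer infers %d\n", run_gadget(true, 0x42));
    printf("SafeSpec, committed: observer infers %d\n", run_committed(true, 0x42));
    return 0;
}
```

The model only covers the direct side effect the abstract describes (speculative state becoming visible in shared structures). The abstract's second concern, a covert channel from still-speculative instructions to committed ones before the speculation resolves, is not modelled here; that is the part a real design has to handle in the pipeline, not in the cache alone.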

exploit_playground: overly-commented exploits (and Ian Beer’s getvolattrlist bug)

Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented 😉 ) exploits so hopefully others can learn from it, and as an attempt to give something back to the community. Also for documenting purposes, cause these things kind of fade away from my head as time passes.

https://github.com/externalist/exploit_playground

iSecCon 2018: Intel Security Conference 2018

Re: https://firmwaresecurity.com/2018/06/15/intel-security-conference/

More details are available:

iSecCon 2018: Intel Security Conference 2018
Intel Ronler Acres 4 (RA4), 2501 NW Century Blvd
Hillsboro, OR, United States, December 4-5, 2018

PROGRAM COMMITTEE:
* Rodrigo Branco (BSDaemon), Chief Security Researcher, Intel Corporation (STrategic Offensive Research & Mitigations – STORM, IPAS)
* Deepak K Gupta, Security Researcher, Intel Corporation (Windows OS Group)
* Marion Marschalek, Senior Security Researcher, Intel Corporation (STrategic Offensive Research & Mitigations – STORM, IPAS)
* Martin Dixon, Chief Security Architect, Intel Corporation (IPAS)
* Vincent Zimmer, Senior Principal Engineer, Intel Corporation (Software and Services Group)
* Matt Miller, Partner, Microsoft Corporation
* Cesar Cerrudo, CTO, IOActive
* Thomas Dullien (“Halvar Flake”), Staff Engineer, Google Project Zero
* Shay Gueron, Senior Principal Engineer, Amazon Web Services (AWS)

https://easychair.org/cfp/iSecCon2018

Cyberus Tech: Intel LazyFP vulnerability: Exploiting lazy FPU state switching

[…]Earlier this year, Julian Stecklina (Amazon) and Thomas Prescher (Cyberus Technology) jointly discovered and responsibly disclosed another vulnerability that might be part of these, and we call it LazyFP. LazyFP (CVE-2018-3665) is an attack targeting operating systems that use lazy FPU switching. This article describes what this attack means, outlines how it can be mitigated and how it actually works.

For further details, see the current draft of the lazyFP paper: <Link withheld by request from Intel>

Please check back regularly, we’re going to update this post in coordination with Intel.[…]

http://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html

Kees Cook on Linux kernel 4.17 security features

If you’re not aware, Kees does a good job about blogging on new Linux kernel features. The topic list from current blog post:

Jailhouse hypervisor
Sparc ADI
new kernel stacks cleared on fork
MAP_FIXED_NOREPLACE
pin stack limit during exec
Variable Length Array removals start

security things in Linux v4.17
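Of the items listed, MAP_FIXED_NOREPLACE is the one a userland developer can exercise directly, so here is an added example (my code, not Kees's or the kernel's): it maps a sentinel page, then asks for an overlapping mapping with MAP_FIXED_NOREPLACE and checks that the existing page is left alone, in contrast to plain MAP_FIXED, which silently replaces it. The fallback `#define` for the flag (value taken from the Linux UAPI header) and the address-comparison check for kernels older than 4.17, where the unknown flag is ignored and `addr` is treated as a hint, are both assumptions about the build environment rather than anything in the post.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Fallback for older glibc headers; the value matches the Linux UAPI constant. */
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000
#endif

#define SENTINEL 0x41

/* Map one anonymous page and fill it with a sentinel so we can tell whether it was replaced. */
static char *map_sentinel_page(size_t page) {
    char *base = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    memset(base, SENTINEL, page);
    return base;
}

/* Returns 1 if the sentinel page survived an overlapping MAP_FIXED_NOREPLACE request,
 * 0 if it was silently replaced, -1 on setup error. */
int noreplace_preserves_existing_mapping(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *base = map_sentinel_page(page);
    if (!base) return -1;

    char *p = mmap(base, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED) {
        /* Linux >= 4.17: the overlapping request is refused, errno is EEXIST. */
        printf("MAP_FIXED_NOREPLACE refused the overlap: %s\n", strerror(errno));
    } else if (p != base) {
        /* Older kernel: the flag was ignored and addr was only a hint, so the new
         * mapping landed elsewhere. This is why callers must compare p with addr. */
        printf("kernel ignored the flag; mapping placed at %p instead of %p\n", (void *)p, (void *)base);
        munmap(p, page);
    }
    int survived = (base[0] == SENTINEL);
    munmap(base, page);
    return survived;
}

/* Same experiment with plain MAP_FIXED: the old page is replaced by a fresh zero-filled one.
 * Returns 1 if the sentinel is gone, -1 on error. */
int fixed_replaces_existing_mapping(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *base = map_sentinel_page(page);
    if (!base) return -1;

    char *p = mmap(base, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) { munmap(base, page); return -1; }
    int replaced = (base[0] != SENTINEL);
    munmap(base, page);
    return replaced;
}

int main(void) {
    printf("MAP_FIXED_NOREPLACE kept existing mapping: %d\n", noreplace_preserves_existing_mapping());
    printf("MAP_FIXED replaced existing mapping:       %d\n", fixed_replaces_existing_mapping());
    return 0;
}
```

The security point is the second function: MAP_FIXED over an address a program does not own will clobber whatever is there (stack, library, heap) with no error, which is exactly the class of silent memory corruption the new flag exists to turn into an EEXIST failure.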

Oski Technology: nice infographic of firmware vulns (“SuperBug”)

http://www.oskitechnology.com/dac-superbug-risk-assessment

I don’t know anything about this company and their product, but I like the cover infographic for some of the hardware/firmware topics it covers:

Un-Sexy Headline: USB Restricted Mode Will Improve iPhone User Security

https://twitter.com/Riana_Crypto/status/1007398287622590464

By Riana Pfefferkorn on June 14, 2018 at 4:01 pm

In the upcoming version of the Apple iPhone iOS operating system, iOS 12, the phone’s Lightning cable port (used for charging and data transmission) will be disabled an hour after the phone is locked. The device will still charge, but transferring data to or from the device via the Lightning cable will require entering the device’s password first. Connecting to the data port via Lightning cable is what third-party forensic devices called Cellebrite and GrayKey rely upon to extract data from locked, encrypted iPhones. These tools (made, respectively, by the eponymous Cellebrite and a company called Grayshift) are employed by U.S. law enforcement agencies at federal, state, and local levels. Unsurprisingly, just about everybody covering the story is framing Apple’s move as one that will thwart law enforcement.[…]

https://cyberlaw.stanford.edu/blog/2018/06/un-sexy-headline-usb-restricted-mode-will-improve-iphone-user-security

Intel Security Conference

The above tweet is all I know so far. The URL in that link doesn’t appear to be useful (unless you’re one of the committee).

Please post more details.

Please host it in Seattle!!!! 🙂

grub-bgrt theme: GRUB2 theme which uses UEFI logo (aka BGRT)

grub-bgrt theme: A theme for GRUB2 which uses your system’s UEFI logo (aka BGRT).

I expect this will be popular.

This old blog post is still commonly accessed; it seems people like to hack BGRT images on their systems:

HackBGRT: changes Windows boot logo on UEFI systems

OEMs, consider making this a user feature via your boot menu.

See-also:

https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/boot-screen-components

https://blog.fpmurphy.com/2015/07/access-bsrt-information-and-boot-logo-from-uefi-shell.html

Image offset value relative to display

On Intel not talking to OpenBSD about recent FPU vuln

Chip vendors controlling the security of OSes should be more transparent in their selection process. They should maintain a list of OSVs for which they maintain embargoed fixes. Then users could determine if they want to trust the OS or not, or try to lobby to try and get the ISA vendor to support their OS. Is the OS on the list, ok then they may have some chance at fixing things. If not on the list I expect to be vulnerable until the embargo ends. There are MANY more OSes than Microsoft Windows, Apple macOS, a limited number of Linux distros, and sometimes FreeBSD.

In some forums, Bryan Cantrill is crafting a fiction. He is saying the FPU problem (and other problems) were received as a leak. He is not being truthful, inventing a storyline, and has not asked me for the facts. This was discovered by guessing Intel made a mistake. We are doing the best for OpenBSD. Our commit is best effort for our user community when Intel didn’t reply to mails asking for us to be included. But we were not included, there was no reply. End of story. That leaves us to figure things out ourselves. Bryan is just upset we guessed right. It is called science.

https://marc.info/?l=openbsd-tech&m=152894815409098&w=2

Apple fixed firmware vulnerability found by Positive Technologies

June 14, 2018
The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors. Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.[…]

http://blog.ptsecurity.com/2018/06/apple-fixed-vulnerability-founde-by-PT-experts.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251
https://support.apple.com/en-us/HT208849

OEMs charge users to enable (or disable) security features

Does the automotive industry charge for seat belts? 🙂

Maybe someone should create an open source project for Tianocore that has boot menu option (UEFI browser form) code to enable/disable everything that Intel/ARM/AMD/etc make configurable, and these menu options should be made available to any IBV/OEM that wants to include them. Having them there reduces friction for vendors who didn’t have those features before, and provides something for customers to point to when they say “I want more control of my security configurability in my firmware.”

https://twitter.com/Mario_Vilas/status/1007204344696098816

VW firmware was used to defeat emission tests

The above 3 tweets apply to EVERYTHING, not just the story that started it, VW firmware. It seems the forensics community still does very little with firmware:

(attachment: diesel-sp17.pdf)

YubiCo -vs- security researchers

Sorry, these tweets are not in chronological order.

https://www.yubico.com/2018/06/webusb-and-responsible-disclosure/

Security advisory YSA-2018-02