https://github.com/HexHive/T-Fuzz
Presentation: 18Oakland-presentation.pdf
If you want to test software which exploits TPM 2.0 functionality inside the qemu-kvm emulator, this can be challenging because the software stack is still quite new. Here is how I did it.[…]
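One way to get a TPM 2.0 in front of a qemu-kvm guest, as an added example that is not the quoted post's own procedure: swtpm provides the emulated TPM over a control socket, qemu attaches it as a TPM TIS device, and inside the guest tpm2-tools confirms the family. The state directory, OVMF image, disk image, and the sample `tpm2_getcap` output are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the quoted post): run a qemu-kvm guest with an
# emulated TPM 2.0 backed by swtpm, then verify inside the guest that the
# device really is a TPM 2.0. Paths are assumptions; adjust for your host.
set -eu

STATE_DIR=${STATE_DIR:-/tmp/mytpm}            # emulated NVRAM lives here
OVMF=${OVMF:-/usr/share/OVMF/OVMF.fd}         # assumed OVMF build with TPM 2.0 support
DISK=${DISK:-guest.qcow2}                     # assumed guest disk image

# swtpm command line. --tpm2 is required: without it swtpm emulates a TPM 1.2.
# State persists under $1, so PCR/NV contents survive guest restarts.
swtpm_cmd() {
    printf '%s' "swtpm socket --tpm2 --tpmstate dir=$1 --ctrl type=unixio,path=$1/swtpm-sock --log level=20"
}

# qemu options that attach the swtpm control socket as a TPM TIS device.
qemu_tpm_args() {
    printf '%s' "-chardev socket,id=chrtpm,path=$1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"
}

# Extract the family indicator ("2.0") from `tpm2_getcap properties-fixed`
# output read on stdin (tpm2-tools 4.x layout, assumed).
tpm_family() {
    awk '/TPM2_PT_FAMILY_INDICATOR/ { f = 1; next }
         f && /value:/ { gsub(/"/, "", $2); print $2; exit }'
}

# Constructed sample of the relevant part of tpm2_getcap output (not real data).
SAMPLE_GETCAP='TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_LEVEL:
  raw: 0'

# Host side: start swtpm in the background, then boot the guest against it.
launch_guest() {
    mkdir -p "$STATE_DIR"
    eval "$(swtpm_cmd "$STATE_DIR")" &
    sleep 1    # let swtpm create the control socket before qemu connects
    eval "qemu-system-x86_64 -enable-kvm -m 2048 -bios $OVMF -drive file=$DISK,format=qcow2 $(qemu_tpm_args "$STATE_DIR")"
}

# Guest side (tpm2-tools installed): confirm the device exists and is a TPM 2.0,
# then read the firmware-measured PCRs, which should be non-zero after boot.
guest_check() {
    [ -c /dev/tpm0 ] || { echo "no /dev/tpm0: TPM not attached"; return 1; }
    fam=$(tpm2_getcap properties-fixed | tpm_family)
    [ "$fam" = "2.0" ] || { echo "family is $fam, not 2.0"; return 1; }
    tpm2_pcrread sha256:0,7
}

case "${1:-}" in
    launch) launch_guest ;;
    check)  guest_check ;;
esac
```

Run `sh tpm-guest.sh launch` on the host and `sh tpm-guest.sh check` inside the guest. If the guest sees no `/dev/tpm0`, the usual causes are swtpm not having been started with `--tpm2`, a socket path mismatch between the two command lines, or an OVMF build without TPM 2.0 support.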
A Bare Metal Installer for ZFS on Root
This repository is intended to produce a bootable UEFI image that allows installing a full bare system with ZFS disks. Be aware that it is not intended for building dual-boot systems. While you are given the ability to choose which disks are used, the EFI boot system will wipe other OS entries. It uses an Ubuntu kernel and a minimal ramdisk builder to host the scripts used to perform the actual install.[…]
https://github.com/symmetryinvestments/zfs-on-root-installer
[…]Here are five of the most serious that were reported in the past year.
1. Spectre, Meltdown variants post triple threat
2. Researchers find flaws related to Speculative Store Bypass
3. Intel acknowledges flaws in ME, AMT subsystems
4. When 140 years is not long enough: the ROCA flaw
5. Insensitive disclosure of sensitive issues: AMD PSP flaws
http://www.eweek.com/security/processor-flaws-force-chip-producers-to-make-security-top-priority
Time to stock up on new FreeDOS-capable hardware, while you have a chance. 😉
Actually, I’m not sure, maybe this limited edition processor *DOES* have SMM, that’d be interesting in other ways.
https://www.intel.com/content/www/us/en/products/processors/core/i7-processors/i7-8086k.html
https://game.intel.com/8086sweepstakes/

I’m glad that Virtualization-Based Security has replaced VisualBasic Script as the new acronym for VBS. 🙂
The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks. Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves.[…]

Duo Labs, which maintains EFIgy, an EFI firmware update status tool for Macs, is interviewed by InfoSecurity Magazine on the topic of EFI security:
[…]Although efforts to compromise EFI are most often carried out as part of highly targeted attacks, they remain a major threat to organizations, he warned. […] Smith revealed newly updated research from Duo Security which details shortcomings in Apple’s EFI update processes. Drawing on data collected from 73,000 customer machines, the findings show that 4.2% were running the wrong EFI version – much higher than the 1% or so expected. That rose to nearly 43% for the oldest Mac model on the market, dating back to 2015. The results also showed that organizations could be “software secure but firmware vulnerable.” […] He called on tech firms to introduce “the same degree” of transparency into the firmware update process as they do with software updates. Duo Security chose to study Apple because the firm’s singular ecosystem made it easier to analyze, but Smith warned that failings in the Wintel space are arguably even more acute.[…]
https://www.infosecurity-magazine.com/news/infosec18-experts-in-efi-update/
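The "software secure but firmware vulnerable" check that EFIgy automates, done by hand, as an added example that is not EFIgy's or Duo's code: read the model identifier and Boot ROM (EFI) version from `system_profiler` and compare the firmware version against what you expect for that model. The expected-version table and the sample `system_profiler` output are constructed placeholders, not Apple's real firmware data.

```shell
#!/bin/sh
# Added example (not EFIgy's code): compare a Mac's running EFI version with
# the version expected for its model. The table and sample are placeholders.
set -eu

# Field parsers for `system_profiler SPHardwareDataType` output on stdin.
# Newer macOS releases label the firmware field "System Firmware Version"
# instead of "Boot ROM Version"; accept either.
boot_rom_version() {
    sed -n -e 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' \
           -e 's/^[[:space:]]*System Firmware Version:[[:space:]]*//p'
}
model_identifier() {
    sed -n 's/^[[:space:]]*Model Identifier:[[:space:]]*//p'
}

# Expected EFI version per model, "model=version", one per line.
# Placeholder values: populate from Apple's current firmware table, not these.
EXPECTED_TABLE='MacBookPro14,2=MBP142.0178.B00
iMac18,3=IM183.0160.B00'

# efi_status MODEL RUNNING_VERSION TABLE
#   -> current | outdated:expected=<version> | unknown-model
efi_status() {
    want=$(printf '%s\n' "$3" | awk -F= -v m="$1" '$1 == m { print $2; exit }')
    if [ -z "$want" ]; then
        echo "unknown-model"
    elif [ "$2" = "$want" ]; then
        echo "current"
    else
        echo "outdated:expected=$want"
    fi
}

# Constructed sample of system_profiler output (not real data): a machine
# one firmware release behind the placeholder table above.
SAMPLE_PROFILE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro14,2
      Boot ROM Version: MBP142.0167.B00
      SMC Version (system): 2.44f1'

# On a real Mac: query the live system and report its status.
check_host() {
    out=$(system_profiler SPHardwareDataType)
    efi_status "$(printf '%s\n' "$out" | model_identifier)" \
               "$(printf '%s\n' "$out" | boot_rom_version)" \
               "$EXPECTED_TABLE"
}
```

Note that an `unknown-model` result is not a pass: a model missing from your table is exactly the machine nobody is tracking, which is the gap the interview describes. Treat it as a finding until the expected version is filled in.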
Stefan Kanthak has submitted a bug against Pete Batard's Rufus, a Win32 GDI tool for creating bootable USB thumbdrives. Rufus is, these days, somewhat of a rarity: an open source tool written as a native Win32 GDI GUI C application. Most open source GUI tools now use Qt or GTK, and even Microsoft has largely moved on from Win32. An old school Windows tool. 🙂
I wish Stefan was less of an <EXPLETIVE> in how he reported it.
Pete has been writing EFI-centric Free Software for a long time, not many people can write UEFI file system drivers and Win32 GDI GUI applications. Thanks for creating all these tools for people, Pete!
https://rufus.ie/
https://pete.akeo.ie/
https://skanthak.homepage.t-online.de/home.html
https://github.com/pbatard/rufus
http://www.openwall.com/lists/oss-security/2018/05/31/1
Re: https://firmwaresecurity.com/2018/05/17/eclypsium-in-bloomberg/
Eclypsium was on BloombergTV today! Hmm, I can’t find the URL of the video, if you can, please add it as a Comment to this blog.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
INTEL-SA-00115
Original release: 05/21/2018
Last revised: 05/21/2018
I mostly focus on platform firmware (UEFI, ACPI, etc.) and usually don't focus much on IoT/embedded OS firmware, even though I blog about it. But there are a lot of tools for the latter, and I've not yet added a section for them in Awesome Firmware Security[1]. And I have two friends who need such a list. Below is a first pass at searching old blog posts for tools; I will refine it and add it to Awesome Firmware Security later. Please leave a comment to point out any other major tools of this category that I've missed.
https://firmwaresecurity.com/2016/08/25/firminator/ Hmm, it looks like the domain firminator.io is no longer valid.
Tactical Network Solutions unveils firmware evaluation services
ReFirm labs gets 1.5mil in funding, launches Centrifuge Platform
[1] https://github.com/PreOS-Security/awesome-firmware-security/blob/master/README.md
Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications
Schulz, Matthias
Ph.D. Thesis
Smartphones come with a variety of sensors and communication interfaces, which make them perfect candidates for mobile communication testbeds. Nevertheless, proprietary firmwares hinder us from accessing the full capabilities of the underlying hardware platform which impedes innovation. Focusing on FullMAC Wi-Fi chips, we present Nexmon, a C-based firmware modification framework. It gives access to raw Wi-Fi frames and advanced capabilities that we found by reverse engineering chips and their firmware. As firmware modifications pose security risks, we discuss how to secure firmware handling without impeding experimentation on Wi-Fi chips. To present and evaluate our findings in the field, we developed the following applications. We start by presenting a ping-offloading application that handles ping requests in the firmware instead of the operating system. It significantly reduces energy consumption and processing delays. Then, we present a software-defined wireless networking application that enhances scalable video streaming by setting flow-based requirements on physical-layer parameters. As security application, we present a reactive Wi-Fi jammer that analyses incoming frames during reception and transmits arbitrary jamming waveforms by operating Wi-Fi chips as software-defined radios (SDRs). We further introduce an acknowledging jammer to ensure the flow of non-targeted frames and an adaptive power-control jammer to adjust transmission powers based on measured jamming successes. Additionally, we discovered how to extract channel state information (CSI) on a per-frame basis. Using both SDR and CSI-extraction capabilities, we present a physical-layer covert channel. It hides covert symbols in phase changes of selected OFDM subcarriers. Those manipulations can be extracted from CSI measurements at a receiver. To ease the analysis of firmware binaries, we created a debugging application that supports single stepping and runs as firmware patch on the Wi-Fi chip. 
We published the source code of our framework and our applications to ensure reproducibility of our results and to enable other researchers to extend our work. Our framework and the applications emphasize the need for freely modifiable firmware and detailed hardware documentation to create novel and exciting applications on commercial off-the-shelf devices.
http://tuprints.ulb.tu-darmstadt.de/7243/
See blog post for full list of changes.

I notice that the Intel/Eclypsium training at Black Hat USA 2018 is no longer listed. Sounds like not enough people signed up?!
AFAIK, the next opportunity to get Eclypsium CHIPSEC training is at REcon (and REcon appears to have cheaper training rates than Blackhat):
https://recon.cx/2018/montreal/training/trainingfirmware.html
There’s also the training materials from older training from Intel ATR/CHIPSEC team, available here:
Hastily-written news/info on the firmware security/development communities, sorry for the typos.