Author: hucktech

Chromium: Post-Spectre Threat Model Re-Think

~ hucktech ~ Leave a comment

https://twitter.com/fugueish/status/1001605230583136256

In light of Spectre/Meltdown, we needed to re-think our threat model and defenses for Chrome renderer processes. Spectre is a new class of hardware side-channel attack that affects (among many other targets) web browsers. This document describes the impact of these side-channel attacks and our approach to mitigating them. The upshot of the latest developments is that the folks working on this from the V8 side are increasingly convinced that there is no viable alternative to Site Isolation as a systematic mitigation to SSCAs [speculative side-channel attacks]. In this new mental model, we have to assume that user code can reliably gain access to all data within a renderer process through speculation. This means that we definitely need some sort of ‘privileged/PII data isolation’ guarantees as well, for example ensuring that password and credit card info are not speculatively loaded into a renderer process without user consent. […] In fact, any software that both (a) runs (native or interpreted) code from more than one source; and (b) attempts to create a security boundary inside a single address space, is potentially affected. For example, software that processes document formats with scripting capabilities, and which loads multiple documents from different sources into the same process, may need to take defense measures similar to those described here.[…]

https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md

 

Xeno updates Low Level PC Attack Papers list

~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2017/05/15/xeno-updates-low-level-pc-attack-papers-list/

Xeno has updated it again. Look at his current tweets to see the indivual entries added. Xeno is one of the pioneers of firmware security research, and this is basically the canon list of HW/FW issues.

Required reading for anyone reading a blog like this.

https://timeglider.com/timeline/5ca2daa6078caaf4

I’ll be blunt, I *LOVE* the data, but I wish it was a plain web page, TimeGlider makes the data less useful to me.

Hoping someday the data expands to virtualization-level firmware, in addition to bare-metal.

Pyra (Debian-based gaming console) needs kernel ARM/OMAP experts

~ hucktech ~ Leave a comment

Pyra needs help by kernel and low-level ARM/OMAP experts

W. Martin Borgert posted a message to the Debian kernel/ARM lists, about soliciting kernel dev help for a Debian-based gaming console, successor to OpenPandora.

Borgert quote:

I just read this post by Pyra project leader Michael Mrozek a.k.a. “Evil Dragon”. (Pyra is planned to be a Debian based gaming console, successor of OpenPandora.) They need help by kernel devs and folks who know OMAP etc. Maybe somebody here can help them? There even might be some money in it. No doubt about fame and fun, though!

Evil Dragon quote:

[…]This brings up another important point: Kernel developers! There’s still quite a few things which should be done before the release. We don’t have proper powersaving, the TILER implementation needs to be tidied up, 3D is not yet implemented, Audio needs a better setup, etc. It seems there are less and less kernel developers having the time to work on such things in their spare time. That’s why I decided to hire freelancers to help out as well![…]I know we’ve got quite a lot of OpenSource fans around here. Maybe some know some good kernel developers, who are able to include and improve hardware support and fix various issues. We can provide a test unit as well as the needed datasheets – but it needs someone who is capable of debugging and fixing low-level things.[…]

https://pyra-handheld.com/boards/threads/moving-along.82982/
https://pyra-handheld.com/

 

USB Hub Bug Hunting and Lessons Learned

~ hucktech ~ Leave a comment

In this article I’ll show how a protocol analyzer is used, how my instincts turned out to be very wrong, and along the way dive into arcane USB details you probably won’t see explained anywhere else.[…]

https://www.pjrc.com/usb-hub-bug-hunting-lessons-learned/

Azeria Labs releases new ARM cheat sheet poster

~ hucktech ~ Leave a comment

https://azeria-labs.com/

Open Source Firmware Conference (OSFC) CfP open!

~ hucktech ~ Leave a comment

The Call for Papers is open for the Open Source Firmware Conference:

https://osfc.io/

https://easychair.org/cfp/osfc2018

CheckBIOSDisk: Check uefi/legacy bios and gpt/mbr disk type for WinPE

~ hucktech ~ Leave a comment

This is a Win32 console application for Windows Preinstall Environment system. The gaol is checking PC uses UEFI BIOS (or with CSM) must ensures the disk type is GPT format, otherwise the legacy BIOS must using MBR format for disk layout. C++ code only does windows executing diskpart and reg commands and checks results to improve function, because requester is lazy and having lack knowledge on his job to design commands flow.

https://github.com/sharowyeh/checkbiosdisk

PS: Another tool by author:

https://github.com/sharowyeh/NvGpuUtility

 

Android bootloader flow documentation published

~ hucktech ~ Leave a comment

Alex Deymo notes that the Android project has more documentation on their boot process, and posted about it on the U-Boot mailing list:

“Just an FYI, earlier this month the team spent some time polishing and publishing in source.android.com documentation about the flows the bootloader goes through in Android, specially true for stock Android like in Pixels phones or other devices based of recent AOSP versions. This documentation includes the interaction between userspace and the bootloader such as the properties userspace expects when booting A/B devices, the whole A/B flow, the bootloader message in the misc partition (BCB), how they interact with the “recovery mode” in Android and much more.

https://lists.denx.de/pipermail/u-boot/2018-May/329886.html

https://source.android.com/devices/bootloader/

USB Reverse Engineering: A Universal Guide

~ hucktech ~ Leave a comment

USB Reverse Engineering: A Universal Guide
by: Ben James
May 25, 2018

[Glenn ‘devalias’ Grant] is a self-proclaimed regular rabbit hole diver and is conscious that, between forays into specific topics, short-term knowledge and state of mind can be lost. This time, whilst exploring reverse engineering USB devices, [Glenn] captured the best resources, information and tools – for his future self as well as others. His guide is impressively comprehensive, and covers all the necessary areas in hardware and software.[…]

USB Reverse Engineering: A Universal Guide

 

Free ebook: Software Security: Principles, Policies, and Protection

~ hucktech ~ Leave a comment

 

Welcome to Software Security: Principles, Policies, and Protection (SS3P), a free book about software security. SS3P focuses on basic software security principles, secure software development from design over implementation to testing, software security policies (with a focus on memory and type unsafe language like C/C++), defense strategies with a focus on verification, testing, and mitigation, attack vectors, and reverse engineering. The different chapters are augmented with several case studies.
This book is, was, and always will be free and openly accessible in PDF form. If you reference the book, please link to the SS3P PDF directly so that your readers will always get the most recent version.
The intended audience of this book are advanced undergraduate and graduate students interested in software security (e.g., as part of a software security, system security, or information security class) as well as developers working with low level languages such as C/C++.

https://nebelwelt.net/SS3P/

 

Expect More Spectre, Meltdown Variants Until Updated Chips Arrive

~ hucktech ~ Leave a comment

[…]For a company like Intel, testing would cost several million dollars and take two to three months for each iteration.

“Flat out, that’s [a complete rewrite] not gonna happen,” said Joe FitzPatrick, a hardware security researcher and trainer.[…]

https://duo.com/decipher/expect-more-spectre-meltdown-variants-until-updated-chips-arrive

 

SEVered: Subverting AMD’s Virtual Machine Encryption

~ hucktech ~ Leave a comment

AMD SEV is a hardware feature designed for the secure encryption of virtual machines. SEV aims to protect virtual machine memory not only from other malicious guests and physical attackers, but also from a possibly malicious hypervisor. This relieves cloud and virtual server customers from fully trusting their server providers and the hypervisors they are using. We present the design and implementation of SEVered, an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines. SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine. We verify the effectiveness of SEVered on a recent AMD SEV-enabled server platform running different services, such as web or SSH servers, in encrypted virtual machines. With these examples, we demonstrate that SEVered reliably and efficiently extracts all memory contents even in scenarios where the targeted virtual machine is under high load.

ROMsplit: split UEFI/BIOS files into two or more binary chunks

~ hucktech ~ Leave a comment

A quick and dirty tool written in C to split UEFI/BIOS files into two or more binary chunks, which can then be flashed onto a chip using flashrom or something similar. This was born out of the necessity of needing a UEFI and an EC (embedded controller) image to be reflashed manually on a laptop where the UEFI was 2MB and the EC was 128K, but seperate images were not available.

printf(“romsplit – split binary files into two or more seperate chunks\n”);
printf(“Usage: %s <filename> <size of chunk 1> <size of chunk 2> … <size of chunk n>\n\n”, argv[0]);
printf(“You must specify a filename and at least two chunk sizes\n”);

https://github.com/mode13h/romsplit

The Evil Mouse Project

~ hucktech ~ Leave a comment

Conclusion: Never trust USB devices (and not only storage devices…)

https://blog.rootshell.be/2018/05/22/evil-mouse-project/

The Evil Mouse