Microsoft introduces Trusted Cyber Physical Systems (TCPS)

Trusted Cyber Physical Systems looks to protect your critical infrastructure from modern threats in the world of IoT
Thomas Pfenning / Director Software Engineering
April 24, 2018

This week at Hannover Messe 2018 in Germany, we are excited to demonstrate how Microsoft is utilizing its more than 25 years of embedded and hardware security experience with a new project codenamed Trusted Cyber Physical Systems (TCPS). This solution seeks to provide end-to-end security that is resilient to today’s cyber-attacks so our industrial customers can operate their critical infrastructures with confidence and with no negative impact to their intellectual property and customer experience.[…]

https://blogs.windows.com/business/2018/04/24/trusted-cyber-physical-systems-looks-to-protect-your-critical-infrastructure-from-modern-threats-in-the-world-of-iot/

TCPS-WP.pdf

Protecting-Critical-Infrastructure.pdf

efi-rpm-macros: helps package EFI code into Red Hat RPMs

efi-rpm-macros provides a set of RPM macros for use in EFI-related packages.

The following variables are meaningful on the make command line:

EFI_ESP_ROOT: the directory where the EFI System Partition is mounted
EFI_ARCHES: the rpm arches that %efi will match on
EFI_VENDOR: the vendor name for your EFI System Partition directory

The following rpm macros are set:

%efi: the arches that EFI packages should be built on, suitable for use with %ifarch
%efi_vendor: the vendor name for your EFI System Partition directory
%efi_esp_root: the directory where the EFI System Partition is mounted
%efi_esp_efi: the full path to \EFI on the EFI System Partition
%efi_esp_boot: the full path to \EFI\BOOT on the EFI System Partition
%efi_esp_dir: the full path to your vendor directory on the EFI System Partition
%efi_arch: the EFI architecture name, e.g. x64
%efi_arch_upper: the EFI architecture name in upper case, e.g. X64

https://github.com/rhboot/efi-rpm-macros

 

upcoming queue of BMC/iLO research…

Three different submissions to upcoming conferences. One abstract (for SSTIC’18) is below:

https://twitter.com/nicowaisman/status/990232607253245957

https://www.sstic.org/2018/presentation/subverting_your_server_through_its_bmc_the_hpe_ilo4_case/

Subverting your server through its BMC: the HPE iLO4 case
Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date: 13 June 2018 at 11:30, 30 min.

iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides the features required by a system administrator to remotely manage a server without having to physically reach it. iLO4 (known to be used on the HP ProLiant Gen8 and ProLiant Gen9 server families) runs on a dedicated ARM micro-processor embedded in the server, totally independent from the main processor. We performed an initial deep-dive security study of HP iLO4 and covered the following topics: firmware unpacking and memory layout, embedded OS internals, vulnerability discovery and exploitation, as well as full compromise of the host server operating system through DMA. One of the main outcomes of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass but also remote code execution. Still, one question remains open, namely: are the iLO systems resilient against a long-term compromise at the firmware level? For this reason, this paper is focused on the update mechanism and how a motivated attacker can achieve long-term persistence on the system; how a new/backdoored firmware can be crafted and then installed, to offer an attacker a stealthy and resilient backdoor in an environment which has been compromised.

DMTF, NVMe and SNIA form 3-way alliance for SSD storage mgmt

The DMTF, NVM Express, Inc. and SNIA have formed a new three-way alliance to coordinate standards for managing SSD storage devices. […] In addition to SNIA’s Swordfish and DMTF’s Redfish, the alliance’s collaborative work will include the following standards:

* NVM Express™ (NVMe™) is the register interface and command set for PCI Express attached storage with industry standard software available for numerous operating systems. The NVM Express™ Management Interface (NVMe-MI™) is the command set and architecture for management of NVM Express storage (e.g., discovering, monitoring, and updating NVMe devices using a BMC).

* DMTF’s Management Component Transport Protocol (MCTP) is a protocol and Platform Level Data Model (PLDM) is a low-level data model defined by the DMTF Platform Management Components Intercommunications (PMCI) Working Group (https://www.dmtf.org/standards/pmci) . MCTP is designed to support communications between different intelligent hardware components that make up a platform management subsystem that provides monitoring and control functions inside a managed system.

* DMTF’s PLDM for Redfish Device Enablement (RDE) defines messages and data structures used for enabling PLDM devices to participate in Redfish-based management without needing to support either JavaScript Object Notation (JSON, used for operation data payloads) or the [Secure] Hypertext Transfer Protocol (HTTP/HTTPS, used to transport and configure operations).

[…]

NVMe-DMTF-SNIA_Work_Register_v1.0.pdf

https://www.dmtf.org/

https://www.snia.org/
https://www.snia.org/forums/smi/swordfish
http://www.dmtf.org/standards/redfish

Micah Lee: It’s impossible to prove your laptop hasn’t been hacked. I spent two years finding out

Very good article, talks about firmware/hardware threats, and gives a checklist of how to check for some of them. I need to update the “Guidance” part of some upcoming slides to incorporate ideas from this article.

https://twitter.com/josephfcox/status/990249064104067072

It’s Impossible to Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.
Micah Lee
April 28 2018, 7:00 a.m.

Digital security specialists like me get some version of this question all the time: “I think my laptop may have been infected with malware. Can you check?”[…]


DoNotDisturb: now with email support (and YONTMA)

Re: https://firmwaresecurity.com/2018/04/25/donotdisturb-detect-evil-maid-attacks/

Someone has created some more Mac-centric Evil Maid detection code:

https://twitter.com/ptrckhbr/status/989903893898416128

https://github.com/ptrckhbr/scripts/blob/master/applescript/DND.scpt

I wish someone would collect all the various FW/OS-centric ways to check for Evil Maids, and write a tool that covers all of them. Here are some other ways, via You’ll Never Take Me Alive (YONTMA) from iSEC Partners (now NCC Group):

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2013/march/yontma-youll-never-take-me-alive/
https://github.com/iSECPartners/yontma
https://github.com/iSECPartners/yontma-mac

 

QEMU has RISC-V support

part 2: https://www.sifive.com/blog/2018/04/25/risc-v-qemu-part-2-the-risc-v-qemu-port-is-upstream/

part 1: https://www.sifive.com/blog/2017/12/20/risc-v-qemu-part-1-privileged-isa-hifive1-virtio/

see-also Sifive’s statement on Spectre/Meltdown:

https://www.sifive.com/blog/2018/01/05/sifive-statement-on-meltdown-and-spectre/

HPE seeks senior UEFI developer

Senior UEFI Development Engineer
Job ID 1023806

Strong knowledge in UEFI security or firmware security in general.
Strong knowledge in TPM, Secure Boot, TXT, and RSA.
Knowledge of industry standard technologies including ACPI, USB, SMBIOS, IPMI, Redfish, and PCI express.
8+ years’ experience in firmware or BIOS/UEFI development.
In-depth knowledge of UEFI architecture and development (focused on the EDK2 development environment).

https://careers.hpe.com/job/-/-/3545/7942722

U-Boot gets Android Verified Boot (AVB) 2.0

Igor Opaniuk of Linaro posted a patch to the U-Boot list, adding Android Verified Boot 2.0 support:

This series of patches introduces support of Android Verified Boot 2.0, which provides integrity checking of Android partitions on MMC. It integrates libavb/libavb_ab into the U-boot, provides implementation of AvbOps, subset of `avb` commands to run verification chain (and for debugging purposes), and it enables AVB2.0 verification on AM57xx HS SoC by default. Currently, there is still no support for verification of A/B boot slots and no rollback protection (for storing rollback indexes there are plans to use eMMC RPMB). Libavb/libavb_ab will be deviated from AOSP upstream in the future, that’s why minimal amount of changes were introduced into the lib sources, so checkpatch may fail. For additional details check [1] AVB 2.0 README and doc/README.avb2, which is a part of this patchset.[…]

https://lists.denx.de/pipermail/u-boot/2018-April/326562.html

 

Detecting Evil Maid attacks with PowerShell

Re: https://firmwaresecurity.com/2018/04/25/donotdisturb-detect-evil-maid-attacks/

The above solution was Mac-centric. Here’s a Windows-centric solution, using PowerShell:

https://pastebin.com/hAEHibHf

Grab this version before the Visual Studio or Azure teams ties the code to their products. 🙂
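To show what a Windows-side check of the kind asked for in the YONTMA post above and in this one can look like, here is an added example (my own code, not the pastebin script, DoNotDisturb or YONTMA). It records a baseline of platform state before you leave the laptop, and on return lists every boot/shutdown/sleep/resume event logged while you were away and diffs the platform state against the baseline. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule modules present; the baseline path and the function names are my own choices.

```powershell
# Added example (not the pastebin script, DoNotDisturb or YONTMA).
# Assumptions: elevated PowerShell, Windows 8+/Server 2012+ with the
# BitLocker and TrustedPlatformModule modules; baseline path chosen by caller.

function Get-BootIntegritySnapshot {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; record "unknown" there.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }
    $tpm   = Get-Tpm
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TakenAt              = Get-Date
        LastBootUpTime       = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        SecureBootEnabled    = $secureBoot
        TpmPresentAndReady   = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        SystemDriveEncrypted = ($osVol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn         = ($osVol.ProtectionStatus -eq 'On')
        # Sorted list of key protector types (Tpm, TpmPin, RecoveryPassword, ...):
        # an added protector or a cleared TPM changes this string.
        KeyProtectors        = (($osVol.KeyProtector | ForEach-Object KeyProtectorType | Sort-Object) -join ',')
    }
}

function Get-UnattendedPowerEvents {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [datetime]$End = (Get-Date)
    )
    # Kernel-General 12/13      = OS started / OS shutting down
    # Kernel-Power 41           = restarted without a clean shutdown (power pulled, reset)
    # Kernel-Power 42           = entering sleep
    # Power-Troubleshooter 1    = resumed from sleep
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General';       Id = 12, 13 },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power';         Id = 41, 42 },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Power-Troubleshooter'; Id = 1 }
    )
    $events = foreach ($f in $filters) {
        $f.StartTime = $Start
        $f.EndTime   = $End
        # Get-WinEvent reports "no events found" as an error; here that is the good case.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, Id,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Save-EvilMaidBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-BootIntegritySnapshot | Export-Clixml -Path $Path
}

function Test-EvilMaid {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $before   = Import-Clixml -Path $BaselinePath
    $after    = Get-BootIntegritySnapshot
    $findings = @()

    # 1. Any power transition while the machine was unattended deserves a look.
    foreach ($e in (Get-UnattendedPowerEvents -Start $before.TakenAt -End $after.TakenAt)) {
        $findings += '{0:u} {1} id={2}: {3}' -f $e.TimeCreated, $e.ProviderName, $e.Id, $e.Summary
    }
    # 2. A reboot moves LastBootUpTime even if the event log was cleared afterwards.
    if ($after.LastBootUpTime -ne $before.LastBootUpTime) {
        $findings += "LastBootUpTime changed: $($before.LastBootUpTime) -> $($after.LastBootUpTime)"
    }
    # 3. Platform state that should never change silently.
    foreach ($p in 'SecureBootEnabled', 'TpmPresentAndReady', 'SystemDriveEncrypted', 'ProtectionOn', 'KeyProtectors') {
        if ("$($after.$p)" -ne "$($before.$p)") {
            $findings += "$p changed: $($before.$p) -> $($after.$p)"
        }
    }
    [pscustomobject]@{ Suspicious = ($findings.Count -gt 0); Findings = $findings }
}

# Usage:
#   before leaving:  Save-EvilMaidBaseline -Path "$env:LOCALAPPDATA\evilmaid.xml"
#   on return:       Test-EvilMaid -BaselinePath "$env:LOCALAPPDATA\evilmaid.xml"
```

Two caveats a practitioner should keep in mind. The baseline file and the event log both live on the disk the attacker has physical access to, so keep the baseline on removable media you carry with you. More importantly, this only sees what Windows itself logged: an attacker who boots a live USB, pulls the drive, or modifies firmware without ever starting Windows leaves no Kernel-General or Kernel-Power event and does not move LastBootUpTime, which is exactly why YONTMA hibernates the machine (so the key leaves RAM) and why DoNotDisturb watches the lid rather than the OS logs.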

US CERT update on Spectre/Meltdown

This updated alert is a follow-up to the updated alert titled ICS-ALERT-18-011-01 Meltdown and Spectre Vulnerabilities (Update F) that was published March 1, 2018, on the NCCIC/ICS-CERT website.

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-18-011-01

 

Intel SGX hardening patent, by Intel

https://twitter.com/vpikhur/status/989561250609709057

PATENT ALERT. Engineers not wanting to be tainted by external patent info should not read this post. It is only the title/abstract of the patent, however.

.
.
.
.
.
.
.

Inventor: Volodymyr Pikhur, Atul A. Khare
Current Assignee: Intel Corp
Priority date: 2016-09-07

Non-enclave access prevention

A processing system includes an execution unit comprising a logic circuit to implement an architecturally-protected execution environment associated with a protected region in a memory, in which the execution unit is to execute application code stored in the protected region as a thread running in the architecturally-protected execution environment, determine that an access mode flag is set to a first value, detect an attempt by the thread to access data stored outside the protected region, and responsive to detecting the attempt and determining that the access mode flag is set to the first value, generate an exception.

https://patents.google.com/patent/US20180067873A1

IOActive: HooToo TripMate Routers are Cute But Insecure

Monday, April 23, 2018
HooToo TripMate Routers are Cute But Insecure
By Tao Sauvage

[…] While HooToo TripMate routers are cute, they are also extremely insecure. Multiple memory corruptions, multiple OS command injections, arbitrary file upload, and arbitrary firmware update: all of them unauthenticated.[…]

http://blog.ioactive.com/2018/04/hootoo-tripmate-routers-are-cute-but.html

HooToo_Security_Advisory_FINAL_4.19.18.pdf

https://www.hootoo.com/hootoo-tripmate-ht-tm05-wireless-router.html

DMTF Redfish becomes ISO/IEC 30115:2018 Redfish

https://www.dmtf.org/content/dmtf-announces-adoption-redfish-iso-and-iec

ISO/IEC 30115:2018: The Redfish Scalable Platforms Management API (“Redfish”) is a new specification that uses RESTful interface semantics to access data defined in model format to perform out-of-band systems management. It is suitable for a wide range of servers, from stand-alone servers to rack mount and bladed environments but scales equally well for large scale cloud environments. There are several out-of-band systems management standards (de facto and de jure) available in the industry. They all either vary widely in implementation, were developed for single server embedded environments or have their roots in antiquated software modeling constructs. There is no single industry standard that is simple to use, based on emerging programming standards, embedded friendly and capable of meeting large scale data center & cloud needs.

https://www.iso.org/standard/53235.html