Author: hucktech
OPCDE’18 presentations uploaded
BSidesMUC’18: ARM shellcode and exploit development materials uploaded
Open Source Hardware certification update
The Open Source Hardware Association (OSHWA) has updated their certification:
After almost a year and a half of community discussion, OSHWA unveiled the Open Source Hardware Certification Program at the 2016 Open Hardware Summit. Today, with the help of a major grant from the Sloan Foundation, we are excited to announce that we are taking major steps towards Certification 2.0. The original certification program has some fairly straightforward goals. It is designed to make it easy for creators to identify their hardware as compliant with the community definition of open source hardware, as well as make it easy for users to know that hardware that is advertised as “open source” meets their expectations. The certification process gives a creator confidence that they have done everything required to call their hardware open source. The certification logo gives users confidence that they will be able to access, build upon, and hack any hardware that they receive. We didn’t know what to expect when we launched the certification program and have been blown away by the results. There are currently 170 certified hardware projects from 18 countries on 5 continents participating in the program.[…]
WinMagic on Microsoft Pre-Boot Full Disk Encryption Authentication
WinMagic makes full-disk encryption products, including a UEFI one, which the UEFI CA (Microsoft) signs, AFAIK.
Is Microsoft really claiming Pre-Boot Authentication for Full Disk Encryption is not necessary?[…]To summarize, Microsoft has got this one wrong. The fault in their logic is thinking that PBA is limited to protection against memory attacks AFTER automatically unlocking the drive. They missed the whole point of PBA, which is to prevent anything being read from the drive, such as the operating system BEFORE the user has confirmed they have the correct password or other credentials. PBA is a necessary component of a FDE solution in order to fully achieve the confidentiality (and compliance) that full disk encryption is capable of providing.
Microsoft adds temporary Spectre/Meltdown bug bounty
Mid-last month Microsoft announced a temporary bug bounty, good until the end of the year, on speculative execution:
Microsoft Speculative Execution Side Channel Bounty Program
https://blogs.technet.microsoft.com/msrc/2018/03/14/speculative-execution-bounty-launch/
Lenovo: securing the supply chain
Lenovo has a blog post on supply chain security:
[…]Have you ever considered whether the PCs delivered to your business contain the same components installed by the manufacturer?[…]
http://blog.lenovo.com/en/blog/securing-the-supply-chain/

Lenovo: please publish hashes for your online firmware images!
Quarks Lab: dumping flash chips, blog series
Quarks Lab has a 2-part blog series on dumping flash chips:
First part of a blog post series about our approach to dump a flash chip. In this article we describe how to desolder the flash, design and build the corresponding breakout board. This blog post series will detail simple yet effective attacks against embedded devices non-volatile memories. This type of attack enables you to do the following:
* read the content of a memory chip;
* modify the content of a memory chip;
* monitor the accesses from/to a memory chip and modify them on the fly (Man-In-The-Middle attack).
In particular, the following topics will be discussed:
* Desoldering of a flash chip;
* Conception of a breakout board with KiCAD;
* PCB fabrication and microsoldering;
* Addition of a breakout board on an IoT device;
* Dump of a SPI flash;
* Dump of a parallel flash;
* Man-in-the-Middle attacks.
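The "Dump of a SPI flash" step, as an added example that is not part of the Quarks Lab series: the bus is assumed to sit behind a full-duplex transfer callback (a real SPI master or, here, a simulated chip whose contents are constructed inline), and the routine reads the JEDEC ID, dumps the part with 0x03 READ commands in 256-byte chunks, and dumps it a second time to catch the bit errors a marginal breakout-board joint produces.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SPI NOR dump over a breakout board, added here as an illustration; this is
 * not Quarks Lab's code.  The bus is abstracted as a full-duplex transfer
 * callback so the same routine drives a real SPI master or, below, a
 * simulated chip whose contents are constructed in spi_dump_selftest(). */

#define SPI_CMD_RDID 0x9F   /* JEDEC read identification: returns 3 ID bytes */
#define SPI_CMD_READ 0x03   /* read data: 24-bit address, no dummy cycles */

typedef void (*spi_xfer_fn)(void *ctx, const uint8_t *tx, uint8_t *rx, size_t n);

/* Read manufacturer, memory-type and capacity bytes; checking these before
 * a dump confirms the breakout wiring and the chip's address width. */
void spi_flash_read_id(spi_xfer_fn xfer, void *ctx, uint8_t id[3])
{
    uint8_t tx[4] = { SPI_CMD_RDID, 0, 0, 0 }, rx[4];
    xfer(ctx, tx, rx, sizeof tx);
    memcpy(id, rx + 1, 3);   /* byte 0 is clocked in while the opcode goes out */
}

/* Dump `size` bytes from `addr` into `out` with 0x03 READ commands. */
void spi_flash_dump(spi_xfer_fn xfer, void *ctx, uint32_t addr, uint8_t *out, size_t size)
{
    enum { CHUNK = 256 };
    uint8_t tx[4 + CHUNK], rx[4 + CHUNK];
    size_t done = 0;
    while (done < size) {
        size_t n = (size - done < CHUNK) ? size - done : CHUNK;
        uint32_t a = addr + (uint32_t)done;
        tx[0] = SPI_CMD_READ;
        tx[1] = (uint8_t)(a >> 16);
        tx[2] = (uint8_t)(a >> 8);
        tx[3] = (uint8_t)a;
        memset(tx + 4, 0, n);          /* dummy bytes clock the data back in */
        xfer(ctx, tx, rx, 4 + n);
        memcpy(out + done, rx + 4, n);
        done += n;
    }
}

/* Dump twice and compare.  A marginal solder joint on the breakout board or a
 * too-fast clock shows up as bytes that differ between passes.  Returns the
 * number of mismatching bytes (0 means the dump is trustworthy). */
size_t spi_flash_dump_verified(spi_xfer_fn xfer, void *ctx, uint8_t *out, uint8_t *scratch, size_t size)
{
    size_t bad = 0;
    spi_flash_dump(xfer, ctx, 0, out, size);
    spi_flash_dump(xfer, ctx, 0, scratch, size);
    for (size_t i = 0; i < size; i++)
        bad += (out[i] != scratch[i]);
    return bad;
}

/* ---- simulated chip standing in for the desoldered flash ---- */
struct sim_flash { const uint8_t *mem; size_t size; uint8_t id[3]; };

static void sim_xfer(void *ctx, const uint8_t *tx, uint8_t *rx, size_t n)
{
    struct sim_flash *f = ctx;
    memset(rx, 0xFF, n);                       /* idle MISO reads as 0xFF */
    if (n < 4) return;
    if (tx[0] == SPI_CMD_RDID) {
        memcpy(rx + 1, f->id, 3);
    } else if (tx[0] == SPI_CMD_READ) {
        uint32_t a = ((uint32_t)tx[1] << 16) | ((uint32_t)tx[2] << 8) | tx[3];
        for (size_t i = 4; i < n; i++, a++)
            rx[i] = (a < f->size) ? f->mem[a] : 0xFF;
    }
}

/* Constructed 1000-byte image (deliberately not a multiple of the chunk size)
 * behind a chip with a constructed JEDEC ID.  Returns 0 if ID, dump and the
 * two-pass verification all agree. */
int spi_dump_selftest(void)
{
    static uint8_t img[1000], out[1000], scratch[1000];
    struct sim_flash chip = { img, sizeof img, { 0xEF, 0x40, 0x15 } };
    uint8_t id[3];
    for (size_t i = 0; i < sizeof img; i++)
        img[i] = (uint8_t)(i * 7 + 1);
    spi_flash_read_id(sim_xfer, &chip, id);
    if (memcmp(id, chip.id, 3) != 0) return 1;
    if (spi_flash_dump_verified(sim_xfer, &chip, out, scratch, sizeof img) != 0) return 2;
    if (memcmp(out, img, sizeof img) != 0) return 3;
    return 0;
}

int main(void)
{
    int rc = spi_dump_selftest();
    printf("simulated SPI dump: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

Against real hardware, `spi_xfer_fn` is the only thing to replace (a Bus Pirate, FT2232H or Linux spidev transfer), and the JEDEC ID read is the first thing to do after wiring the breakout board: a wrong or all-0xFF ID means the wiring or clock is wrong, and no amount of dumping will fix that. Parts larger than 16 MiB need 4-byte addressing (0x13 READ or an address-mode switch), which this 24-bit routine does not attempt.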
AMPC: new ACPI table by Ampere Computing
Please leave a comment on this blog if you can find their spec; UEFI does not have a pointer to it.
http://www.uefi.org/acpi_id_list?search=&order=field_acpi_approved_on_date&sort=asc
http://uefi.org/acpi
https://amperecomputing.com/
GlobalLogic: U-Boot and Android Verified Boot
Noticed a new document on Slideshare on U-Boot and AVB:
Forensics acquisition: Analysis and circumvention of Samsung Secure Boot enforced Common Criteria Mode
https://doi.org/10.1016/j.diin.2018.01.008
https://www.sciencedirect.com/science/article/pii/S1742287618300409
Forensics acquisition: Analysis and circumvention of Samsung Secure Boot enforced Common Criteria Mode
Gunnar Alendal, Geir Olav Dyrkolbotn, Stefan Axelsson
The acquisition of data from mobile phones has been a mainstay of criminal digital forensics for a number of years now. However, this forensic acquisition is getting more and more difficult with the increasing security level and complexity of mobile phones (and other embedded devices). In addition, it is often difficult or impossible to get access to design specifications, documentation and source code. As a result, the forensic acquisition methods are also increasing in complexity, requiring an ever deeper understanding of the underlying technology and its security mechanisms. Forensic acquisition techniques are turning to more offensive solutions to bypass security mechanisms, through security vulnerabilities. Common Criteria mode is a security feature that increases the security level of Samsung devices, and thus makes forensic acquisition more difficult for law enforcement. With no access to design documents or source code, we have reverse engineered how the Common Criteria mode is actually implemented and protected by Samsung’s secure bootloader. We present how this security mode is enforced, security vulnerabilities therein, and how the discovered security vulnerabilities can be used to circumvent Common Criteria mode for further forensic acquisition.
ME Analyzer 1.48.0 released
Maxim and Dmitry speaking on Intel ME at CONFidence
Alex speaking at OPCDE
How to update Chrome OS firmware to improve security
By Andy Wolber
1. Check Chrome OS firmware version
2. Save settings and files
3. Create Chrome recovery media
4. Update with a Powerwash
Full article:
https://www.techrepublic.com/article/how-to-update-chrome-os-firmware-to-improve-security/
See-also:
https://support.google.com/chromebook/answer/183084
https://support.google.com/chromebook/answer/3296214
https://support.google.com/chrome/a/answer/1360642
https://support.google.com/chromebook/answer/1080595
Spring 2018 UEFI Forum plugfest presentations uploaded
* State of the UEFI – Mark Doran (UEFI Forum President)
* An Introduction to Platform Security – Brent Holtsclaw and John Loucaides (Intel)
* Firmware Security: Hot Topics to Watch – Dick Wilkins (Phoenix Technologies, Ltd.)
* UEFI Updates, Secure firmware and Secure Services on Arm – Dong Wei and Matteo Carlini (Arm)
* The State of ACPI Source Language (ASL) Programming – Erik Schmauss (Intel)
* Implementing MicroPython as a UEFI Test Framework – Chris McFarland (Intel)
* UEFI and the Security Development Lifecycle – Tim Lewis (Insyde)
* Attacking and Defending the Platform – Erik Bjorge and Maggie Jauregui (Intel)
* Microsoft Security Features and Firmware Configurations – Scott Anderson, Jeremiah Cox and Michael Anderson (Microsoft)
* Dynamic Tables Framework: A Step Towards Automatic Generation of Advanced Configuration and Power Interface (ACPI) & System Management BIOS (SMBIOS) Tables – Sami Mujawar (Arm)
* Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates to Windows Update (WU) – Bret Barkelew, Keith Kepler, and Michael Anderson (Microsoft)
* Embedded Development Kit 2 (EDK2): Platforms Overview – Leif Lindholm (Linaro)
* Enabling Advanced NVMe Features Through UEFI – Zachary Bobroff (AMI)
https://uefi.blogspot.com/2018/04/spring-2018-uefi-plugfest-presentations.html
http://www.uefi.org/learning_center/presentationsandvideos
I expect videos on Youtube shortly after PDFs have become available.
INTEL-SA-00116: Intel® 2G Firmware Update for Modems using ETWS
Intel ID: INTEL-SA-00116
Product family: Intel® XMM71xx, Intel® XMM72xx, Intel® XMM73xx, Intel® XMM74xx, Sofia 3G, Sofia 3G-R, and Sofia 3G-RW
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Apr 04, 2018
Buffer overflow in ETWS processing module Intel® XMM71xx, XMM72xx, XMM73xx, XMM74xx and Sofia 3G/R allows remote attacker to potentially execute arbitrary code via an adjacent network. In late February 2018, external security researchers identified and disclosed to Intel a security vulnerability affecting Intel® 2G Modem firmware. The vulnerability affects Intel® 2G Modem products where the Earthquake Tsunami Warning System (ETWS) feature is enabled in Modem firmware. Devices equipped with an affected modem, when connected to a rogue 2G base station where non-compliant 3GPP software may be operational, are potentially at risk. Intel is making firmware updates available to device manufacturers that protect systems from this vulnerability. End users should check with their device manufacturers and apply any available updates as soon as practical. Intel would like to thank Dr. Ralph Phillip Weinmann and Dr. Nico Golde from Comsecuris for reporting CVE-2018-3624.
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00116&languageid=en-fr
next-loader: EFI Boot Manager for Apple Macs
AHCI BIOS Security Extension
This software is useful if:
* you have a (probably self-encrypting) hard disk / solid state drive that supports the (S)ATA SECURITY command set
* you want to boot from this drive.
* your motherboard’s BIOS does not support asking the user for a hard disk password at startup
* you don’t want to buy a new motherboard.
* the hard disk controller of your motherboard supports AHCI.
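What a pre-boot password prompt for a drive with the ATA SECURITY feature set actually has to do, as an added example that is not the AHCI BIOS Security Extension's own code: decode IDENTIFY DEVICE word 128 to decide whether the drive is locked and can still be unlocked, build the 512-byte data block that accompanies SECURITY UNLOCK (opcode 0xF2), and wipe it afterwards. Opcodes and field layouts are from the public ATA command set; the sample password and status word are constructed, and nothing here talks to a controller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ATA SECURITY feature set, as seen by a pre-boot unlock routine.  Opcodes
 * and field layouts are from the public ATA command set (ATA8-ACS); the
 * helpers are an added illustration, not the AHCI BIOS Security Extension's
 * own code, and nothing here touches a real controller. */
#define ATA_CMD_SECURITY_SET_PASSWORD     0xF1
#define ATA_CMD_SECURITY_UNLOCK           0xF2
#define ATA_CMD_SECURITY_ERASE_PREPARE    0xF3
#define ATA_CMD_SECURITY_ERASE_UNIT       0xF4
#define ATA_CMD_SECURITY_FREEZE_LOCK      0xF5
#define ATA_CMD_SECURITY_DISABLE_PASSWORD 0xF6

#define ATA_SECURITY_BLOCK_LEN 512  /* one sector of command data */
#define ATA_PASSWORD_LEN        32  /* words 1..16 of that block */

/* IDENTIFY DEVICE word 128, "Security status". */
struct ata_security_status {
    int supported;       /* bit 0 */
    int enabled;         /* bit 1: a user password is set */
    int locked;          /* bit 2: no media access until SECURITY UNLOCK */
    int frozen;          /* bit 3: SECURITY commands rejected until power cycle */
    int count_expired;   /* bit 4: too many failed unlock attempts */
    int enhanced_erase;  /* bit 5 */
    int level_max;       /* bit 8: 0 = High, 1 = Maximum */
};

struct ata_security_status ata_parse_security_word(uint16_t w)
{
    struct ata_security_status s;
    s.supported      = (w >> 0) & 1;
    s.enabled        = (w >> 1) & 1;
    s.locked         = (w >> 2) & 1;
    s.frozen         = (w >> 3) & 1;
    s.count_expired  = (w >> 4) & 1;
    s.enhanced_erase = (w >> 5) & 1;
    s.level_max      = (w >> 8) & 1;
    return s;
}

/* A BIOS-level unlock prompt is only useful when the drive has security
 * enabled, is locked, and can still accept SECURITY commands. */
int ata_needs_unlock_prompt(uint16_t w)
{
    struct ata_security_status s = ata_parse_security_word(w);
    return s.supported && s.enabled && s.locked && !s.frozen && !s.count_expired;
}

/* Build the 512-byte data block for SECURITY UNLOCK (SECURITY SET PASSWORD
 * uses the same layout plus word 0 bit 8 for the security level).
 * Word 0 bit 0 selects the user (0) or master (1) password; words 1..16 hold
 * the password, zero-padded.  Returns -1 if the password is too long. */
int ata_build_security_block(uint8_t out[ATA_SECURITY_BLOCK_LEN], int master,
                             const uint8_t *pw, size_t pwlen)
{
    if (pwlen > ATA_PASSWORD_LEN)
        return -1;
    memset(out, 0, ATA_SECURITY_BLOCK_LEN);
    out[0] = master ? 1 : 0;    /* word 0 is little-endian on the wire */
    memcpy(out + 2, pw, pwlen); /* word 1 begins at byte offset 2 */
    return 0;
}

/* Wipe the block once the command has been issued: pre-boot code that leaves
 * it in memory hands the credential to whatever runs next. */
void ata_wipe_security_block(uint8_t blk[ATA_SECURITY_BLOCK_LEN])
{
    volatile uint8_t *p = blk;
    for (size_t i = 0; i < ATA_SECURITY_BLOCK_LEN; i++)
        p[i] = 0;
}

int main(void)
{
    uint8_t blk[ATA_SECURITY_BLOCK_LEN];
    uint16_t word128 = 0x0007;  /* constructed: supported, enabled, locked */

    if (ata_needs_unlock_prompt(word128)) {
        const char *typed = "correct horse";  /* constructed example password */
        ata_build_security_block(blk, 0, (const uint8_t *)typed, strlen(typed));
        printf("issue SECURITY UNLOCK (0x%02X) with %zu-byte user password\n",
               ATA_CMD_SECURITY_UNLOCK, strlen(typed));
        ata_wipe_security_block(blk);
    }
    return 0;
}
```

Two caveats a practitioner will hit. First, the drive compares the raw 32 bytes it receives, but some vendor BIOSes hash or otherwise transform what the user types before sending it, so a password set by one firmware is not necessarily the byte string another tool (such as `hdparm --security-unlock`) must send. Second, a drive reporting `frozen` will abort every SECURITY command until the next power cycle; many BIOSes issue SECURITY FREEZE LOCK (0xF5) during POST precisely so that software running later cannot set or change a password, which is why a BIOS that lacks a prompt also tends to leave the drive unusable for an OS-level unlock.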
Matthew Garrett on the Linux Kernel Lockdown Patch, and UEFI
Re: Kernel Lockdown Patch:
Matthew Garrett of Google has a new blog post that gives some background on this patch, w/r/t UEFI: