Intel releases version 066 of the Software Dev Manuals

https://software.intel.com/en-us/articles/intel-sdm

At present, downloadable PDFs of all volumes are at version 066. The downloadable PDF of the Intel® 64 and IA-32 architectures optimization reference manual is at version 039. Additional related specifications, application notes, and white papers are also available for download.

 

MORF – AMI’s open source Redfish Framework in OpenBMC

https://github.com/ami-megarac/

https://lists.ozlabs.org/pipermail/openbmc/2018-March/011255.html

PDF: MegaRAC Open Redfish Framework (MORF).pdf

 

Total Meltdown for Windows 7: follow-up

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1038

DiskImageCreator: designed to help people attack the machine with a secure chain-of-trust boot process in UEFI BIOS

[[
UPDATE: adding URL, which I forgot in original post:
https://github.com/tsunghowu/DiskImageCreator
]]

DiskImageCreator : A python utility to process the input raw disk image and sign MBR/partitions with given corresponding keys.

Signing Tool for boot security validation.

This python utility is designed to provide a baseline for people who may be interested in attaching the machine with secure boot process built-in. The secure boot process is a customized chain-of-trust boot flow in UEFI BIOS. It will examine the target disk image (in MBR) and see if it is properly signed by the root key controlled by the owner. This utility is to help the owner create a signed image with owner keys.

This tool is designed to help people attack the machine with a secure chain-of-trust boot process in UEFI BIOS.

cgasm: command line tool that provides x86 assembly docs

We’re insanely passionate about command line asm documentation in the cloud, and we’re crushing it!
cgasm is a standalone, offline terminal-based tool with no dependencies that gives me x86 assembly documentation. It is pronounced “SeekAzzem”.[…]
TODO: Nothing. No other features. Ever.
Contributing: I. Will. Cut. You.

https://github.com/bnagy/cgasm

PS4 4.55 BPF Race Condition Kernel Exploit Writeup

https://twitter.com/cybergibbons/status/979680338006958081


Note: While this bug is primarily interesting for exploitation on the PS4, this bug can also potentially be exploited on other unpatched platforms using FreeBSD if the attacker has read/write permissions on /dev/bpf, or if they want to escalate from root user to kernel code execution. As such, I’ve published it under the “FreeBSD” folder and not the “PS4” folder.[…]

https://github.com/Cryptogenic/Exploit-Writeups/blob/master/FreeBSD/PS4%204.55%20BPF%20Race%20Condition%20Kernel%20Exploit%20Writeup.md

Update on Microsoft UEFI Github projects

Re: https://firmwaresecurity.com/2017/11/01/microsoft-uefi-capsule-update-package-on-github/

Last year at the UEFI Forum Spring Plugfest, Microsoft announced a new Github tree with UEFI-centric code.

This year, they talked about some new code on that tree.

Honestly, I thought that they hadn’t been doing anything in a year, but it turns out all the activity has been in the BRANCHES:

https://github.com/Microsoft/MS_UEFI

For example:

https://github.com/Microsoft/MS_UEFI/tree/share/MsCapsuleSupport

So, there’s a lot of new Microsoft UEFI-related code on this tree, just not on master. 🙂

Stealthy dopant-level hardware Trojans

Stealthy dopant-level hardware Trojans: extended version
Georg T. Becker, Francesco Regazzoni, Christof Paar, Wayne P. Burleson

In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about what such a Trojan would look like and how difficult it would be in practice to implement one. In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against “golden chips”. We demonstrate the effectiveness of our approach by inserting Trojans into two designs—a digital post-processing derived from Intel’s cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation—and by exploring their detectability and their effects on security.

https://link.springer.com/article/10.1007/s13389-013-0068-0

CeLoader: A UEFI bootloader for Windows CE

CELoader is an EFI application that can load and boot to a Windows CE kernel (NK.EXE). The code is fairly simple but demonstrates the ability to read and write the console, read files and query and configure the graphics system. The loader configures the BootArgs structure with information needed by the kernel. Finally, the loader jumps to the entry point of the CE kernel.

https://github.com/dougboling/CeLoader

Duo Security: Microcontroller Firmware Recovery Using Invasive Analysis

Microcontroller Firmware Recovery Using Invasive Analysis

https://duo.com/blog/microcontroller-firmware-recovery-using-invasive-analysis

 

LLVM: Speculative Load Hardening (a Spectre variant #1 mitigation)

http://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html

 

SDQAnalyzer: A Saleae analyzer plugin for the SDQ (Apple Lightning, MagSafe, Battery) protocol

https://github.com/nezza/SDQAnalyzer

A Saleae analyzer plugin for the SDQ (Apple Lightning, MagSafe, Battery) protocol.

https://support.saleae.com/hc/en-us/articles/115005987726-Protocol-Analyzer-SDK

Example of the analyzer in action

UbootKit: A Worm Attack for the Bootloader of IoT Devices

https://www.blackhat.com/asia-18/briefings.html#ubootkit-a-worm-attack-for-the-bootloader-of-iot-devices

UbootKit: A Worm Attack for the Bootloader of IoT Devices

The security of the IoT has never been so important, especially when millions of devices become parts of everyday life. Most of the IoT devices, however, are vulnerable to cyberattacks, as the hardware resources are limited or the security design is missing during the development. Tencent Anti-Virus Laboratory demonstrates a new worm prototype dubbed UbootKit, which targets the bootloader of IoT devices, to indicate how a worm can propagate between various devices and why it is difficult to eliminate. The UbootKit attack is a kind of manipulation attack against the bootloader, causing infected devices to be remotely controlled and to spread malware to other devices. UbootKit is extremely difficult to remove, even by physically pressing the reset button, and is able to attack various kinds of IoT devices with a Linux system. A demonstration will be introduced to explain how UbootKit is able to propagate between ARM and MIPS based devices. First, the worm rewrites the bootloader to parasite on the host. Second, the modified bootloader hijacks the start procedure of the Linux kernel in memory. The malicious code in the kernel will download a worm program and execute it with the root privilege. Finally, the downloaded worm program attacks other devices through password scanning or remote execution exploits. The experiment affirms that UbootKit is able to infect real IoT products, such as routers and webcams. Just to clarify, all experiments were restricted to the laboratory environment, and no harmful payload has ever been applied. The reason the UbootKit attack can be launched is that the integrity verification for the bootloader is missing for most IoT devices. At the end of the paper, a mitigation solution – which is adding an integrity verification procedure at the on-chip code – is explained to address the vulnerability.

slides:

PDF: asia-18-Yang-UbootKit-A-Worm-Attack-for-the-Bootloader-of-IoT-Devices.pdf

paper:

PDF: asia-18-Yang-UbootKit-A-Worm-Attack-for-the-Bootloader-of-IoT-Devices-wp.pdf
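The mitigation the UbootKit abstract names (on-chip code verifies the bootloader before running it) and the MBR/partition signing described for DiskImageCreator above share one idea: measure each boot stage and compare it against an owner-controlled reference before transferring control. The following is an added example written for this post to illustrate that check; it is not code from either project. It assumes a pinned SHA-256 digest per stage as the trust anchor (a simplification: production designs use an asymmetric signature so the verifier holds no secret), parses a real-layout MBR partition table, and runs against a constructed disk image with two one-sector partitions.

```python
"""Boot-stage integrity verification (added example, not project code).

Assumption: the 'on-chip' trust anchor is a dictionary of pinned SHA-256 digests,
one per boot stage, computed once by the image owner. The verifier measures the
MBR and every partition the MBR describes and refuses to boot on the first
mismatch, in boot order. The sample image below is constructed, not a real disk.
"""
import hashlib
import hmac
import struct

SECTOR = 512
MBR_BOOTCODE_LEN = 446   # bytes 0..445 hold the bootstrap code
MBR_PTABLE_OFF = 446     # four 16-byte partition entries follow
MBR_SIG_OFF = 510        # 0x55 0xAA boot signature closes the sector


def parse_mbr(mbr: bytes):
    """Return (bootable, type, lba_start, sector_count) for each non-empty entry."""
    if len(mbr) != SECTOR or mbr[MBR_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = mbr[MBR_PTABLE_OFF + 16 * i: MBR_PTABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append((status == 0x80, ptype, lba, count))
    return parts


def build_mbr(bootcode: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and partition entries."""
    if len(bootcode) > MBR_BOOTCODE_LEN or len(entries) > 4:
        raise ValueError("bootcode or partition table too large")
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba, count)
        for bootable, ptype, lba, count in entries
    )
    mbr = bootcode.ljust(MBR_BOOTCODE_LEN, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xaa"
    assert len(mbr) == SECTOR
    return mbr


def measure_image(image: bytes) -> dict:
    """Owner side: digest the MBR and every partition its table describes."""
    mbr = image[:SECTOR]
    digests = {"mbr": hashlib.sha256(mbr).hexdigest()}
    for idx, (_, _, lba, count) in enumerate(parse_mbr(mbr)):
        body = image[lba * SECTOR:(lba + count) * SECTOR]
        if len(body) != count * SECTOR:
            raise ValueError(f"partition {idx} extends past end of image")
        digests[f"part{idx}"] = hashlib.sha256(body).hexdigest()
    return digests


def verify_boot(image: bytes, trusted: dict):
    """Verifier side: (True, 'ok') or (False, <first failing stage>)."""
    try:
        measured = measure_image(image)
    except ValueError as exc:
        return False, f"parse: {exc}"
    # walk stages in boot order: MBR first, then partitions in table order
    for stage in ["mbr"] + sorted(k for k in measured if k != "mbr"):
        if stage not in trusted or not hmac.compare_digest(measured[stage], trusted[stage]):
            return False, stage
    if set(trusted) != set(measured):
        return False, "manifest mismatch"   # a stage was added or dropped
    return True, "ok"


def demo_image() -> bytes:
    """Constructed sample: placeholder bootcode plus two one-sector partitions."""
    bootcode = b"\xeb\xfe" + b"FAKE-BOOTCODE"   # 'jmp $' then filler; not real code
    entries = [(True, 0x83, 1, 1), (False, 0x83, 2, 1)]
    part0 = b"kernel-stage".ljust(SECTOR, b"\x00")
    part1 = b"rootfs-stage".ljust(SECTOR, b"\x00")
    return build_mbr(bootcode, entries) + part0 + part1


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one byte in place, standing in for an in-place rewrite of a stage."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    image = demo_image()
    manifest = measure_image(image)                          # pinned on-chip by the owner
    print(verify_boot(image, manifest))                      # (True, 'ok')
    print(verify_boot(tamper(image, 10), manifest))          # (False, 'mbr')
    print(verify_boot(tamper(image, SECTOR + 5), manifest))  # (False, 'part0')
```

The verifier compares digests with `hmac.compare_digest` so timing does not leak which prefix of the digest matched, and it checks the MBR before any partition so a modified partition table cannot redirect the later measurements. Truncating the image so a listed partition is missing is reported as a parse failure rather than silently skipped.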

Microsoft Windows: Kernel Virtual Address (KVA) Shadow: mitigating Meltdown

KVA Shadow: Mitigating Meltdown on Windows

On January 3rd, 2018, Microsoft released an advisory and security updates that relate to a new class of discovered hardware vulnerabilities, termed speculative execution side channels, that affect the design methodology and implementation decisions behind many modern microprocessors. This post dives into the technical details of Kernel Virtual Address (KVA) Shadow which is the Windows kernel mitigation for one specific speculative execution side channel: the rogue data cache load vulnerability (CVE-2017-5754, also known as “Meltdown” or “Variant 3”). KVA Shadow is one of the mitigations that is in scope for Microsoft’s recently announced Speculative Execution Side Channel bounty program. It’s important to note that there are several different types of issues that fall under the category of speculative execution side channels, and that different mitigations are required for each type of issue. Additional information about the mitigations that Microsoft has developed for other speculative execution side channel vulnerabilities (“Spectre”), as well as additional background information on this class of issue, can be found here. Please note that the information in this post is current as of the date of this post.[…]

https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/