P. Sperl and K. Böttinger, “Side-Channel Aware Fuzzing” […approach to extract feedback for fuzzing on embedded devices using information the power consumption leaks… Our results show that the power side-channel carries information relevant for fuzzing…]https://t.co/WDmYiUG296

— Arrigo Triulzi (@cynicalsecurity) August 15, 2019

[…]In this paper we present and evaluate a new approach to extract feedback for fuzzing on embedded devices using information the power consumption leaks. Side-channel aware fuzzing is a threefold process that is initiated by sending an input to a target device and measuring its power consumption. First, we extract features from the power traces of the target device using machine learning algorithms. Subsequently, we use the features to reconstruct the code structure of the analyzed firmware. In the final step we calculate a score for the input, which is proportional to the code coverage. We carry out our proof of concept by fuzzing synthetic software and a light-weight AES implementation running on an ARM Cortex-M4 microcontroller. Our results show that the power side-channel carries information relevant for fuzzing.

https://arxiv.org/abs/1908.05012

I wrote a blog post "Breaking Through Another Side: Bypassing Firmware Security Boundaries". It's a first part of the series based on our #BHUSA research with Alexandre Gazet.

HW/FW Security != Summary of all Security Boundarieshttps://t.co/5x0d5DJnfK

— Alex Matrosov (@matrosov) August 18, 2019

This blog post is the first in the series about my joint Black Hat research “Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller” (slides) with Alexandre Gazet presented last week in Vegas. This REsearch took literally 5 months of our spare time to dig into Embedded Controller security and Intel BIOS Guard technology implementation in Lenovo Thinkpad BIOS.[…]

View at Medium.com

Pop!_OS's new firmware management integration keeps more of your devices up to date, thanks to system76 and LVFS support. Update to see the new feature, and read the details here: https://t.co/SlsG45KRmh pic.twitter.com/R9Bjn0gz2e

— System76 (@system76) August 17, 2019

System76 is one Linux distro/OEM that rolled it’s own firmware update mechanism, instead of supporting fwupd. Now they have a new tool that integrates the two solutions:

One of the remaining issues with firmware management on Linux is the lack of options for graphical frontends to firmware management services like fwupd and system76-firmware. For fwupd, the only solutions available were to distribute either GNOME Software, or KDE Discover; which is not viable for Linux distributions which have their own application centers, or frontends to package managers. For system76-firmware, an official GTK application exists, but it only supports updating System76 firmware, when it would be more ideal if it could support updating firmware from both services. fwupd is a system service which connects to LVFS to check for firmware updates to a wide variety of hardware from multiple vendors. system76-firmware is our own system service which connects to System76 to check for firmware updates for System76 hardware. To solve this problem, we’ve been working on the Firmware Manager project, which we will be shipping to all Pop!_OS users, and System76 hardware customers on any other distribution. It supports checking and updating firmware from the fwupd and system76-firmware services, is Wayland-compatible, and provides both a GTK application and library. […]

https://blog.system76.com/post/187072707563/the-new-firmware-manager-updating-firmware-across

https://github.com/pop-os/firmware-manager

August 14, 2019 09:17 by Paul Roberts

A survey of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, Netgear and other major vendors.[…]

Huge Survey of Firmware Finds No Security Gains in 15 Years

See-also:
https://cyber-itl.org/2018/12/07/a-look-at-home-routers-and-linux-mips.html

Still working on Volume II of Android Internals. Haven’t forgotten y’all. And there’s updates on EFI file format, etc in the update to Volume I that I am preparing… […]

The imgtool utility is another one of the tools I’m including in my book, this time to accompany the chapter about the Boot process. I deal a lot with the internal format of images there, and realized I needed a quick extractor. This became more important when I started to deal with the L preview, and Google Glass system images I used for research. Included in V1.0 changes:
“[…]

• Full support for EFI firmware files, SCAP, MacEFI images, etc – so now you can extract QCOM xbl/abl further!
• ..And Apple’s (yep, Apple’s) T2 EFI images, Firmware.scap,etc:
  […]”

http://newandroidbook.com/tools/imgtool.html#V10

Re: https://firmwaresecurity.com/2018/06/25/wifi-hid-injector-an-usb-rubberducky-badusb-on-steroids/

USBSamurai — A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$ https://t.co/8dtdrBd03g

— Nicolas Krassas (@Dinosn) August 17, 2019

USBSamurai — A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$

USBSamurai — A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$

https://github.com/whid-injector/WHID (aka http://whid.ninja/ )

And here is a more detailed blog post on our homebrewed security static analysis tool, Zoncolan: https://t.co/SbGVhBiQMT

— collin (@libber) August 15, 2019

https://engineering.fb.com/security/zoncolan/

https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/?verso=true

Hmm, have not found source code, please leave URL in Comment if you do:
https://github.com/facebookresearch?utf8=%E2%9C%93&q=Zoncolan&type=&language=

Biosup is a program designed to automate the sourcing and downloading of BIOS/UEFI from Various vendor websites. Using the config file, a user can manually set what chipset’s and vendor’s (between ASUS, ASROCK, GIGABYTE and MSI) they wish to download.

https://github.com/Rexzarrax/Biosup

See-also: UEFI-Spider

https://firmwaresecurity.com/2015/07/15/tool-review-uefi-spider-and-firmware_vault/

Began curating a list of Hyper-V exploitation resources, hope it can be of use to anyone interested in starting Hyper-V security research: https://t.co/uWJZo9Flh0 #ExploitDev #HyperV pic.twitter.com/fS6jAmajin

— Shogun Lab (@shogun_lab) August 15, 2019

https://github.com/shogunlab/awesome-hyper-v-exploitation

Sadly we routinely find Secure Boot issues in hardware boot ROMs. We have other boot ROM findings in the queue and we are working hard for public release.

I am thankful to Xilinx for their fast response, it is quite good that Reference Manual for the P/Ns will be updated. https://t.co/pVzwOPSaSE

— Andrea Barisani (@AndreaBarisani) August 12, 2019

https://blog.f-secure.com/hardware-security-team-says-flawed-secure-boot-schemes-becoming-too-common/

https://www.xilinx.com/support/answers/72588.html

#ScrewedDrivers: Common Design Flaw In Dozens (40+) of Device Drivers Allows Widespread Windows Compromisehttps://t.co/RDGG8iw8Sp

DEF CON slides: https://t.co/jO6EEoFebZ [PDF] pic.twitter.com/JQm2MH96KD

— Yuriy Bulygin (@c7zero) August 10, 2019

https://github.com/eclypsium/Screwed-Drivers

Yep, drivers, in general, are screwed. 🙂 Certified Windows drivers merely mean the drivers passed some basic tests. There are lots of gaps in how drivers are tested on Windows. (If Microsoft has open-sourced these tests, it would be helpful for researchers to find coverage gaps.) The UEFI SCTs are a minimum bar at feature testing, and have no security tests …and CHIPSEC only helps with security testing on Intel systems, not AMD nor ARM vendors. Does Linux have any equivalent tests for drivers, last time I looked into the LTP and some related projects it did not. Does Apple have tests like this for drivers?

Richard Hughes, of the Linux FWUpd project, has a new blog post about the new Microsoft UEFI update mechanism, CFU (Component Firmware Update):

Musings on the new Microsoft Component Firmware Update (CFU) Protocol: https://t.co/3NvXx5Kf5x#fwupd #firmware

— Richard Hughes (@hughsient) August 15, 2019

Musings on the Microsoft Component Firmware Update (CFU) Protocol

Musings on the Microsoft Component Firmware Update (CFU) Protocol

Musings on the Microsoft Component Firmware Update (CFU) Protocol

https://github.com/microsoft/CFU

Musings on the Microsoft Component Firmware Update (CFU) Protocol

PS: When you see duplicate URLs in a post, like above, it is because the WordPress web UI for pasting URLs is broken. 😦

The security of computer systems is a very important topic for many years. It has been taken into the account in the OSes and applications for a long time. However, security of the firmware and boot process has not been taken so seriously until recently. Now that is changing. Firmware is more often being designed with security in mind. Boot processes are also evolving. There are many security solutions available there and even some that are now becoming common. However, they are often not complete solutions and solve problems only partially. So, it is good time to integrate various approaches and build full top-down solutions. There is a lot happening in that area right now. New projects arise, e.g. TrenchBoot, and they meet various design, implementation, validation, etc. obstacles. The goal of this microconference is to foster a discussion of the various approaches and hammer out, if possible, the best solutions for the future. Perfect sessions should discuss various designs and/or the issues and limitations of the available security technologies and solutions that were encountered during the development process. […]Expected topics: TPMs, SRTM and DRTM, Intel TXT, AMD SKINIT, attestation, UEFI secure boot, IMA, Intel SGX, boot loaders, firmware, OpenBMC, etc.

https://linuxplumbersconf.org/event/4/page/21-lpc-2019-overview

https://linuxplumbersconf.org/event/4/page/34-accepted-microconferences#security

Some presentation abstracts are online, eg:

Non-UEFI-aware measured boot using coreboot, GRUB and TPM2.0
https://linuxplumbersconf.org/event/4/contributions/517/

Secure and Trusted boot in OpenBMC
https://linuxplumbersconf.org/event/4/contributions/515/

FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation by Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu and Limin Sun at USENIX Security'19.https://t.co/iPfh9yjVhL

— Emmanuel Fleury (@perr0r) August 13, 2019

By: Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun

Cyber attacks against IoT devices are a severe threat. These attacks exploit software vulnerabilities in IoT firmware. Fuzzing is an effective software testing technique for vulnerability discovery. In this work, we present FIRM-AFL, the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it addresses compatibility issues by enabling fuzzing for POSIX-compatible firmware that can be emulated in a system emulator. Second, it addresses the performance bottleneck caused by system-mode emulation with a novel technique called augmented process emulation. By combining system-mode emulation and user-mode emulation in a novel way, augmented process emulation provides high compatibility assystem-mode emulation and high throughput as user-mode emulation. Our evaluation results show that (1) FIRM-AFL is fully functional and capable of finding real-world vulnerabilities in IoT programs; (2) the throughput of FIRM-AFL is on average 8.2 times higher than system-mode emulation based fuzzing; and (3) FIRM-AFL is able to find 1-day vulnerabilities much faster than system-mode emulation based fuzzing, and is able to find 0-day vulnerabilities.

https://www.cs.ucr.edu/~heng/pubs/FirmAFL.pdf

https://www.usenix.org/conference/usenixsecurity19/presentation/zheng

https://github.com/zyw-200/FirmAFL

[Have not found the source code to this; if you do, please put the URL in a Comment to this blog post. Thanks.]

In this work, we present AFLtar, a coverage-guided fuzzer for embedded firmware. AFLtar leverages avatar 2 , an orchestration framework for dynamic analysis, along with the American Fuzzy Lop coverage-guided fuzzer and the AFL-Unicorn CPU emulator. The goal of AFLtar is to reduce the cost of embedded fuzzing by providing a platform that can be used to quickly setup a firmware fuzzing job, while reaping the benefits of modern, feedback-driven fuzzing strategies.

https://siagas.math.unipd.it/siagas/getTesi.php?id=2030

My latest post: Understanding modern UEFI-based platform boot https://t.co/lG1pfyXVYl
Complete with some possibly half-baked rambling thoughts on DRTM at the end pic.twitter.com/5kpOGNUJGs

— David Kaplan (@depletionmode) August 14, 2019

https://depletionmode.com/uefi-boot.html

Arca Noae, the company that bought OS/2 from IBM, is adding UEFI support:

https://www.arcanoae.com/arca-noae-progress-report-arcaos-on-uefi-only-hardware/

Going off-topic: When OS/2 was created, IBM wanted to move from the OEM-cloneable IBM PC to the PS/2 system, which had ABIOS, a reentrant protect mode BIOS. Microsoft had to do a clean-room reverse engineering of the IBM PS/2 ABIOS. For Microsoft OEMs, ABIOS was a PITA for OEMs who wanted a full clone of OS/2. IBM did not publish a Technical Manual with the source code to ABIOS, unlike BIOS. 🙂

[Builds on Linux, using the GNU-EFI toolchain.]

EFI program printing Intel Message Check errors. The program starts by looking for previous Message Check errors by reading content of Message-Specific Registers (MSRs). Then new Message Check errors are displayed.

https://github.com/emvivre/uefi_message_check_error

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system)

https://usbguard.github.io/
https://github.com/dkopecek/usbguard/