Currently contains 2 UEFI shell applications. Code only, no documentation yet:
1) imgwrite, a C program that writes a rom.bin in some manner.
2) pciextr, a Pascal program that appears to extract PCI expansion ROMs.
Category: Uncategorized
Amlogic HDMI Boot Dongle: “Boot from HDMI”?
System76 supporting coreboot
System76, one of the few Linux OEMs, is now offering coreboot as a firmware option:
I’m hoping System76 replies to this question:
A Red Team Guide for a Hardware Penetration Test: Part 1
Mark Doran on UEFI 2.8 features/changes
Re: https://firmwaresecurity.com/2019/06/12/more-on-uefi-2-8-release/
Mark Doran has an article in Electronic Design on what’s new in UEFI 2.8:
Jessie Frazelle: Open Source Firmware
Jessie Frazelle has an article on Open Source Firmware in the Commucations of the ACM magazine:
https://cacm.acm.org/magazines/2019/10/239673-open-source-firmware/fulltext
macOS Catalina’sMac Firmware Password
Nikolaj mentions that the latest macOS firmwarepasswd command has a new feature:
And Xeno replied later in that Twitter thread about enterprise ability to block the use of this feature:
See-also:
3 new security advisories from Intel
Three new security advisories from Intel today:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00261.html
INTEL-SA-00261: Intel® Active System Console Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00286.html
INTEL-SA-00286: Intel® Smart Connect Technology for Intel® NUC Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00296.html
INTEL-SA-00296: Intel® NUC Advisor
ESET: Needles in a haystack: Picking unwanted UEFI components out of millions of samples
ESET experts describe how they trained a machine-learning model to recognize a handful of unwanted UEFI components within a flood of millions of harmless samples.
By Filip Mazán and Frédéric Vachon
https://www.welivesecurity.com/2019/10/08/needles-haystack-unwanted-uefi-components/
amdfw: golang library to parse AMD Firmware Structures (and: amddump tool)
amdfw: Golang library for reading and writing AMD firmware components
Credit goes to @cwerling for his psptool
amddump: is a small tool, that dumps all informations known to this library on a specfic image.
Insecure Until Proven Updated: Analyzing AMD SEV’s Remote Attestation protocol: source code available
there’s now some code to go along with the above document:
https://github.com/RobertBuhren/Insecure-Until-Proven-Updated-Analyzing-AMD-SEV-s-Remote-Attestation
BSides PDX 2019
BSidesPDX is in Portland later this month, and the schedule has been announced. A very quick look shows a few interesting HW/FW-centric workshops and talks, such as the ones below (and I may’ve missed some, look at the full schedule). Tickets are still available.
Reversing Corruption in Seagate HDD Translators, the Naked Trill Data Recovery Project
Allison Marie Naaktgeboren & MrDe4d
Translation tables are a dynamic component of HDD firmware that translate logical addresses to physical locations on the disk. Corrupted translators can be the cause of drive failures in drives that appear undamaged and are without physical trauma. That failure can be reversed in many cases. We will present ways to identify if a drive’s translator has been corrupted for the Moose & Pharaoh drive families specifically, how to force a translator rebuild, and open source tool(s) to help you repair the translator. Data recovery is a notoriously secretive field. Very little information about firmware and its internal data structures is public. By sharing what we’ve learned we hope to open this field up to more people, encourage repair, encourage re-use rather than disposal of hard drives, and encourage further publicly shared research. After the talk, attendees should be able to fix this type of error themselves in HDDs of the appropriate families using a TTL converter and the supplied code. Familiarity with the basic components of hard drive firmware is helpful, but not required.
How Not to be Seen: Creating Non-Speculative Side-Channel Resistant Code
Matt Wood
Software side-channels have been a hot topic recently, and with good reason. Many of the techniques are used to liberate secret information from other processes or trusted execution environments (TEEs) such as Intel’s SGX, ARM’s TrustZone, and the like. Some of the techniques making headlines are related to speculative execution properties of modern processors, but there is an entire class of non-speculative techniques also receiving a lot of attention in recent research. Luckily there are a few techniques available for implementing algorithms that use secrets—like cryptography—so they present as few opportunities for leaking information as possible. In this talk you will learn the anatomy of a few classic non-speculative side-channels on mathematical algorithms used in just about every system in modern computing, followed by industry best practices for mitigating them, and finally what you can do to help minimize the risks for your applications.
Hacking USB on the Cheap with USB-Tools
Kate Temkin & Mikaela Szekely
Until recently, fully exploring the world of USB has been challenging – as tools for working with USB have historically been expensive and difficult to obtain, and knowledge regarding USB has been cloistered away in lengthy and somewhat-obtuse specifications – but recent developments in USB tooling have made working with USB significantly more accessible. This workshop provides an overview of USB security and USB-hacking techniques using inexpensive open-source software and hardware tools – including several tools developed by the presenters in order to make USB hacking more accessible. The workshop includes a variety of demonstrations, and is accompanied by a set of short exercises that allow attendees to get some USB-hacking experience.This workshop is best experienced when attendees bring a laptop with a working Python3 installation to follow along with.
Writing CHIPSEC Modules & Tools
Brent Holtsclaw; Erik Bjorge; Nick Armour; Stephano Cetola
CHIPSEC is a security research and validation tool implemented in Python that allows for low-level access to hardware. The powerful scripting capabilities can be used for tasks including verification of security mitigations and security research. This hands-on workshop will provide an overview of the existing tool architecture and how to write modules and tools. CHIPSEC modules focus on verification of firmware mitigations. CHIPSEC tools are designed to stress the system and perform tasks such as fuzzing interfaces.
ABC to XYZ of Writing System Management Mode (SMM) Drivers
Brian Delgado & Tejaswini Vibhute
System Management Mode (SMM) has gotten a lot of attention for being the most privileged processor mode, which raises concerns over how software and firmware manage hardware. This session demystifies designing and writing System Management Interrupt (SMI) handlers, and covers challenges that developers face in the process. Content covers different types of SMI handlers and various methods of invoking them. The session also describes common vulnerabilities that can result from incorrect coding practices or oversights. Debugging is critical to developing quality SMM drivers, so this session also demonstrates debugging using virtual environments (OVMF) and physical platforms.
CVE-2019-10492: Boot image not getting verified by Android Verified Boot in multiple devices
Boot image not getting verified by AVB in Snapdragon Auto, Snapdragon Mobile, Snapdragon Wearables in MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 820, SD 820A, SDM439
Security Boulevard: 32 hardware and firmware vulnerabilities
by Dan Virgillito on October 1, 2019
Hardware and firmware vulnerabilities can put your business and your customers’ sensitive data at risk, costing you in diminished sales, reputation loss and penalties. Most of them arise from continued use of legacy systems and out-of-date software that are no longer maintained by their respective vendors. The fact that the majority of these loopholes don’t necessarily raise a red flag may allow hackers to steal information, inject malware or completely hijack your applications or corporate systems. Below, we give a breakdown of the 32 most commonly exploited hardware and firmware vulnerabilities. If any of these relate to systems or devices that are under your jurisdiction, it’s extremely important that you take steps to plug these holes before disaster strikes.[…]
Linux Kernel Lockdown Patches added to Linux 5.4
https://lore.kernel.org/lkml/CAHk-=wg=7y82dJYeLzQeup70CHBT7MpCC155d85cPFctNsxUYA@mail.gmail.com/T/#u
I’m not sure of the list of all who have contributed to this patchset; thanks to all of you!! Now let’s see how downstream distros will use it…
William: “Hello World” Quick-Start with edk2-stable201908
William has written a detailed blog post on writing a hello-world app using Tianocore, Windows-centric, using Visual Studio and VisualUEFI:
https://www.basicinputoutput.com/2019/10/hello-world-quick-start-with-edk2.html
Let’s hope someone does a detailed blog post for Linux and Mac someday, too…
Vincent on SMM and UEFI security…
Vincent has a new blog post about SMM, UEFI security, and other things:
http://vzimmer.blogspot.com/2019/09/formal-erdos-rings-and-smm.html
Insecure Until Proven Updated: Analyzing AMD SEV’s Remote Attestation
[…]This paper analyzes the firmware components that implement the SEV remote attestation protocol on the current AMD Epyc Naples CPU series. We demonstrate that it is possible to extract critical CPU-specific keys that are fundamental for the security of the remote attestation protocol. Building on the extracted keys, we propose attacks that allow a malicious cloud provider a complete circumvention of the SEV protection mechanisms. Although the underlying firmware issues were already fixed by AMD, we show that the current series of AMD Epyc CPUs, i.e., the Naples series, does not prevent the installation of previous firmware versions. We show that the severity of our proposed attacks is very high as no purely software-based mitigations are possible. This effectively renders the SEV technology on current AMD Epyc CPUs useless when confronted with an untrusted cloud provider. To overcome these issues, we also propose robust changes to the SEV design that allow future generations of the SEV technology to mitigate the proposed attacks.
https://arxiv.org/pdf/1908.11680.pdf
https://www.dcl.hpi.uni-potsdam.de/meetings/ss19/Christian%20Werling%20-%20Security%20Analysis%20of%20the%20AMD%20Secure%20Processor.pdf
FirmFuzz: Automated IoT Firmware Introspection and Analysis
Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer
While the number of IoT devices grows at an exhilarating pace their security remains stagnant. Imposing secure coding standards across all vendors is infeasible. Testing individual devices allows an analyst to evaluate their security post deployment. Any discovered vulnerabilities can then be disclosed to the vendors in order to assist them in securing their products. The search for vulnerabilities should ideally be automated for efficiency and furthermore be device-independent for scalability. We present FirmFuzz, an automated device-independent emulation and dynamic analysis framework for Linux-based firmware images. It employs a greybox-based generational fuzzing approach coupled with static analysis and system introspection to provide targeted and deterministic bug discovery within a firmware image. We evaluate FirmFuzz by emulating and dynamically analyzing 32 images (from 27 unique devices) with a network accessible from the host performing the emulation. During testing, FirmFuzz discovered seven previously undisclosed vulnerabilities across six different devices: two IP cameras and four routers. So far, 4 CVE’s have been assigned.
http://nebelwelt.net/publications/files/19IOTSP.pdf
If you know where the source code is, please leave a Comment on the blog.
