Drill Apple Core: Up and Down – Fuzz Apple Core Component in Kernel and User Mode for Fun and Profit



VmcsAuditor – A Bochs-Based Hypervisor Layout Checker




CVE-2018-12155, INTEL-SA-00202: Intel Integrated Performance Primitives advisory

Advisory Category: Software
Impact of vulnerability: Information Disclosure
Severity rating: MEDIUM
Original release: 12/05/2018

A potential security vulnerability in Intel® IPP may allow information disclosure. Intel is releasing software updates to mitigate this potential vulnerability. Data leakage in cryptographic libraries for Intel(R) IPP before 2019 update1 release may allow an authenticated user to potentially enable information disclosure via local access. Intel recommends that users of Intel® IPP update to 2019 update1 or later. Updates are available for download […]  Intel would like to thank Jan Wichelmann (Universität zu Lübeck), Ahmad Moghimi (Worcester Polytechnic Institute), Thomas Eisenbarth (Universität zu Lübeck) and Berk Sunar (Worcester Polytechnic Institute) for reporting this issue and working with us on coordinated disclosure.





EFI-Firmware-Password-Simulator: macOS EFI Password Simulator

A new macOS EFI password tool has appeared on Github today
…but I’ve no time today to look at how it works. 😦

CLOSED-SOURCE WARNING: The project includes a few pre-compiled .EFI binaries but no source, so be careful.




MNT Reform DIY Laptop: A free and open source modular computing platform

MNT Reform DIY Laptop
A free and open source modular computing platform
Goals: Security, Transparency, Hackability — All power to the user!

Thoroughly understand it on the electrical, mechanical and software levels
Take it apart, modify and upgrade it without regret
Repair it yourself with simple 3D printed parts and the hardware store
Reclaim your privacy and security: No microphone, camera or management engine




Formal Verification of RISC-V cores with riscv-formal

Learn how to use formal Assertion Based Verification (ABV) and open-source tools to formally verify HDL designs, and how to use the properties and formal test benches in the riscv-formal framework to formally verify RISC-V cores with ease. This tutorial is aimed specifically at HDL design engineers without in-depth knowledge of formal methods who want to add formal ABV to their verification toolbox.




Making Sure A Heterogeneous Design Will Work

Why the addition of multiple processing elements and memories is causing so much consternation. An explosion of various types of processors and localized memories on a chip or in a package is making it much more difficult to verify and test these devices, and to sign off with confidence.[…]


IBM: Let’s Not Speculate: Discovering and Analyzing Speculative Execution Attacks

[…]We plan to release our tool, SPECULATOR, which we used to investigate speculative execution behavior, as open source.[…]

Speculative execution attacks exploit vulnerabilities at a CPU’s microarchitectural level, which, until recently, remained hidden below the instruction set architecture, largely undocumented by CPU vendors. New speculative execution attacks are released on a monthly basis, showing how aspects of the so-far unexplored microarchitectural attack surface can be exploited. In this paper, we generalize speculative execution related attacks and identify common components. The structured approach that we employed helps us to identify potential new variants of speculative execution attacks. We explore one such variant, SPLITSPECTRE, in depth and demonstrate its applicability to a real-world scenario with the SpiderMonkey JavaScript engine. Further, we introduce SPECULATOR, a novel tool to investigate speculative execution behavior critical to these new microarchitectural attacks. We also present our findings on multiple CPU platforms.


Dynetics seeks Weapon System Analysis – Hardware and Embedded Firmware

This is a new kind of role for the new cyberwar era. I wish Consumer Reports was doing likewise for consumer devices.

Weapon System Analysis – Hardware and Embedded Firmware

Job responsibilities/focus areas include:

Embedded hardware and firmware characterization and vulnerability analysis of foreign weapon systems including missiles and radars.


Zephyr Project: MCUboot Security Part 1

MCUboot Security Part 1
By Zephyr Project
November 28, 2018

Zephyr Project member David Brown, a Senior Engineer with Linaro Ltd., shares the best practices for security in this blog post, which first ran on Brownian Motion.

This is the first in what I hope to be a series of posts about the MCUboot bootloader from a security perspective. Please note that although I work in security, I am by no means a cryptographer. I appreciate any feedback on any and all flaws in my analysis. The MCUboot Project is a secure bootloader for 32-bit MCUs. The goal of MCUboot is to define a common infrastructure for the bootloader, system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade. The essential problem that MCUboot seeks to solve is how to allow firmware updates, while still maintaining some kind of integrity and control over what firmware can be run on the device. The easiest way to prevent unauthorized firmware from running on a device is to configure the flash to be immutable. Unfortunately, this prevents potential security updates (as well as functionality improvements). MCUboot solves this by itself being a small amount of code that can be placed in an immutable section of flash. It then can verify the main code before allowing it to execute, as well as control updates to that code. MCUboot is configurable, and these configuration choices affect the security promises that MCUboot is able to make.[…]





Intel: using SGX to improve blockchain security

Intel has a new post about using SGX to help with blockchain security.



Wow, blockchain-based thinking is one thing I don’t want to see having any part in my firmware. I wish I could wake up and blockchain would just end up being a bad dream about some snake oil.

2 possible ASUS UEFI malware issues?????

Two threads on ASUS issues that might be malicious, but will probably end up being other kinds of defects. Sorry, no better summary of the issues:


Kaspersky TDSS Killer: now with UEFI support (and Kaspersky Anti-Virus for UEFI (KUEFI))

The above tweet hints at UEFI support in Kaspersky TDSS Killer, but I’ve not found any more specific information.


PS: Kaspersky has a UEFI AntiVirus product, for OEMs:

Kaspersky Anti-Virus for UEFI (KUEFI) is the EFI BIOS level endpoint security solution providing effective protection from rootkits and bootkits and ensuring safe OS loading. The product’s key feature is that it starts running in the EFI environment even before the OS bootup process begins, thus preventing any resident malware from loading. By working on EFI level, KUEFI ensures reliable protection from rootkits, bootkits and other malware specifically designed to circumvent desktop anti-malware technologies. KUEFI is provided as a small EFI module which nevertheless contains the award-winning Kaspersky Anti-Virus engine. The KUEFI architecture enables its integration into any motherboard firmware supporting the EFI standard, regardless of the vendor.


Kaspersky Security Bulletin 2019: including “The Negative Rings” section

[…]The negative rings:
The year of Meltdown/Spectre/AMDFlaws and all the associated vulnerabilities (and those to come) made us rethink where the most dangerous malware actually lives. And even though we have seen almost nothing in the wild abusing vulnerabilities below Ring 0, the mere possibility is truly scary as it would be invisible to almost all the security mechanisms we have. For instance, in the case of SMM there has at least been a publicly available PoC since 2015. SMM is a CPU feature that would effectively provide remote full access to a computer without even allowing Ring 0 processes to have access to its memory space. That makes us wonder whether the fact that we haven’t found any malware abusing this so far is simply because it is so difficult to detect. Abusing this feature seems to be too good an opportunity to ignore, so we are sure that several groups have been trying to exploit such mechanisms for years, maybe successfully. We see a similar situation with virtualization/hypervisor malware, or with UEFI malware. We have seen PoCs for both, and HackingTeam even revealed a UEFI persistence module that’s been available since at least 2014, but again no real ITW examples as yet. Will we ever find these kinds of unicorns? Or haven’t they been exploited yet? The latter possibility seems unlikely.[…]