NCC Group: Private Key Extraction from Qualcomm Hardware-backed Keystores

NCC Group has some new research on TrustZone:

Vendor: Qualcomm
Vendor URL:
Systems Affected: Listed here
Author: Keegan Ryan
CVE Identifier: CVE-2018-11976
Risk: Critical (Key extraction from secure world to normal world possible)

ReFirm Labs: Centrifuge adds UEFI support. and BinWalk Pro

ReFirm Labs has an updated version of Centrifuge out, which includes UEFI support. They also have BinWalk Pro.

One blog post deleted.

I just had the first request to remove a blog post about a project of theirs. There are multiple broken links on this blog, where Github projects have disappeared. This is the first blog post that I’ve taken down.

If you don’t want to have people see your project, maybe you should not post it on Github to be publicly-viewable. If you’re concerned about privacy issues about your name being associated with a project, perhaps you should not use your name on that Github account. Many of my posts are based on watching Github for new projects, which is how I found the <now-deleted-project>:

Modern Vulnerability Research Techniques on Embedded Systems

This guide takes a look at vetting an embedded system (An ASUS RT-AC51U) using AFL, angr, a cross compiler, and some binary instrumentation without access to the physical device. We’ll go from static firmware to thousands of executions per second of fuzzing on emulated code. (Sorry no 0days in this post). Asus is kind enough to provide the firmware for their devices online. Their firmware is generally a root file system packed into a single file using squashfs. As shown below, binwalk can run through this file system and identify the filesystem for us.[…]

Modern Secure Boot Attacks: slides available


Slides are avaiable:

Google Cloud announces Shielded VMs, with more firmware security

[…]Last week at Google Cloud Next ’19, we announced the general availability of Shielded VM—virtual machine instances that are hardened with a set of easily configurable security features that assure you that when your VM boots, it’s running a verified bootloader and kernel. Shielded VM can help you protect your system from attack vectors like: Malicious guest OS firmware, including malicious UEFI extensions,
Boot and kernel vulnerabilities in guest OS, and Malicious insiders within your organization.[…]

The Android Platform Security Model

René Mayrhofer, Jeffrey Vander Stoep, Chad Brubaker, Nick Kralevich
(Submitted on 11 Apr 2019)

Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This paper aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.

Adventures in reverse engineering Broadcom NIC firmware

For some time now, I’ve been reverse engineering the firmware of the Broadcom BCM5719 Ethernet NIC chip, so that open source firmware can be produced for it. […] The reverse engineering project, Project Ortega, began in December 2017 and involved reverse engineering proprietary firmware to determine what any open source replacement would need to do. Mainly this involved producing a reverse engineered C codebase from the disassembly of proprietary firmware, then producing a natural-language specification for others to reimplement; the actual reversed code itself is not published. In other words, this is a clean-room reverse engineering workflow. The reverse engineering side is now pretty much done and availability of open source firmware for the BCM5719 is waiting on the completion of a reimplementation effort (thanks to Evan Lojewski). This is a cleanroom implementation and doesn’t share any code with Project Ortega or the proprietary firmware, but is produced using the human-readable specifications delivered by Project Ortega. Once this is delivered, it will be possible to use Raptor’s POWER9 systems with purely 100% free, open source firmware. As far as I am aware, there is no other machine in the same performance class which can make such a claim. The rest of this article describes the entire journey of getting to this point, and briefly discusses the innards of the BCM5719.[…]

Intel Transparent Supply Chain

I wish I had more information, but nope. Please leave a Comment if you have something. As to whether this is a joke or not, I’ve heard one Intel engineer talk — with a straight face — about using blockchain-based tech to help secure firmware blobs’ supply chain a few months ago, maybe this was what they were talking about… For better or worse, I ignore anything that mentions blockchain technology, maybe I’m missing out in a bunch of legitimate things?

UEFI_Zork (Boot to Zork): more Infocom content!


There is now more Infocom content to be used! All (or at least most) of the Infocom IF game content is now available for UEFI_Zork. Hopefully the content license will permit OEMs and IBVs to bundle UEFI_Zork with this new content into new computers. Half 🙂

Hmm, I only recall playing Hitchhiker’s Guide to the Galaxy….

Hitchhikers Guide box art.jpg