cpu_features: library from Google Compiler Research Team

https://twitter.com/revskills/status/961322810349105154

[…]Here’s the problem: there’s no way to know a priori which instructions your CPU supports. Identifying the CPU manufacturer isn’t sufficient. For instance, Intel’s Haswell architecture supports the AVX2 instruction set, while Sandy Bridge doesn’t. Some developers resort to desperate measures like reading /proc/cpuinfo to identify the CPU and then consulting hardcoded mappings of CPU IDs to instructions. Enter cpu_features, a small, fast, and simple open source library to report CPU features at runtime. Written in C89 for maximum portability, it allocates no memory and is suitable for implementing fundamental functions and running in sandboxed environments. The library currently supports x86, ARM/AArch64, and MIPS processors, and we’ll be adding to it as the need arises. We also welcome contributions from others interested in making programs “write once, run fast everywhere.”

By Guillaume Chatelet, Google Compiler Research Team

https://opensource.googleblog.com/2018/02/cpu-features-library.html

https://github.com/google/cpu_features
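To make the “no way to know a priori” point concrete, here is a small added example (mine, not code from cpu_features) of the runtime check a library like this has to perform for AVX2 on x86: read the feature bit from CPUID, and also confirm that the OS has enabled the YMM register state via XGETBV. A CPU that advertises AVX2 under a kernel that has not set CR4.OSXSAVE and XCR0[2:1] raises #UD the first time the optimized path executes a VEX-encoded instruction, so the feature bit alone is not enough. Bit positions are from the Intel SDM; the decode function takes raw register values so the logic can be exercised on any host, and the live query is compiled only on x86:

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit positions from the Intel SDM / AMD APM for the leaves used below. */
#define LEAF1_ECX_OSXSAVE (1u << 27)   /* CR4.OSXSAVE set: XGETBV usable      */
#define LEAF1_ECX_AVX     (1u << 28)   /* AVX instructions present             */
#define LEAF7_EBX_AVX2    (1u << 5)    /* AVX2 instructions present            */
#define XCR0_SSE_STATE    (1u << 1)    /* OS saves/restores XMM state          */
#define XCR0_AVX_STATE    (1u << 2)    /* OS saves/restores YMM state          */

/* Decode from raw register images. Returns 1 only when the CPU reports AVX2
 * AND the OS has enabled XMM+YMM state; any other combination means AVX2
 * code would #UD even though the "feature" is physically there. */
int avx2_usable_from_regs(uint32_t leaf1_ecx, uint32_t leaf7_ebx, uint64_t xcr0)
{
    const uint64_t needed = XCR0_SSE_STATE | XCR0_AVX_STATE;

    if (!(leaf1_ecx & LEAF1_ECX_AVX))
        return 0;
    if (!(leaf1_ecx & LEAF1_ECX_OSXSAVE))
        return 0;                       /* XCR0 cannot even be read safely */
    if ((xcr0 & needed) != needed)
        return 0;
    return (leaf7_ebx & LEAF7_EBX_AVX2) ? 1 : 0;
}

/* Live query of the host. Returns -1 on non-x86 builds, else 0 or 1. */
int avx2_usable(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    uint32_t leaf1_ecx, leaf7_ebx = 0;
    uint64_t xcr0 = 0;

    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;                       /* leaf 1 missing: ancient CPU */
    leaf1_ecx = c;

    /* Leaf 7 exists only if the max basic leaf is >= 7; the helper checks. */
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        leaf7_ebx = b;

    if (leaf1_ecx & LEAF1_ECX_OSXSAVE) {
        uint32_t lo, hi;
        /* XGETBV with ECX=0 reads XCR0; inline asm avoids needing -mxsave. */
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
        xcr0 = ((uint64_t)hi << 32) | lo;
    }
    return avx2_usable_from_regs(leaf1_ecx, leaf7_ebx, xcr0);
#else
    return -1;
#endif
}

int main(void)
{
    int r = avx2_usable();
    if (r < 0)
        puts("not an x86 host");
    else
        printf("AVX2 usable: %s\n", r ? "yes" : "no");
    return 0;
}
```

Builds with GCC or Clang on any host; on a non-x86 machine avx2_usable() reports -1 and only the decoder is meaningful. cpu_features hides this kind of CPUID-plus-OS-support check behind a portable feature struct so callers never issue CPUID themselves.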

Microsoft driver security checklist

Driver security checklist
01/26/2018
Don Marshall

This article provides a driver security checklist for driver developers to help reduce the risk of drivers being compromised.[…]

https://docs.microsoft.com/en-us/windows-hardware/drivers/driversecurity/driver-security-checklist

 

 

Apple iBoot source code gets leaked

DMCA takedowns have taken down some of the copies, but multiple others are still online.

https://twitter.com/RNavalgund_/status/961234957866754049

https://twitter.com/sizeofcat/status/961566184612114432

https://github.com/ZioShiba/iBoot

https://github.com/h1x0rz3r0/iBoot

https://github.com/emrakul2002/iboot

https://0xacab.org/sizeofcat/iBoot

 

iLo4_toolbox: Toolbox for HPE iLO4 analysis

Subverting your server through its BMC: the HPE iLO4 case
iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides every feature required by a system administrator to remotely manage a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators. We’ve performed a deep dive security study of HP iLO4 (known to be used on the HP ProLiant Gen8 and ProLiant Gen9 server families) and the results of this study were presented at the REcon conference held in Brussels (February 2 – 4, 2018, see [1]). iLO4 runs on a dedicated ARM processor embedded in the server, and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity [2].[…]

https://github.com/airbus-seclab/ilo4_toolbox

 

Physically Unclonable Functions (PUF)

Imperfect Silicon, Near-Perfect Security
Physically unclonable functions (PUF) seem tailor-made for IoT security.
February 7th, 2018 – By: Kevin Fogarty
Some chipmakers, under pressure to add security to rapidly growing numbers of IoT devices, have rediscovered a “fingerprinting” technique used primarily as an anti-counterfeiting measure. Physically unclonable functions (PUFs) are used to assign a unique identification number based on inconsistencies in the speed with which current causes a series of logic gates to open or close. So otherwise identical chips will deliver different results in identical test circuits due to random variation in the speed with which those gates respond to a test, according to a 2007 paper by MIT researcher Srini Devadas, who discovered the pattern and founded the company Verayo to commercialize systems that use it.[…]
[…]More than 84% of chipmakers responding to a 2017 McKinsey & Co. survey said customers want good security. But only 15% predicted customers would pay a 20% premium for good security, while 40% said customers want prices to stay flat or decline.[…]

Imperfect Silicon, Near-Perfect Security

puf-dac07.pdf (PUF paper, DAC 2007)
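The “identical circuits, different results” mechanism is easier to reason about with a model in hand. The block below is an added example, written here rather than taken from the article or from MIT/Verayo: a software model of an arbiter PUF in the standard additive-delay form, where each stage contributes a manufacturing-dependent delay difference and the challenge bits decide which path the racing signals take. Two “chips” are two random delay vectors drawn from a seeded hash (constructed data standing in for silicon variation); the jitter term stands in for temperature and supply noise on a real read:

```c
#include <stdint.h>
#include <stdio.h>

#define STAGES 64
#define CHALLENGES 128

struct chip { double delta[STAGES + 1]; };   /* additive delay model: n+1 terms */

/* Stateless 64-bit mixer (splitmix64 finalizer). Constructed data source for
 * "manufacturing variation" and jitter; a real PUF gets these from silicon. */
static uint64_t mix64(uint64_t x)
{
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Uniform double in [-1, 1). */
static double unit(uint64_t x)
{
    return (double)(mix64(x) >> 11) * (2.0 / 9007199254740992.0) - 1.0;
}

/* "Manufacture" a chip: its per-stage delay differences are fixed for life. */
void chip_manufacture(struct chip *c, uint64_t seed)
{
    int i;
    for (i = 0; i <= STAGES; i++)
        c->delta[i] = unit(seed * 0x100000000ULL + (uint64_t)i);
}

/* k-th challenge of a fixed, reproducible challenge set. */
uint64_t challenge_at(int k) { return mix64(0xC0FFEE00ULL + (uint64_t)k); }

static uint64_t measurement_id = 0;   /* every read sees fresh jitter */

/* One response bit. Stage i contributes +delta[i] or -delta[i] depending on
 * the parity of challenge bits i..STAGES-1 (delta[STAGES] always +); the
 * arbiter reports which path finished first. noise is the peak per-stage
 * jitter in the same units as delta; 0 models the ideal circuit. */
int puf_response(const struct chip *c, uint64_t challenge, double noise)
{
    double sum = 0.0;
    int parity = 0, i;
    uint64_t m = measurement_id++;

    for (i = STAGES; i >= 0; i--) {            /* walk backwards: suffix parity */
        double d = c->delta[i] + noise * unit(m * 0x100000000ULL + 0x80000000ULL + (uint64_t)i);
        sum += parity ? -d : d;
        if (i > 0)
            parity ^= (int)((challenge >> (i - 1)) & 1);
    }
    return sum > 0.0;
}

void respond_all(const struct chip *c, uint8_t *out, double noise)
{
    int k;
    for (k = 0; k < CHALLENGES; k++)
        out[k] = (uint8_t)puf_response(c, challenge_at(k), noise);
}

unsigned hamming(const uint8_t *a, const uint8_t *b, int n)
{
    unsigned d = 0;
    int k;
    for (k = 0; k < n; k++)
        d += a[k] != b[k];
    return d;
}

/* Distance between chip seed_a read ideally and chip seed_b read with the
 * given jitter, over the fixed challenge set. */
unsigned distance_between_chips(uint64_t seed_a, uint64_t seed_b, double noise_b)
{
    struct chip a, b;
    uint8_t ra[CHALLENGES], rb[CHALLENGES];
    chip_manufacture(&a, seed_a);
    chip_manufacture(&b, seed_b);
    respond_all(&a, ra, 0.0);
    respond_all(&b, rb, noise_b);
    return hamming(ra, rb, CHALLENGES);
}

int main(void)
{
    printf("same chip, ideal circuit: %u mismatches of %d\n", distance_between_chips(1, 1, 0.0), CHALLENGES);
    printf("same chip, 2%% jitter:     %u mismatches\n", distance_between_chips(1, 1, 0.02));
    printf("different chip:           %u mismatches (about %d expected)\n", distance_between_chips(1, 2, 0.0), CHALLENGES / 2);
    return 0;
}
```

Running it shows the three properties a key-derivation design has to plan for: the ideal circuit reproduces its bits exactly, a different chip disagrees on roughly half of them, and the same chip with a little jitter disagrees on a few. Those few unstable bits are why a PUF-derived key needs a fuzzy extractor (error correction plus public helper data) before it can be used, and the fact that this model is linear in the delays is also why a plain arbiter PUF can be learned by an attacker who collects enough challenge-response pairs.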

 

A witch-hunt for trojans in our chips: on hardware-trojans and defenses

A witch-hunt for trojans in our chips
A Hardware Trojan (HT) is a malicious modification of the circuitry of an integrated circuit. A malicious chip can make a device malfunction in several ways. It has been rumored that a hardware trojan implanted in a Syrian air-defense radar caused it to stop operating during an airstrike, thus instantly minimizing the country’s situational awareness and threat response capabilities. In other settings, hardware trojans may leak encryption keys or other secrets, or even generate weak keys that can be easily recovered by the adversary. This article introduces a new trojan-resilient architecture, discusses its motivation and outlines how it differs from existing solutions. The full paper (Vasilios Mavroudis, Andrea Cerulli, Petr Svenda, Dan Cvrcek, Dusan Klinec, George Danezis) has been presented in several academic and industrial venues including DEF CON 25, and ACM Conference on Computer and Communications Security 2017.[…]

A witch-hunt for trojans in our chips

 

pwrtest.efi – UEFI Shell developer tool to test Intel/AMD RTC wake function

pwrtest.efi is a UEFI Shell tool that helps developers confirm the RTC wake function of a system (supported on both Intel and AMD platforms). Usage:

pwrtest -s3 -t 10 -w 60 ; the system enters S3 after a 10 sec delay, then wakes up after 60 sec
pwrtest [-h|-s3|-s4|-s5|-s|-ss|-sx|-cb|-r]
-h help
-s3|-s4|-s5 ; select the system Sx state (Intel platform)
-cb ; cold boot, which I do via gRT->ResetSystem()
-ss ; shutdown, which I do via gRT->ResetSystem()
-sx value ; put an AMD platform into an Sx state, since the SLP_TYP value to fill in is different
value = 3/4/5 for AMD platform (S3/S4/S5)
value = 5/6/7 for Intel platform (S3/S4/S5)
e.g.,
pwrtest -sx 4 -t 5 -w 30 ; For AMD platform, put system into S4 after 5 sec, then wake after 30 sec.
pwrtest -sx 6 -t 5 -w 30 ; For Intel platform, put system into S4 after 5 sec, then wake after 30 sec.
pwrtest -s3 -t 5 -w 30 ; For Intel platform, put system into S3 after 5 sec, then wake after 30 sec.
pwrtest -r ; Warm boot
pwrtest -cb ; Cold boot
[…]

The blog post links to a password-protected zip hosted on live.com containing the freeware binary (not open source).

http://biosengineer.blogspot.com/2018/02/uefi-shell-utility-pwrtestefi.html
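For anyone reading the usage text and wondering what “-t 5 -w 30” has to program underneath, here is an added example (mine; pwrtest ships as a binary and this is not its source) that builds the register images for the standard ACPI/RTC wake sequence: arm the CMOS RTC alarm for now+W seconds, clear RTC_STS and set RTC_EN in the PM1 block so the alarm counts as a wake event, then write SLP_TYP|SLP_EN to PM1_CNT. Register offsets and bit positions are from the ACPI specification and the MC146818 RTC register map; the SLP_TYP values are the ones the usage text lists, and the -t delay is assumed to be a plain stall before the sequence runs. The port writes themselves only work inside the UEFI shell, so the sequence is printed rather than performed:

```c
#include <stdint.h>
#include <stdio.h>

/* ACPI PM1_CNT: SLP_TYP in bits 12:10, SLP_EN is bit 13.               */
#define PM1_CNT_SLP_EN       (1u << 13)
#define PM1_CNT_SLP_TYP(v)   (((unsigned)(v) & 7u) << 10)
/* ACPI PM1_EN / PM1_STS: RTC_EN and RTC_STS are bit 10 of each.        */
#define PM1_EN_RTC_EN        (1u << 10)
#define PM1_STS_RTC_STS      (1u << 10)   /* write-1-to-clear            */
/* MC146818-compatible CMOS RTC: alarm registers and Register B bits.   */
#define RTC_SEC_ALARM   0x01
#define RTC_MIN_ALARM   0x03
#define RTC_HOUR_ALARM  0x05
#define RTC_REG_B       0x0B
#define RTC_REG_B_AIE   (1u << 5)         /* alarm interrupt enable      */

enum platform { PLATFORM_INTEL, PLATFORM_AMD };

/* SLP_TYP for S3/S4/S5 exactly as the pwrtest usage text lists it (AMD
 * 3/4/5, Intel 5/6/7); -1 for anything else. Production firmware should
 * read the value from the DSDT's \_S3/\_S4/\_S5 packages instead of
 * hard-coding a per-vendor table. */
int slp_typ_for(enum platform p, int s_state)
{
    if (s_state < 3 || s_state > 5)
        return -1;
    return p == PLATFORM_AMD ? s_state : s_state + 2;
}

/* Value to write to PM1_CNT to enter the requested state (0 if invalid). */
uint16_t pm1_cnt_image(enum platform p, int s_state)
{
    int typ = slp_typ_for(p, s_state);
    return typ < 0 ? 0 : (uint16_t)(PM1_CNT_SLP_TYP(typ) | PM1_CNT_SLP_EN);
}

static uint8_t to_bcd(unsigned v) { return (uint8_t)(((v / 10u) << 4) | (v % 10u)); }

struct rtc_alarm { uint8_t sec, min, hour; };

/* Alarm registers for "now + wake_after seconds", wrapping at midnight, in
 * BCD (the RTC's encoding when Register B DM=0). now_* are the current
 * RTC time fields in binary. */
struct rtc_alarm rtc_alarm_image(unsigned now_h, unsigned now_m, unsigned now_s, unsigned wake_after)
{
    unsigned t = ((now_h * 60u + now_m) * 60u + now_s + wake_after) % 86400u;
    struct rtc_alarm a;
    a.sec  = to_bcd(t % 60u);
    a.min  = to_bcd((t / 60u) % 60u);
    a.hour = to_bcd(t / 3600u);
    return a;
}

/* Print the programming sequence; the writes need port I/O in the UEFI
 * shell and are not issued here. */
void print_plan(enum platform p, int s_state, unsigned h, unsigned m, unsigned s, unsigned wake_after)
{
    struct rtc_alarm a = rtc_alarm_image(h, m, s, wake_after);
    printf("CMOS[0x%02X]=0x%02X CMOS[0x%02X]=0x%02X CMOS[0x%02X]=0x%02X ; alarm at now+%us\n",
           RTC_SEC_ALARM, a.sec, RTC_MIN_ALARM, a.min, RTC_HOUR_ALARM, a.hour, wake_after);
    printf("CMOS[0x%02X] |= 0x%02X  ; Register B AIE\n", RTC_REG_B, RTC_REG_B_AIE);
    printf("PM1_STS = 0x%04X      ; clear stale RTC_STS\n", PM1_STS_RTC_STS);
    printf("PM1_EN |= 0x%04X      ; RTC_EN: alarm becomes a wake event\n", PM1_EN_RTC_EN);
    printf("PM1_CNT = 0x%04X      ; SLP_TYP=%d | SLP_EN -> S%d\n",
           (unsigned)pm1_cnt_image(p, s_state), slp_typ_for(p, s_state), s_state);
}

int main(void)
{
    /* pwrtest -sx 6 -t 5 -w 30 on Intel: S4, wake 30 s later; RTC now 10:05:20. */
    print_plan(PLATFORM_INTEL, 4, 10, 5, 20, 30);
    return 0;
}
```

The hard-coded SLP_TYP table is the weak spot, and it is the same problem the tool's usage text works around with the -sx switch: the correct value lives in the platform's DSDT, and a tool that guesses it for the wrong vendor writes a value that may select a different state or none at all.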

 

Intel-SA-00088: Microcode updates for NUC/Compute Stick/Compute Card

Intel-SA-00088 for Intel® NUC, Intel® Compute Stick, and Intel® Compute Card
Last Reviewed: 02-Feb-2018
Article ID: 000026620

In response to the recent Intel Security Advisory regarding Software/Side Channel Analysis, Kernel Memory Leak:

Intel has observed rare incidences of system reboots and other unpredictable system behavior after updating to microcode mitigating CVE-2017-5715 a.k.a. Spectre.
We have identified the root cause and made good progress in developing a solution to address it.
We have removed any BIOS posted recently that included the first microcode update and will post new BIOS updates as soon as they are ready.
If you have already updated BIOS with the first microcode update and you experience reboots or unstable system behavior, you can downgrade your BIOS to the previous version.
We will provide an update on this issue by February 15, 2018.

See Facts About Side-Channel Analysis for complete information and Frequently Asked Questions.[…]

https://www.intel.com/content/www/us/en/support/articles/000026620/mini-pcs.html

Not listed on the Intel Security Advisory page, only listed on the NUC support page. 😦

https://security-center.intel.com/default.aspx

HP SureStart firmware protection

4AA6-9339ENW.pdf (HP document)

coprocessor-based-behavior-monitoring-acsac-chevalier-2017.pdf (Chevalier et al., ACSAC 2017)

 

 

Jon Masters FOSDEM2018 Keynote on Spectre/Meltdown uploaded

Re: https://firmwaresecurity.com/2018/02/04/jom-masters-at-fosdem-exploiting-modern-microarchitectures/

 

slides from yesterday’s BSides Seattle presentation (and seeking archive of lost Intel ATR blog on Hacking Team)

Yesterday I gave a presentation at BSides Seattle on defending firmware. This version of the presentation attempted to address a DFIR audience, not just the SysAdmin/Site Reliability Engineer audience.

I got some interesting feedback on IR after this presentation; we’ll do a blog on this in the next few days, as well as a few updates to existing IR standards to showcase where firmware is lacking.

Below is a copy of the slides:

There are 4 sections: Threats, Tech, Tools, and Guidance. The Tech section is probably the weakest to read without the audio. This talk was the result of trying to jam a 4-hour training session into a 1-hour talk, and the Tech section lost the most from this compression.

bsidesseattle2018.fisher.defending-firmware

Bsides didn’t record audio/video of their event.

I updated the slides from yesterday; the “DIY Homework” section focused on following along with the analysis in the old Intel ATR blog post on the Wikileaked Hacking Team UEFI malware blob. However, that blog URL is no longer around.

If you know of any online archives of these URLs, please leave a Comment on this blog post, thanks!
http://www.intelsecurity.com/advanced-threat-research/blog.html
http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html

This is the best-fit replacement for the missing URL above, and it includes some new content (e.g., the blacklist command) that the original blog did not. Save a copy of the blog post; I don’t expect it to be archived:

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

swissarmy-grubefipxe – A configuration for netbooting various linux distros using PXE/EFI/GRUB

This is a little side-project of mine to be able to netboot various Operating Systems using EFI based computers and GRUB over PXE. I have this running on my QNAP NAS, but I believe almost any decent NAS has the requirements to run this. This project was born out of my disdain for flashing distros to USB keys.[…]

https://github.com/vittorio88/swissarmy-grubefipxe

MountEFI – mac tool to select drive containing an EFI to mount

This Mac-centric bash script has been rewritten as a Mac-centric Python script:

“A more robust edition of my previous MountEFI script. Added my usual collection of disk functions – plus some experimentation with callback functions.

def custom_quit():
    head("MountEFI")  # head() is a screen-header helper from the author's own module, not defined in this excerpt
    print("by CorpNewt\n")
    print("Thanks for testing it out, for bugs/comments/complaints")
    print("send me a message on Reddit, or check out my GitHub:\n")
    print("www.reddit.com/u/corpnewt")
    print("www.github.com/corpnewt\n")
    print("Have a nice day/night!\n\n")
    exit(0)

https://github.com/corpnewt/MountEFI

Linux man pages updated

I’ve released man-pages-4.15. This release resulted from patches, bug reports, reviews, and comments from 26 contributors. Just over 200 commits changed around 75 pages. In addition, 3 new manual pages were added.

http://linux-man-pages.blogspot.com/2018/02/man-pages-415-is-released.html

https://www.kernel.org/pub/linux/docs/man-pages/