Linux OEMs: support fwupd.org

fwupd is the Linux firmware update daemon, and the LVFS at fwupd.org is the service that hosts vendor firmware for it: roughly like Windows Update, but for firmware on Linux.

https://fwupd.org/
https://github.com/hughsie/fwupd

Building local firmware in fwupd

fwupd hits 1.0.0

It is nice to have a central place for firmware updates, so you don’t have to rely on the tools from a single OEM. Right now, most OEMs force you to use their own firmware update tools. Windows OEMs mostly don’t bother to use Windows Update, and it looks like that problem is not OS-centric: Linux OEMs mostly don’t bother to use fwupd either. Many Linux vendors are therefore not helping customers with firmware updates; look at the second half of this page for all the vendors that suck:

https://fwupd.org/lvfs/vendorlist

It looks like Purism is heading toward supporting fwupd:

https://puri.sm/posts/coreboot-on-the-skylake-librems-part-2/

I am surprised that System76 is going their own route and not supporting fwupd; they claimed they were going to support it, but they’ve gone their own direction, sad.

https://twitter.com/hughsient/status/953375956412108806

https://twitter.com/CassidyJames/status/890610653882269696

https://github.com/system76/firmware-update

Before you buy a system from a Linux OEM, ask them if they support fwupd for firmware updates. If they do not, ask them when they are going to support it.

Infosec_reference: an infosec reference that doesn’t suck

Wow, there are a lot of firmware-level resources listed in the “Infosec_Reference”. It has been around for a while, but I missed it until a recent UEFI update. The second URL is a different rendering of the same document; the first URL is GitHub’s Markdown rendering.

https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/BIOS%20UEFI%20Attacks%20Defenses.md

https://rmusser.net/docs/BIOS%20UEFI%20Attacks%20Defenses.html


Reversing/exploiting Samsung’s TrustZone, part 1

Unbox Your Phone — Part I.
This is the first part of a blog series about reverse engineering and exploiting Samsung’s TrustZone. Following parts in the series so far: 2, 3. This first post covers the basics of the architecture. All of this is public info, nothing new, all of it has been covered in bits and pieces in various publications before. Some of it comes from Trustonic/Samsung materials, some of it from open source software, and some of it from the few great instances of prior research. It’s here as an intro, for completeness. Later in the series, I summarize the reverse engineering results and explain the vulnerabilities that I have found.[…]


more on Spectre/Meltdown

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr (updated)

Acknowledgements: Intel would like to thank Jann Horn with Google Project Zero for his original report and for working with the industry on coordinated disclosure. Intel would also like to thank the following researchers for working with us on coordinated disclosure. Moritz Lipp, Michael Schwarz, Daniel Gruss, Stefan Mangard from Graz University of Technology. Paul Kocher, Daniel Genkin from University of Pennsylvania and University of Maryland, Mike Hamburg from Rambus, Cryptography Research Division and Yuval Yarom from University of Adelaide and Data61. Thomas Prescher and Werner Haas from Cyberus Technology, Germany

https://www.dragonflydigest.com/2018/01/05/20672.html

https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

http://www.foxbusiness.com/features/2018/01/28/intel-warned-chinese-companies-chip-flaw-before-u-s-government.html

Sigh, these days all global tech companies are now cyber arms manufacturers. 😦


a bit more on Spectre/Meltdown

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown (updated)

https://access.redhat.com/solutions/3315431

https://support.apple.com/en-ca/HT201222

https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help

https://www.goodreads.com/author_blog_posts/16310893-the-effects-of-the-spectre-and-meltdown-vulnerabilities

http://www.patentlyapple.com/patently-apple/2018/01/intel-confirms-that-silicon-based-changes-addressing-meltdown-spectre-will-be-arriving-later-this-year.html

https://www.marketwatch.com/story/intel-promises-chip-fix-sees-no-financial-impact-from-spectre-and-meltdown-2018-01-25

Microsoft Azure team seeks senior security firmware engineer

“2 years using Secure Boot” 🙂

Senior Security Firmware Engineer-CSI/Azure-Cloud Server Infrastructure

The Cloud Server Infrastructure Firmware Development (CSI-FW) team is responsible for server hardware definition, design and development of Server and Rack Infrastructure engineering for Microsoft’s online services. […] This role is for a highly motivated Senior Firmware Engineer with a background in embedded systems and security technologies. […] We are looking for someone with strong systems background and passion for security and Real Time OS internals. The successful candidate should have experience with some of the following: Real Time Operating Systems, Embedded Systems, Secure boot technologies and strong C development.

* 2+ years using or implementing Secure boot, and Protocol Security using I2C, SPI, USB or UART buses

https://careers.microsoft.com/jobdetails.aspx?jid=344972&job_id=1087878


AMD: Software techniques for managing speculation on AMD processors

PDF: Managing-Speculation-on-AMD-Processors.pdf

White Paper: SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS

Speculative execution is a basic principle of all modern processor designs and is critical to support high performance hardware. Recently, researchers have discussed techniques to exploit the speculative behavior of x86 processors and other processors to leak information to unauthorized code * . This paper describes software options to manage speculative execution on AMD processors ** to mitigate the risk of information leakage. Some of these options require a microcode patch that exposes new features to software. The software exploits have recently developed a language around them to make them easier to reference so it is good to review them before we start discussing the architecture and mitigation techniques.
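To make the abstract concrete, here is an added example (our code, not from the AMD white paper): the classic Spectre variant-1 bounds-check-bypass pattern, beside two of the software mitigations the paper discusses, an LFENCE speculation barrier after the check and a branchless index clamp so that a mispredicted check still feeds an in-range index to the load. The arrays, values and function names are constructed for illustration.

```c
/* Added example, not code from the AMD white paper: the Spectre
 * variant-1 (bounds-check bypass) pattern and two software mitigations.
 * All names and sample data below are ours. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ARR1_LEN 16
#define CACHE_LINE 64

/* Constructed sample data: array1 holds "secret" bytes that select a
 * line of array2, the cache side channel in the original attack. */
static uint8_t array1[ARR1_LEN] = { 10, 20, 30, 40, 50, 60, 70, 80,
                                    90, 100, 110, 120, 130, 140, 150, 160 };
static uint8_t array2[256 * CACHE_LINE];

/* Fill array2 so that the line selected by value v holds v; returns the
 * number of lines initialised. Call before the victim functions. */
int init_tables(void)
{
    for (int i = 0; i < 256; i++)
        array2[i * CACHE_LINE] = (uint8_t)i;
    return 256;
}

/* Vulnerable pattern: the processor may predict "x < ARR1_LEN" as true
 * and speculatively load array1[x] for an attacker-chosen x, then use
 * that byte to touch a line of array2 before the branch resolves. */
uint8_t victim_unsafe(size_t x)
{
    if (x < ARR1_LEN)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Mitigation 1: LFENCE after the bounds check. On x86, LFENCE does not
 * execute until all prior instructions have completed, so the dependent
 * loads wait for the branch to resolve. It compiles to nothing on other
 * architectures, so the masking variant below is the portable one. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

uint8_t victim_lfence(size_t x)
{
    if (x < ARR1_LEN) {
        speculation_barrier();
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

/* Mitigation 2: clamp the index without a branch. Returns x when
 * x < size and 0 otherwise, built from or/subtract/shift rather than
 * (x < size) so the compiler cannot turn it back into a predicted
 * branch. Requires size < SIZE_MAX/2, which any real array satisfies. */
size_t index_nospec(size_t x, size_t size)
{
    /* Top bit of (x | (size - x - 1)) is clear exactly when x < size;
     * the arithmetic shift spreads the inverted top bit into a mask. */
    intptr_t bits = (intptr_t)~(x | (size - x - 1));
    size_t mask = (size_t)(bits >> (sizeof(size_t) * 8 - 1));
    return x & mask;
}

uint8_t victim_masked(size_t x)
{
    if (x < ARR1_LEN) {
        x = index_nospec(x, ARR1_LEN);   /* in range even if mispredicted */
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void)
{
    init_tables();
    printf("in range : %u %u %u\n", victim_unsafe(3), victim_lfence(3), victim_masked(3));
    printf("clamped  : %zu %zu\n", index_nospec(3, ARR1_LEN), index_nospec(999, ARR1_LEN));
    return 0;
}
```

The three victim functions return the same value on architecturally valid input; the difference is only in what the processor may do transiently on an out-of-range x. In practice, compilers and kernels apply these patterns at the points where untrusted indices enter (syscall arguments, bytecode interpreters), since an LFENCE on every branch is far too expensive.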


ARM (Linaro) on Meltdown and Spectre

Spoiler alert:

[…]This is the first part in a series of blog posts about Meltdown and Spectre. The intention here was to penetrate the whitepapers and give an easy to grasp overview of the attacks. In the upcoming blog post we will talk more about individual components, like OP-TEE, Linux kernel and other firmware.

https://www.linaro.org/blog/meltdown-spectre/

NIST releases SP 800-125A: security recommendations for hypervisors

SP 800-125A: Security Recommendations for Hypervisor Deployment on Servers

The Hypervisor is a collection of software modules that provides virtualization of hardware resources (such as CPU/GPU, Memory, Network and Storage) and thus enables multiple computing stacks (made of an operating system (OS) and Application programs) called Virtual Machines (VMs) to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run time isolation among resident VMs and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST Special Publication (SP), SP 800-125B.

Keywords: Virtualization; Hypervisor; Virtual Machine; Virtual Network; Secure Configuration; Security Monitoring; Guest OS


https://csrc.nist.gov/News/2018/Security-Recommendations-for-Deploying-Hypervisors

PDF: NIST.SP.800-125A.pdf

https://csrc.nist.gov/publications/detail/sp/800-125a/final

See-also:
SP 800-125B: Secure Virtual Network Configuration for Virtual Machine (VM) Protection
https://csrc.nist.gov/publications/detail/sp/800-125b/final

Linux UEFI Validation Project v2.2 released

Features:

1. Add a wrapper script to setup build environment which makes
configuring LUV build systems very simple. It also makes it easy to
perform automated builds from a fresh clone of the git repository.

2. Write messages to a console and/or debug file so that someone with
access to only a serial console or netconsole will also know what is
going on. Currently, we only use the plymouth graphical manager to
display certain messages to the user.

The LUV git repository URL has been updated from
https://github.com/01org/luv-yocto.git
to:
https://github.com/intel/luv-yocto.git

See the full announcement for the list of bugfixes and other changes.

https://lists.01.org/mailman/listinfo/luv


SMM rootkits: a new breed of malware

The below video was uploaded recently. The previous talk was from a few years ago. I’m unclear if this video is new or from a few years ago…

The emergence of hardware virtualization technology has led to the development of OS independent malware such as the Virtual Machine based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: The System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits. In this paper, we present our development of a proof of concept SMM rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP. The rootkit hides its memory footprint and requires no changes to the existing Operating System. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware.

https://dl.acm.org/citation.cfm?id=1460892

http://clearhatconsulting.com/index.php/papers/


Payment card Industry: Secure Boot == Verified Boot == “Trusted Boot”

I just noticed that the PCI compliance group lumps all of the Trusted/Measured/Verified/Secure boot technologies into one, and calls it Trusted Boot, which, AFAIK, is the name for Intel TXT-based Trusted Boot. I wish they were more precise. Then again, I guess I should be glad there is *SOME* firmware security in the PCI compliance docs; I wish there was more: systems should check firmware-based code for malware, not just OS-based code.

Payment Card Industry (PCI)
Software-based PIN Entry on COTS Security Requirements
Version 1.0, January 2018
[…]
The PIN CVM Application must only support platforms that, at a minimum, provide the following features:

* An enforcing mandatory access control framework
* A “trusted boot” mechanism that validates the operating system’s authenticity

Trusted Boot: A cryptographic process where the bootloader verifies the integrity of all components (e.g., kernel objects) loaded during operating system start-up process, before loading. Also known as Verified Boot and Secure Boot (e.g., Google or Apple).
[…]

PDF: RP450RP456RP457_PCI_Security_Policy-1461704231.78085.pdf


Thunderbolt talk from LCA2018

From: Joel Wirāmu Pauling <joel@aenertia.net>
Subject: [Thunderbolt-Software] Lca2018 talk
Date: Thu, 25 Jan 2018 15:51:10 +1300
To: thunderbolt-software@lists.01.org

Hi all; I delivered my talk on tb3 (and some other things this morning) at Linuxconf Australasia. I’ve made all my benchmarking tests using flent available (and some dmesg dumps of crash situations etc) public. Hopefully this is of help to someone, and I welcome feedback.

https://github.com/aenertia/lca2018-talk/tree/talk


Black Hat: System Firmware Attack and Defense for the Enterprise

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to interaction with system firmware components. This includes operating system loaders, secure boot mechanisms, runtime interfaces, and system management mode (SMM). This training will detail and organize objectives, attack vectors, vulnerabilities, and protection mechanisms in this fascinating environment. The training includes two parts.
1. Present a structured approach to system firmware security analysis and mitigations through lecture and hands-on exercises to test system firmware for vulnerabilities. After the training, students will have basic understanding of platform hardware components, system firmware components, attacks against system firmware, and available mitigations. Students can apply this knowledge to identify firmware vulnerabilities and perform forensic analysis.
2. Apply concepts to an enterprise environment. Using an understanding of security issues, students explore potential risks to operational environments including both supply chain and remote malware attacks. Students will perform assessments and basic forensic analysis of potential firmware attacks.

https://www.blackhat.com/us-18/training/schedule/index.html#system-firmware-attack-and-defense-for-the-enterprise-9792