https://marc.info/?l=openbsd-tech&m=151521435721902&w=2
https://github.com/marcan/speculation-bugs/blob/master/README.md
GUI wrapper for bootoption that creates a bootable (systemd-boot) flash drive for the sole purpose of adding a loader to the firmware menu.
https://github.com/vulgo/Punchdrum

Busy year for processor security so far…
http://seclists.org/fulldisclosure/2018/Jan/12
AMD-PSP: fTPM Remote Code Execution via crafted EK certificate
From: Cfir Cohen via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 3 Jan 2018 09:40:40 -0800
AMD PSP is a dedicated security processor built onto the main CPU die. ARM TrustZone provides an isolated execution environment for sensitive and privileged tasks, such as main x86 core startup. […] The fTPM trustlet code was found in Coreboot’s git repository [5] and in several BIOS update files. […] This research focused on vendor specific code that diverged from the TCG spec. […] As far as we know, general exploit mitigation technologies (stack cookies, NX stack, ASLR) are not implemented in the PSP environment. […] Credits: This vulnerability was discovered and reported to AMD by Cfir Cohen of the Google Cloud Security Team.
Timeline
========
09-28-17 – Vulnerability reported to AMD Security Team.
12-07-17 – Fix is ready. Vendor works on a rollout to affected partners.
01-03-18 – Public disclosure due to 90 day disclosure deadline.
We’re seeing browser and OS updates. The Microsoft Surface is the only firmware update I’ve seen so far…
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://support.apple.com/en-us/HT208394
https://lwn.net/Articles/741878/
https://lkml.org/lkml/2018/1/4/602
https://sourceforge.net/p/genode/mailman/message/36178974/
https://erc.europa.eu/news/Cybersecurity-ERC-grantee-behind-discovery-of-major-hardware-bugs
This is a companion tool to Linux Thermal Daemon (thermald). This tool tries to reuse some of the tables used by “Intel ® Dynamic Platform and Thermal Framework (Intel® DPTF)” by converting to the thermal_conf.xml format used by thermald.
https://github.com/intel/dptfxtract
Intel advisory:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Intel tool for Linux:
https://github.com/intel/INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools
Intel tool for Windows:
https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
https://meltdownattack.com/
https://spectreattack.com/
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://www.freebsd.org/news/newsflash.html#event20180104:01
http://blog.dustinkirkland.com/2018/01/ubuntu-updates-for-meltdown-spectre.html
https://www.us-cert.gov/ncas/alerts/TA18-004A
http://www.commitstrip.com/en/2018/01/04/reactions-to-meltdown-and-spectre-exploits/?
Intel says issue impacts other chip vendors, not just Intel:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
https://spectreattack.com/
says: At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
A few news sources are saying Apple has a fix in place:
http://appleinsider.com/articles/18/01/03/apple-has-already-partially-implemented-fix-in-macos-for-kpti-intel-cpu-security-flaw
Official T-Shirts: coming soon…
Status of Embedded Linux, Tim Bird
Review of ELC Europe 2017, Tim Bird
Implementing state-of-the-art U-Boot port, 2017 edition, by Marek Vasut
The battle over the dark corners of Linux kernel memory management (collaborators wanted), Tetsuo Handa (NTT Data)
Request for your suggestions: How to Protect Data in eMMC on Embedded Devices, Gou Nakatsuka (Daikin)
Fuego Status and Roadmap, Tim Bird
Multicast Video-Streaming on Embedded Linux environment, Daichi Fukui (TOSHIBA)
From 1 to many: Implementing SMP on OpenRISC, Stafford Horne
Core Partitioning Technique on Multicore Linux systems, Kouta Okamoto (TOSHIBA)
Debian + YoctoProject Based Projects: Collaboration Status, Kazuhiro Hayashi (TOSHIBA)
https://elinux.org/Japan_Technical_Jamboree_63#Agenda
See-also: September 2017 Jamboree 62:
Status of Embedded Linux, Tim Bird
EdgeX Foundry: Introduction and demonstration of end to end IoT system, Victor Duan, Linaro
Lightning Talk: Integration between GitLab and Fuego, Tomohito Esaki, IGEL Co., Ltd.
DebConf17 Report, Kazuhiro Hayashi, TOSHIBA
Lightning Talk: About the LTS now, Shinsuke Kato, Panasonic Corporation
Kernel Recipes 2015 – Linux Stable Release process, Greg KH
Lightning Talk: IPv6 Ready Logo Test for LTSI 4.9 and introduction about CVE-2016-5863 and CVE-2017-11164, Fan Xin, Fujitsu Computer Technologies Limited
https://twitter.com/aionescu/status/944286540984827904
Interesting to hear that Microsoft has added TXT support alongside MLE. Sorry, no more info on it than the above tweet…
From Wikipedia: Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, Cloud Raxak, and VMware. Open-source projects also utilize the TXT functionality; for example, tboot provides a TXT-based integrity system for the Linux kernel and Xen hypervisor.
https://twitter.com/aionescu/status/947990492062420992
https://lwn.net/Articles/738166/
Date: Fri, 3 Nov 2017 11:00:03 -0700
This patchset adds support for Intel’s branch monitoring feature. This feature uses heuristics to detect the occurrence of a ROP (Return Oriented Programming) or ROP-like (JOP: Jump Oriented Programming) attack. These heuristics are based off certain performance monitoring statistics, measured dynamically over a short configurable window period. ROP is a malware trend in which the attacker can compromise a return pointer held on the stack to redirect execution to a different desired instruction. Currently, only the Cannonlake family of Intel processors support this feature. This feature is enabled by CONFIG_PERF_EVENTS_INTEL_BM. Once the kernel is compiled with CONFIG_PERF_EVENTS_INTEL_BM=y on a Cannonlake system, the following perf events are added which can be viewed with perf list:
intel_bm/branch-misp/ [Kernel PMU event]
intel_bm/call-ret/ [Kernel PMU event]
intel_bm/far-branch/ [Kernel PMU event]
intel_bm/indirect-branch-misp/ [Kernel PMU event]
intel_bm/ret-misp/ [Kernel PMU event]
intel_bm/rets/ [Kernel PMU event]
A perf-based kernel driver has been used to monitor the occurrence of one of the 6 branch monitoring events. There are 2 counters that each can select between one of these events for evaluation over a specified instruction window size (0 to 1023). For each counter, a threshold value (0 to 127) can be configured to set a point at which an interrupt is generated. The entire system can monitor a maximum of 2 events (either from the same or different tasks) at any given time. Apart from the kernel driver, this patchset adds the CPUID of Cannonlake processors to the Intel family list and the Documentation/x86/intel_bm.txt file with some information about Intel Branch Monitoring.
WordPress chokes on this Tumblr.com-based document; please click on the URLs in the tweets below to reach the article.
https://twitter.com/revskills/status/947894765126934528
The mysterious case of the Linux Page Table Isolation patches
tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.

See-also: https://firmwaresecurity.com/2017/12/07/tu-graz-story-on-rowhammer/
https://twitter.com/qrs/status/948181434296164352
LinuxBoot at 34c3
This is an annotated transcript of an overview talk that I gave at 34C3 (Leipzig 2017) entitled “Bringing Linux back to the server BIOS with LinuxBoot”.
https://trmm.net/LinuxBoot_34c3
https://twitter.com/yurichev/status/947598373057585152
ToySMT – simple SMT solver under ~1500 SLOC of pure C.
It’s a very early sneak preview. It supports only bools and bitvecs. No integers, let alone reals and arrays and tuples and whatever. However, it can serve as an educational tool (hopefully). It parses an input SMT-LIB file (see “tests” and “examples”), constructs a digital circuit, which is then converted to CNF form using Tseitin transformations. This is also called “bitblasting”. minisat is then executed as an external SAT solver. Stay tuned, it will be evolved. Aside from the SMT-LIB standard, I also added two more commands: (get-all-models) and (count-models) (see “tests”). Since it’s an early preview, it was only checked on the “tests” and “examples” you can find here. Anything else can fail. Also, error reporting is somewhat user-unfriendly. First, you can check your .smt files using another SMT solver (I used z3, Boolector, STP, Yices, CVC4).[…]
https://github.com/DennisYurichev/ToySMT
Siguza, 01. Dec 2017 (published 31. Dec 2017)
IOHIDeous
“IOHIDFamily once again.”
This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user. IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.[…]
https://siguza.github.io/IOHIDeous/
https://github.com/Siguza/IOHIDeous/blob/master/docs/index.md
https://github.com/Siguza/iokit-utils
https://github.com/Siguza/hsp4
https://github.com/Siguza/ios-kern-utils
https://www.sultanik.com/pocorgtfo/#0x17
https://www.alchemistowl.org/pocorgtfo/
You can get a hardcopy of an older edition:
Hastily-written news/info on the firmware security/development communities, sorry for the typos.