Apple Insider has a story on the new Apple security processor. Cabel Sasser reviews a loaner iMac Pro.

This project is a FAT EFI loader plugin for Hopper Disassembler. Apple uses an extension to the standard PE format for EFI binaries to allow FAT EFI binaries that contain both 32-bit and 64-bit executables. It is very similar to the FAT format, except for a different magic number and for being little-endian. This plugin allows Hopper Disassembler to read these FAT EFI binaries.[…]
https://github.com/pascalwerz/FAT-EFI
Similar: https://github.com/0xc010d/EFIFatBinary.hopperLoader
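As an added illustration, not code from the FAT-EFI plugin or the project above, here is a small Python parser for the container layout just described: the fat header and arch table of the FAT format, read little-endian with the EFI magic. The magic and cputype constants are assumptions (the page does not state them); the parser also shows the bounds checks a loader needs so that a crafted header cannot make it read outside the file.

```python
import struct

# FAT EFI layout as described above: fat header, then one fat_arch per PE image,
# all little-endian. Magic and cputype values below are assumptions, not from the page.
EFI_FAT_MAGIC = 0x0EF1FAB9          # assumed FAT EFI magic
CPU_TYPE_I386 = 0x00000007          # assumed cputype of the 32-bit slice
CPU_TYPE_X86_64 = 0x01000007        # assumed cputype of the 64-bit slice
FAT_HEADER = struct.Struct("<II")   # magic, nfat_arch
FAT_ARCH = struct.Struct("<IIIII")  # cputype, cpusubtype, offset, size, align

def build_fat_efi(slices):
    """Pack (cputype, pe_image_bytes) pairs into one FAT EFI blob (constructed sample)."""
    off = FAT_HEADER.size + FAT_ARCH.size * len(slices)   # first slice follows the table
    archs, body = [], b""
    for cputype, img in slices:
        archs.append(FAT_ARCH.pack(cputype, 3, off, len(img), 0))
        body += img
        off += len(img)
    return FAT_HEADER.pack(EFI_FAT_MAGIC, len(slices)) + b"".join(archs) + body

def parse_fat_efi(blob):
    """Return {cputype: image_bytes}, rejecting headers that point outside the file."""
    if len(blob) < FAT_HEADER.size:
        raise ValueError("too short for a fat header")
    magic, nfat = FAT_HEADER.unpack_from(blob, 0)
    if magic != EFI_FAT_MAGIC:
        raise ValueError("not a FAT EFI binary (magic 0x%08x)" % magic)
    table_end = FAT_HEADER.size + nfat * FAT_ARCH.size
    if nfat == 0 or table_end > len(blob):
        raise ValueError("nfat_arch=%d does not fit in %d bytes" % (nfat, len(blob)))
    images = {}
    for i in range(nfat):
        cputype, _sub, off, size, _align = FAT_ARCH.unpack_from(blob, FAT_HEADER.size + i * FAT_ARCH.size)
        # Bounds check before slicing: offset/size must stay inside the file and past the table.
        if off < table_end or size == 0 or off + size > len(blob):
            raise ValueError("slice %d (off=%d size=%d) lies outside the file" % (i, off, size))
        if blob[off:off + 2] != b"MZ":
            raise ValueError("slice %d does not start with a PE/MZ header" % i)
        images[cputype] = blob[off:off + size]
    return images

def fat_efi_error(blob):
    """None if the blob parses cleanly, else the parser's complaint as a string."""
    try:
        parse_fat_efi(blob)
        return None
    except ValueError as e:
        return str(e)
```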
Intel has updated their advisory again; many more OEMs are on the list now:
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
Intel ME has impacted Intel WPA2:
https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00101&languageid=en-fr
Microsoft provides info, but the researchers argue with their conclusions:
Stewart Smith of IBM has a new blog post that gives an introduction to OpenPOWER firmware dev.
A (simplified) view of OpenPOWER Firmware Development
I’ve been working on trying to better document the whole flow of code that goes into a build of firmware for an OpenPOWER machine. This is partially to help those not familiar with it get a better grasp of the sheer scale of what goes into that 32/64MB of flash. I also wanted to convey the components that we heavily re-used from other Open Source projects, what parts are still “IBM internal” (as they relate to the open source workflow) and which bits are primarily contributed to by IBMers (at least at this point in time).[…]
Pete Batard is adding Visual Studio for ARM support to the Tianocore UEFI dev toolchain:
This is a v2 of the previous patch, that takes into account the alignment of suppressed level 4 warnings between IA32, X64 and ARM, and that also removes compiler options that weren’t actually needed. The following series adds ARM compilation support for the VS2017 toolchain. With these patches, VS2017 toolchain users should be able to compile regular UEFI ARM applications using EDK2. Note that, unlike ARM64 support, ARM support does not require a specific update of Visual Studio 2017, as the ARM toolchain has been available from the very first release. We tested compiling and running the full UEFI Shell with this series, as well as a small set of applications and drivers, and found no issues. With an additional patch [1], it is also possible to use this proposal to compile a complete QEMU ARM firmware. As the patch shows, the changes that need to be applied to the EDK2 sources to achieve this are actually very minimal. However, the generated firmware does not currently boot, possibly because of the following warnings being generated by the MS compiler[…] At this stage, since the goal of this series is to allow users to compile regular ARM UEFI applications using the VS2017 toolchain, I have no plans to spend more time on the QEMU firmware issues, especially as I suspect that reducing the firmware size back to 2 MB may not be achievable without Microsoft altering their compiler. I am however hopeful that ARM specialists can take this matter over eventually…

[1] https://github.com/pbatard/edk2/commit/c4ce41094a46f4f3dc7ccc64a90604813f037b13
More info:
http://pete.akeo.ie/2017/05/compiling-desktop-arm-applications-with.html
https://lists.01.org/mailman/listinfo/edk2-devel
https://visualstudio.uservoice.com/forums/121579-visual-studio-ide/suggestions/18614308-add-arm-support-back
https://blogs.msdn.microsoft.com/vcblog/2017/10/23/arm-gcc-cross-compilation-in-visual-studio/
https://github.com/microsoft/vslinux/issues
https://github.com/Microsoft/VSLinux/issues/110
See-also:
http://shadetail.com/blog/using-visual-studio-code-for-arm-development-introduction/
Note that Pete is not from the Microsoft Visual Studio team; he’s just doing their work for them… I hope the VS team gives Pete a complimentary subscription to their commercial product! [Strange, I don’t think I’ve ever seen Microsoft add support for their own tools to Tianocore; it is always an external vendor that does Microsoft’s work…]
CLKscrew: Exposing the Perils of Security-Oblivious Energy Management
This repository contains alpha-version code to explore the use of CLKscrew on ARM-based SoCs.
Slides (PDF): eu-17-Tang-Clkscrew-Exposing-The-Perils-Of-Security-Oblivious-Energy-Management.pdf
Re: https://firmwaresecurity.com/2017/11/07/tanenbaum-responds-to-intel-about-minix-based-me/
Andrew adds two more footnotes to his reply to Intel:
[…]Many people (including me) don’t like the idea of an all-powerful management engine in there at all (since it is a possible security hole and a dangerous idea in the first place), but that is Intel’s business decision and a separate issue from the code it runs.[…] I certainly hope Intel did thorough security hardening and testing before deploying the chip, since apparently an older version of MINIX was used.[…]
[…]If I had suspected they might be building a spy engine, I certainly wouldn’t have cooperated, even though all they wanted was reducing the memory footprint (= chip area for them). I think creating George Orwell’s 1984 is an extremely bad idea, even if Orwell was off by about 30 years. People should have complete control over their own computers, not Intel and not the government. In the U.S. the Fourth Amendment makes it very clear that the government is forbidden from searching anyone’s property without a search warrant. Many other countries have privacy laws that are in the same spirit. Putting a possible spy in every computer is a terrible development.[…]
Embedded Device Vulnerability Analysis Case Study Using Trommel
Madison Oliver, Kyle O’Meara
Researching embedded devices is not always straightforward, as such devices often vastly differ from one another. Such research is difficult to repeat and results are not easily comparable because it is difficult to conceive a standard approach for analysis. This document proposes an initial research methodology for vulnerability analysis that can be applied to any embedded device. This methodology looks beyond preliminary research findings, such as open ports and running services, and takes a holistic, macro-level approach to the embedded device, to include an analysis of the firmware, web application, mobile application, and hardware. In addition, TROMMEL, an open source tool, was created to help researchers during embedded device vulnerability analysis. This document provides security researchers with a repeatable methodology to produce more thorough and actionable results when analyzing embedded devices for vulnerabilities. As a case study, we analyzed a Wi-Fi camera as a class of embedded devices to demonstrate that this methodology is more encompassing than standard research. This methodology can be applied to all embedded devices and should be expanded as the landscape of embedded devices evolves.
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=509271
TROMMEL: Sift Through Directories of Files to Identify Indicators That May Contain Vulnerabilities.
The intended use of TROMMEL is to assist researchers during firmware analysis.
TROMMEL has been tested using Python 2.7 on macOS Sierra and Kali Linux x86_64.
TROMMEL was written with the intent to help with identifying indicators that may contain vulnerabilities found in firmware of embedded devices.
https://zwclose.github.io/HP-keylogger/
[…]The research was done by reading the code of SynTP.sys; I couldn’t verify if it’s correct or not. I tried to find an HP laptop for rent and asked a few communities about that but got almost no replies. One guy even thought that I am a thief trying to rob someone. So, I messaged HP about the finding. They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace. Get the list of affected models and fixed driver at the HP website. The update is also available via Windows Update.[…]
Matthieu Caneill of Debian announced Debsources. Excerpt of announcement below, for full announcement, see the debian-devel-announce mailing list archives.
https://twitter.com/zacchiro/status/938327579135807488
Announcing sources.debian.org
We’re happy to announce that Debsources, the Web application that allows users to browse and search the entire source code of all Debian releases, is now hosted on the official Debian infrastructure and available at https://sources.debian.org . You may already know this service as previously hosted at sources.debian.net . We took the move to Debian hardware as the opportunity to officially announce it here.[…]
https://sources.debian.org
https://codesearch.debian.net/search?q=firmware
https://codesearch.debian.net/search?q=UEFI
https://codesearch.debian.net/search?q=coreboot
Hmm, “EFI” does not work as a search string, and there are Linux-centric UEFI commands that only use “EFI”, not “UEFI”…
“REmatch, a complete binary diffing framework that is free and strives to be open source and community driven.
REmatch, a simple binary diffing utility that just works. At least, we hope it will be. Rematch is still a work in progress and is not fully functional at the moment. We’re currently working on bringing up basic functionality. Check us out again soon or watch for updates! It is intended to be used by reverse engineers by revealing and identifying previously reverse engineered similar functions and migrating documentation and annotations to the current IDB. It does that by locally collecting data about functions in your IDB and uploading that information to a web service (which you’re supposed to set up as well). Upon request, the web service can match your functions against all (or part) of previously uploaded functions and provide matches. A secondary goal of this (which is not currently pursued) is to allow synchronization between multiple reverse engineers working on the same file. The goal of REmatch is to act as a maintained, extendable, open source tool for advanced assembly function-level binary comparison and matching. Rematch will be a completely open source and free (as in speech) community-driven tool. We support bottom-up organizational methods and desire Rematch to be heavily influenced by its users (both in decision making and development).[…]”
TU Graz News
When rowhammer only knocks once
04 Dec 2017 | Planet Research | FoE Information, Communication & Computing
By Birgit Baustädter
Rowhammer attacks make use of hardware vulnerabilities in order to access computer systems. TU Graz researchers have discovered a new type of attack – and raise questions about protective mechanisms.
[Photo: The research team with Michael Schwarz (left), Daniel Gruss (second from left) and Moritz Lipp (right) as well as working group leader Stefan Mangard.]
“When a system is regarded as absolutely safe, our curiosity is awakened,” explains Daniel Gruss from the Institute of Applied Information Processing and Communication Technology at TU Graz. As part of the Secure Systems working group, the researcher is occupied with the security of IT systems and in particular rowhammer attacks. Together with colleagues Michael Schwarz and Moritz Lipp, he has recently published research results which have generated excitement in the community to say the least and possibly may lead to a complete rethink.[…]

Phoronix is reporting that Reddit claims that AMD has enabled an option to disable the PSP (Platform Security Processor, the AMD equivalent of Intel’s ME). Interesting if that is the case; please leave a comment if you have more info on this.
https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-Disable-Option
Joanna Rutkowska gave a talk on trust at BlackHat EU:
Slides (PDF): eu-17-Rutkowska-Security-Through-Distrusting.pdf
Securing Mobile Devices During Holiday Travel:
https://www.us-cert.gov/ncas/current-activity/2017/12/05/Securing-Mobile-Devices-During-Holiday-Travel
Holiday Traveling with Personal Internet-Enabled Devices:
https://www.us-cert.gov/ncas/tips/ST11-001
Cybersecurity for Electronic Devices:
https://www.us-cert.gov/ncas/tips/ST05-017
See-also:
https://ssd.eff.org/
https://en.wikipedia.org/wiki/Cyber_self-defense
Hastily-written news/info on the firmware security/development communities, sorry for the typos.