Agenda for ECC’17

The schedule for the European Coreboot Conference 2017 (ECC’17) is out:

* Keynote, Stefan Reinauer
* Run upstream coreboot on an ARM Chromebook. Paul Menzel
* DDR3 memory initialization basics on Intel Sandybridge platforms. Patrick Rudolph
* Booting UEFI-aware OS on coreboot enabled platform – “In God’s Name, Why?”. Piotr Król, Kamil Wcisło
* Reverse engineering MT8173 PCM firmwares and ISA for a fully free bootchain. Paul Kocialkowski
* Let’s move SMM out of firmware and into the kernel. Ron Minnich
* A Tale of six motherboards, two BSDs and coreboot. Piotr Kubaj
* Buying trustworthy hardware for federal agencies: How open source firmware saves the day. Carl-Daniel Hailfinger
* SINUMERIK 840D sl – step ahead with coreboot. Werner Zeh
* Enabling TPM 2.0 on coreboot based devices. Piotr Król, Kamil Wcisło
* Reverse Engineering x86 Processor Microcode. Philipp Koppe, Benjamin Kollenda
* Porting coreboot to the HP ProLiant MicroServer Gen8. Alexander Couzens, Felix Held
* Implementing coreboot in a ground breaking secure system: ORWL. Wim Vervoorn, Gerard Duynisveld

https://ecc2017.coreboot.org/

VisualUEFI updated

https://github.com/ionescu007/VisualUefi

Windows UEFI & ACPI Development

more on Google NERF

Google NERF looks interesting: they keep UEFI’s PI but replace the UEFI layers with a Linux kernel, and the userland code is written in Go. It looks like they’re focusing on removing dynamic code in UEFI and SMM. Their position towards dynamic code in ACPI, as well as PCIe (e.g., PCILeech-style DMA attacks), is unclear.

The slides from the recent North American OSS presentation are online, but I can’t find the video online:

Slides (PDF): Linuxcon 2017 NERF.pdf

There’s also an upcoming European OSS event:

Replace Your Exploit-Ridden Firmware with Linux
Ronald Minnich, Google

With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor”). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs. Our answer to this is NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google to replace almost all of UEFI firmware with a tiny Linux kernel and initramfs. The initramfs file system contains an init and command line utilities from the u-root project (http://u-root.tk/), which are written in the Go language.

https://osseu17.sched.com/event/ByYt/replace-your-exploit-ridden-firmware-with-linux-ronald-minnich-google
https://ossna2017.sched.com/event/BCsr/replace-your-exploit-ridden-firmware-with-linux-ronald-minnich-google

http://u-root.tk/
https://github.com/u-root/u-root

Google NERF: Non-Extensible Reduced Firmware

more from Duo on Apple EFI security

Nice, in addition to an upcoming new EFI tool, it appears Duo has some defensive advice, using osquery, Puppet, and Chef. Click on the first tweet below for an image from their upcoming presentation.

Note that Teddy Reed is giving a presentation on OSQuery in November at Usenix LISA:

Pepijn’s Apple EFI version spreadsheet:

https://docs.google.com/spreadsheets/d/1qGRVF1aRokQgm_LuTsFUN2Knrh0Sd3Gp0ziC_VIWqoM/edit#gid=0

Google Titan trust paper available

A Vendor-Agnostic Root of Trust for Measurement
Jon McCune, Rick Altherr
We report the success of a project that Google performed as a proof-of-concept for increasing confidence in first-instruction integrity across a variety of server and peripheral environments. We begin by motivating the problem of first-instruction integrity and share the lessons learned from our proof-of-concept implementation. Our goal in sharing this information is to increase industry support and engagement for similar designs. Notable features include a vendor-agnostic capability to interpose on the SPI peripheral bus (from which bootstrap firmware is loaded upon power-on in a wide variety of devices today) without negatively impacting the efficacy of any existing vendor- or device-specific integrity mechanisms, thereby providing additional defense-in-depth.

https://research.google.com/pubs/pub46352.html

Yuriy of Eclypsium has a few comments on the paper; click on the tweet below for the thread:

UEFI at SeaGL

If you are in the Seattle area, the Seattle GNU/Linux Conference (SeaGL, pronounced “Seagull”) is happening shortly. There are two UEFI talks, one by PreOS Security and one by System76.

https://osem.seagl.org/conferences/seagl2017/program/proposals/374

http://seagl.org/news/2017/09/28/QA-penglish.html

https://preossec.com/

https://system76.com/

https://osem.seagl.org/conferences/seagl2017/program/proposals/326

Duo Security on Apple EFI security

https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research

https://github.com/duo-labs/EFIgy

https://www.ekoparty.org/charla.php?id=798

VMWare Workstation 14 available

[…]Workstation 14 Pro builds from the newest vSphere Virtual Hardware Platform, now at version 14, and with it delivers new features such as support for:
– Microsoft Device Guard and Credential Guard “Virtualization Based Security” feature support for Windows 10 Guests (Guests only at this time)
– A new Virtual NVMe device for faster disk access on SSD storage and a requirement for vSAN testing
– UEFI Secure Boot, required for VBS and supported with ESXi 6.5 Virtual Guests.
– A new Virtual Trusted Platform Module which is used to manage keys for guest encryption services such as BitLocker.
– Support for the latest Intel Kabylake and AMD Ryzen CPUs

https://blogs.vmware.com/workstation/2017/09/workstation-14-now-available.html

Firmware Test Suite 17.09.00 released

FWTS 17.09.00 has been released. New UEFI, ACPI, and IPMI features. MANY bugfixes, see the full announcement.

New Features:
* ACPICA: Update to version 20170831
* dmi: dmicheck: Add BMC Interface Type definitions from IPMI spec
* lib: fwts_acpi_tables: add a new function to check Reserved field
* lib: fwts_acpi_tables: add a new function to check reserved bits
* efi_runtime: add resetsystem runtime service

http://fwts.ubuntu.com/release/fwts-V17.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/17.09.00
https://launchpad.net/ubuntu/+source/fwts

https://lists.01.org/pipermail/luv/2017-September/002089.html

Signal use of Intel SGX

Signal by Open Whisper Systems is one of the modern ‘secure communication applications’ in use today. They recently blogged about how they use Intel SGX to help secure their contact discovery service:

[…]Huge thanks to Jeff Griffin for doing the heavy lifting and writing all the enclave code, Henry Corrigan-Gibbs for introducing us to SGX, Raluca Ada Popa for explaining ORAM state of the art to us, and Nolan Leake for systems insight.

https://signal.org/blog/private-contact-discovery/

https://github.com/whispersystems/contactdiscoveryservice

Intel seeks senior security researcher

Job ID: JR0037962
Senior Security Researcher

The Platform Engineering Group (PEG) is responsible for the design, development, and production of system-on-a-chip (SoC) products that go into Intel’s next generation client and mobile platforms. PEG strives to lead the industry moving forward through product innovation and world class engineering. Intel Security Center of Excellence’s goal is to be a prominent leader in the industry to assure security in computing platforms by conducting advanced security research. If you are a seasoned threat, vulnerability and exploit research expert who craves tons of fun and pride in raising the security bar for ubiquitous computing systems, we would like you to join us as a proud member of Intel’s Advanced Security Research Team. Through your deep vulnerability analysis and mitigation development expertise, you will influence the security of a variety of Hardware, Firmware, Software & Systems spanning a range of products including Devices, Cloud, Auto, IOT, AI, VR, Drones, and Networks. Responsibilities include the following: Own emerging threat analysis, gain insights & know-how of evolving attack techniques, predict and extrapolate attack trends ahead of their occurrence, develop robust counter measures and mitigation. This role requires maintaining substantial knowledge of state-of-the-art security principles, theories, attacks etc. and contributing those insights to internal and external stakeholders. Participation in development of intellectual property is also a responsibility.

* Applicants should possess at least 10 years of experience in the field of system security research and excel in exploring software and hardware techniques as a method of attack against targets within the computing systems.
* Ability to span security expertise over HW, SW and Firmware domains. Passion for the latest gadgets and building security into these gadgets.
* Knowledge of computer architecture CPU, SoC, chipsets, BIOS, Firmware, Drivers, and others

http://jobs.intel.com/ShowJob/Id/1352711/Senior%20Security%20Researcher

CLKSCREW: breaking TEEs with energy mgmt

https://twitter.com/daniel_bilar/status/912003921295618049

CLKSCREW: Exposing the perils of security-oblivious energy management

https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang

0x0atang.github.io/files/usenix17_clkscrew_preprint.pdf

https://hacks.hyperspacer.com/app/items/15303894

Microsoft seeks senior embedded Linux firmware engineer

The Cloud Server Infrastructure Firmware Development (CSI-FW) team is responsible for server hardware definition, design and development of Server and Rack Infrastructure engineering for Microsoft’s online services.
This role will be for a highly-motivated Firmware Engineer with a solid background in embedded system design using embedded Linux.
* 5+ years professional experience in one or many of: designing, developing embedded solutions using ARM SoCs and Linux, extensive u-boot customization, Linux kernel internals and adding new hardware drivers.
* 2+ years proven and demonstrable programming skill in C/C++ for resource constrained embedded platforms.
* Experience with debugging tools such as JTAG, oscilloscopes and bus analyzers.

https://careers.microsoft.com/jobdetails.aspx?jid=321602&job_id=1070761

Ecosystem momentum positions Microsoft’s Project Olympus as de facto open compute standard

Apple macOS automatic EFI checks

https://twitter.com/osxreverser/status/912014988608491520

High Sierra automatically checks EFI firmware each week

Upgrading to High Sierra brings a new and significant security feature: your Mac will automatically check its EFI firmware. In a series of tweets, Xeno Kovah, one of the three engineers responsible for the new tool, has outlined how this works.[…]

AFAICT, the article references Tweets from earlier today that appear to have subsequently been deleted from Twitter.

Intel Platform Armoring and Resiliency team seeks BIOS intern

Interesting: Intel SSG has a “Platform Armoring and Resiliency (PAR)” team! Wish I had more details on what they do (besides inferring from job postings). If you’re on the PAR team and you have a home page or more public info, please leave a Comment.

Security BIOS Engineering Intern Hillsboro, OR
Job ID: JR0034895
Job Category: Intern/Student

Intel Corporation’s Software and Services Group (SSG) is looking for an intern to work in the area of platform firmware resiliency. The Platform Armoring and Resiliency PAR team within SSG is responsible for creating a secure firmware capability within Intel and the ecosystem to proactively ensure the standard boot and recovery infrastructure of IA platforms is both usable and secure[…]

* Utilizing fuzzing and symbolic execution tools to explore target binaries
* Prototyping new functionality in UEFI/BIOS
* Developing/supporting software tools in C and Python
* Gathering and analyzing execution traces to identify patterns of interest
* Utilizing QEMU or virtualization environments to analyze target binaries

Preferred:
* 3 months experience with Intel Model-Specific Registers (MSRs) or Configuration Space Registers (CSRs)
* 3 months experience with developing kernel modules or kernel code

http://jobs.intel.com/ShowJob/Id/1352713/Security%20BIOS%20Engineering%20Intern

A bit less interesting: Intel HR webmaster posts URLs with spaces in them. 😦

Intel MeshCentral2 updated with Load Balancer & Peering Support

Intel has released an updated version of MeshCentral2, an Intel AMT-based management tool for Windows. The new version has “server peering” support, which I confess I don’t yet understand, but it sounds significant; something to learn about…

[…]MeshCentral2 is a free open source web-based remote computer management solution allowing administrators to set up new servers in minutes and start remotely controlling computers using both software agent and Intel® AMT. The server works both in a LAN environment and over the Internet in a WAN setup. Now, I just released a new version with support for server-to-server peering allowing for improved fail-over robustness and scaling. Some technical details:

* Servers connect to each other using secure web sockets on port 443. This is just like browsers and Mesh agents, so you can set up a fully working peered server installation with only port 443 being open.
* Server peering and mesh agent connections use a secondary authentication certificate allowing the server HTTPS public certificate (presented to browser) to be changed. This allows MeshCentral2 peer servers to be set up with different HTTPS certificates. As a result, MeshCentral2 can be set up in a multi-geo configuration.
* All of the peering is real-time. As servers peer together and devices connect to the servers, users see a real-time view on the web page of what devices are available for management. No page refresh required.
* MeshCentral2 supports TLS-offload hardware for all connections including Intel® AMT CIRA even when peering. So, MeshCentral2 servers can benefit from the added scaling of TLS offload accelerators.
* Fully support server peering for Browsers, Mesh Agents and Intel® AMT connections.
* The server peering system does not use the database at all to exchange state data. This boosts the efficiency of the servers because the database is only used for long term data storage, not real time state.
* There is no limit to how many servers you can peer, however I currently only tested a two server configuration.

https://software.intel.com/en-us/blogs/2017/09/21/meshcentral2-load-balancer-peering-support

http://www.meshcommander.com/meshcentral2

https://software.intel.com/sites/default/files/managed/ce/37/MeshCentral2-DualServer.png

Ekoparty: analysis of Apple’s EFI security

https://twitter.com/XenoKovah/status/911110271279628288

The Apple of your EFI: An analysis of the state of Apple’s EFI Security Support

Duo Labs conducted an extensive data analysis of the state of Apple’s EFI security from two perspectives. The first was to analyze all EFI updates released by Apple from OS X 10.10.0 through macOS 10.12.6 to fully characterize the security support provided across different Mac models and OS versions; this also provided a baseline for the expected state of Mac systems, so that the current state of their EFI security could be compared against the expected state. Our findings cover a range of anomalies and security issues in the security support Apple provides for its EFI firmware. More worrying still, our analysis shows significant deviations in the actual state of the EFI firmware on Macs compared with the expected state, which raises suspicions of systemic issues causing failures of the new EFI firmware that is supposedly installed automatically during an OS update. In addition to the data analysis discussed above, our research aims to illuminate the mechanisms used to update Apple’s EFI, and will discuss how Apple’s EFI updater tools operate and the controls they have in place. These revelations come from binary analysis of the tools themselves, and we believe they have not been discussed in detail until now. Alongside our findings, in the form of a technical paper, we are also releasing tools and APIs to enable administrators and end users to have greater visibility into the state of the EFI firmware on their Apple systems, and to understand the security implications it may carry.
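The core of the comparison the abstract describes is “observed EFI version versus the version expected for this Mac model and OS release”. The following is an added example of that check written for this post, not Duo’s EFIgy code: the baseline table is constructed, and the parsing assumes the common Apple EFI version layout (board ID, the literal 88Z, ROM revision, build tag, YYMMDDhhmm timestamp), which the abstract itself does not spell out.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Apple EFI version strings commonly look like MBP133.88Z.0226.B25.1704181759:
# board ID, the literal "88Z", a ROM revision, a build tag and a YYMMDDhhmm
# timestamp. This layout is an assumption of the example, not from the abstract.
EFI_VERSION_RE = re.compile(
    r"^(?P<board>[A-Z0-9]+)\.88Z\.(?P<rom>[0-9A-F]{4})"
    r"\.(?P<build>B[0-9A-F]{2})\.(?P<stamp>\d{10})$"
)

@dataclass(frozen=True)
class EfiVersion:
    board: str
    rom: int      # ROM revision, parsed as hex so it orders numerically
    build: str
    stamp: str

def parse_efi_version(text: str) -> Optional[EfiVersion]:
    """Parse one version string; None if it does not fit the assumed layout."""
    m = EFI_VERSION_RE.match(text.strip())
    if not m:
        return None
    return EfiVersion(m["board"], int(m["rom"], 16), m["build"], m["stamp"])

# Constructed baseline of the EFI version expected per (board ID, macOS version).
# The values are made up for this example; a real baseline would come from a
# curated source such as the version spreadsheet linked earlier on this page.
EXPECTED_BASELINE = {
    ("MBP133", "10.12.6"): "MBP133.88Z.0226.B25.1704181759",
    ("MBA71", "10.12.6"): "MBA71.88Z.0166.B17.1705171225",
}

def check_efi(board: str, os_version: str, observed: str) -> str:
    """Classify an observed EFI version against the baseline for this board/OS."""
    expected_text = EXPECTED_BASELINE.get((board, os_version))
    if expected_text is None:
        return "no-baseline"
    expected, actual = parse_efi_version(expected_text), parse_efi_version(observed)
    if expected is None or actual is None:
        return "unparseable"
    if actual.board != expected.board:
        return "board-mismatch"      # firmware built for a different board
    if (actual.rom, actual.build) == (expected.rom, expected.build):
        return "current"
    if (actual.rom, actual.build) < (expected.rom, expected.build):
        return "outdated"            # the OS update did not carry the EFI update
    return "unexpected-newer"        # ahead of the baseline: is the baseline stale?
```

Any result other than "current" is worth a look: "outdated" is the failure mode the abstract describes, while "unexpected-newer" and "board-mismatch" usually mean the baseline or the inventory data is wrong.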

https://www.ekoparty.org/charla.php?id=798