European coreboot conference 2017: Call for Papers

Note the request for SECURITY talks!

We are particularly interested in advances in the application of technology in a particular discipline primarily around coreboot, hardware, firmware, and security. As a result, the conference will be structured around the following topics:
– Free and Open Source hardware and firmware.
– Attacks against current hardware and firmware, like side and covert channel attacks.
– Firmware and hardware reverse engineering.
– coreboot payloads, extensions, and features.
– Advances of coreboot and UEFI on the market.
– Applications of free and open source hardware/firmware in practice.
– State-of-the-art security in embedded devices.

Conference talks, lightning talks, and workshops will be video taped and published afterwards. If a recording is not desired by a speaker or workshop instructor, no recordings will be made (notification in advance of the talk / workshop requested)[…]

https://ecc2017.coreboot.org/

Qualcomm seeks server firmware engineer

The position requires systemic understanding of server firmware, software, and hardware, and the ability to solve issues across a broad range of technologies. Job duties include:

Customer support, including:
– Support design and bringup of server systems implementing Qualcomm's Centriq server processors
– Debug and resolution of customer hardware, firmware, and software issues
– Analyze and replicate customer-reported problems in Qualcomm labs, for root cause analysis, working in conjunction with software, firmware, and chip design teams
– Support customer BIOS / firmware bring-up and customization
– Provide performance optimization support for system software
– Support server platform validation, performance analysis, and power measurement tools
– Delivery of customer training
– Creation and support of customer-facing documentation
– Create and edit documentation such as device specifications, data sheets, and user manuals
– Write application notes and reference code
– Creation of training materials.

Detailed knowledge of server processor architecture and system-level features including:
– CPU and system-level caches
– High performance DDR memory systems
– Server system SoC and system-level interfaces, including coherent system interconnects, PCIe, SATA, USB, Ethernet
– Memory management units
– Interrupt controllers and hardware timers
– Power management features
– System clocks and their management
– CPU and system performance monitor hardware
– Debug and trace hardware
– Security features
– System management controller hardware, firmware, and software
– Understanding of system-level programming UEFI, system initialization firmware, etc.
– C programming, preferably for embedded systems or drivers (ARM preferred)
– Familiarity with JTAG based debug tools and environments (Lauterbach Trace-32 preferred)
– Experience using hardware performance monitors for system debug and optimization
– Experience using a configuration management system, e.g. CVS, ClearCase, Git
– Experience using a defect tracking system, e.g. ClearQuest, Bugzilla, JIRA
– Excellent system debugging skills
– Knowledge of multi-agent coherent systems
– Knowledge of power management features, including voltage/frequency scaling and sleep modes
– Experience with ARM RVDS, ARM Development Studio, and GNU tools
– Experience with documentation applications such as Microsoft Word and Excel
– Working knowledge of digital oscilloscopes, logic analyzers, etc.

https://jobs.qualcomm.com/public/jobDetails.xhtml?requisitionId=1958654&src=indeed

U-Boot v2017.09 released

Tom Rini has announced the v2017.09 release of U-Boot. The announcement also clarifies the status of VU#166743 / CVE-2017-3225 / CVE-2017-3226; excerpt below:

I’ve released v2017.09 and it’s now live on git and FTP and ACD (along with PGP sig file). There’s a few things I need to headline in this release. First and foremost is https://www.kb.cert.org/vuls/id/166743 (aka CVE-2017-3225 and CVE-2017-3226). If you’re using CONFIG_ENV_AES in your project, you have security implications to worry about and decide the correct path forward in. With respect to the community, I marked it as deprecated for this release, and I plan to remove it for the next release unless someone with relevant background steps up and wants to rewrite the code in question (and make sure the rest of the environment code isn’t going to lead to other issues similar to CVE-2017-3226). Both of the issues in question here could be fixed but the worry is about it being the “tip of the iceberg” in the area. […]

Full announcement:

https://lists.denx.de/pipermail/u-boot/2017-September/305340.html

Talos II by Raptor Engineering

The Free Software Foundation has a new announcement, reminding you to pre-order a Talos II by Raptor Engineering before the September 15th deadline. The FSF includes the Talos II in its Respects Your Freedom hardware certification program.

Support the Talos II, Respects Your Freedom certification candidate: pre-order by 9/15

Raptor Engineering is now taking pre-orders for the Talos II until September 15th. The Talos II is a powerful system built from the ground up with freedom in mind. We’ve previously [supported] the work of the folks at Raptor Engineering. This time, rather than a crowdfunding effort, we are asking you to support their work by pre-ordering the [Talos II]. The system comes in a variety of forms to meet your needs, from a workstation to rack-mounted to the board by itself. Raptor Engineering has put in a great deal of effort researching and prototyping this system, and now it is ready for prime time. The Talos II is great for any hacker who needs a powerful machine, perfect for developing even more free software.[…]

https://www.fsf.org/blogs/licensing/support-the-talos-ii-a-candidate-for-respects-your-freedom-certification-by-pre-ordering-by-september-15

https://raptorcs.com/TALOSII/

More on U-Boot encryption vulnerabilities

Re: https://firmwaresecurity.com/2017/09/08/u-boot-aes-cbc-encryption-multiple-vulnerabilities/

I asked on the U-Boot mailing list for more information on this issue. The response from Tom Rini of Konsulko:

So, I mentioned this in the patch that migrated the option to Kconfig and marked it deprecated, and I plan to mention it in the release notes on Monday. But, this option has no in-tree users and I plan to remove the code in the near term, if no one with the relevant background steps up to re-implement it. Thanks!

Full post:

https://lists.denx.de/pipermail/u-boot/2017-September/305181.html

Qubes and Golem

Golem is a global, open sourced, decentralized supercomputer that anyone can access. It's made up of the combined power of users' machines, from personal laptops to entire datacenters. Anyone will be able to use Golem to compute (almost) any program you can think of, from rendering to research to running websites, in a completely decentralized & inexpensive way. The Golem Network is a decentralized sharing economy of computing power, where anyone can make money 'renting' out their computing power or developing & selling software.

Golem paper: "Secure Computing in Decentralized World" (PDF)

https://golem.network/

U-Boot AES-CBC encryption multiple vulnerabilities

Vulnerability Note VU#166743
Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.

Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data. Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message. The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device. An attacker with physical access to the device may be able to decrypt the device's contents. The CERT/CC is currently unaware of a practical solution to this problem.[…]

http://www.kb.cert.org/vuls/id/166743
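The zero-IV problem described in the VU#166743 note above (and in Tom Rini's release note) is a property of CBC mode itself, not of AES. The following is an added example, not U-Boot's code: a constructed toy Feistel cipher stands in for AES so it runs offline, and the key and environment strings are constructed samples. It shows that with a fixed all-zero IV two environments that share a prefix produce ciphertexts that share the same prefix (what a dictionary attack exploits), and that a fresh random IV stored in front of the ciphertext removes that leak.

```python
import hashlib, hmac, os
BLOCK = 16  # block size in bytes, same as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of a toy 4-round Feistel cipher: a constructed stand-in for AES, not AES.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    data += bytes(-len(data) % BLOCK)  # zero-pad to whole blocks (simplification)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(prev := block_encrypt(key, _xor(data[i:i + BLOCK], prev)))
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip([iv] + blocks, blocks))

def common_prefix_blocks(ca, cb):
    n = 0
    while ca[n * BLOCK:(n + 1) * BLOCK] and ca[n * BLOCK:(n + 1) * BLOCK] == cb[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

def encrypt_env_zero_iv(key, env):
    # Weak construction (fixed all-zero IV): equal plaintext prefixes give equal ciphertext prefixes.
    return cbc_encrypt(key, bytes(BLOCK), env)

def encrypt_env_random_iv(key, env):
    # Fix: fresh random IV per encryption, stored in front of the ciphertext.
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, env)

def decrypt_env_random_iv(key, blob):
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])
```

common_prefix_blocks counts the leading ciphertext blocks two blobs have in common, which anyone holding the blobs can compute without the key; under the zero-IV construction it equals the number of shared plaintext blocks.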

LLVM 5.0.0 released

Lots of changes for Intel/AMD/ARM/MIPS/PowerPC, e.g. AMD Ryzen support. And a new PDB tool. Clang has new diagnostic/"lint" abilities. The static analyzer uses Microsoft's Z3 solver. New C and C++ features (wow, C++ is at C++17 already!). Many other changes! I wish I had time to look at it in more detail today… 😦

http://releases.llvm.org/5.0.0/docs/ReleaseNotes.html
http://releases.llvm.org/5.0.0/tools/clang/docs/ReleaseNotes.html
http://releases.llvm.org/5.0.0/tools/clang/tools/extra/docs/ReleaseNotes.html

http://lists.llvm.org/pipermail/llvm-announce/2017-September/000075.html

https://en.wikipedia.org/wiki/C%2B%2B17

CHIPSEC 1.3.3 released

ErikBjorge released this 2 days ago:

New or Updated Modules:
* Added common.spi_access to verify the host processor access rights for different SPI regions

New or Updated Functionality:
* Added ability to search a memory region for a string
* Updated support for the RWE driver

Fixes:
* Added error handling if a register type is not supported

https://github.com/chipsec/chipsec/releases/tag/v1.3.3

https://github.com/chipsec/chipsec/commits/master

Clarification of new Windows UEFI/SMM security feature

Re: https://firmwaresecurity.com/2017/09/05/new-windows-uefi-security-protections-deciphered/

Here’s authoritative information from Jeremiah Cox of Microsoft:

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/device-guard-and-credential-guard

Someone at Microsoft: please write a Technical Support KB article based on Jeremiah’s tweets.

Android: Untethered initroot

Untethered initroot (USENIX WOOT ’17)
By Roee Hay (@roeehay)
August 30, 2017
CVE-2016-10277 ALEPH-2017024

In USENIX WOOT ‘17, that took place earlier this month in Vancouver, we presented our paper, “fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations”, covering a year’s work in Android bootloaders research. Our paper also includes some previously undisclosed details on CVE-2016-10277, a critical kernel command-line injection vulnerability in the Motorola Android Bootloader (ABOOT) that we had found and blogged about. In the previous couple of blog posts, we demonstrated a tethered unrestricted root exploit against that vulnerability, that we later extended to other Moto devices – G4 & G5. Additional Moto devices have also been confirmed by the community. In the WOOT’17 paper we describe a natural continuation of that exploit – a second stage untethered secure boot & device locking bypass (tested to be working on the vulnerable versions of Nexus 6, Moto G4 & G5). Moreover, we also present in the paper and this blog post other second stage exploits, such as persistent kernel code execution in Nexus 6, the ability to downgrade critical partitions (such as the bootloaders chain and TrustZone), unlocking a re-locked Nexus 6 bootloader, and more. As usual, our PoC exploit is publicly available in our GitHub repo. DISCLAIMER: Unlike the previous ephemeral jailbreak, the one presented today may brick your device. For example, during the development of it, we had to unlock our (luckily unlockable!) Moto G5 device in order to unbrick it.[…]

https://alephsecurity.com/2017/08/30/untethered-initroot/
https://github.com/alephsecurity/initroot
https://www.usenix.org/conference/woot17/workshop-program/presentation/hay
https://alephsecurity.com/2017/05/23/nexus6-initroot/

Firmware exploitation with PNF Software’s JEB

PNF Software has a series of blog posts on how to use their JEB product to reverse firmware:

Firmware Exploitation with JEB:

In this series of blog posts I will show how JEB's MIPS decompiler can help you find and exploit software vulnerabilities in embedded devices. To do so, we will use Praetorian's Damn Vulnerable Router Firmware (DVRF) written by b1ack0wl. DVRF is a custom firmware made to run on a Linksys E1550 router containing a bunch of memory corruption vulnerabilities. The goal of the DVRF is to serve as a playground to learn exploitation on the MIPS architecture. As far as I know, there are no write-ups of the challenges on the Internet. For the readers interested in testing the challenges by themselves, I suggest following the DVRF tutorial, and getting a complete MIPSEL Debian QEMU image as it allows the usual exploit development workflow on Linux, without any limits on the available tools.[…]

Firmware Exploitation with JEB: Part 1

Firmware exploitation with JEB: Part 2

Firmware exploitation with JEB part 3: Reversing the SmartRG’s sr505n

https://www.pnfsoftware.com/jeb2/mips

Insider_BIOS_Tools: BIOS tools from Insyde Software

Cool, Insyde Software is releasing some of their tools. They appear to be older tools; see the readme about restrictions and newer versions of the tools.

https://twitter.com/NikolajSchlej/status/905204898366709762

Insider_BIOS_Tools

BIOS tools for Insyde Insiders! (release approved by the management of Insyde Software Japan)

We believe that the commercial value of our outdated BIOS developer tools is quite low. As a gesture of good will towards the BIOS modding community and IT community in general, we have decided to release some of our outdated BIOS developer tools – which are a part of this GitHub repository.[…]

Includes:
* H2OEZE: Easy BIOS Editor that helps edit binaries in the BIOS, including Option ROMs, driver binaries, logos, and Setup values.
* H2OFFT: Firmware Flash Tool that assists in quickly and easily updating flash devices with new BIOS firmware.
* H2OSDE: SMBIOS Data Editor that facilitates easy modification of any SMBIOS (DMI) field by GUI and Command Line, with support for a wide variety of OS environments.
* H2OUVE: UEFI Variable Editor

https://github.com/s-sosnitskiy80/Insider_BIOS_Tools

Android Oreo docs on keymaster3 and HIDL

In Android 8.0, Keymaster 3 transitioned from the old-style C-structure Hardware Abstraction Layer (HAL) to the C++ HAL interface generated from a definition in the new Hardware Interface Definition Language (HIDL). As part of the change, many of the argument types changed, though types and methods have a one-to-one correspondence with the old types and the HAL struct methods.[…]

https://source.android.com/security/keystore/

https://source.android.com/devices/architecture/

https://source.android.com/security/keystore/attestation

https://developer.android.com/training/articles/security-key-attestation.html

https://source.android.com/devices/architecture/hidl/

https://android.googlesource.com/platform/system/tools/hidl/

Android Oreo Verified Boot’s Rollback Protection

This flew under our radar back at I/O, but it’s big news. On compatible devices, the new Verified Boot changes in Android 8.0 Oreo will prevent a device from booting should it be rolled back to an earlier firmware. The new feature is called Rollback Protection. So if your phone is flashed with older software, you (and your data) are protected from whatever potential security vulnerabilities may have been present in earlier versions. For 99% of users, the new Rollback Protection is great news. If a phone is lost or stolen, it further decreases the number of potential attacks which could be used to gain access, providing better safety for your data.[…]

http://www.androidpolice.com/2017/09/05/android-oreo-feature-spotlight-changes-verified-boot-wont-allow-start-downgraded-os/

https://android.googlesource.com/platform/external/avb/#Rollback-Protection

Intro to dumping flash chips

QuarksLab has a new blog post with an introduction to dumping flash chips:

https://blog.quarkslab.com/flash-dumping-part-i.html

This reminds me of a talk by CryptoMonkey from DEF CON 24:

https://github.com/CryptoMonkey/Conference-Presentations

He gave the talk again at Black Lodge Research a few months ago. I can't find that recording now, but if you're good at searching, the video of his DEF CON talk is online.