TPM microconf at 2017 Linux Plumbers Conference

Matthew Garrett has announced a TPM microconference at the upcoming Linux Plumbers Conference:

I’m pleased to say that after the success last year, there will be another TPM microconference at this year’s Linux Plumbers Conference. The current schedule has this taking place on Wednesday the 13th of September, so just under 4 weeks from now. We have a list of proposals for discussion at http://wiki.linuxplumbersconf.org/2017:tpms but please feel free to add more! I intend to finalise the schedule by the end of next week, so please do so as soon as you can. For those of you who weren’t there, the Linux Plumbers conference is an event dedicated to bringing together people working on various infrastructural components (the plumbing) of Linux. Microconferences are 3 hour long events dedicated to a specific topic, with the focus on identifying problems and having enough people in the room to start figuring out what the solutions should be – the format is typically some short presentations coupled with discussion.

From James Bottomley’s comments on the LPC entry on this microconf:

Following on from the TPM Microconference last year, we’re pleased to announce there will be a follow on at Plumbers in Los Angeles this year. The agenda for this year will focus on a renewed attempt to unify the 2.0 TSS; cryptosystem integration to make TPMs just work for the average user; the current state of measured boot and where we’re going; using TXT with TPM in Linux and using TPM from containers.

http://wiki.linuxplumbersconf.org/2017:tpms

http://www.linuxplumbersconf.org/2017/trusted-platform-module-microconference-accepted-into-the-linux-plumbers-conference/

Full text of Matthew’s email:
https://lists.sourceforge.net/lists/listinfo/linux-ima-devel

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel, Thorsten Holz

26th USENIX Security Symposium, Vancouver, Canada, August 2017

Many kinds of memory safety vulnerabilities have been endangering software systems for decades. Amongst other approaches, fuzzing is a promising technique to unveil various software faults. Recently, feedback-guided fuzzing demonstrated its power, producing a steady stream of security-critical software bugs. Most fuzzing efforts—especially feedback fuzzing—are limited to user space components of an operating system (OS), although bugs in kernel components are more severe, because they allow an attacker to gain access to a system with full privileges. Unfortunately, kernel components are difficult to fuzz as feedback mechanisms (i.e., guided code coverage) cannot be easily applied. Additionally, non-determinism due to interrupts, kernel threads, statefulness, and similar mechanisms poses problems. Furthermore, if a process fuzzes its own kernel, a kernel crash highly impacts the performance of the fuzzer as the OS needs to reboot. In this paper, we approach the problem of coverage-guided kernel fuzzing in an OS-independent and hardware-assisted way: We utilize a hypervisor and Intel’s Processor Trace (PT) technology. This allows us to remain independent of the target OS as we just require a small user space component that interacts with the targeted OS. As a result, our approach introduces almost no performance overhead, even in cases where the OS crashes, and performs up to 17,000 executions per second on an off-the-shelf laptop. We developed a framework called kernel-AFL (kAFL) to assess the security of Linux, macOS, and Windows kernel components. Among many crashes, we uncovered several flaws in the ext4 driver for Linux, the HFS and APFS file system of macOS, and the NTFS driver of Windows.

https://www.syssec.rub.de/research/publications/kafl/

https://github.com/RUB-SysSec/kAFL

SELinux Switch for Android

The SELinux Switch is a New Tool for Toggling SELinux Between Enforcing and Permissive
by Doug Lynch
Some applications and modifications for Android require that SELinux be set to Permissive instead of Enforcing. Many who want this on their phone or tablet likely know of an alternative called SELinuxModeChanger or The SELinux Toggler. So XDA Senior Member Ibuprophen came out with a new tool called The SELinux Switch that lets you change a device’s SELinux state without having to permanently modify the boot script files. So your device will still boot with SELinux in Enforcing mode, but will then automatically launch and change the device’s SELinux mode after the boot process is completed.[…]

https://www.xda-developers.com/selinux-switch-toggle-permissive/


Apple Secure Enclave Processor (SEP) firmware hacked

“Hacker xerub has posted the decryption key for Apple’s Secure Enclave Processor (SEP) firmware.”

https://developer.apple.com/library/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/SecureKeyGen.html

https://www.theiphonewiki.com/wiki/Greensburg_14G60_%28iPhone6,1%29

http://www.techrepublic.com/article/hacker-claims-to-have-decrypted-apples-secure-enclave-destroying-key-piece-of-ios-mobile-security/

http://www.iclarified.com/62025/hacker-decrypts-apples-secure-enclave-processor-sep-firmware


BootStomp: Android bootloader vulnerability finder

BootStomp is a boot-loader bug finder. It looks for two different class of bugs: memory corruption and state storage vulnerabilities. For more info please refer to the BootStomp paper. To run BootStomp’s analyses, please read the following instructions. Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.[…]

https://seclab.cs.ucsb.edu/academic/publishing/#bootstomp-security-bootloaders-mobile-devices-2017

https://github.com/ucsb-seclab/BootStomp/blob/master/tools/huawei_tools/oeminfo_exploit.py

https://github.com/ucsb-seclab/BootStomp

print("[!] Usage: " + sys.argv[0] + " <oeminfo.img> <exploit_oeminfo.img>\n")

Lots of links to read at the end of the GitHub README page.


Smart grid security

Smart electrical grids more vulnerable to cyber attacks

Electricity distribution systems in the USA are gradually being modernized and transposed to smart grids, which make use of two-way communication and computer processing. This is making them increasingly vulnerable to cyber attacks.[…]

https://www.sciencedaily.com/releases/2017/08/170816100230.htm

https://www.elsevier.com/about/press-releases/research-and-journals/smart-electrical-grids-more-vulnerable-to-cyber-attacks

http://www.sciencedirect.com/science/article/pii/S1874548217300495?via%3Dihub

NXP security during the boot process

Data Protection with the NXP QorIQ Platform Trust Architecture
Mike Slonosky
With the increased sophistication of embedded applications, systems designers and their customers are expressing heightened concerns regarding the importance of protecting the data residing in their systems, and by extension, their investment in intellectual property. Curtiss-Wright Defense Solutions has given data protection a very high priority in the design of its Power Architecture single board computers (SBC). Curtiss-Wright utilizes NXP’s (formerly Freescale) next generation system-on-chip (SoC) QorIQ T2080 Platform for its rugged, SWaP-optimized Power Architecture modules. The QorIQ Platform’s Trust Architecture allows for developing systems to achieve higher levels of security, with reductions in cost, size and power. This paper will refer solely to the T2080 Processor when stating the name of this QorIQ processor family. For a detailed review of the P4080 Processor, please read the following white paper: Embedded High Assurance Computing Using NXP Trust Architecture. This paper presents an overview of the potential threats to an embedded system, and how the Trust Architecture can effectively defend against these threats.[…]

https://www.curtisswrightds.com/infocenter/white-papers/trusted-architecture—data-protection-with-the-qoriq-platform-trust-architecture.html

https://www.curtisswrightds.com/content/images/T2080-with-QorIQ-Trust-Architecture.JPG

SiFive appoints new CEO

SiFive Appoints Naveed Sherwani as CEO

SAN FRANCISCO – August 15, 2017 – SiFive, the first fabless provider of customized, open-source-enabled semiconductors, today announced that industry veteran Naveed Sherwani has joined the company as CEO to lead it through its next phase of growth. Stefan Dyckerhoff, who had held the top spot at the company since its inception, will remain a member of the SiFive board of directors. “Naveed brings a lifetime of experience not only in the semiconductor and open source sectors, but also in growing successful startups into industry leaders,” Dyckerhoff said. “SiFive has achieved significant industry milestones since its founding, and we continue to drive innovations that are leveling the playing field for those priced out of the traditional silicon market. We are excited to have Naveed join the team, and look forward to further growth under his leadership.” Sherwani joins SiFive with more than 25 years of experience in the industry at companies including Intel, Brite Semiconductor and Open Silicon. Over the course of his career, Sherwani has been involved in the development of more than 300 chips, and, through his work as founder and CEO of Open Silicon, was instrumental in leading the development of ASIC technologies, which offered lower cost alternatives to traditional, less reliable legacy offerings.[…]

https://www.sifive.com/posts/2017/08/15/sifive-appoints-naveed-sherwani-as-ceo/

https://riscv.org/

HiFive1

Absolute introduces Absolute Reach

https://www.brighttalk.com/webcast/14813/272099

https://www.absolute.com/en/resources/datasheets/reach

https://www.absolute.com/en/resources/videos/product/reach

Absolute Reach™ is a flexible endpoint security feature within the Absolute Platform that gives you the power to execute custom discovery, compliance, and remediation tasks across 100% of your endpoints on-demand, anytime or anywhere:

• Assess and enhance security posture: Always-on visibility and control—on and off the network
• Eliminate blind spots: Remediate known vulnerabilities on the spot
• Gather precise insights from any endpoint: Evaluate risk and prove compliance
• Remediate with lightning speed: Script once. Deploy everywhere
• Validate delivery for compliance assurance: Receive confirmation of successful delivery and execution


eventstat for Linux

Colin Ian King just tweeted about eventstat. But his tweets are protected, so you have to log in to Twitter and follow him in order to see them.

Eventstat periodically dumps out the current kernel event state. It keeps track of current events and outputs the change in events on each output update. The tool requires sudo to run since it needs to write to /proc/timer_stats to start and stop the event monitoring.

http://kernel.ubuntu.com/~cking/eventstat/

https://github.com/ColinIanKing/eventstat

https://launchpad.net/~colin-king/+snap/eventstat

Maybe there’ll be a blog post on it shortly, as well.

http://smackerelofopinion.blogspot.co.uk/


Minoca 0.4 released

I just noticed that Yabits has a new GitHub project called “uefi”, which is a:

“A minoca based UEFI coreboot payload”

https://github.com/yabits/uefi

Yikes, I don’t know what Minoca is.

“Minoca OS is a general purpose operating system written from scratch. It aims to be lean, maintainable, modular, and compatible with existing software. It features a POSIX-like interface towards application software, and a growing suite of popular packages already built and ready to go. On the backend, it contains a powerful driver model between device drivers and the kernel. The driver model enables drivers to be written in a forward compatible manner, so that kernel level components can be upgraded without necessarily requiring a recompilation of all device drivers. Minoca OS is event driven, preemptible, SMP ready, and network capable. It currently runs on x86 PCs and a range of ARM boards.”

https://github.com/minoca/os/tree/master/boot/bootman/efi
https://github.com/minoca/os
https://www.minocacorp.com/documentation/developers/debug/docs/reference/
https://blog.minocacorp.com/minoca-os-0-4-we-love-the-eighties-170a93112db1
https://fossbytes.com/minoca-os-interview-open-source/
https://www.minocacorp.com/product/

Installing Git on Minoca OS


Usenix WOOT presentations available

“(Sign in to your USENIX account to download these files.)”

https://www.usenix.org/conference/woot17/workshop-program

Context on firmware security

https://twitter.com/CTXIS/status/897055250078715904

Part I: An Overview of Firmware Storage Options
Firmware storage options
By Scott Lester and Steven Day, 09 Aug. 2017

The security of a device’s firmware, as the first or an early part of a trusted chain, can have implications for the security of the whole system. At Context we often obtain the firmware for a device so that we can extract it and take a good look at the underlying code for both the operating system and applications. For a recent example see our blog on the Virgin Media SuperHub. This blog is the first in a series of blogs on how firmware is commonly stored on embedded devices, and the techniques for extracting it. This first blog covers how and where firmware can be stored on a device. Future blogs will focus on some of the cheap, and not-so-cheap, methods of extraction.[…]

https://www.contextis.com/resources/blog/part-i-overview-firmware-storage-options/
https://www.contextis.com/

ARM updates C/C++ compilers

ARM has updated its C/C++ compiler toolchains.

C and C++ update for Arm Compiler 6:
As you are hopefully aware, Arm Compiler 6 has been available for 3+ years now, and has grown in maturity, and optimization quality release on release. As I write this, the latest available version is 6.8, and 6.6 has been qualified for use in safety-related development. We offer full support for the latest Arm processors, across the Cortex-A, R, and M, and SecureCore families. Arm Compiler 6 is available within DS-5 and Keil MDK toolchains. Furthermore the qualified version is available for purchase stand-alone. Arm Compiler 6 is based on the LLVM framework, using the modern Clang compiler front-end, and this is reflected in the name of the executable, Armclang. The compiler is then integrated into the full Arm tools suite, enabling use of legacy assembler code built with Armasm, as well as gas format assembler directly with Armclang. Finally the Arm linker (Armlink) brings in the optimized C and C++ libraries, or if desired the size optimized Arm C MicroLib library, as well as (optionally) implementing link-time optimizations across the source code.[…]

https://community.arm.com/tools/b/blog/posts/c-and-cpp-update-for-arm-compiler-6
https://developer.arm.com/products/software-development-tools/compilers/Arm-compiler

NXP: designing IoT devices with secure boot

NXP has a webinar for IoT makers, talking about secure booting. ‘Webinar’ scared me, but there’s no registration required. 🙂

Watch this on-demand presentation to learn how to:
* Manage the life cycle of an IoT edge node from development to deployment.
* Leverage hardware and software offerings available with the Kinetis MCU portfolio that can help you protect against attacks.
* Ease the burden of secure IoT edge node development using new processors and architectures from ARM.

https://community.arm.com/processors/trustzone-for-armv8-m/b/blog/posts/designing-secure-iot-devices-starts-with-a-secure-boot

http://www.nxp.com/video/designing-secure-iot-devices-starts-with-a-secure-boot:DESIGNING-SECURE-IOT-DEVICES

slides: https://www.nxp.com/docs/en/supporting-information/Designing-Secure-IoT-Devices-Starts-with-a-Secure-Boot.pdf


Roee Hay’s abootool: fuzzer for Android bootloader

fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations:
We discuss the fastboot interface of the Android bootloader, an area of fragmentation in Android devices. We then present a variety of vulnerabilities we have found across multiple Android devices. Most notable ones include Secure Boot & Device Locking bypasses in the Motorola and OnePlus 3/3T bootloaders. Another critical flaw in OnePlus 3/3T enables easy attacks by malicious chargers – the only prerequisite is a powered-off device to be connected. An unexpected attack vector in Nexus 9 is also shown – malicious headphones. Other discovered weaknesses allow for data exfiltration (including a memory dumping of a Nexus 5X device), enablement of hidden functionality such as access to the device’s modem diagnostics and AT interfaces, and attacks against internal System-on-Chips (SoCs) found on the Nexus 9 board.

abootool: Simple fuzzer for discovering hidden fastboot gems. Modus Operandi: Based on static knowledge (strings fetched from available bootloader images), dynamically fuzz for hidden fastboot OEM commands.

https://github.com/alephsecurity/abootool
https://www.usenix.org/conference/woot17/workshop-program/presentation/hay
https://alephsecurity.com/

abootool