BinCAT: Binary Code Analysis Toolkit

BinCAT is a static Binary Code Analysis Toolkit, designed to help reverse engineers, directly from IDA. It features: value analysis (registers and memory), taint analysis, type reconstruction and propagation, and backward and forward analysis.

https://github.com/airbus-seclab/bincat

 

 

Black Hat Briefings: Firmware is the New Black

 

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities
Bruce Monroe, Rodrigo Branco, Vincent Zimmer

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help make sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focus investments in protecting systems (and finding new vulnerabilities). Our data set comprises 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).

https://www.blackhat.com/us-17/briefings/schedule/index.html#firmware-is-the-new-black—analyzing-past-three-years-of-biosuefi-security-vulnerabilities-6924

 

Hardware is the new software

https://twitter.com/binitamshah/status/875375226690863105

Hardware is the new software
Andrew Baumann, Microsoft Research

Moore’s Law may be slowing, but, perhaps as a result, other measures of processor complexity are only accelerating. In recent years, Intel’s architects have turned to an alphabet soup of instruction set extensions such as MPX, SGX, MPK, and CET as a way to sell CPUs through new security features. Unlike prior extensions, which mostly focused on accelerating user-mode data processing, these new features exhibit complex interactions and give system designers plenty to think about. This calls for a rethink of how we approach the instruction set. In this paper we highlight some of the challenges arising from recent security-focused extensions, and speculate about the longer-term implications.

 


Building a USB analyzer with USB armory

https://twitter.com/osxreverser/status/875036408133627904

 

Armory Sandbox – Building a USB analyzer with USB armory
June 14, 2017
By Pedro Vilaca
Some time ago a friend received a mysterious USB pen with a note talking about some kind of heavily persistent malware. He had that USB pen stored untouched and of course my curiosity took over. Since one should never plug in unknown USB devices into a computer (well, any USB device we purchase is unknown but that is another story) and I didn’t want to “burn” a computer just to take a look at the contents I decided to use my USB armory to build an air gap sandbox that would be harder to infect and for malware to escape from it.[…]

https://sentinelone.com/blogs/armory-sandbox-building-usb-analyzer-usb-armory/

Maxim security issue?

Steve Bush has a new blog post on Electronics Weekly:

One I missed: easy security in a single chip:

I took my eye off the ball last year and missed a single chip public key cryptography processor IC from Maxim, aimed at folk who don’t have a deep knowledge in security. The firm’s claim is that: customers don’t need to write firmware and they get a comprehensive set of crypto services, secure key storage and easy certificates distribution. […]


https://www.maximintegrated.com/en/products/digital/microcontrollers/MAXQ1061.html

 

CherryBlossom

[…] CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for “Man-In-The-Middle” attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user. The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap.[…]

https://wikileaks.org/vault7/#Cherry%20Blossom

Avatar redesigned as Avatar2

First there was S2E, then there was Avatar. Now there is Avatar2:

Avatar is an orchestration framework designed to support dynamic analysis of embedded devices. Avatar² is the second generation of the framework, which has been completely re-designed and re-implemented from scratch to improve performance, usability, and support for advanced features. An Avatar² setup consists of three parts: a set of targets, a memory layout, and an execution plan. Targets are responsible for the execution and the analysis of the firmware code. While it is possible to run Avatar² with a single target, most configurations will have at least two (typically an emulator and a physical device). The memory layout describes the different regions of memory and their role in the system (e.g., the fact that may be mapped to an external peripheral or connected to a file) as well as the memory access rules, i.e., how memory read and write operations need to be forwarded between targets. Finally, the execution plan tells Avatar² how the actual execution of the firmware needs to be divided among the targets in order to achieve the analyst’s goal. If this sounds complex, it is because Avatar² is an extremely powerful and flexible framework designed to adapt to different scenarios and support complex configurations. However, a simple Avatar² example is quite straightforward to write and understand.[…]

https://github.com/avatartwo/

https://github.com/avatartwo/avatar2/blob/master/handbook/0x01_intro.md

RackHD

https://twitter.com/BrettJohnson008/status/867239045675581441

RackHD is a technology stack created for enabling hardware management and orchestration, to provide cohesive APIs to enable automated infrastructure. In a Converged Infrastructure Platform (CIP) architecture, RackHD software provides hardware management and orchestration (M&O). It serves as an abstraction layer between other M&O layers and the underlying physical hardware. Developers can use the RackHD API to create a user interface that serves as single point of access for managing hardware services regardless of the specific hardware in place.

https://github.com/RackHD/RackHD

http://rackhd.io/

Toshiba adds security features to firmware

Toshiba has added firmware-level security to their Mobile Zero Client:

[…]How Toshiba Mobile Zero Client works
* Power on: User powers on the device, which connects to pre-configured LAN or Wi-Fi
* Boot permission: Device requests boot permission from Toshiba Boot Control Service*
* Big Core download: When boot permission is granted, your unique, secure, Big Core package is encrypted, downloaded and unpacked in the RAM
* Ready to go: Your Big Core, with Linux and the VDI client, is executed – establishing its connection to your VDI server

[…]Beyond supporting the storage of data securely away from the device, TMZC can provide added protection through Toshiba’s uniquely developed BIOS, which is designed and built in–house to help remove the risk of third-party interference.[…] We’re one of the only manufacturers that creates our own BIOS and UEFI’s.[…]

http://us.toshiba.com/solutions/tmzc

http://www.businesswire.com/news/home/20170613005346/en/Toshiba-Expands-Portfolio-Security-Solutions-Addition-Mobile

CrashOverride malware

US-CERT Alert (TA17-163A)
CrashOverride Malware
Systems Affected: Industrial Control Systems
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine.[…]


https://www.dragos.com/blog/crashoverride/

https://www.us-cert.gov/ncas/alerts/TA17-163A

EFI Swiss Knife: IDA plugin

https://twitter.com/osxreverser/status/874636697841152001

EFI Swiss Knife – An IDA plugin to improve (U)EFI reversing
Today I am finally releasing one of the EFI reversing tools I built when I was working on the SCBO post. Yesterday there were some tweets about IDA improving its support for EFI binaries (although I’m not sure it’s the same thing as in here) so I decided to finally release this one. Tested with IDA 6.9 and IDA 6.95 OS X versions, might work in Windows with just paths modification. It is based on Snare’s work, https://github.com/snare/ida-efiutils. Since I hate Python I rewrote it in C and added some extra features.[…]

https://reverse.put.as/2017/06/13/efi-swiss-knife-an-ida-plugin-to-improve-uefi-reversing/

https://github.com/gdbinit/EFISwissKnife

Evil Chambermaids in the era of Travel 2.0

Do the OEMs have any proactive effort to help verify the silicon of a system against a profile, in effect to ‘hash’ the hardware? Maybe vendors need to make a verifiable device that can be used on an airline (and other places where users would like to verify their hardware). OEMs need to build verifiable systems, not sit back and let politicians and criminals destroy their market. Who is doing research to help here? Simply banning devices is not a solution. When you check a laptop, you lose physical access to the device, and it can no longer be trusted, given the current firmware/hardware designs by vendors. OEMs need to build solutions that work in this Travel 2.0 era. The Stateless Laptop by Joanna Rutkowska is a start.

“Evil Maids are believed to be enthusiastic to the new regulation.” –Joanna Rutkowska

Opsec for a world where the laptop ban goes global

https://backchannel.com/what-to-do-if-the-laptop-ban-goes-global-120295a957a4

https://www.wired.com/2017/06/bad-math-trump-laptop-ban/

http://www.securityweek.com/israeli-intelligence-discovered-plans-laptop-ban-report

 

Hacking the Virgin Media Super Hub

By Jan Mitchell and Andy Monaghan, 12 June 2017
Context’s Research team have looked at a large number of off-the-shelf home routers in the past and found them to be almost universally dreadful in terms of security posture. However, flagship routers from large ISPs such as BT, Sky and Virgin Media are notably absent from the regular stream of router vulnerabilities in the press. We were curious to discover if these routers were significantly more secure than their off-the-shelf cousins, so we decided to dedicate some of our public research time into looking at one of these devices. […]
The output in Figure 1 suggested that U-Boot is executing a boot script, which was definitely something we wanted to investigate. The first step was to obtain a copy of the bootloader by reading the Flash memory. Given we didn’t have the ability to input characters this would be somewhat tricky via software, so we fired up the hot air gun and removed the Spansion (S25FL129P) NAND flash chip. There are a number of ways to read data from a flash chip, all of which we will be detailing in another blog shortly. In our case, as our preferred I2C/Serial Peripheral Interface (SPI) reader was in another office we used a BeagleBone Black and a bit of Python to manually drive the chip’s SPI bus[…]

https://www.contextis.com/resources/blog/hacking-virgin-media-super-hub/


Mike on Windows Config Mgr and Secure Boot

Mike Terrill has 2 blog posts on Windows Configuration Manager and UEFI Secure Boot:

BIOS and Secure Boot State Detection during a Task Sequence
With all of the security issues and malware lately, BIOS to UEFI for Windows 10 deployments is becoming a pretty hot topic (unless you have been living under a rock, UEFI is required for a lot of the advanced security functions in Windows 10). In addition, with the Windows 10 Creators Update, Microsoft has introduced a new utility called MBR2GPT that makes the move to UEFI a non-destructive process. If you have already started deploying Windows 10 UEFI devices, it can be tricky to determine what state these devices are in during a running Task Sequence. The Configuration Manager Team introduced a new class called SMS_Firmware and inventory property called UEFI that helps determine which computers are running in UEFI in Current Branch 1702. This can be used to build queries for targeting and reports, but it would be nice to handle this plus Secure Boot state (and CSM) during a running Task Sequence. We do have the Task Sequence variable called _SMSTSBootUEFI that we will use, but we need to determine the exact configuration in order to execute the correct steps.[…]

BIOS and Secure Boot State Detection during a Task Sequence Part 1

BIOS and Secure Boot State Detection during a Task Sequence Part 2

 

HardwareSecurityTraining.info gets 4th trainer

Colin O’Flynn joins Joe+Joe+Dmitry, so ‘power trio’ is no longer appropriate.

https://hardwaresecurity.training/


OEMs still not shipping golden image hashes

OEMs: you need to ship hashes of your golden images. Read NIST SP 147 (and 193). You should be OpenPGP-signing them, as well.

I want to update the BIOS on my <OEM> motherboard as this hopefully solves a problem. However, the archive containing the BIOS update and flashing tool can only be downloaded over http and there is no way to verify its integrity as neither signed nor non-signed checksums are available. I’m extremely uncomfortable with just installing the update without being able to verify its integrity, as I would forever think about if the BIOS has been modified in case the download server has been compromised or by MITM attack while I’m downloading. What can I do?

https://news.ycombinator.com/item?id=14530302