USB attack to Mazda cars: Bad Valet attack

“Bad Valet is the new Evil Maid” –Joanna Rutkowska


“A PoC that the USB port is an attack surface for a Mazda car’s infotainment system and how Mazda hacks are made.”

https://github.com/shipcod3/mazda_getInfo


CMC-Vboot: investigates Chrome’s Verified Boot

This project takes Chrome’s Verified Boot (Vboot) process and examines its various security properties using formal logic. This verification is done with a focus on the firmware/hardware boundary. The Vboot process depends on the correct functionality of a Trusted Platform Module (TPM) and a SHA accelerator. Because these hardware accelerators are interacted with through Memory Mapped I/O (MMIO), it is difficult for normal formal methods to capture the interface between the MMIO registers and the workings of the Hardware modules. To explore this boundary I am using a Software TPM Library and passing it through to the QEMU Hardware Emulator. This allows me to use the normal MMIO registers of a TPM with the original Vboot Library.[…]

https://github.com/gilhooleyd/CBMC-Vboot

PNP-ID: Plug and Play Vendor ID tool/library

PNP-ID is C code that, given a PNP (Plug and Play) industry-unique Vendor ID, returns the Vendor name. The repository contains a script, update.sh, that automatically downloads the PNP ID REGISTRY from the UEFI Forum body and then generates and compiles a C program and a test binary. The C program uses a binary search to efficiently resolve a PNP Vendor ID to the Vendor name.

https://github.com/golightlyb/PNP-ID
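An added worked example (my code, not the PNP-ID repository's) of the lookup the page describes: a binary search over a sorted registry table, with the ID validated before it is searched. It goes one step further and also decodes the packed two-byte form in which a PNP ID appears in an EDID block, since that is where firmware most often meets one; the registry excerpt and vendor names below are constructed for the example.

```python
import re

# Constructed excerpt of the PNP ID registry (not the real download), kept
# sorted by ID so the lookup can binary-search it as the page's C program does.
PNP_REGISTRY = [
    ("ACR", "Acer Technologies"),
    ("APP", "Apple Computer Inc"),
    ("DEL", "Dell Inc."),
    ("GSM", "Goldstar Company Ltd"),
    ("LEN", "Lenovo Group Limited"),
    ("SAM", "Samsung Electric Company"),
]

_PNP_ID = re.compile(r"^[A-Z]{3}$")


def pnp_lookup(vendor_id):
    """Return the vendor name for a 3-letter PNP ID, or None if unknown."""
    # Validate before searching: a PNP ID is exactly three capital letters,
    # so anything else (lower case, longer, non-ASCII) is rejected outright.
    if not isinstance(vendor_id, str) or not _PNP_ID.match(vendor_id):
        raise ValueError("PNP vendor ID must be exactly three uppercase letters")
    lo, hi = 0, len(PNP_REGISTRY) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        key, name = PNP_REGISTRY[mid]
        if key == vendor_id:
            return name
        if key < vendor_id:
            lo = mid + 1
        else:
            hi = mid - 1
    return None


def edid_manufacturer_id(edid):
    """Decode the packed PNP ID from EDID bytes 8-9: big-endian, three
    5-bit fields with 1 = 'A' ... 26 = 'Z'; the top bit is reserved (0)."""
    if len(edid) < 10:
        raise ValueError("EDID block too short")
    word = (edid[8] << 8) | edid[9]
    if word & 0x8000:
        raise ValueError("reserved bit set in manufacturer ID")
    letters = []
    for shift in (10, 5, 0):
        code = (word >> shift) & 0x1F
        if not 1 <= code <= 26:
            raise ValueError("manufacturer ID letter out of range")
        letters.append(chr(ord("A") + code - 1))
    return "".join(letters)
```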


Green Threads for UEFI

Green Threads for UEFI: This project is an alpha version of “green” threads for UEFI. It’s not really like Linux green threads, as there is no distinction between user space and kernel space, but the different threads are running on the same core.

This C-based project has a bit of Intel-centric assembly language code.

Wikipedia defines “Green Threads” as: “threads that are scheduled by a runtime library or virtual machine (VM) instead of natively by the underlying operating system. Green threads emulate multithreaded environments without relying on any native OS capabilities, and they are managed in user space instead of kernel space, enabling them to work in environments that do not have native thread support.”

https://github.com/Openwide-Ingenierie/GreenThreads-UEFI

https://en.wikipedia.org/wiki/Green_threads

Intel AMT Clickjacking Vulnerability (INTEL-SA-00081)

Today Intel announced a NEW AMT security advisory:

Intel® AMT Clickjacking Vulnerability
Intel ID: INTEL-SA-00081
Product family: Intel® Active Management Technology
Impact of vulnerability: Information Disclosure
Severity rating: Moderate
Original release: Jun 05, 2017

Insufficient clickjacking protection in the Web User Interface of Intel® AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205 potentially allowing a remote attacker to hijack users’ web clicks via attacker’s crafted web page. Affected products: Intel AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205. Intel highly recommends that users update to the latest version of firmware available from their equipment manufacturer. Intel would like to thank Lenovo for reporting this issue and working with us on coordinated disclosure.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00081&languageid=en-fr
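As an added example (not from Intel's advisory), the check a defender would run against any management web UI for this class of issue: parse the response headers and classify the framing policy they declare. The two responses are constructed, and parse_headers is a hypothetical helper written for the example.

```python
def parse_headers(raw):
    """Parse the header block of an HTTP response into a {name: value} dict.

    raw is the text up to the blank line; the status line is skipped and
    header names are lower-cased so later lookups are case-insensitive.
    """
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def framing_policy(headers):
    """Classify the clickjacking protection a response carries.

    Returns "deny", "sameorigin", "allowlist" or "none". A CSP frame-ancestors
    directive wins over X-Frame-Options, as in browsers that support both;
    X-Frame-Options ALLOW-FROM counts as "none" because current browsers
    ignore it, which leaves the page frameable by anyone.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower().strip("'") for s in parts[1:]]
            if sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "sameorigin"
            return "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    return "none"


# Constructed responses: an unprotected management UI page, and the same
# page after adding both headers (CSP for modern browsers, XFO for older ones).
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: DENY\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n")
```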


More on malware use of Intel AMT

After the recent Microsoft mention of AMT being used by malware, there is a bit more in the press on AMT:

https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

Symbolic execution timeline

The diagram highlights some major tools and ideas of pure symbolic execution and dynamic symbolic execution (concolic), as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.

https://github.com/enzet/symbolic-execution


Intel: IoT Security in the Developer’s Mind

Ricardo Echevarria of Intel has a new blog post about IoT security:

Internet-enabled smart devices open up a new universe of possibilities for how consumers interact with the world. But those same smart lightbulbs or TVs may pose a serious threat if their designers fail to strengthen the devices’ security protocols. Last year’s Mirai distributed denial-of-service (DDOS) botnet attack was a wake-up call for the computing world. By targeting vulnerable Internet-connected cameras and other Internet of Things (IoT) devices, the massive botnet was able to redirect enough Internet traffic to a DNS provider to crash multiple high-profile websites. It is no surprise then that IoT developers worry more about security than anything else – including interoperability, connectivity, and hardware integration. The Eclipse IoT Working Group’s 2017 IoT Developer Survey shows that security has remained the number one concern among developers for the third straight year.[…]

https://software.intel.com/en-us/blogs/2017/06/07/iot-security-in-the-developers-mind


CrashOS

CrashOS is a tool dedicated to the research of vulnerabilities in hypervisors by creating unusual system configurations. CrashOS is a minimalist Operating System which aims to lead to hypervisor crashes, hence its name. You can launch existing tests or implement your own and observe hypervisor behaviour towards this unusual kernel.[…]

https://github.com/airbus-seclab/crashos


William Leara on using the UDK

William Leara of Dell has a new blog post, with a tutorial on writing a UEFI hello-world app using the UDK.

“Hello World” Quick-Start with UDK2015

The objective of this post is to explain how to get started with UEFI development by getting the UDK2015 development environment up and running, creating a Hello, World example program, and running it in the UEFI shell. Once you can get a simple application built and running in a UEFI Shell, you can begin extending it to greater and greater sophistication![…]

http://www.basicinputoutput.com/2017/06/hello-world-quick-start-with-udk2015.html

Breaking Samsung Galaxy Secure Boot through Download mode

“A bootloader bug in Samsung Galaxy smartphones allows an attacker with physical access to execute arbitrary code. Protections like OS lock screen and reactivation lock can be defeated. Several attacks are possible, including memory dump. Fortunately countermeasures exist for unpatched devices.”

PDF: SSTIC2017-Article-attacking_samsung_secure_boot-basse.pdf

https://www.sstic.org/2017/news/

Microsoft on malware use of Intel AMT

If you thought the recent Intel AMT security issues were just theoretical, here’s an example of malware using AMT.

https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?platform=hootsuite

GBStrings: search strings in Chinese firmware


Quick GB2312 strings tool in Go for Chinese firmware. This is a quick little tool that I tossed together one night for finding GB2312 Chinese strings from the memory of an imported ham radio. You might find it handy when translating old video games, as well. (GB2312 is not Unicode, and far better tools exist for locating Chinese Unicode strings.) I cannot speak Chinese, so it’s quite likely that you can improve upon this tool. Pull requests are welcome.


https://github.com/travisgoodspeed/gbstrings
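As an added example (my own, not the gbstrings code, and in Python rather than Go) of what such a tool does: scan a byte dump for runs of valid GB2312 byte pairs and decode them with Python's built-in gb2312 codec, ending a run at the first pair the codec rejects rather than aborting the scan. The sample dump is constructed.

```python
def find_gb2312_strings(blob, min_chars=2):
    """Return (offset, text) for every run of at least min_chars GB2312 chars.

    GB2312 encodes each character as two bytes: a lead byte in 0xA1..0xF7
    (symbol rows A1..A9, hanzi rows B0..F7) and a trail byte in 0xA1..0xFE.
    Bytes are consumed pair by pair; a pair whose position is unassigned in
    the table (the codec rejects it) ends the current run instead of raising,
    so a dump full of look-alike high bytes can be scanned end to end.
    """
    results = []
    i, n = 0, len(blob)
    while i < n:
        start = i
        chars = []
        while (i + 1 < n and 0xA1 <= blob[i] <= 0xF7
               and 0xA1 <= blob[i + 1] <= 0xFE):
            try:
                chars.append(blob[i:i + 2].decode("gb2312"))
            except UnicodeDecodeError:
                break
            i += 2
        if len(chars) >= min_chars:
            results.append((start, "".join(chars)))
        if i == start:          # no pair consumed here: step one byte
            i += 1
    return results


# Constructed sample dump: two GB2312 strings surrounded by ASCII, NULs and a
# stray high byte that must not be mistaken for the start of a string.
SAMPLE_DUMP = (b"\x00\x12" + "固件".encode("gb2312") + b"\x00OK\x00"
               + "你好世界".encode("gb2312") + b"\xb0A")

if __name__ == "__main__":
    for offset, text in find_gb2312_strings(SAMPLE_DUMP):
        print(f"0x{offset:08x}: {text}")
```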

see-also: UBU-helpers tool

Tool review: UBU-helpers

Intel Excite project

https://twitter.com/DevZoneBlog/status/872118468262473729

There is a new document out from Intel that describes their Excite project. No URL to source code, AFAICT.

Finding BIOS Vulnerabilities with Symbolic Execution and Virtual Platforms
By Engblom, Jakob (Intel), Added June 6, 2017
Finding BIOS Vulnerabilities With Excite
Finding vulnerabilities in code is part of the constant security game between attackers and defenders. An attacker only needs to find one opening to be successful, while a defender needs to search for and plug all or at least most of the holes in a system. Thus, a defender needs more effective tools than the attacker to come out ahead.[…]


https://software.intel.com/en-us/blogs/2017/06/06/finding-bios-vulnerabilities-with-excite

ARM joins UEFI Forum Board

The UEFI Forum issued a press release today, about ARM joining the board.

UEFI Forum Appoints ARM to Board of Directors Fortifying Its Commitment to Firmware Innovation

ARM Strengthens Its Long-Standing Presence and Contributions to the UEFI Ecosystem
June 06, 2017 11:00 AM Eastern Daylight Time

BEAVERTON, Ore.–(BUSINESS WIRE)–The UEFI Forum, a non-profit industry standards body that champions firmware advancement through industry collaboration and advocacy of firmware technology standards, announced today that ARM has been appointed to the UEFI Forum Board of Directors.[…]

http://www.businesswire.com/news/home/20170606005502/en/UEFI-Forum-Appoints-ARM-Board-Directors-Fortifying

http://www.uefi.org/node/3715