For the last few days, the AMI blog — and Twitter account — has been getting regular updates.
https://twitter.com/marver/status/871679588518293505
During a recent penetration test for a customer, Claus and I noticed a Peplink router web interface exposed to the Internet. While I noticed an XSS (CVE-2017-8839), Claus spotted strange behavior with an overly long bauth cookie. This piqued our interest of course. The next logical step was to fingerprint the device, to get to know more about the specific model and firmware version.[…]
Security advisory: High Assurance Boot (HABv4) bypass
The NXP i.MX53 System-on-Chip, main processor used in the USB armory Mk I board [1] design, suffers from vulnerabilities that allow bypass of the optional High Assurance Boot function (HABv4). The HABv4 [2] enables on-chip internal boot ROM authentication of the initial bootloader with a digital signature, establishing the first trust anchor for further code authentication. This functionality is commonly known as Secure Boot [3] and it can be activated by users who require authentication of the bootloader (e.g. U-Boot) to further maintain, and verify, trust of executed code. Quarkslab reported [4] to NXP, and subsequently to Inverse Path, two different techniques for bypassing HABv4 by means of exploiting validation errors in the SoC internal boot ROM [5], which are exposed before bootloader authentication takes place. While the two vulnerabilities have been initially reported for the i.MX6 SoC, Inverse Path evaluated that both issues also apply to the i.MX53 SoC, used on the USB armory Mk I.
[…]
Technical details under embargo until July 18th, by mutual agreement between reporter and NXP.
[…]
The UEFI Forum has updated their specs.
UEFI Spec v2.7 (UEFI_Spec_2_7.pdf)
PI v1.6 (PI_Spec_1_6.pdf)
ACPI v6.2
SCT v2.5A
http://www.uefi.org/testtools
http://uefi.org/specsandtesttools
http://uefi.org/specifications
“Mr. Jacob Torrey joined DARPA as a program manager in May 2017.”
http://www.darpa.mil/staff/mr-jacob-torrey
Jacob is also the creator of the Firmware-Security list on Twitter.
https://www.jacobtorrey.com/ (expired HTTPS cert)
Guys, this is your *last warning*. This stops *now* or I’m sending lawyers after you and the companies paying you to plagiarize our work and violate our *registered* copyright (which for the record entitles us to punitive damages which now are very easily provable). It’s time to get serious about attribution — what you are doing is completely unacceptable. I’m already in contact with lawyers to prepare for the next time this happens. If any of this plagiarized and misattributed code actually made it into the Linux kernel, you’d all be in a world of pain.
http://openwall.com/lists/kernel-hardening/2017/06/03/14
http://www.openwall.com/lists/kernel-hardening/2017/06/03/11
“Rewards for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise increase from $50,000 to $200,000.”
https://android-developers.googleblog.com/2017/06/2017-android-security-rewards.html
Ross Zwisler of Intel posted a new patch to the Linux kernel, with support for the ACPI 6.2 HMAT (Heterogeneous Memory Attribute Table).
This series adds kernel support for the Heterogeneous Memory Attribute Table (HMAT) table, newly defined in ACPI 6.2. The HMAT table, in concert with the existing System Resource Affinity Table (SRAT), provides users with information about memory initiators and memory targets in the system. A “memory initiator” in this case is any device such as a CPU or a separate memory I/O device that can initiate a memory request. A “memory target” is a CPU-accessible physical address range. The HMAT provides performance information (expected latency and bandwidth, etc.) for various (initiator,target) pairs. This is mostly motivated by the need to optimally use performance-differentiated DRAM, but it also allows us to describe the performance characteristics of persistent memory. The purpose of this RFC is to gather feedback on the different options for enabling the HMAT in the kernel and in userspace.
==== Lots of details ====
[…]
See the patch series on the linux-acpi mailing list; the cover letter (part 0) carries the most detail in its comment documentation.
http://vger.kernel.org/majordomo-info.html
http://marc.info/?l=linux-acpi&r=1&b=201706&w=2
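The cover letter describes HMAT as a matrix of (initiator, target) pairs with a latency or bandwidth figure for each. As an added example, not code from the patch series or from the kernel, here is a bounds-checked parser for the ACPI 6.2 HMAT "System Locality Latency and Bandwidth Information" structure (HMAT structure type 1), run over a constructed table. The structure layout follows the ACPI 6.2 definition as I know it (type, reserved, length, flags, data type, initiator and target counts, entry base unit, the two proximity-domain lists, then one 16-bit entry per pair); the sample bytes, proximity-domain numbers and the `hmat_pair`, `hmat_parse_locality` and `parse_sample` names are my own assumptions for illustration. The point a firmware-facing parser must get right is that every length and count field comes from firmware, so each one is checked against the buffer before it is used.

```c
/*
 * Added example (not from the page or the kernel patch): a bounds-checked
 * parser for the ACPI 6.2 HMAT type-1 (System Locality Latency and Bandwidth
 * Information) structure, run over a constructed HMAT body. Layout per ACPI 6.2
 * as I know it; sample bytes and names below are assumptions for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HMAT_TYPE_LOCALITY 1

struct hmat_pair {
    uint32_t initiator;   /* initiator proximity domain */
    uint32_t target;      /* target proximity domain */
    uint8_t  data_type;   /* 0 = access latency, 3 = access bandwidth (ACPI 6.2) */
    uint64_t value;       /* raw 16-bit entry multiplied by the entry base unit */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/*
 * Parse every type-1 structure in an HMAT body (the bytes after the 36-byte
 * ACPI table header and the 4 reserved bytes). Returns the number of
 * (initiator,target) pairs written to out, or -1 if a length or count field
 * does not fit the buffer or out is too small.
 */
int hmat_parse_locality(const uint8_t *body, size_t len,
                        struct hmat_pair *out, size_t max_out)
{
    size_t off = 0, n = 0;

    while (off + 8 <= len) {                    /* common 8-byte structure header */
        uint16_t type = rd16(body + off);
        uint32_t slen = rd32(body + off + 4);

        if (slen < 8 || slen > len - off)        /* firmware-supplied length: verify it */
            return -1;

        if (type == HMAT_TYPE_LOCALITY) {
            const uint8_t *s = body + off;
            if (slen < 32) return -1;
            uint8_t  data_type = s[9];
            uint32_t ninit = rd32(s + 12), ntgt = rd32(s + 16);
            uint64_t base  = rd64(s + 24);

            /* counts are firmware-supplied too: cap them, then check the lists fit */
            if (ninit > 0xFFFF || ntgt > 0xFFFF) return -1;
            size_t need = 32 + 4 * (size_t)ninit + 4 * (size_t)ntgt
                          + 2 * (size_t)ninit * ntgt;
            if (need > slen) return -1;

            const uint8_t *ipd = s + 32;             /* initiator proximity-domain list */
            const uint8_t *tpd = ipd + 4 * ninit;    /* target proximity-domain list */
            const uint8_t *ent = tpd + 4 * ntgt;     /* ninit x ntgt 16-bit entries */

            for (uint32_t i = 0; i < ninit; i++)
                for (uint32_t t = 0; t < ntgt; t++) {
                    if (n >= max_out) return -1;
                    uint16_t raw = rd16(ent + 2 * (i * ntgt + t));
                    out[n].initiator = rd32(ipd + 4 * i);
                    out[n].target    = rd32(tpd + 4 * t);
                    out[n].data_type = data_type;
                    out[n].value     = (uint64_t)raw * base;
                    n++;
                }
        }
        off += slen;                              /* skip other structure types */
    }
    return (int)n;
}

/* Constructed HMAT body (assumption, not captured from real firmware):
 * a 40-byte type-0 structure with zeroed fields, then a type-1 structure with
 * one initiator (PD 0), two targets (PD 0, PD 1), data type 0 (access latency),
 * base unit 1000 ps, entries 80 and 130 (i.e. 80 ns local, 130 ns remote). */
static const uint8_t sample_hmat_body[] = {
    0x00,0x00, 0x00,0x00, 0x28,0x00,0x00,0x00,            /* type 0, length 40 */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x01,0x00, 0x00,0x00, 0x30,0x00,0x00,0x00,            /* type 1, length 48 */
    0x00, 0x00, 0x00,0x00,                                /* flags, data type, reserved */
    0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,             /* 1 initiator, 2 targets */
    0x00,0x00,0x00,0x00,                                  /* reserved */
    0xE8,0x03,0x00,0x00,0x00,0x00,0x00,0x00,              /* base unit 1000 */
    0x00,0x00,0x00,0x00,                                  /* initiator PD 0 */
    0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,             /* target PD 0, PD 1 */
    0x50,0x00, 0x82,0x00,                                 /* entries 80, 130 */
};

/* Parse the sample, optionally truncated by drop_bytes to exercise the checks. */
int parse_sample(struct hmat_pair *out, size_t max_out, size_t drop_bytes)
{
    size_t len = sizeof sample_hmat_body;
    if (drop_bytes > len) return -1;
    return hmat_parse_locality(sample_hmat_body, len - drop_bytes, out, max_out);
}

int main(void)
{
    struct hmat_pair p[4];
    int n = parse_sample(p, 4, 0);
    for (int i = 0; i < n; i++)
        printf("initiator %u -> target %u: type %u value %llu\n",
               p[i].initiator, p[i].target, p[i].data_type,
               (unsigned long long)p[i].value);
    printf("truncated table: %d\n", parse_sample(p, 4, 1));
    return 0;
}
```

Dropping even one byte from the end makes the type-1 length field overrun the buffer and the parser refuses the table instead of reading past it; the same check is what keeps a hostile or corrupt ACPI table from turning a table walk into an out-of-bounds read.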
https://twitter.com/LucaFilipozzi/status/855830951892353024
OEMs: the Debian project is asking for your help.
syscall_intercept: Userspace syscall intercepting library.
https://github.com/pmem/syscall_intercept
The Intel Software Guard Extensions SSL (Intel SGX SSL) cryptographic library is intended to provide cryptographic services for Intel Software Guard Extensions (SGX) enclave applications. The Intel SGX SSL cryptographic library is based on the underlying OpenSSL Open Source project, providing a full-strength general purpose cryptography library. The API exposed by the Intel SGX SSL library is fully compliant with unmodified OpenSSL APIs.
https://github.com/01org/intel-sgx-ssl
Sorry, I could not find a link to the site; these two Tweets are the closest I can find to this presentation. If you find the slides and/or A/V archives, please leave a comment.
Welcome to WinHEC June 2017 Registration
The Windows Hardware Engineering Community (WinHEC) is where technical experts from around the world, and Microsoft, come together to make Windows great for every customer. Our next WinHEC event is June 14th and 15th in Taipei, Taiwan. The workshop will feature sessions and a lab for developers, product managers and planners to help prepare for Windows 10 S and to showcase the benefits of adopting key hardware features. Presentations will include: Introduction to Universal Drivers, Universal Developer Center for Hardware and Driver Servicing, Driver Flighting end-to-end, Windows Ink, Windows 10 Mixed Reality, Designing and Optimizing for Long Battery Life and Responsive Windows Devices, Windows Hello, and Developer Platform Updates. We will also have a guided, hands-on lab to explore and practice the concepts covered in the Introduction to Universal Driver session.
https://www.microsoftevents.com/profile/form/index.cfm?PKformID=0x19594336ecd
automatically update server and adapter firmware using EFI shell
This Updatepack automates and simplifies the update process of Intel Servers and Adapters. […] Supported Devices:
Intel S2600WT Server Board Family
Intel RMS3JC080 RAID Controller
Intel RMS3CC080 RAID Controller
Intel RES3TV360 SAS Expander
QLogic BR1860-2 Converged Network Adapter
Lenovo N2225 SAS Host Bus Adapter
https://github.com/thost96/automated-efi-fw-update
Careful: this GitHub project includes some binary-only *.EFI files with no source code, so the update payloads cannot be audited before you run them.
New Redfish Update Adds Composability Support
Continuing its aggressive development timeline, an important update to the DMTF’s Redfish® standard is now available. The newly-released version 2017.1 of the Redfish Schema and version 1.2.0 of the Redfish Specification contain a number of additions, including support for composable infrastructures. With the ultimate goal of addressing all of the components in the data center with a consistent API, Redfish is an open industry standard that helps enable simple, modern and secure management of scalable platform hardware. DMTF continues to expand Redfish to cover customer use cases and technology, and the new Composition Service provides support for binding resources together into logical constructs. For example, disaggregated hardware – which allows for independent components, such as processors, memory, I/O controllers, and drives, to be bound together to create a composed Computer System – becomes a Computer System from an end user perspective in Redfish. Redfish composability allows clients to adjust their hardware configurations in response to their application needs, without having to touch any hardware.
Redfish Specification 1.2.0 (DSP0266_1.2.0.pdf)
https://www.dmtf.org/standards/redfish
http://redfish.dmtf.org/
http://www.dmtf.org/standards/spmf
During the initial Intel AMT bug report, Xeno of Apple tweeted that Apple didn’t use AMT.
Recently, Microsoft has also stated that the Surface devices don’t use AMT:
https://blogs.technet.microsoft.com/surface/2017/06/01/intel-amt-vulnerability-and-surface-devices/
Small tool for generating ropchains using unicorn and z3
The troll is a C-language source-level debugger for ARM Cortex-M systems, accessed with the excellent blackmagic hardware debug probe, and a customized variant of the blackmagic – the vx/blackstrike (or blackstrike for short). The troll only supports source-level debugging of source code programs written in the C programming language, compiled to executable files in the ELF format, containing DWARF debug information.[…]
https://github.com/stoyan-shopov/troll
Hastily-written news/info on the firmware security/development communities, sorry for the typos.