Hurray for Pete Batard, for creating an open source EBC assembler!
fasmg-ebc – EBC (EFI Byte Code) assembler for fasmg
Because programming in assembler for UEFI is easy and nobody should have to pay to produce EBC executables…
Joe Fitzpatrick of Securing Hardware has announced a new course:
[…]This course focuses on approaching hardware as part of a pentest or red team engagement, implementing advanced hardware hacks, and managing the hardware ‘problem’. This two-day course builds directly upon the skills covered in Physical Attacks on Embedded Systems – consider taking the two together for a complete 4 days. If you’ve already taken another class that covers the basics of embedded/IOT/hardware hacking, including UART, JTAG, and SPI, you should have sufficient background.[…]
https://securinghardware.com/news/Announcing-Hardware-Pentesting-Course/
Vincent has a multi-topic blog post, including insight on UEFI spec, and pointer to a free chapter of the 3rd edition of Beyond BIOS:
http://vzimmer.blogspot.com/2017/02/specifications-and-new-book.html
clr-boot-manager exists to enable the correct maintenance of vendor kernels and appropriate garbage collection tactics over the course of upgrades. The implementation provides the means to enable correct cohabitation on a shared boot directory, such as the EFI System Partition for UEFI-booting operating systems. Special care is taken to ensure the ESP is handled gracefully, and in the instance that it is not already mounted, then clr-boot-manager will automatically discover and mount it, and automatically unmount the ESP again when it is complete. Clr-boot-manager is designed to operate solely with GPT disks, and exclusively uses PARTUUID. Generated boot entries also contain the PARTUUID in their root= command line, as part of a merge of the vendor provided cmdline files for default options.
Copyright © 2016-2017 Intel Corporation
https://twitter.com/TrapezoidSec/status/829732647467438082
Regarding:
There’s a second post:
As we noted back in November, it’s common knowledge that keeping device software up to date and securely configured is important. System firmware, on the other hand, is often overlooked. Despite being critical to the secure operation of a device, it’s frequently out of date. But how bad is the problem? How widespread? And what can be done to remedy the situation? To answer these questions we decided to put our money where our mouth is and run some simple tests on one of our research networks. The goal was to gain an accurate picture of the BIOS version running on all connected devices. The results were a wake-up call. The firmware of devices running on our own network required some attention. This may be the case for you as well.[…]
https://www.ncsc.gov.uk/blog-post/firmware-ii-status-check
with some source code:
https://www.ncsc.gov.uk/file/1972/download?token=wIpTEpLO
The UEFI Firmware Rootkits: Myths and Reality
Alex Matrosov | Principal Research Scientist, Cylance
Eugene Rodionov | Senior Specialized Software Engineer, ESET
In recent days, the topic of UEFI firmware security has been very hot. There is a long list of publications that have appeared over the last few years discussing disclosed vulnerabilities in UEFI firmware. These vulnerabilities allow an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim’s system. In this presentation, the authors will take a look at the state of the art attacks against UEFI firmware from a practical point of view and analyze the applicability of disclosed attacks in real life scenarios: whether these vulnerabilities can be easily used in real-world rootkits (OS->SMM->SPI Flash).
In the first part of the presentation, the authors will dive into different types of vulnerabilities and attacks against UEFI firmware to summarize and systematize known attacks: whether the vulnerability targets one specific firmware vendor, whether an attacker needs physical access to the victim’s platform and so on. Such a classification is useful to understand the possibilities of an attacker. The authors will also look at the attacks and determine whether they can be converted into a real-world rootkit or whether the possibilities of the attacker are very limited and the attack vector cannot make it beyond the PoC.
In the second part of the presentation, the authors will look at defensive technologies and how one can reduce the severity of some attacks. Modern Intel-based platforms implement different methods and mitigation technologies against firmware and boot process attacks. Boot Guard is a hardware-based integrity protection technology that provides new levels of configurable boot: Measured Boot and Verified Boot (supported from MS Windows 8). Technologies responsible for protecting platform flash memory from malicious modification are not a new trend. As an example, the BIOS Write Enable bit (BIOSWE) was introduced a long time ago to make access to flash memory read-only. Another protection technology is the BIOS Lock Enable bit (BLE), which puts privileged code executing in System Management Mode (SMM) in control of each attempt to change the BIOSWE bit. Also, SMM-based write protection (SMM_BWP) protects the entire BIOS region from modification attempts by unprivileged (non-SMM) code. One of the latest security technologies is SPI Protected Ranges (PRx), which can be configured on the BIOS/platform developer’s side to protect ranges of flash memory. BIOS Guard (delivered since the Skylake CPU) is the most recent technology for armoring the platform against malicious modification of firmware flash storage. Even if an attacker has access to modify flash memory, BIOS Guard can prevent execution of malicious code and protect flash memory from malicious modifications. The authors will analyse how these technologies can counteract existing firmware vulnerabilities and attacks.
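The abstract above lists the chipset bits (BIOSWE, BLE, SMM_BWP, PRx) that decide whether non-SMM code can write the BIOS region. The following decoder is an added example, not code from the talk or from any tool; it assumes the BIOS_CNTL and PR register bit layouts from the public Intel PCH datasheets (verify them for your chipset generation) and runs on constructed register values rather than reading hardware.

```python
# Added example: evaluate SPI flash write protection from raw register values.
# Bit positions are assumptions taken from public Intel PCH datasheets; check
# the datasheet for your platform before relying on them.
BIOSWE = 1 << 0    # BIOS Write Enable: flash writes allowed when set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: only SMM may write the BIOS region


def decode_pr(value: int):
    """Decode one SPI Protected Range register (PR0..PR4).

    Assumed layout: WPE bit 31, limit [28:16], RPE bit 15, base [12:0];
    base and limit are 4 KiB-granular flash linear addresses.
    """
    wpe = bool((value >> 31) & 1)
    rpe = bool((value >> 15) & 1)
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return wpe, rpe, base, limit


def bios_region_write_protected(bios_cntl: int, prs, bios_base: int, bios_limit: int):
    """Return a verdict dict mirroring the abstract's reasoning.

    BLE alone only lets SMM react to BIOSWE changes; SMM_BWP denies non-SMM
    writes outright; a PRx with WPE covering the whole BIOS region is an
    independent guard that holds even if BIOS_CNTL is misconfigured.
    """
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    pr_covers = any(
        wpe and base <= bios_base and limit >= bios_limit
        for wpe, _rpe, base, limit in map(decode_pr, prs)
    )
    findings = []
    if bioswe:
        findings.append("BIOSWE is set: flash writes currently enabled")
    if not ble:
        findings.append("BLE is clear: BIOSWE can be set without SMM involvement")
    if ble and not smm_bwp:
        findings.append("BLE without SMM_BWP: protection relies solely on the SMI handler")
    if not pr_covers:
        findings.append("no PRx with WPE covers the whole BIOS region")
    return {
        "protected": (ble and smm_bwp) or pr_covers,
        "bioswe": bioswe, "ble": ble, "smm_bwp": smm_bwp,
        "pr_covers_bios": pr_covers, "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: BLE only, plus one PR covering 0x800000..0xFFFFFF.
    print(bios_region_write_protected(0x02, [0x8FFF0800], 0x800000, 0xFFFFFF))
```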
This is a 2015 paper that I just noticed.
Booting an Intel System Architecture:
Taking many little steps walking a path is a good analogy for understanding the Intel Architecture boot flow. The bare minimum firmware requirements for making an Intel architecture platform operational and for booting an OS are presented in this article in a particular order. For most system designs, the order of these steps is sufficient for a full or cold boot, from a state where the power is off to the handoff to the operating system. Depending on the architecture of the BIOS, there may be multiple software phases to jump through with different sets of rules, but the sequence for actually engaging the hardware is very much the same.
https://www.researchgate.net/publication/295010710_Booting_an_Intel_System_Architecture
Introducing Capsule8: Industry’s First Container-Aware, Real-time Threat Protection for Linux
Founded by Renowned Security Veterans and Funded by Bessemer Venture Partners
BROOKLYN, New York (February 8, 2017) — Capsule8 today emerged from stealth mode to unveil its plans for the industry’s first container-aware, real-time threat protection platform designed to protect legacy and next-generation Linux infrastructures from both known and unknown attacks. Founded by experienced hackers John Viega, Dino Dai Zovi and Brandon Edwards, Capsule8 is being built on the real-world experience of its founders to protect against exploitation of previously unknown vulnerabilities. The company raised seed funding of $2.5 million from Bessemer Venture Partners, as well as individual investors Shardul Shah of Index Ventures and Jay Leek of ClearSky. The funding will help fuel the launch of the Capsule8 platform this spring.[…]
Ard Biesheuvel of Linaro has posted a V2 patch to the Linux-EFI list, which includes some UEFI image hardening.
[PATCH v2 00/14] arm64+ARM: efi: PE/COFF cleanup/hardening
This cleans up the PE/COFF EFI header, by taking some of Mark’s patches and use them to replace open coded constants with symbolic ones, and remove incorrect values or unused sections. Finally, it updates the section layout so that the kernel Image can be mapped in a way that does not require setting RWX permissions anywhere. Note that this is currently not a huge win, given that most current UEFI implementations map all of RAM RWX by default, but this is finally gaining some attention, and work is underway to make the PE/COFF loader in EDK2 adhere to the section permissions, which would also allow the RAM mapping to default to non-executable. Work in progress nonetheless…
Changes since v1:
– added missing secondary SOB on Mark’s patches
– leave Image header as before, only move the PE header to a separate file
– put PE header fixes in a separate patch
– add acks from Mark and Peter (#6)
– give ARM the same treatment as arm64 (#10 – #13)
– add NB10 PE debuglink entry to ARM PE/COFF header as well (#9, #14)
Full announcement/patch:
http://vger.kernel.org/majordomo-info.html
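The cover letter's goal is a section layout that never needs RWX mappings, which a loader honouring PE/COFF section permissions can then enforce. The checker below is an added example, not part of the patch series or of any project; it walks a PE/COFF section table and flags any section marked both writable and executable, and builds a constructed headers-only image (not a real kernel Image) so it runs offline.

```python
# Added example: flag PE/COFF sections whose Characteristics request both
# IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE (an RWX mapping).
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(image: bytes):
    """Yield (name, characteristics) for each section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt               # section table follows optional header
    for i in range(num_sections):
        off = table + 40 * i                   # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name, chars


def rwx_sections(image: bytes):
    """Names of sections that would need an RWX mapping."""
    return [name for name, c in pe_sections(image)
            if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE]


def build_test_image(sections):
    """Constructed minimal ARM64 PE image (headers only) for demonstration."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytes(0xF0)                          # PE32+ optional header, contents unused here
    coff = struct.pack("<HHIIIHH", 0xAA64, len(sections), 0, 0, 0, len(opt), 0x0002)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    print("before:", rwx_sections(build_test_image([(b".text", RX | IMAGE_SCN_MEM_WRITE), (b".data", RW)])))
    print("after: ", rwx_sections(build_test_image([(b".text", RX), (b".data", RW)])))
```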
Andrew Back announced the CfP for “Open Source Hardware Camp 2017”, taking place in September in the U.K. Note also ChipHack and ORConf! I wish O’Reilly’s Maker Faire would merge with this group, so that these OSH camps were worldwide, not just in the UK…
This year Open Source Hardware Camp will take place over the weekend of Saturday 2nd & Sunday 3rd September, hosted as part of the Wuthering Bytes festival in Hebden Bridge, which in 2017 will take place over the course of 10 days (again!). We will be returning to the Birchcliffe Centre in Hebden Bridge, which benefits from the convenience of adjoining, budget accommodation. Proposals for talks and workshops for OSHCamp 2017 are invited! The deadline for submitting titles and abstracts is Monday 1st May. There is no theme and topics may include, for example: Open source hardware projects, Open development practices and principles, Novel/interesting/fun projects built using open source hardware, Tools (hardware and software), Skills and techniques, e.g. PCB fab, DIY SMT assembly, Relevant technologies, e.g. SPI/I2C bus programming, …something else relevant to the community. Other events running as part of Wuthering Bytes 2017 and which may be of interest:
* Fri 1st: Wuthering Bytes Festival Day, http://wutheringbytes.com/
* Wed 6th & Thurs 7th: Chip Hack, http://chiphack.org/
* Thurs 7th PM & Fri 8th AM: EDSAC Challenge
* Fri 8th AM – Sunday 10th PM: GNU ORConf, http://orconf.org/
More info:
http://orconf.org/
http://chiphack.org/
http://wutheringbytes.com/
http://oshug.org/pipermail/oshug/2017-February/000595.html
https://www.eventbrite.co.uk/e/open-source-hardware-camp-2017-tickets-31845191826
They’ve only been online for 2 weeks, and now they’re about to go down. Fork it quickly if you want a copy.
https://github.com/fotisl/utimaco
Laszlo Ersek has created a new document that shows how to test SMM using UEFI’s OVMF. Great information!
I’ve added the following article to the TianoCore wiki[1]. It should help both Windows and Linux desktop users build a KVM test machine / environment that closely resembles mine. Such an environment is useful for testing and regression-testing new MP and SMM features and bugfixes. The initial setup is not short, but once you got it up and running, it’s very simple to rebuild OVMF with the edk2 changes, install the firmware binary in the right place (see the article) and then click the Play button on the Fedora 25 and Windows 10 guests, to see the changes in action. If you have smaller updates or structural reorgs for the document, there’s no need to ask me, just go ahead and do them. If some significant information is missing that you’d like me to add, I think I’d prefer new TianoCore BZs at this time (Product: Tianocore Feature Requests, Component: Web Content, Assignee: yours truly). I don’t know when I’ll have time again to dig into this.
[1]https://github.com/tianocore/tianocore.github.io/wiki/Testing-SMM-with-QEMU,-KVM-and-libvirt
Full announcement:
https://lists.01.org/mailman/listinfo/edk2-devel
Todd Garrigues of Intel has a new blog post that gives details about the Kaby Lake 2.0 release:
What you need to know about the second release of the Intel® 7th Gen Core™ processor family (Kaby Lake).[…]

Jiewen Yao of Intel posted a V2 patch to the EDK2-devel list, adding new user authentication to Tianocore, including SMM interaction.
==== V2 ====
1) Add SmmCommunicationBufferProtocol dependency.
2) Cleanup header file and copyright to 2017.
3) Add missing UserAuthenticationSmm.uni.
4) Rename KeyLib.h/c to KeyService.h/c to avoid confusion.
This patch series adds password support in EDKII. This password-based user authentication verifies the user when a user wants to enter the BIOS setup page. The detailed information is added in [PATCH 5/6].
CryptoPkg:SmmCryptLib: Add real Pkcs5Pbkdf2.c.
SecurityPkg/dec: Add PcdPasswordCleared.
SecurityPkg/include: Add PlatformPasswordLib lib class.
SecurityPkg/PlatformPasswordLibNull: Add PlatformPasswordLib instance.
SecurityPkg/Password: Add Password based UserAuthentication modules.
SecurityPkg/dsc: add Password authentication module.
24 files changed, 2768 insertions(+), 2 deletions(-)
https://twitter.com/coreboot_org/status/828649637309513728
Denver coreboot conference
Monday June 5 – Tuesday June 6, 2017
Optional Hacking Day
Wednesday June 7, 2017
https://www.coreboot.org/events/denver2017
https://www.coreboot.org/Denver2017
See also:
Lenovo Security Advisory: LEN-4710
Potential Impact: Execution of code in SMM by an attacker with administrative access
Severity: Medium
Scope of impact: Industry-wide
Summary Description: System Management Mode (SMM) is the most privileged execution mode of the x86 processor. Software System Management Interrupt (SWSMI) handlers are used by software to call on BIOS functions that reside within the SMM. A vulnerability has been identified in one of the SWSMI handlers in the BIOS code from American Megatrends Inc. (AMI) used on some Lenovo systems. This could allow a malicious attacker with administrative access to execute code in the SMM and bypass some BIOS security mechanisms and install software with bootkit functionality. Mitigation Strategy for Customers (what you should do to protect yourself): Update your BIOS level to the latest version by following the instructions in the readme file. This issue only affects Lenovo products with BIOS firmware from AMI. Brands not listed, such as ThinkPad, do not use AMI firmware and are not affected by this vulnerability. Lenovo thanks Bruno Pujos of Sogeti ESEC R&D for reporting this issue.[…]
More info:
http://esec-lab.sogeti.com/posts/2016/05/30/smm-unchecked-pointer-vulnerability.html
Microsoft has updated its OEM guidance for using Device Guard and Credential Guard.
There is no changelog, hopefully you have an old copy of this web page cached somewhere for you to manually diff…
Tara Seals has a new story in Infosecurity Magazine on IoT firmware security concerns:
Firmware Security Lags as IoT Devices Proliferate
As the era of automation and the Internet of Things (IoT) continues to dawn, businesses are seeing a marked increase in connected devices as part of their hardware footprint. Yet most businesses don’t have comprehensive programs in place to address firmware vulnerabilities[…]
https://www.infosecurity-magazine.com/news/firmware-security-lags-as-iot/
Hastily-written news/info on the firmware security/development communities, sorry for the typos.