DMTF launches Redfish School Series on YouTube

Quoting their press release:

DMTF Launches YouTube Channel with Redfish™ School Series
Get schooled in Redfish™ by tuning in to DMTF’s new YouTube channel! The DMTF is excited to announce this new resource, which offers short technical webinars on a variety of topics related to the Redfish API and other DMTF standards. Currently, DMTF’s YouTube channel features “Redfish School,” a five-webinar series that covers Redfish Model Architecture; Common Properties; Chassis, Systems and Managers; and more. In addition, you’ll find Why Redfish™?, a short webinar – hosted by Scalable Platforms Management Forum (SPMF) Co-Chair Jeff Autor – that provides an overview of the standard and how it enables simple and secure management of modern scalable platform hardware. Visit today to see DMTF’s latest videos, and be sure to subscribe to the DMTF YouTube Channel to stay up-to-date with our upcoming webinars!

http://youtube.com/c/DmtfOrg

http://www.dmtf.org/standards/redfish

Pork Explosion: backdoor in Foxconn apps bootloader

Pork Explosion Unleashed
[…] Pork Explosion is a backdoor found in the apps bootloader provided by Foxconn. For those that are not aware, Foxconn assembles phones for many, many vendors; some (but not all) also choose to allow Foxconn to build many low level pieces of firmware. To date we have identified at least two vendors (likely many more) with vulnerable devices, InFocus (M810) and Nextbit (Robin). Pork Explosion allows an attacker with physical access to a device to gain a root shell, with SELinux disabled, through USB. The attack can be made through fastboot and the apps bootloader, or through adb if access is available. Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor had been placed into their products. While taking a peek at the Nextbit Robin’s apps bootloader (based on Qualcomm’s lk bootloader, with customizations made by Foxconn International Holdings), a fastboot command was noticed that seemed out of place. The Nextbit Robin’s apps boot loader is based on the lk bootloader with customizations made by Foxconn International Holdings. […]

http://bbqand0days.com/Pork-Explosion-Unleashed/

Seattle firmware presentation at DC206 Meeting this Sunday

Many cities have “DC<areacode>” groups, the local DEF CON community. The Seattle-area DC206 group is having its monthly meeting this Sunday, and the talk is firmware-centric, in case you are in the Seattle area.

An Introduction To Pulling Software From Flash via I2C, SPI and JTAG
by Matt DuHarte

This beginner’s talk is as jargon free as possible and a great introduction to the world inside all those little devices that make up our world. Not every device we have makes it easy to see the software it runs. How do you analyze the firmware of a device that does not have a display or even a serial port? Simple – pull the software directly from the flash on the device. A new generation of simple and inexpensive hardware devices makes it fast and easy. This talk will introduce just enough of the protocols involved, the devices used to pull a firmware image, and the software we use to modify the images and put them back. Following the talk there will be a hands-on area for watching demonstrations and for you to try your hand at pulling images off various devices.

Matt DuHarte is the Security Lead at a major networking hardware manufacturer but is still a software guy. Matt is an avid BSides presenter on hardware topics like USB hacking and embedded electronics. He started doing electronics as a kid, later for a UGA, and now does it because it is fun. He is a firm believer that password brute forcing is for wimps and that it is easier to open the case, attach a few wires, and ask hardware nicely in its own language to spill its secrets. Hardware likes him, except FPGAs; they say his timing is off.

http://blacklodgeresearch.org/
http://dc206.org/

What: October DC206 Meeting
When: October 16, 1pm-3pm
Where: Black Lodge Research (17725 NE 65th St, A-155; Evans Business Park, Building A); Redmond, WA 98052 USA

UEFI Forum plugfest videos online

The PDFs of the presentations were uploaded earlier, now the videos are online on YouTube.

The presentations are all very interesting. The Microsoft talk gives more background clarifying the story of the leaked “Secure Boot” golden keys. Style points go to that speaker with his ‘golden key’ necklace. 🙂

https://www.youtube.com/user/UEFIForum

http://uefi.org/events/past

http://uefi.org/learning_center/presentationsandvideos

CHIPSEC ported to ARM??

screenshot: https://pbs.twimg.com/media/CubkpMsVIAAIrQT.jpg:large

Intel CHIPSEC is, or at least was, Intel-specific. Actually, it may be called McAfee CHIPSEC now? Anyway, it did not work on ARM. Via Linaro, ARM Ltd. was in the process of porting the LUV (Linux UEFI Validation) distro to AArch64, and LUV includes CHIPSEC, so that was on the list, but AFAIK Linaro had not yet started to port CHIPSEC itself to ARM.

So the above screenshot is news to me, and very exciting. I hope we get more news about this soon!! AND a source check-in (currently nothing in repo)… 🙂


RHme’s embedded hardware CTF

What is RHme+
The RHme+ (Riscure Hack me) is a low level hardware challenge that comes in the form of an Arduino board. It was launched during BlackHat Amsterdam in 2015. The winners of the first edition were announced on the 18th of January 2016. The writeups, together with the interview of the winners, can be found from March 1 at the official challenge website. Use your weapon of choice to extract the flags. We have no preference and we are curious to see where your creativity and skill will take you! Just be sure to have fun! 😉 We estimate the difficulty level to be moderate. If you like these challenges and you would like more, let us know. Get in touch with us via Twitter (#riscure #rhme+) or send us an email at challenge. at. riscure.com

http://rhme.riscure.com/

https://github.com/Riscure/RHme-2015

Microsoft: Keeping Windows Secure documents on Github

https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/keep-secure/TOC.md

This reminds me: the guidance for Linux users from the Linux Foundation is nearly a year old now, with no updates:

Linux Foundation IT Security Policies: firmware guidance

more info on PCI Leech

DMA attacking over USB-C and Thunderbolt 3
I just got an Intel NUC Skull Canyon that has a USB-C port capable of Thunderbolt 3. Thunderbolt is interesting since it’s able to carry PCI Express, which is Direct Memory Access (DMA) capable. I have previously demonstrated how it is possible to DMA-attack Macs over Thunderbolt 2 in my DEF CON talk “Direct Memory Attack the Kernel”. To attack my MacBook Air in the DEF CON demo I used a Sonnet Echo ExpressCard Thunderbolt 2 to ExpressCard adapter together with a PCILeech ExpressCard. I also got a Thunderbolt 3 to Thunderbolt 2 adapter from Startech and I wanted to try it on the NUC to see if it’s possible to use it for DMA attacks, or if Thunderbolt has been secured. […]

http://blog.frizk.net/2016/10/dma-attacking-over-usb-c-and.html


Google’s fuzzer-test-suite

fuzzer-test-suite:
This is a set of tests (benchmarks) for fuzzing engines (fuzzers). The goal of this project is to have a set of fuzzing benchmarks derived from real-life libraries that have interesting bugs, hard-to-find code paths, or other challenges for bug finding tools. The current version supports libFuzzer; in future versions we expect to support AFL and potentially other fuzzers. […]


https://github.com/google/fuzzer-test-suite

Oliver Schwarz: No Hypervisor Is an Island

No Hypervisor Is an Island:
System-wide Isolation Guarantees for Low Level Code
OLIVER SCHWARZ

The times when malware was mostly written by curious teenagers are long gone. Nowadays, threats come from criminals, competitors, and government agencies. Some of them are very skilled and very targeted in their attacks. At the same time, our devices – for instance mobile phones and TVs – have become more complex, connected, and open for the execution of third-party software. Operating systems should separate untrusted software from confidential data and critical services. But their vulnerabilities often allow malware to break the separation and isolation they are designed to provide. To strengthen protection of select assets, security research has started to create complementary machinery such as security hypervisors and separation kernels, whose sole task is separation and isolation. The reduced size of these solutions allows for thorough inspection, both manual and automated. In some cases, formal methods are applied to create mathematical proofs on the security of these systems.
The actual isolation solutions themselves are carefully analyzed and included software is often even verified on binary level. The role of other software and hardware for the overall system security has received less attention so far. The subject of this thesis is to shed light on these aspects, mainly on (i) unprivileged third-party code and its ability to influence security, (ii) peripheral devices with direct access to memory, and (iii) boot code and how we can selectively enable and disable isolation services without compromising security.
The six papers included in this thesis are both design and verification oriented, however, with an emphasis on the analysis of instruction set architectures. With the help of a theorem prover, we implemented various types of machinery for the automated information flow analysis of several processor architectures. We used these tools to make explicit which registers arbitrary and unprivileged software on ARM or MIPS platforms can access. The analysis is guaranteed to be both sound and accurate. To the best of our knowledge, we were the first to publish an automated analysis and verification of information flow properties for commodity instruction set architectures.


ARM Trusted Firmware issue on Amlogic S905?

https://plus.google.com/+JeroenPluimers/posts/VfAYwFMj58s

The Amlogic S905 processor, used in many Android TV boxes and the ODROID-C2 development board, implements ARM TrustZone security extensions to run a Trusted Execution Environment (TEE) used for DRM & other security features. However, Frédéric Basse, a security engineer, worked with others and managed to bypass secure boot in one Amlogic S905 powered Android TV box, namely the Inphic i7, but any other device based on the processor would have made the same thing possible. […]

http://www.cnx-software.com/2016/10/06/hacking-arm-trustzone-secure-boot-on-amlogic-s905-soc/

Device Guard: undocumented policies

“Interesting undocumented Device Guard code integrity policy rules. Obtained via the SIPolicy XML schema.”

https://twitter.com/mattifestation/status/783399561306005504

https://twitter.com/mattifestation/status/783405609651765248

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules

WordPress mangles GitHub Gist URLs; click on the above Twitter URLs to get the Gist URL.

CHIPSEC gets QEMU VirtIO device detection

https://github.com/chipsec/chipsec/commits/master

“Just added detection of QEMU VirtIO devices by @mikhailgorobets & @c7zero. Use ‘chipsec_util.py vmm virtio’ command”

https://github.com/chipsec/chipsec
https://github.com/chipsec/chipsec/pull/98

HAXWell: loads custom ISA on Intel Haswell GPUs

https://github.com/jbarczak/HAXWell

Code demonstrating how to load custom ISA on Intel Haswell GPUs via OpenGL. Also includes various ISA utilities and benchmarks. This code works on Windows 8.1. […] For more information, see my related blog posts:
GPU Ray-Tracing The Wrong Way: http://www.joshbarczak.com/blog/?p=1197
SPMD Is Not Intel’s Cup of Tea: http://www.joshbarczak.com/blog/?p=1120
You Compiled This Driver, Trust Me: http://www.joshbarczak.com/blog/?p=1028

UEFI Forum publishes plugfest presentation PDFs

Recently the UEFI Forum had a plugfest. They just uploaded the slides of the presentations. I think the videos are expected in a few weeks as well.

UEFI Fall Plugfest – September 20-22, 2016
* Redfish Configuration of UEFI HII Settings – Mike Rothman (Intel) and Samer El Haj Mahmoud (Lenovo)
* Out of Band BIOS Remote Management – Matthew Krysiak (AMI)
* UEFI Forum Update – Dong Wei (HPE)
* Microsoft UEFI Security Updates – Scott Anderson, Suhas Manangi, Nate Nunez, Jeremiah Cox, and Michael Anderson (Microsoft)
* Tianocore 2016 Updates – Tony Mangefeste (Intel)
* UEFI Network and Security Update – Vincent Zimmer (Intel)
* Updated TCG TPM 2.0 Specs – Dick Wilkins (Phoenix Technologies Ltd.)
* ARM Trusted Firmware ARM UEFI SCT Update – Charles Garcia-Tobin (ARM)

http://www.uefi.org/learning_center/presentationsandvideos
http://uefi.org/events/past