IPyIDA

Marc-Etienne M.Léveillé has an IDA shell in IPython! (I wish more security tool projects would integrate with IPython.)

IPyIDA is a Python-only solution to use an IPython console in the context of IDA Pro. It spawns an IPython kernel that you can connect to with ipython console --existing in your shell or by opening a Qt Console window in IDA Pro with <Shift-.>. You can then benefit from IPython’s autocompletion, online help, monospaced font input field, graphs, and so on.

https://github.com/eset/ipyida

Duo Security research on OEM insecurity

Wired has an article about some new research by Duo Security, on how OEMs build insecure laptops.

https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters
https://www.wired.com/2016/05/2036876/

It is a nice article, but only scratches the surface. OS-level OEM bloatware is fixable. Firmware-level OEM bloatware is often not fixable. And in recent years, operating systems are tied to the firmware more than ever: Microsoft Windows has install binaries embedded in ACPI tables. So, read the article and realize that the situation is much worse than it mentions. 😦

Sogeti ESEC: SMM unchecked pointer vulnerability

[Update: SMM driver dev advice for this from issue is here:

]

Bruno of Sogeti ESEC Lab has published an interesting paper with an SMM exploit, well-written with lots of background on UEFI and SMM exploits, lots of images/figures and links, definitely worth reading:

SMM unchecked pointer vulnerability
Mon 30 May 2016 by Bruno

This article explains the exploitation of an SMM unchecked pointer vulnerability present in several firmwares. As this vulnerability is a memory corruption, it only applies to firmwares including the unpatched vulnerable DXE driver. It first explains the SMM mode and some of its mechanisms, then the reversing of the UEFI driver in which the vulnerability is present, then the exploitation of the vulnerability itself and finally a little conclusion about the impact of the vulnerability. […]

This vulnerability was initially found on two different firmwares of different OEMs; both of them seem to have a lot in common. Their firmware was based on one version of the EDK implementation by Intel with several new features added. After some research it appears that both were using code provided by American Megatrends Inc. (AMI). We contacted AMI and the OEM and got quick responses from them. We would like to thank them for working with us, especially Lenovo for coordinating with us. […]

This vulnerability allows gaining code execution in SMM. In the case of both studied firmwares the flash was not protected by the Protected Range (PR) registers; code execution in SMM allows rewriting the flash and potentially the setup of a persistent bootkit.

In January 2016 VirusTotal (VT) began to provide information on firmware images as described in their blog post. We used this for finding firmware which includes the SMIFlash driver. In total we found approximately 900 different firmwares (type:rom) which contain it, 468 of those had different versions, however it is likely that a lot of these firmwares are just different versions of one another. We have gathered the Vendor identification provided by VT for each of those firmware and got approximately 10 different constructors; however, 84% of the firmwares have AMI as vendor. […]

http://esec-lab.sogeti.com/posts/2016/05/30/smm-unchecked-pointer-vulnerability.html
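The bug class described above is an SMI handler that trusts a pointer handed to it from the OS side without checking where it points, so a caller can make the handler read or write inside SMRAM. The following is an added example (my code, not from the Sogeti ESEC post or from any real firmware) of the range check such a handler must apply to a caller-supplied communication buffer before touching it; in EDK II the corresponding library routine is SmmIsBufferOutsideSmmValid(). The SMRAM base and size, and the sample requests, are constructed values.

```python
"""Range check an SMI handler should apply to a caller-supplied buffer.

Added example, not code from the Sogeti ESEC post or from any real
firmware. SMRAM_BASE and SMRAM_SIZE are constructed; real firmware reads
the TSEG window from the chipset and must also cover any other SMRAM
ranges it owns.
"""

SMRAM_BASE = 0x7B000000        # constructed TSEG base
SMRAM_SIZE = 0x00800000        # constructed TSEG size (8 MiB)
MAX_PHYS = (1 << 64) - 1       # buffers are described with 64-bit physical addresses


def buffer_outside_smram(addr, length, smram_base=SMRAM_BASE, smram_size=SMRAM_SIZE):
    """True only if [addr, addr + length) is non-empty, representable and disjoint from SMRAM.

    Every False is a reason for the handler to refuse the request: a zero or
    negative length, a range that wraps past the end of the address space, or
    any byte of the range falling inside the SMRAM window.
    """
    if length <= 0 or addr < 0:
        return False
    end = addr + length                     # exclusive end; Python ints do not wrap
    if end - 1 > MAX_PHYS:
        return False                        # would wrap around on real 64-bit hardware
    smram_end = smram_base + smram_size
    return end <= smram_base or addr >= smram_end


def triage_requests(requests, **bounds):
    """Classify (addr, length) pairs the way a hardened dispatcher would, without touching memory."""
    return [(addr, length, buffer_outside_smram(addr, length, **bounds))
            for addr, length in requests]


if __name__ == "__main__":
    # Constructed requests: an ordinary OS buffer, a pointer into SMRAM, a range
    # straddling the SMRAM base, a range just past SMRAM, and a length that wraps.
    sample = [
        (0x00001000, 0x100),
        (SMRAM_BASE + 0x10, 0x40),
        (SMRAM_BASE - 8, 0x10),
        (SMRAM_BASE + SMRAM_SIZE, 0x10),
        (0xFFFFFFFFFFFFFFF0, 0x20),
    ]
    for addr, length, ok in triage_requests(sample):
        print(f"{addr:#018x} len={length:#x} -> {'allow' if ok else 'reject'}")
```

The wrap-around test is the part most often missed: a handler that checks only the start address, or computes the end with 32- or 64-bit arithmetic that silently overflows, can be talked into accepting a range that begins below SMRAM and ends inside it.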

Allwinner ARM Linux backdoor???

I don’t know anything more about this story…

“Chinese ARM vendor’s Kernel root backdoor snippet”

“Allwinner […] apparently shipped a version of its Linux kernel with a backdoor built in.”

https://wikicoding.org/wiki/c/Kernel_root_backdoor_snippet/

Qualcomm TrustZone MasterKeys extracted?

Kindly pointed out by a reader of the blog, laginimaineb has some more research going on for Qualcomm TrustZone, sounds non-trivial:

[Grr, when I paste an URL of a Twitter tweet, WordPress usually renders it, today, it is not, maybe it will before it posts it, unsure. I’ve extracted the text from the Tweets in case it does not.]

Just managed to extract the Qualcomm KeyMaster keys directly from TrustZone! Writeup coming soon 🙂 (1/2)

And wrote a script to decrypt all keystore keys. This can also be used to bruteforce the FDE passphrase off the device! (2/2)

This specifically is done on the Nexus 6, but I’ve also dabbled w/ the Nexus 5 and Moto X 2nd Gen

https://mobile.twitter.com/laginimaineb/status/737051964857561093
https://mobile.twitter.com/laginimaineb/status/737052350674817024
https://mobile.twitter.com/laginimaineb/status/737185999760052224
https://mobile.twitter.com/laginimaineb/status/737186295655596032
https://mobile.twitter.com/laginimaineb/status/737188674371215360

More info:
https://mobile.twitter.com/laginimaineb
http://bits-please.blogspot.co.il/2016/05/qsee-privilege-escalation-vulnerability.html
http://bits-please.blogspot.com/

BIOS Disassembly Ninjutsu Uncovered book moved to github

If you have not read this book, and you are reading this blog, then you should make time to read it soon, it is a classic.

http://bioshacking.blogspot.com/2016/05/bios-disassembly-ninjutsu-pdf-moved-to.html

https://github.com/pinczakko/BIOS-Disassembly-Ninjutsu-Uncovered

He has more firmware research on his web site:
https://sites.google.com/site/pinczakko/
http://bioshacking.blogspot.com/

Imagination donates MIPS hardware to Debian

It looks like a few companies, including Imagination Technologies, the current company behind MIPS processors, have donated some hardware to the Debian project!

 […] Imagination Technologies recently donated several high-performance SDNA-7130 appliances to the Debian Project for the development and maintenance of the MIPS ports. The SDNA-7130 (Software Defined Network Appliance) platforms are developed by Rhino Labs, a leading provider of high-performance data security, networking, and data infrastructure solutions. With these new devices, the Debian project will have access to a wide range of 32- and 64-bit MIPS-based platforms. […] The Debian project would like to thank Imagination, Rhino Labs and aql for this coordinated donation. […]

https://bits.debian.org/2016/05/imagination-64-bit-mips-cpus.html

PS: I mostly pay attention to Intel and ARM hardware, it’s been a while since I’ve worked on a MIPS box. Just catching up to MIPS after years, there’s a lot of firmware exploit research out there:
https://www.google.com/?gws_rd=ssl#q=MIPS+firmware+reverse+engineering
https://www.linux-mips.org/wiki/Firmware

GPU security analysis from POSTECH

Stealing Webpages Rendered on Your Browser by Exploiting GPU Vulnerabilities

Graphics processing units (GPUs) are important components of modern computing devices for not only graphics rendering, but also efficient parallel computations. However, their security problems are ignored despite their importance and popularity. In this paper, we first perform an in-depth security analysis on GPUs to detect security vulnerabilities. We observe that contemporary, widely-used GPUs, both NVIDIA’s and AMD’s, do not initialize newly allocated GPU memory pages which may contain sensitive user data. By exploiting such vulnerabilities, we propose attack methods for revealing a victim program’s data kept in GPU memory both during its execution and right after its termination. We further show the high applicability of the proposed attacks by applying them to the Chromium and Firefox web browsers which use GPUs for accelerating webpage rendering. We detect that both browsers leave rendered webpage textures in GPU memory, so that we can infer which webpages a victim user has visited by analyzing the remaining textures. The accuracy of our advanced inference attack that uses both pixel sequence matching and RGB histogram matching is up to 95.4%.

PDF: StealingWebpagesRenderedonYourBrowserbyExploitingGPUVulnerabilities.pdf

Deduplication Rowhammer Windows exploitation

https://twitter.com/_snagg/status/735716631653978112

There’s a new research paper on using Deduplication and Rowhammer against Windows. Abstract:

Memory deduplication, a well-known technique to reduce the memory footprint across virtual machines, is now also a default-on feature inside the Windows 8.1 and Windows 10 operating systems. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a normal page. Prior work has shown that an attacker able to craft pages on the target system can use this timing difference as a simple single-bit side channel to discover that certain pages exist in the system. In this paper, we demonstrate that the deduplication side channel is much more powerful than previously assumed, potentially providing an attacker with a weird machine to read arbitrary data in the system. We first show that an attacker controlling the alignment and reuse of data in memory is able to perform byte-by-byte disclosure of sensitive data (such as randomized 64 bit pointers). Next, even without control over data alignment or reuse, we show that an attacker can still disclose high-entropy randomized pointers using a birthday attack. To show these primitives are practical, we present an end-to-end JavaScript-based attack against the new Microsoft Edge browser, in absence of software bugs and with all defenses turned on. Our attack combines our deduplication-based primitives with a reliable Rowhammer exploit to gain arbitrary memory read and write access in the browser. We conclude by extending our JavaScript-based attack to cross-process system-wide exploitation (using the popular nginx web server as an example) and discussing mitigation strategies.

PDF: 0824a987.pdf

PDF: dedup-est-machina_sp16.pdf

Description of Xen exploit XSA-105

Jérémie Boutoille has a new blog post with information on Xen, with a video at the beginning for those who are too busy to read the entire article:

Xen exploitation part 1: XSA-105, from nobody to root

This blog post describes the exploitation of Xen Security Advisory 105 (XSA-105) (CVE-2014-7155). This post explains the environment setup and shows the development of a fully working exploit on Linux 4.4.5. We are not aware of any public exploit for this vulnerability, although Andrei Lutas wrote excellent articles describing the root cause of the vulnerability and how to trigger it. This post explains the environment setup and shows the development of a fully working exploit on Linux 4.4.5 (it probably works with many other versions). […]

http://blog.quarkslab.com/xen-exploitation-part-1-xsa-105-from-nobody-to-root.html

ICSA launches IoT security certification program

Hurray, more IoT security certification programs! 😉

To help companies mitigate risks associated with an increasingly connected world, ICSA Labs, an independent division of Verizon, is rolling out a new security testing program to provide assurance testing for Internet of Things (IoT) devices and sensors. The program is believed to be among the first-of-its-kind. ICSA Labs will test six components as part of the new IoT Security Testing and Certification Program including: alert/logging, cryptography, authentication, communications, physical security, and platform security. The ICSA Labs Product Assurance Report found the majority of security devices fail to perform as intended. Certified devices and sensors carry the ICSA Labs’ mark of approval that indicates they underwent demanding testing and any weakness or vulnerability found was mitigated and confirmed through further testing by ICSA Labs. In addition, certified devices are tested over their lifecycle at regularly established intervals to help make the devices more secure. In developing the new criteria, ICSA Labs compared its categories and requirements to other emerging guidelines including OWASP Internet of Things Top 10, Industrial Internet Consortium Reference Architecture and the Online Trust Alliance’s IoT Trust Framework. […]

https://www.icsalabs.com/technology-program/iot-testing

Fibratus

Rabbitstack has created Fibratus, a tool for tracing the Windows kernel:

Fibratus is a tool which is able to capture most of the Windows kernel activity – process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters or run the lightweight Python modules called filaments. You can use filaments to extend Fibratus with your own arsenal of tools.

https://github.com/rabbitstack/fibratus

Brian Richardson on Redfish and x-UEFI Config Lang

Brian Richardson of Intel’s UEFI team has a new blog post, showing HP vendor data exposed through DMTF Redfish, as well as how to view x-UEFI Configuration Language data.

http://blogs.intel.com/evangelists/2016/05/25/firmware-modern-data-center/

For more on the x-UEFI Configuration language, see Vincent’s post:

Vincent Zimmer on the x-UEFI configuration language

Intel updates Firmware Engine

https://twitter.com/FirmwareEngine/status/735564887267500032

Intel® Firmware Engine Release 2.0.0
Program installer for Microsoft* Windows 7/8/8.1/10.
Includes program and MinnowBoard Max and MinnowBoard Turbot platform support.

https://firmware.intel.com/learn/intel-firmware-engine/downloads

<soapbox>
Intel: please port Firmware Engine to Linux (and FreeBSD, which also has UEFI support); the current Windows-only release only helps the Windows subset of your target firmware vendor ecosystem. Thanks!
</soapbox>

Teddy Reed on firmware attacks TONIGHT

Short notice, but if you are reading this immediately and are in the Bay Area, then you might be able to attend. The rest of us will have to hope they videotape this and share the archive.

Defending, detecting, and responding to hardware and firmware attacks

This presentation takes a different approach to hardware and firmware security by exploring how our enterprise defenders can recognize vulnerable systems and potential compromise. Defense begins with visibility: that means baselining kernel drivers, kernels, boot loaders, ACPI table content, SMBIOS metadata; it then continues into logging real-time OS API-generated hardware events. This data and pipeline can fuel existing correlation and IoC collections to identify known good and eventually known bad. Creating production-deployable and repeatable recipes for these somewhat esoteric features is essential. We will present a summary of immediate tools and actions for “deep systems defense”, an analysis of where our defenders remain blind to compromise, and recommendations on where our industry can focus tailored effort to generate massive impact.

Teddy is a Security Engineer at Facebook developing production security tools. He is very passionate about trustworthy, safe, and secure code development. He loves open source and collaborative engineering when scale, resiliency, and performance enable defensive and protective software design.

https://www.eventbrite.com/e/fastly-security-speaker-series-part-2-tickets-25216388898

LexInnova analysis on IoT patent portfolios

BusinessInsider has a story about IoT patent portfolios that is interesting, if you care about that sort of thing. The LexInnova research download requires an email to access their document. 😦

[…] For IoT-related patents, those that pertain to collecting and transmitting data from IoT devices are the most valuable, according to LexInnova’s analysis. Qualcomm holds a number of patents in this area for collecting and transmitting data from connected medical devices and other IoT device categories. The technologies that Qualcomm has patented in this area are used in its chipsets for connecting IoT devices to the internet over different types of networks. […]

http://www.businessinsider.com/qualcomm-has-the-most-valuable-iot-patent-portfolio-2016-5?r=UK&IR=T

http://www.lex-innova.com/resources-reports/?id=73

Underwriters Labs launch IoT security certification

I rarely look at IoT security issues anymore, since there are so many news stories on this topic each day… 😦

But Underwriters Labs apparently has a new IoT security testing program:

http://www.ul.com/newsroom/pressreleases/ul-launches-cybersecurity-assurance-program/
http://industries.ul.com/software-and-security/product-security-services/product-testing-and-validation
http://www.ul.com/cybersecurity/

http://arstechnica.com/security/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/
http://www.darkreading.com/endpoint/underwriters-laboratories-to-launch-cyber-security-certification-program/d/d-id/1321202
http://www.cio.com/article/3073263/security/new-iot-security-certification-aims-to-make-the-world-safer.html
http://readwrite.com/2016/04/11/underwriters-laboratories-dives-iot-security-testing-sf4/
http://www.computerworld.com/article/3051147/internet-of-things/ul-takes-on-cybersecurity-testing-and-certification.html

Microsoft and Secure Boot

A few document updates from Microsoft on Secure Boot and one news article on Windows hardware requirements:

Justin Hall of Microsoft has updated their document on how to disable Secure Boot:

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/disabling-secure-boot

Justin has also updated their guidance on Secure Boot keys:

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance

Milad Aslaner of Microsoft has updated their document on how to access UEFI security features in their Surface devices:

https://technet.microsoft.com/en-us/itpro/surface/advanced-uefi-security-features-for-surface

The Windows driver doc team has updated their document on Booting and UEFI:

https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/boot-and-uefi

Extreme Tech has a story on Windows hardware requirements increasing:

http://www.extremetech.com/computing/229101-new-windows-10-update-will-change-hardware-requirements-for-the-first-time-since-2009

It mentions that Windows 10 Mobile OEMs must not disable Secure Boot. I have not been following Microsoft’s changes to Secure Boot guidance too closely; this might be a change.

SeaBIOS ACPI patch fixing Ubuntu/Windows installs

Bin Meng posted an 18-part patch series to the SeaBIOS list, fixing multiple issues that may impact the installation of Ubuntu (only Ubuntu and no other Linux distros??) and Windows:

[PATCH v2 00/18] x86: acpi: Support installation of Ubuntu/Windows and boot Windows

SeaBIOS can be loaded by U-Boot to aid the installation of Ubuntu and Windows to a SATA drive and boot from there. But till now this is broken. The installation either hangs forever or just crashes. This series fixed a bunch of issues that affect the installation of Ubuntu and Windows, and booting Windows.

Testing was performed on MinnowMax by:
– Install Ubuntu 14.04 and boot
– Install Windows 8.1 and boot
– Install Windows 10 and boot

This series is available at u-boot-x86/acpi2-working.

Changes in v2:
– New patch to remove the unnecessary checksum calculation of DSDT
– New patch to remove header length check when writing tables
– New patch to enable SeaBIOS on all boards
– New patch to add GPIO ASL description

Bin Meng (18):
  x86: minnowmax: Adjust U-Boot environment address in SPI flash
  x86: Call board_final_cleanup() in last_stage_init()
  x86: Fix up PIRQ routing table checksum earlier
  x86: Compile coreboot_table.c only for SeaBIOS
  x86: Prepare configuration tables in dedicated high memory region
  x86: Unify reserve_arch() for all x86 boards
  x86: Reserve configuration tables in high memory
  x86: Use high_table_malloc() for tables passing to SeaBIOS
  x86: acpi: Switch to ACPI mode by ourselves instead of requested by OSPM
  x86: acpi: Remove the unnecessary checksum calculation of DSDT
  x86: acpi: Remove header length check when writing tables
  x86: doc: Update information about IGD with SeaBIOS
  x86: baytrail: Enable SeaBIOS on all boards
  x86: doc: Mention Ubuntu/Windows installation and boot support
  acpi: Quieten IASL output when ‘make -s’ is used
  x86: baytrail: Add internal UART ASL description
  x86: baytrail: Add GPIO ASL description
  x86: doc: Add porting hints for ACPI with Windows

For more information, see the U-Boot list:
http://lists.denx.de/mailman/listinfo/u-boot
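Both the “baselining … ACPI table content” defence in Teddy Reed’s talk above and the ACPI checksum handling touched by Bin Meng’s series rest on the same small piece of format knowledge: every ACPI system description table starts with a 36-byte header carrying its signature, total length and a checksum byte chosen so that all bytes of the table sum to zero modulo 256. The following is an added example (my code, not from U-Boot, SeaBIOS or the talk) that parses that header, verifies the checksum, and hashes a set of tables so that a later run can report which tables appeared, vanished or changed. The sample table and its OEM strings are constructed; on a Linux host the same functions can be pointed at /sys/firmware/acpi/tables, which needs root to read.

```python
"""ACPI table header parsing, checksum verification and baseline diffing.

Added example, not code from the U-Boot/SeaBIOS series or from the talk
described above. The sample table built here is constructed; on Linux the
same functions can be run over /sys/firmware/acpi/tables (root needed).
"""
import hashlib
import os
import struct

# ACPI System Description Table header: 36 bytes, little-endian, no padding.
# signature, length, revision, checksum, OEM ID, OEM table ID,
# OEM revision, creator ID, creator revision
SDT_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9


def parse_header(blob):
    """Return the header fields of an ACPI table as a dict."""
    if len(blob) < SDT_HEADER.size:
        raise ValueError("table shorter than an SDT header")
    sig, length, rev, csum, oem_id, oem_tbl, oem_rev, cid, crev = SDT_HEADER.unpack_from(blob)
    text = lambda b: b.decode("ascii", "replace").rstrip()
    return {
        "signature": text(sig), "length": length, "revision": rev,
        "checksum": csum, "oem_id": text(oem_id), "oem_table_id": text(oem_tbl),
        "oem_revision": oem_rev, "creator_id": text(cid), "creator_revision": crev,
    }


def checksum_ok(blob):
    """True if the declared length fits inside blob and those bytes sum to 0 mod 256."""
    hdr = parse_header(blob)
    if hdr["length"] > len(blob) or hdr["length"] < SDT_HEADER.size:
        return False
    return sum(blob[: hdr["length"]]) % 256 == 0


def with_checksum(blob):
    """Return a copy of blob whose checksum byte makes the whole table sum to zero."""
    table = bytearray(blob)
    table[CHECKSUM_OFFSET] = 0
    table[CHECKSUM_OFFSET] = (-sum(table)) % 256
    return bytes(table)


def build_sample_table(signature=b"OEM1", payload=b"constructed payload"):
    """Construct a minimal well-formed table for demonstration (all strings made up)."""
    length = SDT_HEADER.size + len(payload)
    header = SDT_HEADER.pack(signature, length, 1, 0, b"DEMO  ", b"DEMOTBL ", 1, b"DEMO", 1)
    return with_checksum(header + payload)


def load_sysfs_tables(root="/sys/firmware/acpi/tables"):
    """Read every ACPI table Linux exposes under sysfs (requires root)."""
    tables = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                tables[name] = fh.read()
    return tables


def baseline(tables):
    """Map table name -> (sha256 hex digest, checksum verdict) for later comparison."""
    return {name: (hashlib.sha256(blob).hexdigest(), checksum_ok(blob))
            for name, blob in tables.items()}


def diff_baseline(old, new):
    """Report tables that appeared, vanished or changed content since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n][0] != new[n][0]),
    }


if __name__ == "__main__":
    root = "/sys/firmware/acpi/tables"
    tables = load_sysfs_tables(root) if os.path.isdir(root) else {"OEM1": build_sample_table()}
    for name, (digest, ok) in sorted(baseline(tables).items()):
        print(f"{name:12} {parse_header(tables[name])['oem_id']:8} {digest[:16]}  checksum {'ok' if ok else 'BAD'}")
```

Store the output of baseline() from a known-good boot and run diff_baseline() against it later; a table that changes without a firmware update, or a table whose checksum stops verifying, is the kind of low-level signal the talk describes feeding into an existing correlation pipeline.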