AMI adds Redfish support

https://twitter.com/AMI_PR/with_replies

AMI has announced Redfish support for their UEFI implementation:

American Megatrends Announces Out-of-Band BIOS Configuration through Redfish

AMI is proud to announce out-of-band BIOS configuration compatible with DMTF Redfish. DMTF’s Redfish API platform was created by DMTF’s Scalable Platforms Management Forum as an open industry standard specification designed to provide end users simple and powerful, yet scalable management platform hardware. To meet the needs of end users, Redfish allows users to develop solutions that combat homogenous interfaces and reduced functionality. Redfish utilizes a combination of REST, JSON and OData and serves as a secure replacement for IPMI-over-LAN. AMI’s OOB (Out-of-Band) Firmware Management delivers extended management solutions through the adoption of Redfish between BIOS, BMC and Extensible Management Architecture (EMA). AMI OOB Firmware Management provides complete Redfish support and allows for the consistent exchange of information between the BIOS and BMC. AMI has been diligently working on providing an OOB firmware solution for datacenter solutions providers such as QCT (Quanta Cloud Technology).

https://ami.com/news/press-releases/?PressReleaseID=354
https://ami.com/products/bios-uefi-firmware/aptio-v/
http://www.dmtf.org/standards/redfish
http://redfish.dmtf.org/

HyperBone: minimalistic VT-X hypervisor with hooks

https://twitter.com/_jsoo_/status/720226750832087042

PG-compatible feature list:
    Syscall hooks via MSR_LSTAR
    Kernel inline hooks
    Kernel page substitution
    Kernel page EPT TLB splitting
    MSR hooks
    IDT hooks

Supported hardware: Intel processors with VT-x and EPT support
Supported platforms: Windows 7 – Windows 10, x64 only

More info:
https://github.com/DarthTon/HyperBone

Motherboard interview on Intel UEFI and IoT security

Motherboard has an interview with Brian Richardson of the Intel UEFI team, on the topic of IoT security. Wide range of topics covered!

http://motherboard.vice.com/en_uk/blog/protecting-firmware-is-crucial-for-iot-technology

 

USB Type-C authentication protocol: defense against bad cables

https://twitter.com/CypressSemi/status/721416739372855301

The USB-IF has developed a cryptographic-based authentication protocol to help protect from bad USB Type-C cables!

http://www.engadget.com/2016/04/13/usb-type-c-authentication-protocol/

http://www.businesswire.com/news/home/20160412005983/en/USB-3.0-Promoter-Group-Defines-Authentication-Protocol

http://www.usb.org/press

Intel Tamper Protection Toolkit

Intel has posted a blog post on their Intel Tamper Protection toolkit:

Intel® Tamper Protection Toolkit Helps Protect the Scrypt Encryption Utility against Reverse Engineering

Roman Kazantsev, Denis K., Thaddeus Letnes

This article describes how the Intel® Tamper Protection Toolkit can help protect critical code and valuable data in a password-based encryption utility (Scrypt Encryption Utility) [3] against static and dynamic reverse-engineering and tampering. Scrypt [4] is a modern secure password-based key derivation function that is widely used in security-conscious software. There is a potential threat to scrypt described in [2] when an attacker can force generation of weak keys by forcing use of specific parameters. Intel® Tamper Protection Toolkit can be used to help mitigate this threat. We explain how to refactor relevant code and apply tamper protection to the utility.

https://software.intel.com/en-us/articles/intel-tamper-protection-toolkit-helps-protect-the-scrypt-encryption-utility-against-reverse
https://software.intel.com/en-us/tamper-protection
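The abstract mentions the threat of an attacker forcing weak scrypt parameters. As an added illustration (example code, not the Intel toolkit and not the Scrypt Encryption Utility’s own code), the parameters read from an untrusted file header are checked against a minimum-strength policy before any key is derived; the header layout and the policy floors are constructed for this example.

```python
import hashlib
import struct

# Minimum-strength policy (assumed values for this example; tune per deployment).
MIN_LOG2_N = 14   # N = 2**14 CPU/memory work factor
MIN_R = 8         # block size
MIN_P = 1         # parallelism

# Constructed header layout (not the real utility's format):
#   magic "SCRX" | log2(N) u8 | r u32 BE | p u32 BE | 16-byte salt
HEADER = struct.Struct(">4sBII16s")

class WeakScryptParameters(ValueError):
    """Raised when an untrusted header requests parameters below policy."""

def parse_header(blob: bytes):
    magic, log2n, r, p, salt = HEADER.unpack_from(blob)
    if magic != b"SCRX":
        raise ValueError("bad magic")
    return log2n, r, p, salt

def check_params(log2n: int, r: int, p: int) -> None:
    # Whoever controls the header can only lower the cost; refuse anything below
    # the floor instead of silently deriving a key that is cheap to brute-force.
    if log2n < MIN_LOG2_N:
        raise WeakScryptParameters(f"N=2**{log2n} is below 2**{MIN_LOG2_N}")
    if r < MIN_R or p < MIN_P:
        raise WeakScryptParameters(f"r={r}, p={p} are below policy")

def derive_key(password: bytes, header: bytes, dklen: int = 32) -> bytes:
    log2n, r, p, salt = parse_header(header)
    check_params(log2n, r, p)
    return hashlib.scrypt(password, salt=salt, n=1 << log2n, r=r, p=p, dklen=dklen)

# Constructed sample headers: one at policy strength, one downgraded to N=16, r=1.
GOOD_HEADER = HEADER.pack(b"SCRX", 14, 8, 1, bytes(range(16)))
WEAK_HEADER = HEADER.pack(b"SCRX", 4, 1, 1, bytes(range(16)))

def demo():
    key = derive_key(b"correct horse", GOOD_HEADER)
    try:
        derive_key(b"correct horse", WEAK_HEADER)
        rejected = False
    except WeakScryptParameters:
        rejected = True
    return len(key), rejected   # -> (32, True)
```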

Vincent on Intel FSP and EDK-II interactions

Vincent Zimmer of Intel has a new blog post, on UEFI’s EDK-II and Intel FSP (Firmware Support Package), and how the FSP works with the EDK-II. Good background, with lots of links.

https://firmware.intel.com/blog/open-source-platforms-edkii-using-intel-fsp

 

For more information on UEFI and FSP, also read the Apress book of which Vincent is one of the authors:

Book Review: Embedded Firmware Solutions

Nikolaj on NVRAM formats, part 3

Nikolaj Schlej already has part 3 of his blog series on NVRAM formats in UEFI! Very long post with lots of information!

On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some other common ones.

https://habrahabr.ru/post/281469/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281469%2F&sandbox=1

Nikolaj on NVRAM formats, volume 2

It also appears he’s released UEFITool NE alpha 25:
https://github.com/LongSoft/UEFITool/releases/tag/NE.A25

Intel Ethernet diagnostics driver for Windows vulnerable

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00051&languageid=en-fr

Potential vulnerability in the Intel® Ethernet diagnostics driver for Windows®
Intel ID: INTEL-SA-00051
Product family: Intel® Ethernet diagnostics driver for Windows®
Impact of vulnerability: Denial of Service
Severity rating: Important
Original release: Apr 11, 2016
CVE Name: CVE-2015-2291

A vulnerability was identified in the Intel diagnostics driver IQVW32.sys and IQVW64.sys, also identified as CVE-2015-2291. Intel released an update to mitigate this issue in June 2015. Intel highly recommends that customers of the affected products obtain and apply the updated versions of the driver.

https://downloadcenter.intel.com/download/22283/Intel-Ethernet-Adapters-Connections-CD
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00051&languageid=en-fr

Schneider to sign PLC firmware

https://twitter.com/ReverseICS/status/720605400249139200

http://www.digitalbond.com/blog/2016/04/14/basecamp-redux-integrity-in-modicon-m580/

I normally only see news on Schneider in the US-CERT advisories and in DEF CON/other presentations about exploits, so it is nice to hear that they are securing their firmware. I wish we’d see news like this from all device vendors.

http://www.schneider-electric.com/ww/en/

http://www.schneider-electric.com/en/search/firmware?category=all

A New Approach for Rowhammer Attacks

Click on the Twitter link for the PDF:

A New Approach for Rowhammer Attacks

Rowhammer is a hardware bug identified in recent commodity DRAMs: repeated row activations can cause bit flips in adjacent rows. Rowhammer has been recognized as both a reliability and security issue. And it is a classic example that layered abstractions and trust (in this case, virtual memory) can be broken from hardware level. Previous rowhammer attacks either rely on rarely used special instructions or complicated memory access patterns. In this paper, we propose a new approach for rowhammer that is based on x86 non-temporal instructions. This approach bypasses existing rowhammer defense and is much less constrained for a more challenging task: remote rowhammer attacks, i.e., triggering rowhammer with existing, benign code. Moreover, we extend our approach and identify libc memset and memcpy functions as a new rowhammer primitive. Our discussions on rowhammer protection suggest that it is critical to understand this new threat to be able to defend in depth.

ByoSoft supports Intel Firmware Engine

https://twitter.com/FirmwareEngine/status/720168913229590528

Intel Developer Forum (IDF) takes place in San Francisco and also in China, and the one in ShenZhen is in the news now. Nanjing Byosoft Co., Ltd — aka Byosoft, a UEFI firmware vendor, announced that their ByoCore(TM) BIOS will fully support Intel Firmware Engine:

“Byosoft is the first vendor to announce full support for Intel® Firmware Engine among the independent firmware vendors in the industry, and the Intel® Firmware Engine technology will offer a low-cost, high-flexibility, easy-to-use service solution to Byosoft’s customers in the Internet of Things (IoT) and embedded market.”
 
“Byosoft believes Intel® Firmware Engine can greatly help customers use the ByoCoreTM BIOS and finish their customization, especially those who don’t purchase the ByoCoreTM source code. Intel® Firmware Engine offers a flexible method of binary-based firmware customization, and without direct support from Byosoft engineers, the customer can finish the firmware modification themselves to create the required image.”

“Byosoft has worked with Intel and upgraded the ByoCoreTM BIOS codebase to support Intel® Firmware Engine. ByoCoreTM customers can quickly customize ByoCoreTM firmware through Intel® Firmware Engine, configuring, adding or removing the existing firmware packages, and integrating user-defined payloads. With Intel® Firmware Engine, ByoCoreTM customers can build customized firmware faster and more easily.”

Full announcement:
http://www.byosoft.com.cn/xwzxx/98.htm

This is great news for the Windows UEFI ecosystem. Again, I wish Intel would release a Linux version of the Windows-only Firmware Engine. 😦

Nikolaj on NVRAM formats, volume 2

Nikolaj has started a series of blog posts on NVRAM formats in UEFI:

First edition is here:

Nikolaj on UEFI NVRAM formats

The second edition is already out:

https://habrahabr.ru/post/281412/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281412%2F&sandbox=1

Looking forward to volume 3!

 

Brian Richardson on UEFI community changes

Brian Richardson of Intel’s UEFI team posted a new blog with information about recent changes in the Tianocore development ecosystem. Brian summarizes recent activity, including Tony Mangefeste’s new community roadmap, the recent UEFI plugfest in Taipei, and other changes:

http://blogs.intel.com/evangelists/2016/04/11/tianocore-community-uefi/

U-Boot’s EFI loader gets El Torito ISO support

Alexander Graf of SuSE has updated his EFI patch for U-Boot, adding the ability to boot from El Torito-style ISOs:

efi_loader: Support loading from El Torito isos

Some distributions still provide .iso files for installation media. To give us greatest flexibility, this patch set adds support for El Torito booting with EFI payloads.

  iso: Make little endian and 64bit safe
  iso: Start with partition 1
  iso: Allow 512 byte sector size
  efi_loader: Split drive add into function
  efi_loader: Add el torito support
  efi_loader: Pass file path to payload
  efi_loader: Increase path string to 32 characters
  distro: Enable iso partition code

For more information, see the full patch:
http://lists.denx.de/mailman/listinfo/u-boot

Nikolaj on UEFI NVRAM formats

Nikolaj Schlej has written the first of a series of articles on NVRAM file formats:

“NVRAM formats of UEFI-compatible firmwares”

It is in Russian. If you don’t read Russian, there are many C structs and colored screenshots that are self-explanatory, and auto-translators (like Google Translate) work pretty well.

If you’ve not been watching UEFITool NE recently, there have been lots of checkins for NVRAM formats.

https://habrahabr.ru/post/281242/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281242%2F&sandbox=1

Nikolaj is also looking for some NVRAM formats for testing:

Hardwear.io: Call For Papers Open

The Call-for-Papers is open for the 2nd annual Hardwear.io conference, the only (?) hardware-centric security conference.

Hardwear.io is seeking innovative research on hardware security. If you have done interesting research on attacks or mitigation on any Hardware and want to showcase it to the security community, just submit your research paper. Hardwear accepts papers on any topic that discusses in-depth hardware and firmware security both from the offensive as well as defensive perspective.

Dates:
CFP Opens: 5th April 2016
CFP Closing Date: 5th July 2016
Final list of speakers online: 15th July 2016
Training: 20th – 21st Sept 2016
Conference: 22nd – 23rd Sept 2016

Training Venue:
The Hague Security Delta
Wilhelmina van Pruisenweg 104
2595 AN The Hague
The Netherlands
Conference Venue: TBD

http://hardwear.io/

Voltron

If you have not looked at Voltron, by Jim Fear, please check it out, it is quite powerful:

https://twitter.com/snare/status/718720138866917376

Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs. Voltron does not aim to be everything to everyone. It’s not a wholesale replacement for your debugger’s CLI. Rather, it aims to complement your existing setup and allow you to extend your CLI debugger as much or as little as you like. If you just want a view of the register contents in a window alongside your debugger, you can do that. If you want to go all out and have something that looks more like OllyDbg, you can do that too.

https://github.com/snare/voltron

 

UEFITool NE Alpha24 released, seeking NVRAM testers

Nikolaj has updated UEFITool NE again, to Alpha 24, with NVRAM support done, and needs help testing it.

Changes:
* parser for all NVRAM formats known to me, including AMI NVAR, TianoCore VSS (Normal, Authenticated, Apple CRC and _FDC), EVSA and Apple Fsys.
* built with Qt 5.6
* still no editing, because of builder code state

Please test NVRAM parsing, I’m waiting for new GitHub issues. If you know another NVRAM format, please add it to issue #43. Happy testing!

https://github.com/LongSoft/UEFITool/releases/tag/NE.A24