Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Laszlo Ersek of RedHat has updated the EDK2’s FatPkg to use the BSD license!
“This is huge. It will enable Fedora to ship OvmfPkg and ArmVirtPkg builds. It will enable RHEL to ship OVMF in Main. Of course other GNU/Linux distros will benefit similarly.”
I rarely say this as much as I’d like to, but: “Great job Microsoft!”
http://thread.gmane.org/gmane.comp.bios.edk2.devel/9930/focus=9956
Nikolaj Schlej has released a new version of UEFITool. This is an alpha of a big release, as it adds parsering for UI for all major NVRAM formats.
Please help out Nikolaj and test out this alpha release!
The call for papers (and registration) for the 4th RISC-V workshop, this July, is now open:
https://security.googleblog.com/2016/03/bindiff-now-available-for-free.html?m=1
In addition to BinDiff, Diaphora may also be useful for Mac OS X (and other) users:
https://github.com/joxeankoret/diaphora
http://joxeankoret.com/blog/2015/03/13/diaphora-a-program-diffing-plugin-for-ida-pro/
There are a few new QNX-centric security research and tools available:
RU 5.17.0284 Beta came out recently. A lot of UI changes in this release, see the announcement for lots of screenshots. List of minor changes:
Fixed ALT-M is not working for SMBIOS.
UEFI variables: Fixed DEL deletes a variable but the list was not updated accordingly.
Highlight color for key help in command line.
CTRL-F and CTRL-D are just for the first search. CTRL-DOWN and CTRL-UP will continue the last search.
Added more key list on the pull-down menu.
Mass storage: Fixed search did not advance to next LBA.
SMBUS: Fixed compare SMBUS saved file is not working.
RU.EFI screen is moved to the center of 100*31 resolution.
E820: Added 2 more type according to ACPI E820 spec: Unusable and Disabled.
E820: Added Extended Attribute support.
MEMORY: Fixed memory address is always reset while input a new one and RU.EXE could display garbage characters.
SPD: Support Skylake 2 pages SPD.
F1 is changed to display all help lines on info block.
CTRL-F1 is added to display original help window.
https://firmwaresecurity.com/tag/ru-efi/
http://ruexe.blogspot.tw/2016/03/ru-5170284-beta.html
https://github.com/JamesAmiTw/ru-uefi
Intel has a survey for UEFI developers:
https://twitter.com/Intel_UEFI/status/714481953865465856
http://intelcustomer.az1.qualtrics.com/jfe1/form/SV_6lJbxG5BYFFMPSl?Source=Twitter
I hope they show the results.
Dark Reading and other news sources are reporting a new USB malware on the loose, called ‘USB Thief’:
http://www.darkreading.com/attacks-breaches/dangerous-new-usb-trojan-discovered/d/d-id/1324853
Metaphor – Stagefright with ASLR bypass By Hanan Be’er from NorthBit Ltd.
Metaphor’s source code is now released! The source include a PoC that generates MP4 exploits in real-time and bypassing ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. Server-side of the PoC include simple PHP scripts that run the exploit generator – I’m using XAMPP to serve gzipped MP4 files. The attack page is index.php. The exploit generator is written in Python and used by the PHP code.
https://blog.zimperium.com/reflecting-on-stagefright-patches/
William Leara, a UEFI engineer at Dell, has a new blog post giving an introduction to FWTS, Canonical’s FirmWare Test Suite. It is a very complete introduction to FWTS, with many pointers to all of the relevant resources.
http://www.basicinputoutput.com/2016/03/introduction-to-firmware-test-suite-fwts.html
A coreboot convention is in the works for this June in San Francisco area! Excerpt from announcement:
We are going to hold a 4 day coreboot convention in San Francisco, CA, Monday June 13 – Thursday June 16. Google has agreed to host two very nice conference rooms for those 4 days and we are also working to get a block of rooms in a nearby hotel for a reasonable rate.
We plan for two days of talks structured talks, followed by two days of informal discussion and classes. We will have the smaller room open for hacking all four days. We’ll provide flashing equipment and other useful tools; let us know what you need.
There will be a fee for this convention – $250 for corporate employees and $100 for students or individual contributors. If this is an issue, please let us know on the form and we’ll work with you on a fee waiver.
We have set up an outing on Tuesday night to the Long Now Foundation for the first 40 paid registrations (Long Now has space limits) and we’re working on a visit to a local Hackerspace.
Whether you are part of the Open Source community, working for a silicon vendor supporting coreboot already, or are just interested in getting some hands on experience, our goal is to make this an interesting and valuable meeting for all of us. You are welcome to present talk proposals and subject areas you think we should cover. We will be having a talk on RISC-V from Andrew Waterman of SiFive, classes by senior members of the community, and discussions on future directions.
Full announcement:
https://www.coreboot.org/pipermail/coreboot/2016-March/081010.html
http://goo.gl/forms/f8uqHHFL2S.
https://www.coreboot.org/Coreboot_conference_San_Francisco_2016
If you are in Singaport, on Tuesday March 22 there will be a coreboot install party at the Singapore-based ‘HackerspaceSG’ hackerspace:
Matt Gumbel of Intel has submitted a patch to the Linux-EFI and Linux-kernel lists, to add an EFI bootloader control driver to Linux:
efi: Introduce EFI bootloader control driver
This driver intercepts system reboot requests and populates the LoaderEntryOneShot EFI variable with the user-supplied reboot argument. EFI bootloaders such as Gummiboot will consume this variable and use it to control which OS is booted next. We use this with Android where reboot() tells the kernel that we want to boot into recovery or other non-default OS environment. It is the bootloader’s job to guard against this variable being uninitialzed or containing invalid data, and just boot normally if that is the case.
+config EFI_BOOTLOADER_CONTROL
+ tristate “EFI Bootloader Control module”
+ depends on EFI_VARS
+ default n
+ help
+ This driver installs a reboot hook, such that if reboot() is
+ invoked with a string argument NNN, “bootonce-NNN” is copied to
+ the EFI variable, to be read by the bootloader. If the string
+ matches one of the boot labels defined in its configuration,
+ the bootloader will boot once to that label.
For more information, see drivers/firmware/efi/efi-bc.c, the linux-efi or linux-kernel mailing lists:
http://vger.kernel.org/majordomo-info.html
Eric Dong of Intel has submitted an 8-part patch to enable TCG OPAL password support in UEFI:
Enable Opal password solution: These patches used to enable opal password solution in BIOS. Opal feature defined in TCG storage Opal spec. This opal solution is a sample driver shows how to use opal feature in bios. It enables user to config opal feature in the setup page and popup dialog to let user unlock device in boot phase. It auto unlock opal device in S3 resume phase.
MdePkg: Add definition for TCG Storage Core and Opal specs.
SecurityPkg: TcgStorageCoreLib: Add TCG storage core library.
SecurityPkg: TcgStorageOpalLib: Add TCG storage opal library.
SecurityPkg: OpalPasswordSupportLib: Add Opal password support
library.
SecurityPkg: Add library header file definition to package.
SecurityPkg: OpalPasswordDxe: Add Opal password dxe driver.
SecurityPkg: OpalPasswordSmm: Add Opal password Smm driver.
SecurityPkg: Enable Opal password solution build in Security package
build.
39 files changed, 21524 insertions(+)
For more information:
https://lists.01.org/mailman/listinfo/edk2-devel
This Ekoparty 2012 presentation — uploaded this month — (video in Spanish) covers both BIOS and UEFI (GOP).
Click to access corelabs-ekoparty-2012-VGA_Persistent_Rootkit.pdf
Secure or configurable, pick one. 😦 On the Windows PC world, this shows up as UEFI with Secure Boot. On the Chrome PC world, this shows up as coreboot with Verified Boot. Mobile device vendors are also having to deal with it, as this article on XDA Developers discusses:
[…] The truth has been there for some time. The more we rely on these same devices to handle very secure data and tasks, the more we have to make sure that they’re secure. Let’s take the recent kerfuffle with Samsung. Secure boot features from Qualcomm block anything with an improper signature being run on the system, including custom recoveries, kernels and ROMs. That may be frustrating for those of you who want to do that, but we have to realize that a much larger part of the market share neither wants, needs or even expects the system to allow such a lack of security. It’s not what’s actually being done that’s the problem; it’s what is made possible by the reduced security that poses the greater risk. To further reinforce the fact that this is becoming the norm, readers only have to understand UEFI Secure Boot and how that is doing the same thing in the PC world. What does that mean for those of us who want to see open development on those mainstream devices? Just like PCs still have options that don’t require UEFI Secure Boot we will continue to see options in the world of Android that will remain open. […]
Full article:
http://www.xda-developers.com/opinion-why-end-user-devices-are-locked-down-for-security-and-why-they-have-to-be/
Excerpt from IEEE article:
Domain Wall Memory: The Next Big Thing in Hardware Security?
University of South Florida researchers recently set out to find a way to give consumers more bandwidth. What they stumbled upon, however, may very well become a valuable hardware network security tool. An article in IEEE Journal on Emerging and Selected Topics in Circuits and Systems details how the team originally investigated new ways to design cache using domain wall memory (DWM), which is ideal for the application due to its low standby power, fast access time and good endurance. The researchers tested a physics-based model of DWM to determine how it behaves under temperature, radiation and velocity. That’s when they inadvertently discovered that DWM’s characteristics make it a potential asset for hardware security purposes.
[…]
“Our original research sought to design new cache using DWM,” said Anirudh Srikant Iyengar, lead researcher of the group. “But once we determined how difficult hacking a system like this would be, we changed directions and started looking at hardware security. The way DWM is designed makes it extremely hard to copy. Hardware security could greatly benefit from this.”[…]
Full article:
https://twitter.com/FirmwareEngine/status/710460703048511488
http://lkml.iu.edu/hypermail/linux/kernel/1603.2/01137.html
For the next Linux kernel, there are some new UEFI improvements to look forward to. Excerpting email from Ingo Molnar:
The main changes are:
– Use separate EFI page tables when executing EFI firmware code. This isolates the EFI context from the rest of the kernel, which has security and general robustness advantages. (Matt Fleming)
– Run regular UEFI firmware with interrupts enabled. This is already the status quo under other OSs. (Ard Biesheuvel)
– Various x86 EFI enhancements, such as the use of non-executable attributes for EFI memory mappings. (Sai Praneeth Prakhya)
– Various arm64 UEFI enhancements. (Ard Biesheuvel)
Zachary Cutlip has written an exploit framework for MIPS:
The Bowcaster Exploit Development Framework, implemented in Python, is intended to aid those developing exploits by providing useful set of tools and modules, such as payloads, encoders, connect-back servers, etc. Currently the framework is focused on the MIPS CPU architecture, but the design is intended to be modular enough to support arbitrary architectures.
https://github.com/zcutlip/bowcaster
https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/hedwig_cgi_httpcookie
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Discover the Desktop
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
News from coreboot world
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Just another WordPress.com site
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Firmware Security 
You must be logged in to post a comment.