Facebook’s osquery

I only recently learned about Facebook’s osquery project. If you have not looked at it, it is fairly impressive.

https://twitter.com/mikearpaia/status/697231558026002432

Mike Arpaia and Ted Reed of Facebook have a post on Facebook infrastructure, and they include firmware in their coverage of infrastructure testing:

In late 2014, we released osquery to the open source community. It’s now an increasingly important element of maintaining insight into the security of Facebook infrastructure. As such, it’s held to incredibly strict security standards to ensure we’re not introducing new vulnerabilities into our network. We also committed to a high standard of code quality when we open-sourced it because we want to build a community of trust with a secure software development ecosystem. In this same vein, we believe it’s important for people who use osquery to know what we do to keep it secure. […]

https://code.facebook.com/posts/226775617661196/in-pursuit-of-secure-open-source-software/

Minnowboard is part of GSoC16

The Minnowboard project is part of the Google Summer of Code project. If you are a student, this might be a good opportunity for you to start on a new project. There are dozens of things that should be done with coreboot, U-Boot, UEFI, SeaBIOS.

According to the wiki, students will get a Minnowboard Turbot, and some cables.

The MinnowBoard project is an open hardware platform that uses Intel Architecture. While the project, overall, is focused on hardware there are a lot of things surrounding this effort that can, and are, useful both to the project and to the greater open source community. As such the MinnowBoard project (from a GSoC perspective) is more of an umbrella giving a home to a number of other projects to collectively work on and around the enablement of the MinnowBoard. These projects not only help the MinnowBoard project, but also enable other open source projects and software. These tend to be smaller projects or projects that are more tightly focused and would not otherwise be a part of GSoC, but that could benefit from additional contributors.

More information:

http://wiki.minnowboard.org/GSoC2016

USB devices phoning home

Roland Schilling and Frieder Steinmetz have interesting new research on USB data exfiltration:

USB devices phoning home

USB is a versatile standard defining various features to allow maximum flexibility for devices. This flexibility, by design, leads to complex device configurations, combining multiple functions into one, making it impossible for users to identify the function of a device by its looks. This can be exploited by crafting programmable USB devices, looking and behaving like an ordinary flash drive that also expose virtual network devices and other functionality to their host OS. This paper outlines such a device, exploiting several USB features to establish a rogue HTTP channel used to leak data stored on the device’s disk to an internet back end. We describe the device itself and its architecture and our conclusions and methods for dealing with the issues presented in a user–friendly way.

https://tubdok.tub.tuhh.de/handle/11420/1282

Repo for the paper “USB Devices phoning home”
https://github.com/willnix/usbpoc

EDK2 issue tracking

The Tianocore project, the open source subset of the UEFI Forum’s private UEFI implementation, is talking about getting an issue tracking system:

Excerpting from the initial thread on the topic:

The built-in issue tracking system that comes with GitHub isn’t sufficient to satisfy a key requirement. There needs to be support for multiple Tianocore-related programs. As you know Intel has a system today that’s internal to Intel where we track issues. That does not meet the needs of the community. And to help improve transparency, and better engage with the community I’m driving the discussion and bring up of a bug tracking system. The goal is to have one operational by March 21, 2016 (WW13). We’re 6 weeks and counting from that deadline. I’m interested in community feedback, gathering requirements, and feedback on proposals for which system to use. We’re going to transform issue tracking on Tianocore into a transparent, community driven behavior. Key requirements for the system include (but not limited to):
* OSS (does not have to be free)
* Ability to bulk import/export databases, data (CSV)
* Secure, ability to shield sensitive issues
* Group credential management
* Supports mobile views (phone/tablet)
* Ability to generate reports
* Can be used to generate quick tasks for community members (e.g. Find a Task)
* Integrate with GitHub

Speak up if you have input. More info:
https://lists.01.org/mailman/listinfo/edk2-devel

(I’m hoping they are also going to spend some time updating the Tianocore Security Advisories. They have only done 2 of them, and it has been over a year since those have been published. I expect there are a few Tianocore issues that merit security advisories, but nobody is spending time to publish new advisories.)

Tony Mangefeste, new Tianocore community manager

Tony Mangefeste of Intel is the new “Community Technology Lead, Tianocore Community Manager”. Yesterday he posted a message to the edk2-devel mailing list with an introduction. Two excerpts:

“I’m your new Tianocore community manager. As best as I can tell, no one has had this role, and I’m the first. And I’m thrilled to have the opportunity to help Tianocore evolve into an awesome-er OSS program.”

“What’s going to change with Tianocore? I hope much positive change will come. More details will follow in the coming weeks. As many of you know, several of our members (led by Erik, Jordan) have been leading the efforts to move to GitHub.  That’s just the tip of the iceberg of improvements that are coming.  If there are barriers to contribution levels, I want to help knock those down.  If we can’t knock them down, I want to navigate around them.”

Full post:
http://article.gmane.org/gmane.comp.bios.edk2.devel/7458

He has just created new Tianocore feeds on Twitter and Google+:
https://twitter.com/tianocore/
https://plus.google.com/communities/104320775708339899382

I noticed a non-ISO-licensed tree in the new Github tree, which may be helpful for Linux, a home non-BSD FOSS code. I hope Tianocore appropriately encourages and maintains this in conjunction with the BSD tree. I hope that in addition to Twitter and Google+ posts, the community manager helps with community-led questions about Tianocore, like the FW_OS_Forum. So far this list does not appear to be useful for the community. It’d be great to see UEFI Forum and its members generate a GSoC for Tianocore, more than just maintaining a wishlist of projects on their wiki. I’d like to see more work with UEFI team with coreboot and U-Boot projects using EFI as a payload. I really wish UEFI forum was a bit more open in their events. Right now events are only for members, and the only public events are ‘developer roadshow’-style groomed subset talks. Anyway, enough of me wondering about how Tianocore could do community better. If you have some ideas, contact Tony.

PLUG: UEFI Tuesday

If you are in the Philadelphia area, the Philly LUG has a talk on UEFI by Rich Mingin:

This month, PLUG North will feature a talk on UEFI by Rich Mingin. UEFI is a firmware interface that is displacing the traditional BIOS firmware on PCs. Find out more about how it interacts with Linux and other FOSS operating systems in this presentation.

http://lists.netisland.net/archives/plug/plug-2016-02/msg00019.html

http://www.phillylinux.org/meetings.html

Stewart Smith on OpenPOWER firmware

Stewart Smith of IBM posted a new blog entry, announcing availability of the video of his recent OpenPOWER firmware talk at LinuxConf.AU:

In mid 2014, IBM released the first POWER8 based systems with the new Free and Open Source OPAL firmware. Since then, several members of the OpenPower foundation have produced (or are currently producing) machines based on the POWER8 processor with the OPAL firmware. This talk will cover the POWER8 chip with an open source firmware stack and how it all fits together. We will walk through all of the firmware components and what they do, including the boot sequence from power being applied up to booting an operating system. We’ll delve into:
– the time before you have RAM
– the time before you have thermal management
– the time before you have PCI
– runtime processor diagnostics and repair
– the bootloader (and extending it)
– building and flashing your own firmware
– using a simulator instead
– the firmware interface that Linux talks to
– device tree and OPAL calls
– fun in firmware QA and testing

My linux.conf.au 2016 talk “Adventures in OpenPower Firmware” is up!

vUSBf – QEMU/KVM USB-Fuzzing framework

vusbf-Framework: A KVM/QEMU based USB-fuzzing framework.
Sergej Schumilo, OpenSource Security Spenneberg 2015
Version: 0.2

A USB-fuzzer which takes advantage of massive usage of virtual machines and also offers high reproducibility. This framework was initially released at Black Hat Europe 2014. This software is licensed under GPLv2. vUSBf was written in Python2 and requires the Scapy-framework. This framework provides:
* USB-fuzzing in practical time frames
* multiprocessing and clustering
* export sequences of payloads and replay them for debugging or investigation
* XML-based dynamic testcase generating
* expandable by writing new testcases, USB-emulators or monitoring-modules

https://github.com/schumilo/vUSBf

Intel roadshow for Xeon Phi code modernization

Intel, in partnership with Bayncore, is doing a free roadshow, 1-day workshop in a few European cities, on “code modernization” for the Intel Xeon Phi processor. So far, Dublin, Cambridge, and Barcelona are the only 3 cities listed in the tour. The event is free, so if you’re in the area, use Intel System Studio, and do parallel processing and other coding techniques that need “modernization”, check out this event. Agenda:

INTEL TECHNOLOGY PLATFORM FOR HPC & PROCESSOR UPDATE
MEET INTEL PARALLEL STUDIO XE 2016 – WHAT’S NEW?
OPTIMIZE AND PERFORM WITH INTEL MPI
HPC MEETS BIG DATA – CODING HIGH-PERFORMANCE ANALYTICS IN C++ USING INTEL’S NEW DATA ANALYTICS ACCELERATION LIBRARY
BEST PRACTICES FOR VECTORIZATION – PARALLELISM AT CORE LEVEL (SIMD)
TUTORIAL – REAL WORLD EXAMPLES FOR VECTORIZATION
CODE OPTIMIZATION IN A 3D DIFFUSION MODEL
CASE STUDY – PAIRWISE SEQUENCE ALIGNMENT WITH THE SMITH-WATERMAN ALGORITHM

http://www.inteldevconference.com/
http://www.intel.com/content/www/us/en/processors/xeon/xeon-phi-detail.html


UEFI VirtualBox tutorial

There’s another new Github project related to UEFI, this one is a tutorial using UEFI under VirtualBox. Most use of virtualized UEFI occurs under QEMU, but VirtualBox also supports UEFI’s OVMF (Open Virtual Machine Firmware) format, so it is nice to see more documentation on using UEFI with VirtualBox, not only QEMU.

Tutorial on making UEFI with CMake and VirtualBox

UEFI Bare Bone Exercise

by Emanuele Ruffaldi using CMake, mxe and VirtualBox/Qemu

Related instructions from OSDEV: http://wiki.osdev.org/UEFI_Bare_Bones
Other related project (Make+QEmu): https://github.com/tqh/efi-example http://www.rodsbooks.com/efi-programming/hello.html

Requirements:
 *  GCC Cross Compiler x86_64-w64-mingw32. MXE is fine
 * MTools
 * GNU-efi

[…]

 

https://github.com/eruffaldi/uefiboot

Intel blog: attackers moving down toward hardware

I always miss lots of firmware news. 😦 I just now noticed this blog post from 11/2015 from Intel Security executives:

Hardware.Next: Diving deeper into the stack—understanding the dangers of hardware and firmware vulnerabilities
https://blogs.mcafee.com/executive-perspectives/hardware-next-hardware-firmware-vulnerabilities-provide-tools-attackers-defenders/

It gives me a big ‘deja-vu’ to the 4/2014 blog post from elsewhere at Intel:

Attackers Expand to Hack Hardware
https://communities.intel.com/community/itpeernetwork/blog/2015/04/15/attackers-expand-to-hack-hardware

I guess if you’re a chip company, this will be your perspective, that attackers are coming from usermode down to attack their hardware.

February’s Google Nexus security bulletin is out

The Google Nexus Security team has released their monthly security bulletin.

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49G or later and Android M with Security Patch Level of February 1, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level.
[…]
We would like to thank these researchers for their contributions:
* Android and Chrome Security Team: CVE-2016-0809, CVE-2016-0810
* Broadgate Team: CVE-2016-0801, CVE-2015-0802
* David Riley of the Google Pixel C Team: CVE-2016-0812
* Dongkwan Kim (dkay@kaist.ac.kr) of System Security Lab, KAIST: CVE-2015-6614
* Gengjia Chen (@chengjia4574) of Lab IceSword, Qihoo 360: CVE-2016-0805
* Hongil Kim (hongilk@kaist.ac.kr) of System Security Lab, KAIST: CVE-2015-6614
* Qidan He (@Flanker_hqd) of KeenLab (@keen_lab), Tencent: CVE-2016-0811
* Seven Shen (@lingtongshen) of Trend Micro (www.trendmicro.com): CVE-2016-0803
* Weichao Sun (@sunblate) of Alibaba Inc: CVE-2016-0808
* Zach Riggle (@ebeip90) of the Android Security Team: CVE-2016-0807
[…]

See the full bulletin for specifics on each of the CVEs:

https://source.android.com/security/bulletin/2016-02-01.html

Mozilla abandons B2G platform, announces new as-yet-unabandoned IoT platform

In a move that reminds me of the previous version of the Tizen project, Mozilla Corp. — after recently abandoning Thunderbird — just abandoned its Firefox OS and its developers. Now it is ready to call developers to re-flock and support Mozilla Corp.’s latest ‘pivot’, the Internet of Mozilla-based Things. Here’s a post from Copperhead Security, a security-centric fork of Android AOSP, emulating a post from the “Internet of Shit”, on the Mozilla IoT announcement:

“The Internet of Things is apparently too secure. Mozilla is here to save the day by bringing web technology to your barbecue and desk lamp.”

“Connected Devices Participation is in early days, a great time to get involved. But we are moving fast. Stay with us as we set everything up.”

More information:
https://wiki.mozilla.org/Connected_Devices/Product_Innovation_Process
https://wiki.mozilla.org/Connected_Devices/Participation
https://github.com/mozilla-b2g

Firefox OS Pivot to Connected Devices


https://discourse.mozilla-community.org/t/firefox-os-connected-devices-announcement/6864

Board Design Files for Minnowboard Turbot available

John Hawley of Intel announced on the Minnowboard mailing list the availability of board design files for the ADI MinnowBoard Turbot, released by Mentor Graphics.

3D STEP files now available – Courtesy of Mentor Graphics. Just wanted to let everyone know that Mentor Graphics has just released accurate STEP files for ADI MinnowBoard Turbot. I know there’s been folks interested in getting these for a variety of reasons, and while I’ve attempted to respond to the folks who have pinged me directly, I wanted to make sure that everyone is aware that those are now available. If you’ve got any problems with them, let me know, and serious thanks go out to Mentor Graphics for doing this!

More information:
http://wiki.minnowboard.org/MinnowBoard_Turbot#MinnowBoard_Turbot_Rev_X205_.28PCB_Rev_F200.29
http://lists.elinux.org/mailman/listinfo/elinux-minnowboard
http://minnowboard.57273.x6.nabble.com/MinnowBoard-3D-STEP-files-now-available-Courtesy-of-Mentor-Graphics-td2061.html
https://firmwaresecurity.com/tag/minnowboard/

Two quotes from the Minnowboard wiki:

“The design files are released under Creative Commons CC-BY-SA.”

“The MinnowBoard Turbot is intended to comply with all requirements and guidelines set forth by the Open Source Hardware Association (OSHWA).”

The word “intended” is probably significant; regardless I’m happy to see Minnowboard intending to be OSH. I hope they fulfill this intended goal! 🙂

Firmware as a marketing weapon

Recently Dell added some new UEFI-based security to their business-class systems.

This is an interesting response from an analyst on this move:

Today, it appears Windows uses different levels of firmware security, based on how long you’ve been using some legacy hardware.

http://www.itwire.com/opinion-and-analysis/open-sauce/68262-windows-10-no-secure-boot-unless-microsoft-tax-is-paid
https://msdn.microsoft.com/en-us/library/dn917885%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/dn756793%28v=vs.85%29.aspx

AFAICT, this has been happening for years, I forget when it started. Rooted smartphones are one camp. Game consoles are another. Apple started using EFI to only let Apple Mac Servers load Apple Mac OS X Server software, no other OS. Microsoft does likewise with all of their consoles and mobile devices. When the OS vendor is *also* the OEM, secure firmware technologies act like DRM for the maker, to ensure their software is tied to their hardware.

I am worried that we’ll start seeing devices using their firmware security technologies — coreboot Verified Boot, UEFI Secure Boot, TCG Measured Boot, TXT Trusted Boot, U-Boot Verified Boot, etc. — intentionally turn into bricks at the firmware level, if the manufacturer is not happy with their return on investment with the consumer. As Daniel mentions above, if the customer does not pay their service contract, and they don’t own the device anyway, why not brick it, until the customer sends valid payment? 😦

Trammel video on Thunderstrike

There is a new video of Trammel Hudson giving a presentation on Thunderstrike!

https://twitter.com/qrs/status/695675928026939392

The Repair Association

http://motherboard.vice.com/read/a-new-advocacy-group-is-lobbying-for-the-right-to-repair-everything

Stand Up For Repair In Your State: We are working to pass Fair Repair legislation at the state level, so that every consumer and every small business has access to the parts, tools, and service information they need. Protect repair jobs. Defend your right to repair. Support Fair Repair.

http://repair.org/