Hastily-written news/info on the firmware security/development communities, sorry for the typos.
I’ve been avoiding news on IoT security, since the New Year has all the news sites full of IoT predictions, most related to security concerns…
Since Star Wars is topical again, there’s a firmware vulnerability in the new movie’s droid toy:
http://www.theregister.co.uk/2016/01/08/star_wars_iot_bb8_toy_vuln/
For a while now, the Free Software Foundation has had it’s RYF (Respects Your Freedom) hardware certification program. Companies send samples of their product to the FSF for testing. If it passes muster, the company is able to use the FSF RYF certification mark. The FSF presumes that people need not fully understand technology, and can instead trust the FSF and this certification mark, and know that this research has been done for them. This year, they’ve certified 6 new devices, half of which are legacy retroffitted hardware, half are new devices:
“The RYF certification program is one of the most important parts of the FSF’s work — and one of the most promising and successful parts. Since announcing our first RYF-certified product in October 2012 (the LulzBot AO-100 3D printer), we have certified a total of eighteen different hardware devices sold by five different companies. In 2015 alone we awarded RYF certification to six new devices:
* 3 laptops: Libreboot X200 and T400 from Minifree, and the Taurinus X200 from Libiquity.
* 2 3D-printers: The LulzBot TAZ 5 and the LulzBot Mini by Aleph Objects.
* 1 wireless router: The Free Software Wireless-N Mini Router (TPE-R1100) sold by ThinkPenguin.”
https://www.fsf.org/blogs/licensing/hardware-we-certified-in-2015-to-respect-your-freedom
https://www.fsf.org/ryf
https://www.fsf.org/resources/hw/endorsement/criteria
https://my.fsf.org/donate/?pk_campaign=2015-appeal&pk_kwd=ryf
https://my.fsf.org/join?pk_campaign=2015-appeal&pk_kwd=ryf
Bluntly, I really don’t understand why the FSF isn’t doing more to push crowdfunding of their “Free Hardware”, or even mentioning their Free Hardware concept in the RYF hardware program, or giving presentations at Embedded Linux Conference and elsewhere to discuss this with OEMs, and not helping any of the open architecture designs (GPL’ed OpenRISC, BSD LowRISC/RISC-V, etc.), or mentioning available and up-and-coming devices (eg, Inverse Path’s USB Armory, Olimex’s OSH ARM64 laptop, some of the new devices that can run Libreboot w/o blobs, etc.. I was hoping for more when RMS blessed CrowdSupply.com as funding source for GPL hardware… It looks like the best we can hope for is the above RYF Donate button. 😦
Not only do you have to study your Linux distribution to see if/how it uses Secure Boot, you also need to research if/how it gets firmware updates.
https://blueprints.launchpad.net/ubuntu/+spec/foundations-w-uefi-capsule-update
“Ubuntu should support updating firmware for systems and components (but not peripherals) via EFI UpdateCapsule (see EFI Capsule specification, in Related Links), so that users do not require Windows or DOS to apply BIOS/component firmware updates, and as such updates are easily available to all Ubuntu users. Peripheral firmware updates are not technically supported by the UEFI Capsule specification, and so are out of the scope of this blueprint.”
I also wonder about non-GNOME systems, how do KDE systems get firmware updates?
Judith Vanderkay posted an article on the NVM Express blog about an updated release of a tool of theirs:
Drive Trust Alliance adds NVMe support to SEDutil:
Drive Trust Alliance maintains the popular sedutil application (formally called msed), which eases configuration of Self-Encrypting Drives implementing the TCG OPAL specification. Until recently only SATA/SCSI drives were supported by sedutil. As of the 1.10 release, NVMe SEDs are officially supported by the Linux version of sedutil. This paves the way for NVMe OPAL SED adoption across a wide variety of datacenter, workstation, client, mobile, and IoT platforms.”
http://www.nvmexpress.org/blog/drive-trust-alliance-adds-nvme-support-to-sedutil/
https://github.com/Drive-Trust-Alliance/sedutil
https://github.com/r0m30/msed
https://github.com/Drive-Trust-Alliance
VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
VMware Security Advisory
Advisory ID: VMSA-2016-0001
Synopsis: VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
Updated on: 2016-01-07 (Initial Advisory)
CVE numbers: CVE-2015-6933
Impacts:
VMware ESXi 6.0 without patch ESXi600-201512102-SG
VMware ESXi 5.5 without patch ESXi550-201512102-SG
VMware ESXi 5.1 without patch ESXi510-201510102-SG
VMware ESXi 5.0 without patch ESXi500-201510102-SG
VMware Workstation prior to 11.1.2
VMware Player prior to 7.1.2
VMware Fusion prior to 7.1.2
VMware would like to thank Dmitry Janushkevich from the Secunia Research Team for reporting this issue to us.
See full announcement for more information, including patch/workarounds.
http://www.vmware.com/security/advisories/VMSA-2016-0001.html
http://kb.vmware.com/kb/2078735
From September:
https://twitter.com/jjstevensjj/status/660175493023559681
http://centrifuge.tacnetsol.com/
I can’t find any presentations or documentation about Centrifuge. If you spot any, please leave a Comment (see left of page). Thanks.
Hitmoon has created MyRop, a ROP tool based on Capstone that targets ARM systems.
[[UPDATE: As Teddy Reed points out, this information is in the Ubuntu wiki, not just in a Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532
“IMPORTANT: Canonical’s Secure Boot implementation in Ubuntu 15.10 and early is primarily about hardware-enablement and this page focuses on how to test Secure Boot for common hardware-enablement configurations, not for enabling Secure Boot to harden your system. If you want to use Secure Boot as a security mechanism, an appropriate solution would be to use your own keys (optionally enrolling additional keys, see above) and update the bootloader to prohibit booting an unsigned kernel. Ubuntu 16.04 LTS is planned to enable enforcing secure boot (see LP: #1401532 for details). “]]
Research the implementation of UEFI Secure Boot by a Linux/FreeBSD distro before presuming to rely on it to provide any security. 😦
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1475954/comments/1
CanSecWest is around the corner, and some of the training has been announced.
The USB Armory group is giving a day of TrustZone training.
John Butterworth, one of the group of MITRE BIOS researchers — along with LebaCore — who created Copernicus, is giving FOUR days of UEFI training! I am not sure I’ve seen John offer BIOS/UEFI training for a while, so this is exciting!
https://cansecwest.com/dojo.html
March 15, Mastering ARM TrustZone with USB armory by Andrea Barisani & Andrej Rosano
March 12-13, UEFI BIOS Platform Security2 Understanding Attacks and Defense by John Butterworth
March 14-15, UEFI BIOS Platform Security: Understanding Attacks and Defense by John Butterworth
Laurie Jarlstrom of Intel has announced a documentation update to the UEFI Forum’s EDK II Specifications:
“Announcing the V1.25 and V1.26 updates to the EDK II Specifications. Go to the EDK II Specifications page to download the latest documentation.”
These are the specs beyond the UEFI Forum’s PI and UEFI specs, focused on development implementation details of Tianocore’s EDK-II.
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Specifications
http://article.gmane.org/gmane.comp.bios.edk2.devel/6371
At the 3rd RISC-V Workshop, there have been presentations by coreboot and UEFI. The below blog has some notes on these presentations:
http://riscv.org/workshop-jan2016.html
http://www.lowrisc.org/blog/2016/01/third-risc-v-workshop-day-one/
Apparently, someone is porting UEFI to RISC-V. I wonder what company is funding/doing it??
0xAX has a new blog post, discussing how GRUB works.
It is a nicely-detailed blog post, one day I wish I hope to be able to have blog posts with such rich content.
http://0xax.github.io/how-does-gnu-grub-work.html#.VovK1179mV4
Pau Oliva has a presentation at NO CON NAME 2015 on Untrusted Execution Environments, presentation slides and video available online. Focus appears to be mostly ARM-centric. Presentation video is in Spanish.
Vimeo.com URL:
SysIntenals, now acquired by the Microsoft TechNet team, has some new tool announcements:
Sigcheck v2.4
Sysmon v3.2
Process Explorer v16.1
Autoruns v13.51
AccessChk v6.01
The Trustworthy Computing Group has a new blog post, talking about IoT security, specifically about Industrial IoT Security Working Group involvement.
http://www.iiconsortium.org/wc-security.htm
Someone just pointed out that Mozilla Firefox treats GPUs differently when it uses WebGL:
https://hg.mozilla.org/mozilla-central/file/tip/widget/windows/GfxInfo.cpp#l817
This got me thinking how little I know about GPU security. 😦
There’s a bit on GPU security in the August Intel security report:
http://www.securityweek.com/gpu-malware-not-difficult-detect-intel-security
Click to access rp-quarterly-threats-aug-2015.pdf
I noticed the tool Cryptohaze, but it appears to have not been updated since 2013 or so:
http://www.cryptohaze.com/
http://blog.cryptohaze.com/
http://sourceforge.net/projects/cryptohaze/files/
“Cryptohaze is the home of high performance, open source, network-enabled, US-based cross-platform GPU and OpenCL accelerated password auditing tools for security professionals. The tools run on all platforms that support CUDA or OpenCL (currently Windows, Linux, OS X). If you don’t have a GPU – the OpenCL code will run just fine on your host CPU!”
If you know of other useful GPU security tools, please speak up!
Burt Triplett of Intel has announced the version 2070 release of BITS (BIOS Implementation Test Suite). The main new feature is network support, but also includes new UEFI and ACPI and Python features, better command line features, and other new features. I’ve just excerpted the first paragraph of the networking-centric portion of the announcement below, there are a lot of implementation caveats to read. See the full announcement for the list of features and bugfixes.
Note that there is also a new BITS mailing list, see below URL for ‘first post’ message in the archives:
BITS on EFI now supports TCP networking, using the Python socket module and various modules built atop it. On EFI systems that provide `EFI_IP4_CONFIG_PROTOCOL` and `EFI_TCP4_SERVICE_BINDING_PROTOCOL`, we implement a `_socket` module in Python with support for TCP sockets over IPv4. We then include Python’s higher-level socket module that runs on top of `_socket`.
https://lists.01.org/mailman/listinfo/bits
https://lists.01.org/pipermail/bits/2016-January/000000.html
http://biosbits.org/news/bits-2070/
http://biosbits.org/downloads/bits-2070.zip
https://github.com/biosbits/bits
Nikolaj has written a UEFI DXE driver that takes screenshots. In addition to a useful new UEFI tool (since taking pre-OS screenshots outside of a VMM are often a PITA), the article is a nice introduction to EFI development. Attackers can use techniques like this to capture display activity in the background, just like they do in OS-level malware.
UEFI DXE driver to take screenshots from GOP-compatible graphic console: This DXE driver tries to register keyboard shortcut (LCtrl + LAlt + F12) handler for all text input devices. The handler tries to find a writable FS, enumerates all GOP-capable video devices, takes screenshots from them and saves the result as PNG files on that writable FS. The main goal is to be able to make BIOS Setup screenshots for systems without serial console redirection support, but it can also be used to take screenshot from UEFI shell, UEFI apps and UEFI bootloaders.
See the readme and the blog post (in Russian) for more information:
https://github.com/NikolajSchlej/CrScreenshotDxe
From the FreeBSD Foundation’s December 2015 (end-of-year) update, in summarizing their development efforts, they mention firmware (as well as improvements to x86 hardware support, and AArch64 support):
UEFI and secure boot: FreeBSD’s UEFI boot support needs to interoperate with many different EFI firmware implementations, and it’s only after broad testing that we were able to identify some incompatibilities. Through effort from Foundation staff and from volunteers in the FreeBSD community we’ve fixed UEFI boot on a variety of hardware and virtualization platforms, including Apple Macbook and Mac Pro computers and VirtualBox and VMware. These improvements will be available in FreeBSD 11.0 and 10.3. We also started working on support for secure boot. To date we’ve been working on individual tools — the uefisign(8) utility to add Authenticode signatures to EFI files, and the sysutils/pesign, sysutils/sbsigntool and sysutils/shim ports. Next year we’ll integrate these components into a broader secure boot implementation.
More information: click on the tiny-URL PDF in the below tweet:
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Discover the Desktop
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
News from coreboot world
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Just another WordPress.com site
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Firmware Security 
“Ubuntu’s support for secure boot is solely intended as a compatibility measure so that media can boot on secure boot enabled computers. There are no current plans to enable secure boot as a security measure.”