CHIPSEC training at TROOPERS!

It appears that two of the Intel CHIPSEC team — Oleksandr Bazhaniuk and Yuriy Bulygin — will be teaching CHIPSEC at TROOPERS next year in Germany!

https://twitter.com/daniel_bilar/status/667386337171935232

https://www.troopers.de/events/troopers16/567_security_below_the_os_with_chipsec_framework/

CHIPSEC aside, there is other hardware security training going on at TROOPERS as well.

https://www.troopers.de/troopers16/trainings/


Linux’s auditd

Heyward Fann has a tweet pointing out a blog post by Vivek Gite showing how to use Linux’s audit feature:

https://twitter.com/fannheyward/status/664009857998200833

The article is from 2007, so “modern” Linux is defined as 2.6.x, but I think the advice is still useful with current Linux…

[…] Modern Linux kernel (2.6.x) comes with the auditd daemon. It’s responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting up the audit log file location and other options. The default file is good enough to get started with auditd. In order to use the audit facility you need to use the following utilities:
=> auditctl – a command to assist in controlling the kernel’s audit system. You can get status, and add or delete rules in the kernel audit system. Setting a watch on a file is accomplished using this command:
=> ausearch – a command that can query the audit daemon logs for events based on different search criteria.
=> aureport – a tool that produces summary reports of the audit system logs.

[…]

http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

updated RISC-V specs

https://blog.riscv.org/2015/11/risc-v-draft-compressed-isa-version-1-9-released/

A. Waterman, Y. Lee, D. A. Patterson, and K. Asanović, “The RISC-V Compressed Instruction Set Manual, Version 1.9,” EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2015-209, 5 Nov 2015.


ARMageddon

ARMageddon: Last-Level Cache Attacks on Mobile Devices
Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Stefan Mangard

In the last 10 years cache attacks on Intel CPUs have gained increasing attention among the scientific community. More specifically, powerful techniques to exploit the cache side channel have been developed. However, so far only a few investigations have been performed on modern smartphones and mobile devices in general. In this work, we describe Evict+Reload, the first access-based cross-core cache attack on modern ARM Cortex-A architectures as used in most of today’s mobile devices. Our attack approach overcomes several limitations of existing cache attacks on ARM-based devices, for instance, the requirement of a rooted device or specific permissions. Thereby, we broaden the scope of cache attacks in two dimensions. First, we show that all existing attacks on the x86 architecture can also be applied to mobile devices. Second, despite the general belief these attacks can also be launched on non-rooted devices and, thus, on millions of off-the-shelf devices. Similarly to the well-known Flush+Reload attack for the x86 architecture, Evict+Reload allows to launch generic cache attacks on mobile devices. Based on cache template attacks we identify information leaking through the last-level cache that can be exploited, for instance, to infer tap and swipe events, inter-keystroke timings as well as the length of words entered on the touchscreen, and even cryptographic primitives implemented in Java. Furthermore, we demonstrate the applicability of Prime+Probe attacks on ARM Cortex-A CPUs. The performed example attacks demonstrate the immense potential of our proposed attack techniques.

http://arxiv.org/abs/1511.04897

TrustZone exploration series

“Bits, Please!” has a very nice blog post on understanding the TrustZone implementation on Qualcomm Snapdragon SoCs:

http://bits-please.blogspot.fr/2015/08/exploring-qualcomms-trustzone.html

Watch for the next blog:

“In the next blog post, I’ll cover more details about Qualcomm’s TrustZone implementation, and the vulnerability I discovered and exploited within its kernel.”

Memory Explorer added to DbgKit

Andrey Bazhan has announced Memory Explorer, a new tool for DbgKit, a fancy add-on to Microsoft’s WinDbg debugger. If you do Windows debugging or forensic analysis, you might want to check this out.

http://www.andreybazhan.com/dbgkit.html


Sly Tom Cat’s UEFI Boot

SlyTomCat has released UEFI Boot, a new Github-hosted project which “is a small and simple project aimed to organize the loading of linux (ubuntu) via UEFI firmware (without any bootloader). The synchronization of UEFI boot options with installed kernel versions is triggered via postinst.d and postrm.d kernel triggers.” Two of the main files in the project are:

* /usr/bin/uefuboot-update – utility to update UEFI boot options according to installed kernel versions
* /etc/uefiboot.conf – configuration file of uefuboot-update utility

It appears to be Ubuntu-centric. Read the readme for the warnings before trying to use it. More information:

https://github.com/slytomcat/UEFI-Boot


GetUEFI, PowerShell script to check UEFI or BIOS

Chris Warwick has released GetUEFI, a new UEFI-centric tool for Windows systems, on Github.

GetUEFI: Determine Firmware Type (UEFI or BIOS)
Chris Warwick, @cjwarwickps, November 2015

The function in this module determines the underlying system firmware (BIOS) type – either UEFI or Legacy BIOS. See the comments at the end of the script file for further detailed notes and references. This Get-FirmwareType function uses three techniques (in helper functions) to determine the underlying machine firmware type, either checking the firmware type recorded by Windows setup or using one of two Win32 APIs that are called from PowerShell through a compiled (Add-Type) class using P/Invoke.

The first method relies on the fact that Windows setup detects the firmware type as a part of the Windows installation routine and records its findings in the setupact.log file in the \Windows\Panther folder. It’s a trivial task to use Select-String to extract the relevant line from this file and to pick off the (U)EFI or BIOS keyword it contains. This technique should work on all versions of Windows.

For Windows 7/Server 2008R2 and above, the GetFirmwareEnvironmentVariable Win32 API (designed to extract firmware environment variables) can be used. This API is not supported on non-UEFI firmware and will fail in a predictable way when called – this will identify a legacy BIOS. On UEFI firmware, the API can be called with dummy parameters, and while it will still fail, the resulting error code will be different from the legacy BIOS case.

For Windows 8/Server 2012 and above there’s a more elegant solution in the form of the GetFirmwareType() API. This returns an enum (integer) indicating the underlying firmware type.

Get-FirmwareType will use one of the above methods based on the version of the Windows OS. Alternatively, the method can be explicitly selected using the -QueryType parameter.

Sounds useful. But what a mess, just to determine the firmware type. You’d think that the Microsoft Windows team would have a GetFirmwareType() API with Hungarian-flavored versions of BIOS, UEFI, and all the other flavors that embedded WinCE and embedded NT use.

More information:

https://github.com/ChrisWarwick/GetUEFI


SeaBIOS 1.9.0 released

Kevin O’Connor announced the release of SeaBIOS version 1.9.0 today, on the SeaBIOS, QEMU-devel, and coreboot mailing lists. New in this release:

* The default boot menu key is now the ESC key (instead of F12)
* Initial support for Trusted Platform Module (TPM) hardware and BIOS calls
* Initial support for chain loading SeaBIOS from Grub (via multiboot support)
* Initial support for booting from SD cards on real hardware
* virtio 1.0 device support
* The build will no longer include the build hostname or build time on “clean” builds. This makes the build binaries more “reproducible”.
* Basic support for running SeaBIOS on Baytrail Chromebooks
* SeaVGABIOS: improved support for old versions of x86emu (the “leal” instruction is now emulated)
* Several bug fixes and code cleanups

TPM support sounds interesting! And remember, if F12 no longer works, try ESC…

More information:
http://seabios.org/Releases
http://seabios.org/Download
http://www.seabios.org/mailman/listinfo/seabios

Flashing Minnows

Vincent points out an interesting article about reading and writing the SPI flash on MinnowBoards from Linux:

Excerpt:

Flashing MinnowBoard MAX With the SPI Hook in Linux

If you are doing development on the MinnowBoard MAX board having the ability to read from, write to, and erase the onboard SPI Flash memory is very useful. The SPI Hook tool from TinCanTools provides exactly this functionality. Priced at only $29USD the SPI Hook provides an affordable alternative to much more expensive tools such as the Dediprog SF100 SPI Flash Programmer that retails for $230USD. The SPI Hook is not as fast as more expensive tools but for most development needs it’s fast enough. The SPI Hook also provides a virtual Serial Port for communicating with the MinnowBoard MAX. […]


http://billtraynor.com/post/2015/11/12/flashing-minnowboard-max-with-the-spi-hook-in-linux/

ELC15 post-conference materials available

There are multiple interesting presentations, mostly at the hardware and OS level, but some at the boot-loader level.

http://events.linuxfoundation.org/events/embedded-linux-conference-europe/program/slides

http://www.elinux.org/ELCE_2015_Presentations

Sigh, WordPress renders a YouTube playlist of N videos by showing only the first one, so the URL is split into two lines below:

https://www.youtube.com/
playlist?list=PLGeM09tlguZTP9-9nMQNGiT_2PPFay0Cs

Internet Society concerned about IoT security and standards

The Internet Society posted an article about concerns on IoT security:

http://www.internetsociety.org/blog/public-policy/2015/10/internet-society-releases-internet-things-iot-overview-whitepaper

http://www.theregister.co.uk/2015/10/19/net_boffins_call_for_standards_in_the_iot_apphappy_vendors_yawn/?mt=1446741061053

misc_util: misc utils for UEFI

Daniel Lin created a new UEFI-centric project on Github last week called “misc_util”. Well named, it contains miscellaneous utilities, 3 for now:

* check_override: GUI script to show the AptioV override folder and double-click to open with Beyond Compare
* showdep: Show a UEFI .depex section in human-readable form
* pdtpacker: Pack up an Intel ISS without an MPDT header into a single PDT.binary with an MPDT header, because the RC will check the header

https://github.com/nitpicker/misc_util


fTPM 2.0 research from Microsoft

There’s a new paper from Microsoft Research, on a firmware-based TPM implementation (fTPM):

https://twitter.com/h0x0d/status/662465826503524352

This paper presents the design and implementation of a firmware-based TPM 2.0 (fTPM) leveraging ARM TrustZone. The fTPM is the reference implementation used in millions of mobile devices, and was the first hardware or software implementation to support the newly released TPM 2.0 specification. This paper describes the shortcomings of ARM’s TrustZone for implementing secure services (such as our implementation), and presents three different approaches to overcome them. Additionally, the paper analyzes the fTPM’s security guarantees and demonstrates that many of ARM TrustZone’s shortcomings remain present in future trusted hardware, such as Intel’s Software Guard Extensions (SGX).

Authors: Himanshu Raj, Stefan Saroiu, Alec Wolman, Ronald Aigner, Jeremiah Cox, Paul England, Chris Fenner, Kinshuman Kinshumann, Jork Loeser, Dennis Mattoon, Magnus Nystrom, David Robinson, Rob Spiger, Stefan Thom, and David Wooten

http://research.microsoft.com/apps/pubs/default.aspx?id=258236