Hex Rays contest results

September 23, 2015 ~ hucktech ~ Leave a comment

Hex-Rays Plugin Contest Results: https://t.co/JYP7V3uKUP #REhints

— REhints (@REhints) September 23, 2015

We’ve had 7 contestants this year! All plugins were interesting, but we had to choose three. Here’s the final ranking:

* First prize (1900 USD): Yaniv Balmas, Dynamic IDA Enrichment (DIE) framework
* Second prize (950 USD): Steven H. H. Ding, Kam1n0
* Third prize (450 USD): Alexander Matrosov, Eugene Rodionov, Rodrigo Branco & Gabriel Barbosa, HexRaysCodeXplorer

https://hex-rays.com/contests/2015/index.shtml

Note that one of the winners is from firmware security researchers! Congratulations!

https://hex-rays.com/contests/2015/codexplorer/CodeXplorer-Plugin_Contest_2015.zip

https://github.com/REhints/HexRaysCodeXplorer

Atlas probe hacking

September 23, 2015 ~ hucktech ~ Leave a comment

MDSec labs posted a blog analyzing an embedded device (‘IoT sensors’), trying to to assess the security of the device in order to determine if it could be compromised and leveraged to attack their client’s organization and/or customer infrastructure. They follow a standard methodology to access the device:
* Initial Hardware Communication to view the console output
* Gaining Interactive Console access gain a root shell
* Exploring the Device to determine weaknesses
* Conclusions: How can device secrets, data, and trusts be used to compromise further targets?

Full article:

An Introduction to Hardware Hacking: the RIPE Atlas probe

LITE, Linaro IoT group

September 22, 2015 ~ hucktech ~ Leave a comment

At Linaro Connect, ARM’s CEO announced a new Linaro IoT group, LITE. More details here, including the video of the announcement:

https://www.linaro.org/blog/linaro-connect-2015-kicks-off-in-san-francisco/

In Youtube video of announcement, it ironic to see ARM exec keynote interrupted by an attendee’s smartphone, which was likely ARM-based.

Many other things are in keynote video, not just LITE, since this week’s Linaro Connect is “security-themed”.

“Security is starting to become important for everything we do.” –ARM CEO

http://connect.linaro.org/program/

resflash: Resilient OpenBSD images for flash memory

September 22, 2015 ~ hucktech ~ Leave a comment

Resflash is a tool for building OpenBSD images for embedded and cloud systems in a reproducible way. Resflash exclusively uses read-only and memory-backed filesystems, and because the partitions are only written to during system upgrades (or as configured), filesystems are not subject to corruption or fsck due to power loss – and even cheap flash drives can last virtually forever. Resflash images can be written to any bootable media, flash or conventional, and make great firewalls and NAS boot drives. Resflash was written from scratch, with inspiration drawn from NanoBSD and flashrd.

Brian Conway of RCE Software just announced UEFI support for resflash:

https://twitter.com/bconwayRCE/status/646049380999544832

I just pushed a new update to resflash that enables UEFI boot on 5.8-current and newer. There are no knobs to use this, it will be enabled if the sets used to create your OpenBSD base_dir support it, and will create an EFI System Partition (ESP) before the main OpenBSD partition. Partitioning is still done via MBR, so the image produced will be bootable in either native UEFI mode or in BIOS/CSM mode.

A few caveats:
– OpenBSD UEFI support is still under heavy development and is not guaranteed to work on all hardware. Also, I’m unable to get serial console output working yet on any of my hardware.
– Support is subject to change as GPT support in OpenBSD evolves, but I’m hoping not to break out images into separate UEFI and BIOS images.

Also, I’ve released a set of sample tools for building and configuring resflash images called resflash-tools.

http://stable.rcesoftware.com/resflash/
https://github.com/bconway/resflash-tools

Full announcement:
http://www.freelists.org/post/resflash/resflash-582-supports-UEFI-boot-in-58current-and-newer-and-announcing-resflashtools

LUV 2.0 RC3 released

September 22, 2015 ~ hucktech ~ Leave a comment

Ricardo Neri of Intel announced version 2.0-RC3 of the LUV (Linux UEFI Validation) distribution today. It includes fresh versions of CHIPSEC, FWTS, BITS, as well as changes to LUV. Excerpts of announcement:

This release includes improvements to allow to use the same LUV USB stick several times and save the results of all the executions. This comes handy when, for instance, you want tests several systems or you need to run LUV several times if you are debugging. From now on, the luv-results directory name will be appended with a timestamp; it will look like: luv-results-yyyy-mm-dd–hh-mm-ss. A new directory will be created each time you run LUV. If, for any reason (e.g., your system resets the real time clock each time you reboot) a directory with the same timestamps exists already in the luv-results partition, a number will be appended to the newly created directory.

We have bumped the following test suite versions: FTWS is now V15.09.00, CHIPSEC is now v1.2.1, BITS is now 2005.

On top of FWTS, we have a applied a patch to downgrade the the severity of failure in systems that are prepared for Secure Boot (i.e., have a database of keys and certificates) but do not have the Microsoft UEFI CA certificate. This is especially relevant for users that want to build their own chain of trust. This is a patch that is in process of being merged in to FWTS (https://lists.ubuntu.com/archives/fwts-devel/2015-September/006884.html).

We also have included a change in the LEG (Linaro) kernel to fix a build break due to a problem in the kernel configuration. Work is in progress to use the mainline kernel instead of the LEG kernel tree.

There are patches to improve builds of sbsigntool in native and cross-compilation mode.

More info:
https://lists.01.org/pipermail/luv/2015-September/000610.html

https://download.01.org/linux-uefi-validation/v2.0/luv-live-v2.0-rc3.tar.bz2
https://download.01.org/linux-uefi-validation/v2.0/sha256_sums.asc

More IDA plugins for UEFI

September 21, 2015 ~ hucktech ~ Leave a comment

The other day I posted a pointer to a new list of IDA plugins:

new list of IDA Plugins

Here are a few more IDA plugins for UEFI, the new list only mentions Danse-Macbre’s IDA-EFItools project:

https://github.com/danse-macabre/ida-efitools

http://ho.ax/posts/2012/09/ida-pro-scripts-for-efi-reversing/
https://github.com/snare/ida-efiutils/

https://github.com/gdbinit/TELoader

http://www.hexblog.com/?p=116

http://bioshacking.blogspot.com/2012/06/ida-pro-support-for-efi-byte-code-ebc.html

Also see chapter 4 and 22 (at least) of this new book:
https://www.nostarch.com/rootkits

Does anyone know of any others? If so, please leave a Comment (see left) or send email (see upper right). Thanks.

Absolute divests some assets to HEAT

September 21, 2015 ~ hucktech ~ Leave a comment

Absolute Software, makers of the Persistance(TM) silicon/firmware tracking technology, is selling off some of it’s products, to focus on it’s core security business.

HEAT Software, a global provider of Hybrid Service Management and Unified Endpoint Management (UEM) solutions for organizations of all sizes, today announced that it has reached a definitive agreement to acquire the assets and operations related to Absolute Manage and Absolute Service from Absolute Software Corporation. HEAT Software is a portfolio company of Clearlake Capital Group.

Absolute Software Corporation (TSX: ABT) today announced that it has signed a definitive agreement with HEAT Software for the sale of the assets and operations related to Absolute Manage(R) and Absolute Service, its computer lifecycle management and IT service management businesses. The transaction is subject to the satisfaction of normal closing conditions and is expected to close in early October, 2015. After the transaction closes, Absolute will work closely with HEAT Software to ensure a smooth transition and uninterrupted service to existing Absolute Manage and Absolute Service customers.

“We are pleased with the terms of this agreement and are incredibly excited for the future of our business,” said Geoff Haydon, chief executive officer, Absolute. “This divestiture enables us to singularly focus on our core information security business. With the ability to focus resources and investments on our adaptive endpoint security solutions, we are favorably positioned to accelerate our technology roadmap, extend our unique persistence platform, and strengthen our market leadership in this important segment globally.”

https://www.absolute.com/en/about/pressroom/press-releases/2015/absolute-announces-sale-of-absolute-manage-and-absolute-service
http://www.heatsoftware.com/news/press-releases/heat-software-acquire-absolute-manage-and-absolute-service-businesses-absolute

http://www.clearlakecapital.com/portfolio.html

https://www.absolute.com/en/partners/compatibility
https://www.absolute.com/en/about/persistence

Android Bionic gets setjmp hardening

September 21, 2015 ~ hucktech ~ Leave a comment

As found on Twitter feed of CopperheadSec, Bionic now has glibc-style setjmp hardening for x86, x86_64, ARM and AArch64:

Bionic now has glibc-style setjmp hardening for x86, x86_64, ARM and AArch64: https://t.co/ttStO1c0MN.

— CopperheadOS (@CopperheadOS) September 19, 2015

https://android-review.googlesource.com/#/c/170157/

Mentor improves Sourcery toolchain

September 21, 2015 ~ hucktech ~ Leave a comment

Mentor Graphics is adding support for AArch64 and AMD x86 in their freeware eLinux toolchains:

Mentor is offering embedded #Linux tools for @AMD's 64-bit #ARM processors @mentor_graphics http://t.co/CwIPZqSFPM pic.twitter.com/NYvfVUuoQs

— Arm (@Arm) September 21, 2015

Mentor Embedded Linux for AMD x86 G-Series and R-Series Processors and Sourcery CodeBench Tools for AMD x86 and ARM
Linux Development for Next-Generation Embedded Systems

Mentor Embedded and AMD have joined forces to announce several software enablement products for the AMD Embedded G-Series and R-Series families of processors: Mentor Embedded Linux and Sourcery CodeBench IDE tools. To complement the offer, free versions of the Mentor Embedded Linux-Lite and Sourcery CodeBench Lite are available for customers to download. The combination of AMD’s breadth of embedded processors and Mentor Embedded’s software solutions will enable developers to build robust and powerful applications in industries such as digital gaming, industrial control & automation, retail Point-of-Sale (POS), networking equipment and storage.
http://www.mentor.com/company/news/mentor-amd-armv8-a-linux

Mentor tools up 64-bit ARM processors at AMD

Intel security alert: Local APIC Elevation of Privilege

September 21, 2015 ~ hucktech ~ Leave a comment

[ I just noticed a new (September-era) announcement on the Intel Securty Center. I think this means that their mailing list of these announcements — or at least my subscription to it — does not work, as I did not receive any announcement for this, or the August ones. I emailed Intel about this last month, no reply. If you are waiting for announcements via the mailing list, do not trust it, manually check this web site every few days… 😦 ]

Excerpted summary of announcement:

Intel ID: INTEL-SA-00045
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Last revised: Sep 03, 2015
Impacts: Intel Server Board S5500HC Family, Intel Server Board S5500HCT Family, Intel Server Board S7000 Family, Intel Workstation Board S5520SC Family

An issue was disclosed to Intel which leverages architectural differences in processors prior to 2nd Generation Intel Core Processors to gain access to SMM. Administrator or root level privileges are required to execute the attack. Intel is releasing mitigations for a privilege escalation issue. This issue affects certain Intel processors based on older Intel micro-architectures. The issue identified is a method that enables malicious code to gain access to SMM. Intel highly recommends applying the mitigations. Intel would like to acknowledge Christopher Domas of Battelle for working with us on this coordinated disclosure.

Full announcement:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00045&languageid=en-fr

tool: ebiso: UEFI bootable ISO image creator

September 21, 2015 ~ hucktech ~ Leave a comment

Vladimir Gozora just created ebiso, an UEFI bootable ISO image creator, a newly-created UEFI-centric project on Github. It is so

The Primary intention of ebiso was to create simple bootable UEFI ISO image for ReaR on SLES11.

* currently supports only 8.3 file name convention (Joliet might follow in future)
* no additional dependencies
* released under GPL
* currently under heavy testing 😉
* more info will come (maybe)

The project is new, unclear if it’ll work with non-SLES11 ISOs. Ebiso aside, rear looks like an interesting project as well:

Relax-and-Recover is the leading Open Source bare metal disaster recovery and system migration solution. It is a modular framework with many ready-to-go workflows for common situations. Relax-and-Recover produces a bootable image. This image can repartition the system. Once that is done it initiates a restore from backup. Restores to different hardware are possible. Relax-and-Recover can therefore be used as a migration tool as well. Currently Relax-and-Recover supports various boot media (incl. ISO, PXE, OBDR tape, USB or eSATA storage), a variety of network protocols (incl. sftp, ftp, http, nfs, cifs) as well as a multitude of backup strategies (incl. IBM TSM, HP DataProtector, Symantec NetBackup, Bacula, rsync).

More info:

https://github.com/gozora/ebiso

https://github.com/rear/rear

HID emulation for USB Armory

September 21, 2015 ~ hucktech ~ Leave a comment

Last month (and I just noticed…), Collin Mulliner updated the USB Armory github project with some HID emulation code:

Some more HID tools for the USBARMORY https://t.co/yGqge5PssJ … more stuff soon

— Collin Mulliner (@collinrm) August 27, 2015

The project includes a few scripts, including:
* hidonly.sh : switches the usbarmory to be usb hid gadget
* hidnet.sh : switches the usbarmory to be a usb hid and usb ethernet gadget
* button_setup.sh : switches pin 3 and 4 to in and out
* button.sh : checks if pin 3 and 4 are connected

More info:
https://github.com/crmulliner/hidemulation

tool: python-eficompressor

September 21, 2015 ~ hucktech ~ Leave a comment

There are a few versions of the EFI compress/decompress tools outside of the UEFI Shell commands, for OS-level usage. Here are two, there are others, I am not sure which is most up-to-date:

https://github.com/sstjohn/python-eficompressor
https://github.com/linearregression/python-eficompressor

Note there is an EfiCompress and EfiDecompress, as well as TianoCompress (but no TianoDecompress). Comparing to the Tianocore commands for freshness would be useful:

https://github.com/tianocore/edk2-ShellPkg/blob/master/Library/UefiShellDebug1CommandsLib/EfiCompress.c
https://github.com/tianocore/edk2-ShellPkg/blob/master/Library/UefiShellDebug1CommandsLib/EfiDecompress.c
https://github.com/tianocore/edk2-ShellPkg/blob/master/Library/UefiShellDebug1CommandsLib/Compress.c
https://github.com/tianocore/edk2-BaseTools/blob/master/Tests/TianoCompress.py

As well, the UEFI spec has an appendix with some source code on this topic. I have not checked if the source in the spec is in sync with the sources on Tianocore.

I’ve heard that EFI/UEFI has had 4 versions of compression algorithms, at least one of them is broken in a few ways, but I don’t have any specific details. I am not sure of the variatios of the compression algorithms used over time by EFI/UEFI in EDK1 and EDK2, and current UEFI spec. I wish I could find some specific test that verifies these errors. Teddy Reed’s UEFI-Firmware-Parser is also a current tool that deals with this compression issue. I also wonder if there are more recent compression algorithms that’d be better suited for current UEFI usage.

Gentoo support for EDK2

September 20, 2015 ~ hucktech ~ Leave a comment

On the EDK2-devel mailing list, Stéphane Veyret just announced Gentoo Linux for EDK2, including rEFInd application support. Excerpt:

I made a Gentoo ebuild for EDK2. This ebuild transforms a little bit the installation in order to be able to use the product as is generally used a library in Linux. Samples are also modified. I also made an ebuild for rEFInd as a proof of concept.

More Information:
https://github.com/sveyret/sveyret-overlay
http://permalink.gmane.org/gmane.comp.bios.edk2.devel/2446

OSHWA announces Open Source Hardware Certification v1

September 20, 2015 ~ hucktech ~ Leave a comment

Excerpting the initial text:
Open Source Hardware Certification Version 1

This is version 1 of an official certification for open source hardware housed in the Open Source Hardware Association. It outlines the purpose and goals of such a certification, and establishes the mechanisms for the operation of the certification process itself.

Primary Goals
* Make it easier for the public to identify open source hardware.
* Expand the reach of open hardware by making it easier for newer members to join the open source hardware community.

Read the full document:

Open Source Hardware Certification Version 1

http://2015.oshwa.org/

Intel Kernel Guard Tech: multiple projects

September 19, 2015 ~ hucktech ~ Leave a comment

Earlier I briefly mentioned Intel Kernel Guard Technologies (iKGT).

https://firmwaresecurity.com/tag/ikgt/

I don’t see any checkins yet to the UEFI project, still empty.

But I just noticed that this project contains multiple other projects, which I didn’t notice earlier, and a few of them aren’t empty:

https://github.com/01org?utf8=%E2%9C%93&query=iKGT

https://github.com/01org/ikgt-uefi-loader
https://github.com/01org/ikgt-loader
https://github.com/01org/ikgt-manifest
https://github.com/01org/ikgt-api
https://github.com/01org/ikgt-core
https://github.com/01org/ikgt-plugin
https://github.com/01org/ikgt-usage

Apple Xcode vulnerability

September 19, 2015 ~ hucktech ~ Leave a comment

https://twitter.com/FredericJacobs/status/644664194181267456

Allegedly the source code to the XcodeGhost malware. https://t.co/ratnBoNTij

— thaddeus e. grugq thegrugq@infosec.exchange (@thegrugq) September 19, 2015

Apple began to remove iOS apps infected by #XcodeGhost from App Store, and to notify developers to recompile them by official Xcode.

— Claud Xiao (@claud_xiao) September 19, 2015

http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/

https://github.com/XcodeGhostSource/XcodeGhost

Teddy Reed research on Minnow firmware

September 19, 2015 ~ hucktech ~ Leave a comment

As found by ‘retweeted’ by the CHIPSEC team:

Cool project from @teddyreedv! Minnowboard Max: Quickstart UEFI Secure Boot http://t.co/J3R524wXlX

— Melanie Ensign (@iMeluny) September 18, 2015

Teddy Reed has an EXCELLENT blog post — the first in a series! — going into detail about the firmware of Intel’s MinnowBoard.

Again, this is an EXCELLENT article, worth reading!

http://prosauce.org/blog/2015/9/13/minnowboard-max-quickstart-uefi-secure-boot

Intel Clear Linux announces Clear Containers for Docker

September 18, 2015 ~ hucktech ~ Leave a comment

Today Dimitri John Ledkov of Intel’s Linux team announced the availability of Clear Containers for Docker Engine for multiple OSes. This enables executing existing Docker applications in the secure and fast Clear Containers environment. The experimental source code is based on the Docker 1.8.1 upstream release. The primary host platform is Clear Linux Project for Intel Architecture, version 4000 or better, and binaries for multiple OSes, including: CentOS, Scientific Linux, Fedora, openSUSE, Debian, and Ubuntu.

The Clear Linux Project for Intel Architecture is a distribution built for various cloud use cases in order to showcase the best of Intel Architecture technology, from low-level kernel features to complex applications that span across the entire OS stack. We’re putting emphasis on power and performance optimizations throughout the operating system as a whole. Clear Containers leverage the isolation of virtual-machine technology along with the deployment benefits of containers. The security of containers is improved by using Intel Virtualization Technology (Intel VT). The optimization of key components results in slimmer, simpler, safer and substantially speedier virtualization.

For more information, see the full announcement on the archives of the dev list.

https://lists.clearlinux.org/mailman/listinfo/dev
http://clearlinux.org/
https://software.opensuse.org/download.html?project=home%3Aclearlinux%3Apreview&package=clear-containers-docker
https://clearlinux.org/features/clear-containers
https://lwn.net/Articles/644675/
https://github.com/clearlinux/docker

Home

Xerox PARC announces ultra-secure CPU

September 18, 2015 ~ hucktech ~ Leave a comment

“The self-destructing chip was demonstrated last Thursday at DARPA’s Wait, What? event in St. Louis. Research into the chip was funded as it qualified for of DARPA’s vanishing programmable resources project. It is envisaged that the chip could carry sensitive data, such as encryption keys, and if it fell into enemy hands it could be commanded to shatter irrecoverably, into thousands of pieces.”

http://hexus.net/ce/news/gadgets/86453-xerox-parc-chip-self-destructs-command-funded-darpa/

http://www.computerworld.com.au/article/584274/xerox-parc-new-chip-will-self-destruct-10-seconds/

There are some videos from the DARPA event here:

top