Jono Bacon has a good article in Forbes on the maker movement:
It even references Bunnie’s Novena!
Andrea Barisani posted a document to the USB Armory wiki related to BadUSB:
BadUSB with USB Armory: “USB Armory as an Offensive Attack Platform”
by Jeroen van Kessel and Nick Triantafyllidis
This research explores the feasibility of performing attacks on computer systems with the use of USB Armory, a newly introduced device which is an ARM computer in the size of a USB stick. Exploiting the USB emulation capabilities of the device we propose and test an attack scenario using a rogue DHCP server installed on the device. Based on the success of this attack we extend the scenario to DNS hijacking and traffic diversion setups with the injection of malicious static routes into the routing tables of the victim machines. This attack was successfully executed on the latest versions of Ubuntu 14.04 and Windows 8.1. The premise of the attacks as well as the scenarios themselves are explained in detail throughout the extent of this report.
[I need to learn USB-based firmware security issues more, and how they interact with UEFI and other firmware technologies… Currently, this blog is not covering USB firmware security issues properly.]
Lee Calcote of Seagate wrote an article on the recent DMTF Redfish 1.0 release, and about Seagate’s support of this new API, and IPMI. Excerpts:
Like most systems manufacturers, Seagate supports IPMI and will continue to support it as a critical standard in the data center in lieu of broad adoption of Redfish. Where IPMI strains to meet the requirements of today’s massive multiscale environments, Redfish addresses IPMI inadequacies of interoperability, security, simplicity and scalability.
Redfish 1.0 is only the beginning. Seagate and other industry leaders are already engaging within the DMTF Scalable Platform Management Forum on enhancements beyond Redfish 1.0 standard.
What does Redfish mean for Seagate partners and customers? It means a new level of control, management and monitoring for the data center, using a modern, secure RESTful API that is commonly understood and will be widely supported.
Read the full post here:
Today AMI announced AMIDuOS 2.0, with support for Windows 7-10 along with Android 5.0.1 (Lollipop). AMIDuOS lets you run both OSes at the same time, using hardware acceleration and emulation. AMIDuOS 1.x supports Android 4.3 (Jellybean) and is still available for $10, with a free upgrade to 2.0 if you bought 1.x before August 7th. AMIDuOS is a closed-source OS.
“People should be able to run their Android apps on any device they wish,” explained Subramonian Shankar, AMI founder and President. “We created AMIDuOS to make it easy for anyone to get the full Android experience on their Windows machines. Now, even the most recent Android apps developed for Android 5.0.1 will run smoothly and with full compatibility on the Windows platform.”
AMI has utilized its decades of expertise to build hardware acceleration support into the app and support direct hardware access whenever possible. Emulation is only used when needed – otherwise code runs natively. This, plus 3D acceleration support, means incredible performance, so games and video-intensive apps run smoothly and quickly. Since AMIDuOS can access native PC hardware and drivers, any apps installed in the Android environment can take advantage of the touchscreen, sensors, peripherals, GPS, camera and more – to deliver a fully immersive Android experience. AMI has tested AMIDuOS with over 4,000 apps and is continually releasing updates to improve its compatibility.
Some of the requirements include: x86 processor, 32/64-bit version of Windows 7/8/8.1/10, OpenGL 3.0 and above, and Hardware Virtualization Technology enabled in the system’s BIOS.
https://www.facebook.com/amiduos
http://ami.com/news/press-releases/?PressReleaseID=327&/American%20Megatrends%20Unwraps%20Lollipop%20%E2%80%93%20Run%20Android%205.0.1%20Apps%20on%20Windows%20PCs%20without%20Compromise/
US-CERT has issued a Vulnerability Note (VU#950576) for some DSL routers, excerpted below, see US-CERT note for full details:
DSL routers contain hard-coded “XXXXairocon” credentials
DSL routers by ASUS, DIGICOM, Observa Telecom, Philippine Long Distance Telephone (PLDT), and ZTE contain hard-coded “XXXXairocon” credentials
CWE-798: Use of Hard-coded Credentials
DSL routers, including the ASUS DSL-N12E, DIGICOM DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN, and ZTE ZXV10 W300 contain hard-coded credentials that are usable in the telnet service on the device. In the ASUS, DIGICOM, Observa Telecom, and ZTE devices, the username is “admin,” in the PLDT device, the username is “adminpldt,” and in all affected devices, the password is “XXXXairocon” where “XXXX” is the last four characters of the device’s MAC address. The MAC address may be obtainable over SNMP with community string public. The vulnerability was previously disclosed in VU#228886 and assigned CVE-2014-0329 for ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products published by other vendors. The Observa Telecom RTA01N was previously disclosed on the Full Disclosure mailing list.
Impact: A remote attacker may utilize these credentials to gain administrator access to the device.
Solution: The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround: Restrict access: Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device.
Vendors impacted include: AsusTek, DIGICOM, Observa Telecom, Philippine Long Distance Telephone, and ZTE Corporation.
See CERT VU for full information:
http://www.kb.cert.org/vuls/id/950576
http://seclists.org/fulldisclosure/2015/May/129
https://www.kb.cert.org/vuls/id/228886
https://www.asus.com/Networking/DSLN12E/
http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0
http://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/router-adsl-observa-rta01n-v2/
As part of LinuxCon North America, the Linux Security Summit recently finished, and presentations are now available (I omitted from the list below the few talks which had no presentations):
* Keynote: Giant Bags of Mostly Water – Securing your IT Infrastructure by Securing your Team, Konstantin Ryabitsev, Linux Foundation
* CC3: An Identity Attested Linux Security Supervisor Architecture, Greg Wettstein, IDfusion
* SELinux in Android Lollipop and Android M, Stephen Smalley, NSA
* Discussion: Rethinking Audit, Paul Moore, Red Hat
* Assembling Secure OS Images, Elena Reshetova, Intel
* Linux and Mobile Device Encryption, Paul Lawrence, Mike Halcrow, Google
* Discussion: Core Infrastructure Initiative, Emily Ratliff, Linux Foundation
* Security Framework for Constraining Application Privileges, Lukasz Wojciechowski, Samsung
* IMA/EVM: Real Applications for Embedded Networking Systems, Petko Manolov, Konsulko Group, Mark Baushke, Juniper Networks
* Ioctl Command Whitelisting in SELinux, Jeffrey Vander Stoep, Google
* IMA/EVM on Android Device, Dmitry Kasatkin, Huawei Technologies
* Subsystem Update: Smack, Casey Schaufler, Intel
* Subsystem Update: AppArmor, John Johansen, Canonical
* Subsystem Update: Integrity, Mimi Zohar, IBM
* Subsystem Update: SELinux, Paul Moore, Red Hat
* Subsystem Update: Capabilities, Serge Hallyn, Canonical
* Subsystem Update: Seccomp, Kees Cook, Google
* Discussion: LSM Stacking Next Steps, Casey Schaufler, Intel
http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015/Schedule
Purism is a new OEM trying to build hardware for consumers who care about personal privacy and security, and who are concerned about any closed-source code that controls their systems, including OS-level and firmware-level “blobs”. They’ve chosen an Intel-based platform for their laptop, so they’re busy fighting to disable all of the silicon-level security protections that Intel has been adding to its products. This is more ambitious than other Intel-based “Linux OEMs”, which use a stock BIOS that is 100% firmware blobs. If Purism is able to accomplish what they want, I then wonder how insecure their new systems will be, from the pragmatic POV of an attacker (who cares less about whether a system was built with closed-source blobs or not).
Read the update here:
http://blogs.coreboot.org/blog/2015/08/24/2015-08-21-librem-13-weekly-progress-update/
Excerpting from the summary of their blog post:
BIOS development is hard. One of the major challenges facing BIOS developers is a lack of accurate, comprehensive documentation for all the hardware coreboot interacts with. The “elephant in the room,” for an Intel-based laptop, is the Management Engine.
I’m willing to bet a buck that Purism’s 3rd model will not be based on Intel, but on ARM or AMD systems, where they can more easily have zero firmware blobs, have to fight fewer pink elephants, and can use U-Boot or Libreboot. Recent Libreboot efforts with some Chromebook models are also very encouraging. I would almost rather focus on COTS Intel/ARM dev boards for the next few years, until RISC-V boards (like Raven3) are available for Purism to use. A thick laptop with room to fit a Beagle or Panda or Minnow or RPI — or two — would be nice to see.
It is nice to see Purism, like Bunnie’s Novena, trying to build a system that people want, not just a system that the industry trade groups want for enterprises. I hope they’re able to manage to deal with the various silicon and firmware issues that they face.
The Trusted Computing Group likes Embedded Computing’s story on TPM-flavored IoT security:
Embedded Computing has a story on if/how/when governments will step in after the IoT gets out of hand.
http://embedded-computing.com/25958-should-iot-security-be-regulated-by-industry-or-government/
I’m still without an opinion on IoT software-level stacks, beyond the traditional embedded computing stack. So far, it appears each big company has its own solution, wrapped up in a standards body organization or open-looking industry trade group. Kind of like “the Cloud”. Especially since most IoT stacks are tied to a vendor’s Cloud stack. 😦 I have yet to be impressed by any IoT-centric software. I wish I could find a decent vendor-neutral definition of IoT problems and solutions, of how the various implementations will work together, and of how to deal with all of the IoT security issues that are new.
Yesterday Slashdot did an interview (video + text transcript) with Mark Skarpness of Intel, on the IoT, Minnowboard, and IoTivity.
Earlier I pointed out the DFRWS2015 conference. Well, presentations for most of the talks are online now:
http://www.dfrws.org/2015/program.shtml
Amongst many interesting forensic presentations, one firmware-centric one that caught my eye was:
“New acquisition method based on firmware update protocols for Android smartphones”
Seung Jei Yang, Jung Ho Choi, Ki Bom Kim and Tae Joo Chang
Android remains the dominant OS in the smartphone market even though the iOS share of the market increased during the iPhone 6 release period. As various types of Android smartphones are being launched in the market, forensic studies are being conducted to test data acquisition and analysis. However, since the application of new Android security technologies, it has become more difficult to acquire data using existing forensic methods. In order to address this problem, we propose a new acquisition method based on analyzing the firmware update protocols of Android smartphones. A physical acquisition of Android smartphones can be achieved using the flash memory read command by reverse engineering the firmware update protocol in the bootloader. Our experimental results demonstrate that the proposed method is superior to existing forensic methods in terms of the integrity guarantee, acquisition speed, and physical dump with screen-locked smartphones (USB debugging disabled).
Click to access DFRWS2015-8.pdf
Today on the Linaro Firmware Summit mailing list, Al Stone of Red Hat announced the next Firmware Summit:
What: Linaro Firmware mini-Summit (at Linaro Connect)
When: Tuesday, September 22nd, 2015, 2-6pm
Where: Hyatt Regency San Francisco Airport Hotel, Burlingame, CA
Initial agenda topics include:
1) Current state of ACPI on ARM
2) Support/backing for a longer term organization (i.e., mailing lists, web sites, further meetings…)
3) Use of _DSD device properties
4) Follow-up on others items from the last meeting (mostly promised documents)
Other topics are being solicited. See the full posting on the fw-summit list archives.
https://lists.linaro.org/mailman/listinfo/fw-summit
http://sanfranciscoairport.hyatt.com/en/hotel/home.html
http://connect.linaro.org
Samer El-Haj-Mahmoud, a System Firmware Architect at Hewlett-Packard, was kind enough to give me a URL to a recent presentation at Intel Developer Forum (IDF), on UEFI HTTP Boot and DMTF Redfish:
STTS001: Firmware in the Data Center:
Building a Modern Development Framework Using UEFI and Redfish REST APIs.
Mark Doron, Intel
Dong Wei, HP
Samer El-Haj-Mahmoud, HP
The HP/Intel co-presentation is on HTTP Boot and Redfish, and the UEFI-based deployment solution on HP ProLiant Servers. Topics include PXE -vs- UEFI HTTP Boot, IPMI -vs- Redfish, and clarification of HP’s implementation -vs- the recent UEFI 2.5/TianoCore implementation. I wish I could find audio or video archives of this talk, not just slides. 😦
I’m not a fan of URL-shorteners, and this is a LONG URL, I think you need all the stuff after the .pdf extension:
Also, check out the UEFI videos and other resources at HP’s site:
http://www.hp.com/go/proliant/uefi
Found on the Twitter feed of Salvatore Sanfilippo (@antirez):
The document by Dan Luu is “What’s New in CPUs Since the 80s and How Does It Affect Programmers?”. It is aimed at application developers, not firmware developers. Regardless, it is a good overview of changes in CPU technologies, covering caching, concurrency, different kinds of memory, GPUs, a bit on porting to non-x86 systems, and about a dozen other topics. Worth reading!
http://danluu.com/new-cpu-features/
For a more detailed description of some of the other Intel platform changes, also read this book:
Last week ACPICA.org released a new version of their ACPI code. Version 20150818, released 2015-08-18, has various bugfixes, cleanups and simplifications to the ACPI Disassembler and Debugger, including making the Debugger a fully standalone component. There are also various new command-line options in the AcpiNames, AcpiExec, iASL/Disassembler, and Debugger tools.
Two specific new Disassembler and Debugger commands:
iASL/Disassembler: Implemented a prototype “listing” mode that emits AML that corresponds to each disassembled ASL statement, to simplify debugging.
Debugger: Add option to the “objects” command to display a summary of the current namespace objects (Object type and count). This is displayed if the command is entered with no arguments.
Besides this release, the trunk has some even fresher updates. For full details, see the readme in the source distribution and trunk history.
https://acpica.org/downloads/version-20150717
https://github.com/acpica/acpica/commits/master
https://acpica.org/source
https://github.com/acpica/acpica/
K0retux has created Fuddly, a new fuzzing and data manipulation framework. It is a Python-based (v2 or v3) command-line tool. Fuddly uses a graph-based data model that enables: representing complex data formats and also mixing them, complex data manipulations, dissecting/absorbing existing data, and generation & mutation fuzzing strategies. Fuddly’s fuzzing automation framework enables: target abstraction, monitoring means based on independent probes, replay & logging, data manipulation based on disruptors (objects that implement specific data transformations), and virtual operator abstraction.
Fuddly is a fuzzing and data manipulation framework whose main objectives are:
1) To allow users to build data models that:
1.1) mix very accurate representations for certain aspects with much coarser ones for others that are outside the focus of the testing, leaving open the way of refining the other parts should the need arise;
1.2) may be combined with each other;
1.3) enable dissecting raw data for analysis, and absorbing it within the data model for manipulation;
1.4) enable mixing generation and mutation fuzzing techniques.
2) To represent the data in a way that simplifies the process of fuzzing and especially enables the implementation of elaborate transformations. By ‘’elaborate’’ we mean the capability to act on any data part (not necessarily contiguous) while preserving consistency of dependent parts if so desired. This amounts to allowing transformations to be articulated around syntactic criteria (e.g., modification of an integer depending on the size of the field hosting it) or semantic ones (e.g., alteration of a value regarding its meaning for a given data format or protocol, or alteration of specific data sub-parts forming a sound group for a given data format or protocol).
3) To automate the fuzzing process, relying on various Fuddly sub-systems that enable communication with the target, following and monitoring its behavior and acting accordingly (e.g., deviating from protocol requirements like sequencing, timing constraints, and so on), thanks to data model search and modification primitives, while recording every piece of information generated during this process and enabling it to be replayed.
I just became aware of a tool, DumpFlash, by Jeong Wook:
DumpFlash is a tool to retrieve and write Flash data to the physical NAND Flash memory or virtual image file. Various operations like ECC check and on-image pattern recognition, extraction and rewriting for u-Boot bootloader and JFFS2 file system are supported.
https://github.com/ohjeongwook/DumpFlash
Click to access us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit.pdf
Click to access Reverse%20Engineering%20Flash%20Memory%20for%20Fun%20And%20Benefit.pdf
DumpFlash aside, also check out his DarunGrim tool, a Binary Diffing and Patch Analysis Tool:
Yesterday Simon Glass of Chromium submitted a large (28-part) patch series to U-Boot, adding a driver model for TPMs.
[PATCH v2 00/28] dm: Convert TPM drivers to driver model
This series adds driver model support for Trusted Platform Modules (TPMs). These have a very simple interface and are configured via the device tree.
Two bus types are supported at present: I2C and LPC (Intel Low-Pin-Count).
Most drivers and users are converted over to driver model. The exception is the Atmel TPM and its users.
The I2C driver has been cleaned up and simplified. It was ported from Linux and was pretty hard to follow. This series includes patches to unify the code, remove duplicated data structures and drop unnecessary indirection.
Also this series enables the TPM on all Chromebooks supported by upstream U-Boot (snow, spring, nyan-big, pit, pi, link, panther) since some did not have it fully enabled.
As before, the ‘tpm’ command can be used to implement TPM functionality. In addition a ‘tpmtest’ command provides some basic TPM tests taken from Chrome OS U-Boot. These are fairly rudimentary but are useful if you know what you are doing.
For more information, see the U-Boot mailing list:
http://lists.denx.de/mailman/listinfo/u-boot
A quick personal note to Phoenix, one of the big IBVs:
Is everything OK at Phoenix? Or is it that you’re doing so well these days that you don’t need to keep the public informed of your company’s activities? It is nice to see talks at UEFI Forum meetings, but please get someone to update your blogs and press release pages. Your press release and event pages haven’t been updated since 2013. Your blog hasn’t been updated since 2010. Even the personal blog of Tim Lewis of Phoenix hasn’t been updated since 2014. If this level of interaction with the public is any indication, I’m worried about the next firmware security update that impacts Phoenix systems, if nobody is updating things there anymore. Thanks!
http://www.phoenix.com/pages/news-events/
http://www.phoenix.com/pages/upcoming-events
http://blogs.phoenix.com/
Last week at IDF, a few UEFI Forum ecosystem vendors announced support for Intel’s new Innovation Engine (IE). But I still don’t know what it is. All I know so far is that the “Innovation Engine is a small Intel(R) architecture processor and I/O sub-system that will be embedded into future Intel data center platforms“, and that it’s roughly like an integrated service processor or baseboard management controller (BMC). I presume everyone from Intel is taking post-IDF “comp-time” Summer vacation, and hasn’t uploaded the IE data sheets to intel.com yet. 😦 So far, all I can find is this blog post by Jesse Schrater from last week:
Intel’s New Innovation Engine Enables Differentiated Firmware
Historically, platform embedded firmware limits the ways system-builders can customize, innovate, and differentiate their offerings. Today, Intel is streamlining the route for implementing new features with the creation of an “open engine” for system-builders to run firmware of their own creation or choosing.
This important advance in platform architecture is known as the Innovation Engine. It was introduced this week at the Intel Developer Forum in San Francisco.
The Innovation Engine is a small Intel® architecture processor and I/O sub-system that will be embedded into future Intel data center platforms. The Innovation Engine enables system builders to create their own unique, differentiating firmware for server, storage, and networking markets.
Some possible uses include hosting lightweight manageability features in order to reduce overall system cost, improving server performance by offloading BIOS and BMC routines, or augmenting the Intel® Management Engine for such things as telemetry and trusted boot.
These are just a few of the countless possibilities for the use of this new path into the heart of Intel processors. Truthfully, the uses for the Innovation Engine are limited only by the feature’s capability framework and the developer’s imagination.
It’s worth noting that the Innovation Engine is reserved for system-builder’s code, and not Intel firmware. Intel supplies only the hardware, and the system builder can tailor things from there. And as for security, the Innovation Engine code is cryptographically bound to the system-builder. Code not authenticated by the system-builder will not load.
As the name suggests, the Innovation Engine will drive a lot of great benefits for OEMs and, ultimately, end users. This embedded core in future Intel processors will foster creativity, innovation, and differentiation, while creating a simplified path for system-builders implementing new features and enabling full customer visibility into code and engine behavior.
Read the full blog post here:
https://communities.intel.com/community/itpeernetwork/datastack/blog/2015/08/19/intel-s-new-innovation-engine-enables-differentiated-firmware
Looking forward to some actual specs… Wondering if ‘open engine’ may imply Open Hardware, or at least Open Source code to interface with device. 🙂
Hastily-written news/info on the firmware security/development communities, sorry for the typos.