US Treasury Sanctions Russian Federal Security Service Enablers
https://twitter.com/GossiTheDog/status/1006187828366192641
“Embedi was designated pursuant to E.O. 13694, as amended. As of May 2017, Embedi was owned or controlled by Digital Security.”
https://home.treasury.gov/news/press-releases/sm0410
Embedi does firmware security research.
Subverting your server through it’s BMC: the HPE iLo4 case (presentation + toolbox)
NIST SP 800-125A: Security Recommendations for Server-based Hypervisor Platforms
Date Published: June 2018
Supersedes: SP 800-125A (January 2018)
The Hypervisor platform is a collection of software modules that provides virtualization of hardware resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (made of an operating system (OS) and application programs) called Virtual Machines (VMs) to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run time isolation among resident VMs and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST document (Special Publication 800-125B). [This revision includes additional technologies for device virtualization such as para-virtualization, passthrough and self-virtualizing hardware devices as well as associated security recommendations. Major content changes in this revision are in: Section 1.1, Section 2.2.2 and Section 5.]
https://csrc.nist.gov/News/2018/NIST-Publishes-SP-800-125A-Rev-1
https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final
Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker changes the value at the right time, the privileged operation becomes inconsistent, leading to a change in control flow, and thus an escalation of privileges for the attacker. More severely, such double-fetch bugs can be introduced by the compiler, entirely invisible on the source-code level. We propose novel techniques to efficiently detect, exploit, and eliminate double-fetch bugs. We demonstrate the first combination of state-of-the-art cache attacks with kernel-fuzzing techniques to allow fully automated identification of double fetches. We demonstrate the first fully automated reliable detection and exploitation of double-fetch bugs, making manual analysis as in previous work superfluous. We show that cache-based triggers outperform state-of-the-art exploitation techniques significantly, leading to an exploitation success rate of up to 97%. Our modified fuzzer automatically detects double fetches and automatically narrows down this candidate set for double-fetch bugs to the exploitable ones. We present the first generic technique based on hardware transactional memory, to eliminate double-fetch bugs in a fully automated and transparent manner. We extend defensive programming techniques by retrofitting arbitrary code with automated double-fetch prevention, both in trusted execution environments as well as in syscalls, with a performance overhead below 1%.
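The time-of-check/time-of-use pattern the abstract describes, as an added C example that is not from the paper or its tooling: a hypothetical syscall handler that reads a user-supplied length twice, beside the defensive "fetch once, validate the copy, use only the copy" form that the paper's retrofitting automates. The race window is modelled by a callback so the effect is deterministic, and "user memory" is a plain struct in one process rather than real user/kernel separation.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a syscall argument block in user-controlled memory
 * (hypothetical; not from the paper). A real kernel would fetch it with
 * copy_from_user(); here "user" memory is an ordinary struct. */
struct user_req {
    volatile uint32_t len;   /* attacker-controlled length field */
    uint8_t data[4096];
};
#define KBUF_SIZE 32
typedef void (*race_hook_t)(struct user_req *);

/* Vulnerable handler: len is fetched twice. Fetch #1 is validated, fetch #2
 * is used for the copy, so a change in between (modelled by race_hook)
 * defeats the check. Returns the length it would have copied, or -1. */
int handle_double_fetch(struct user_req *u, race_hook_t race_hook) {
    uint8_t kbuf[KBUF_SIZE];
    if (u->len > KBUF_SIZE)            /* fetch #1: time of check */
        return -1;
    if (race_hook) race_hook(u);       /* window where user memory changes */
    uint32_t n = u->len;               /* fetch #2: time of use */
    /* A real kernel would overflow kbuf here; this model clamps the copy
     * and reports n so the bypassed bound is observable. */
    memcpy(kbuf, u->data, n > KBUF_SIZE ? KBUF_SIZE : n);
    return (int)n;
}

/* Hardened handler: fetch len once into kernel-owned storage, validate that
 * copy, and never read the user copy again. */
int handle_single_fetch(struct user_req *u, race_hook_t race_hook) {
    uint8_t kbuf[KBUF_SIZE];
    uint32_t n = u->len;               /* the only fetch */
    if (n > KBUF_SIZE)
        return -1;
    if (race_hook) race_hook(u);       /* user memory may change; n cannot */
    memcpy(kbuf, u->data, n);
    return (int)n;
}

/* Constructed racing thread: grows len inside the window. */
static void grow_len(struct user_req *u) { u->len = 4096; }

/* Run both handlers against the same request with the race firing. */
int demo_double_fetch(void) {
    struct user_req r = { .len = 16 };
    return handle_double_fetch(&r, grow_len);   /* 4096: check bypassed */
}
int demo_single_fetch(void) {
    struct user_req r = { .len = 16 };
    return handle_single_fetch(&r, grow_len);   /* 16: validated copy used */
}
```

The compiler-introduced variant the abstract mentions is the same bug with the second read of `u->len` materialised by the compiler instead of the programmer, which is why the fix has to be the local copy rather than source-level discipline alone.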
Niklas Baumstark: Unboxing your VirtualBox
How to acquire Linux memory images without a driver
Posted on Sunday, June 10th, 2018 at 5:52 am.
Written by blschatz
For a long time now, operating systems such as Windows and MacOS have prevented user space applications from accessing the raw physical memory of the machine. Physical acquisition and virtualisation approaches aside, this has led the field to require the use of kernel drivers to export physical RAM for acquisition. In the Linux realm, Joe Sylve’s LiME is the go-to for many. It appears not widely known that on Linux x64, acquisition of physical memory is possible without using a driver such as LiME. The prerequisite here is that /proc/kcore is enabled, which fortunately is widely the case: Ubuntu ships with it enabled by default, as does Redhat. On x64 the full physical address space is mapped into the kernel address space, and /proc/kcore exports this as a part of its virtual ELF file view.[…]
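How an acquisition tool can consume the ELF view the post describes, as an added C example that is not the post's or Evimetry's code: it walks the PT_LOAD program headers of an ELF core image and maps a physical address through the x86-64 direct map to the file offset where that page can be read. It assumes the caller knows `page_offset` (a made-up value is used for the constructed sample) and uses Linux's `<elf.h>`; the sample image is built in memory so the lookup runs without root access to the real /proc/kcore.

```c
#include <elf.h>      /* Linux ELF64 types */
#include <stdint.h>
#include <string.h>

/* Translate physical address paddr to a byte offset in the /proc/kcore ELF
 * view. On x86-64 the direct map places physical P at page_offset + P, so
 * the PT_LOAD segment covering that virtual address gives the file offset.
 * page_offset is an assumption supplied by the caller (with KASLR it must be
 * read from the live kernel). Returns 0, or -1 if no segment covers it. */
int kcore_phys_to_offset(const uint8_t *img, size_t len, uint64_t page_offset,
                         uint64_t paddr, uint64_t *file_off) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_type != ET_CORE) return -1;
    uint64_t vaddr = page_offset + paddr;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;       /* truncated image */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_LOAD && vaddr >= ph.p_vaddr &&
            vaddr - ph.p_vaddr < ph.p_memsz) {
            *file_off = ph.p_offset + (vaddr - ph.p_vaddr);
            return 0;
        }
    }
    return -1;   /* hole, MMIO, or outside the exported ranges */
}

/* Constructed stand-in for /proc/kcore: ELF64 core header plus a kernel-text
 * segment and one direct-map RAM segment (phys 0x100000..0x7ff00000 under a
 * made-up page_offset of 0xffff888000000000). Returns bytes written. */
size_t build_sample_kcore(uint8_t *buf, size_t cap) {
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2];
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_CORE; eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0] = (Elf64_Phdr){.p_type = PT_LOAD, .p_vaddr = 0xffffffff81000000ULL,
                         .p_offset = 0x1000, .p_memsz = 0x2000000};
    ph[1] = (Elf64_Phdr){.p_type = PT_LOAD, .p_vaddr = 0xffff888000100000ULL,
                         .p_offset = 0x3000000, .p_memsz = 0x7fe00000};
    if (cap < sizeof eh + sizeof ph) return 0;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}
```

On a live system the same function applied to the header region of /proc/kcore (opened as root) yields the offset to pread() for each physical page; ranges that return -1 are the holes, reserved and device regions that a physical image should record as unmapped rather than as zeros.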
FreeBSD 11.2R released, with speculative execution and UEFI updates
The latest version of FreeBSD is out, and has a few speculative execution and UEFI changes, including:
https://www.freebsd.org/releases/11.2R/relnotes.html
[arm64] The bsdinstall(8) installer has been updated to default to UEFI-only boot. [r322254]
(Sponsored by The FreeBSD Foundation)
The efibootmgr(8) utility has been added, which is used to manipulate the EFI boot manager. [r332126]
(Sponsored by Netflix)
https://www.freebsd.org/cgi/man.cgi?query=efibootmgr&sektion=8&manpath=freebsd-release-ports
The cpucontrol(8) utility has been updated to include a new flag, -e, which is used to re-evaluate reported CPU features after applying firmware updates. [r327871]
Note: The cpucontrol(8) -e flag should only be used after microcode updates have been applied to all CPUs in the system, otherwise system instability may be experienced if processor features are not identical across the system.
https://www.freebsd.org/cgi/man.cgi?query=cpucontrol&sektion=8&manpath=freebsd-release-ports
FreeBSD-SA-18:03.speculative_execution 14 March 2018. Speculative Execution Vulnerabilities
Note: This advisory addresses the most significant issues for FreeBSD 11.x on amd64 CPUs. We expect to update this advisory to include i386 and other CPUs.
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc
iPXE-Boot-Server: Setup iPXE to support both BIOS and UEFI
Step by step guide for how to build your own PXE boot server supporting both legacy BIOS and EFI hardware
Build your own PXE boot server
This article is a step by step guide for building your own PXE boot infrastructure which can be used to boot both legacy BIOS and EFI based hardware from network. There are many articles on the Internet for building PXE boot infrastructure, however I found most of them do not work for EFI based hardware. I use iPXE as the boot image and dnsmasq as DHCP & TFTP server and I found it’s dead simple to set up those two pieces of software.
https://github.com/boliu83/ipxe-boot-server

Theo of OpenBSD: Speculating about Intel at BSDCan
LAVA: Large-scale Automated Vulnerability Addition for PANDA
Re: https://firmwaresecurity.com/2015/11/23/panda-vm/ and https://firmwaresecurity.com/2016/12/01/panda-2-0-released/
PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU’s support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development.
LAVA (Large Scale Automated Vulnerability Addition) for PANDA:
Evaluating and improving bug-finding tools is currently difficult due to a shortage of ground truth corpora (i.e., software that has known bugs with triggering inputs). LAVA attempts to solve this problem by automatically injecting bugs into software. Every LAVA bug is accompanied by an input that triggers it whereas normal inputs are extremely unlikely to do so. These vulnerabilities are synthetic but, we argue, still realistic, in the sense that they are embedded deep within programs and are triggered by real inputs. Our work forms the basis of an approach for generating large ground-truth vulnerability corpora on demand, enabling rigorous tool evaluation and providing a high-quality target for tool developers.
https://github.com/panda-re/lava
https://github.com/panda-re/panda
PANDA’s LAVA is separate from the Linaro LAVA project, which the Tags on this blog point to.
VMWare: Enable or Disable UEFI Secure Boot for a Virtual Machine
I believe this is a new (or revised) document [to me].
[…]VMware Tools version 10.1 or later is required for virtual machines that use UEFI secure boot. You can upgrade those virtual machines to a later version of VMware Tools when it becomes available.
For Linux virtual machines, VMware Host-Guest Filesystem is not supported in secure boot mode. Remove VMware Host-Guest Filesystem from VMware Tools before you enable secure boot.[…]
CHIPSEC gets support for Nine more ACPI tables
Lots of news sites are filled with news about the latest version of CHIPSEC being released. I don’t see that, but there are some interesting new check-ins w/r/t ACPI support:
ACPI_TABLE_SIG_BGRT = ‘BGRT’
ACPI_TABLE_SIG_LPIT = ‘LPIT’
ACPI_TABLE_SIG_ASPT = ‘ASPT’
+ACPI_TABLE_SIG_FIDT = ‘FIDT’
+ACPI_TABLE_SIG_HEST = ‘HEST’
+ACPI_TABLE_SIG_BERT = ‘BERT’
+ACPI_TABLE_SIG_ERST = ‘ERST’
+ACPI_TABLE_SIG_EINJ = ‘EINJ’
+ACPI_TABLE_SIG_TPM2 = ‘TPM2’
+ACPI_TABLE_SIG_WSMT = ‘WSMT’
+ACPI_TABLE_SIG_DBG2 = ‘DBG2’
+ACPI_TABLE_SIG_NHLT = ‘NHLT’
+ACPI_TABLE_SIG_MSCT = ‘MSCT’
+ACPI_TABLE_SIG_RASF = ‘RASF’
+ACPI_TABLE_SIG_SPMI = ‘SPMI’
+ACPI_TABLE_SIG_OEM1 = ‘OEM1’
+ACPI_TABLE_SIG_OEM2 = ‘OEM2’
+ACPI_TABLE_SIG_OEM3 = ‘OEM3’
+ACPI_TABLE_SIG_OEM4 = ‘OEM4’
+ACPI_TABLE_SIG_NFIT = ‘NFIT’
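Review bot: the four added lines `+ACPI_TABLE_SIG_OEM1 = 'OEM1'` through `+ACPI_TABLE_SIG_OEM4 = 'OEM4'` enumerate only four members of an open-ended family: the ACPI specification reserves every signature that begins with "OEM" for vendor-defined tables, so firmware is free to ship OEM0, OEMB, OEMx with any suffix, and those would still go unrecognised by a lookup keyed on these constants. Consider classifying a table as OEM-specific by its three-byte 'OEM' prefix and keeping explicit constants only for signatures that get dedicated handling; the remaining additions (HEST, BERT, ERST, EINJ, TPM2, WSMT, DBG2, NHLT, MSCT, RASF, SPMI, NFIT, FIDT) are fixed signatures and are fine as written.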
as well as some new SGX support… Fun!
Down the rabbit hole of tboot, E820 maps, and Xen PV PCI-passthrough domains
https://github.com/OpenXT/xenclient-oe/pull/890#issuecomment-395497431
From an OpenXT bug report:
TL;DR: a minor adjustment had to be made in tboot so that it picks the right memory protection for itself in the E820 map. The bug only affected PV Linux guests with PCI-passthrough devices as correctly guessed above.[…]
Microsoft Research 2017: The Seven Properties of Highly Secure Devices
The Seven Properties of Highly Secure Devices
March 31, 2017
MSR-TR-2017-16
Industry largely underestimates the critical societal need to embody the highest levels of security in every network-connected device—every child’s toy, every household’s appliances, and every industry’s equipment. High development and maintenance costs have limited strong security to high-cost or high-margin devices. Our group has begun a research agenda to bring high-value security to low-cost devices. We are especially concerned with the tens of billions of devices powered by microcontrollers. This class of devices is particularly ill-prepared for the security challenges of internet connectivity. Insufficient investments in the security needs of these and other price-sensitive devices have left consumers and society critically exposed to device security and privacy failures. This paper makes two contributions to the field of device security. First, we identify seven properties we assert are required in all highly secure devices. Second, we describe our experiment working with a silicon partner to revise one of their microcontrollers to create a prototype, highly secure microcontroller. Our experimental results suggest that in the near future even the most price-sensitive devices should be redesigned to achieve the high levels of device security critical to society’s safety. While our first experimental results are promising, more ongoing research remains and we seek to enlist the broader security community in a dialog on device security.
https://www.microsoft.com/en-us/research/publication/seven-properties-highly-secure-devices/
Firmwalker review
SecurityBoulevard has a new blog post on the FirmWalker tool.
IoT Firmware Analysis — Firmwalker
by Nitesh Malviya on May 27, 2018
IoT is the next big technology that will change the way we communicate and exchange data. Every day thousands of IoT devices are coming into the market. Most of these devices collect and exchange data over the cloud. Not much effort has been put into securing the IoT devices, thus understanding the security of IoT devices and their communication is of utmost importance.[…]
Uptane, and: firmware security humor: nearly impossible :-)
“Uptane is the first compromise-resilient software update security system for the automotive industry. […] Uptane has been security audited by several different groups. We welcome further audits from the community. You can help to fix security issues before hackers use them to exploit millions of cars!”
https://github.com/uptane/uptane
A humorous 3-tweet conversation, in the context of automotive firmware updates and security, from where I learned about Uptane:
https://twitter.com/trishankkarthik/status/1003360144862916613
Side-channel attacking browsers through CSS3 features
tl;dr:
We (co-)discovered a side-channel vulnerability in browser implementations of the CSS3 feature “mix-blend-mode” which allowed leaking visual content from cross-origin iframes.
We demonstrate the impact of this vulnerability by showing how visiting a malicious site was enough to de-anonymize Facebook users. In particular, exploitation allowed leaking the profile picture, username and likes of unsuspecting visitors, all while requiring no additional user interaction.
This vulnerability affected major browsers like Chrome and Firefox and was disclosed responsibly.
OpenBSD gets RETGUARD (anti-ROP) for Clang x64
RETGUARD for clang (amd64) added to -current
Contributed by rueda on 2018-06-06 from the d(e)ropping-the-gadgets dept.
Todd Mortimer has committed “RETGUARD” for clang (for amd64).
Phasar, LLVM-based static-analysis framework
Phasar is an LLVM-based static analysis framework written in C++. It allows users to specify arbitrary data-flow problems which are then solved in a fully-automated manner on the specified LLVM IR target code. Computing points-to information, call-graph(s), etc. is done by the framework, thus you can focus on what matters.
https://github.com/pdschubert/phasar