[…]We have confirmed missing firmware storage access controls and insecure firmware updates on specific Supermicro systems. Many other systems are likely to have similar vulnerabilities, leaving them exposed to attacks targeting firmware and hardware. Since most organizations do not monitor at this deep level, these attacks may go unnoticed for an extended period. By providing this summary of the vulnerabilities, impacts, and mitigation strategies, we hope to assist organizations in understanding and defending against threats at this level.

I did not see any CVE yet, I hope SuperMicro has seen this.

Teddy Reed on U-Boot’s Verified Boot

June 7, 2018 ~ hucktech ~ 1 Comment

Teddy Reed, author of UEFI Firmware Parser, among other things, has some U-Boot Verified Boot issues:

Verified boot production uses question

Hi all, question, is anyone using the U-Boot verified-boot in production? I am using configuration verification for several OpenCompute/OpenBMC boards. After a deep-dive review I found some edge cases that in rare circumstances could lead to a signature check bypass. I think this is low-risk at best since the scenario requires special hardware behavior to exist. Our board were susceptible in the general sense, but we had implemented some additional sanity checks on the FIT structures that
prevented this. There are some proposed changes that attempt to mitigate this [1], [2], [3]. Any one of these changes mitigates the bypass scenario. If you don’t mind reaching out to me I can share the exact situation/details.

[1] https://lists.denx.de/pipermail/u-boot/2018-June/330454.html
[2] https://lists.denx.de/pipermail/u-boot/2018-June/330487.html
[3] https://lists.denx.de/pipermail/u-boot/2018-June/330599.html

https://lists.denx.de/pipermail/u-boot/2018-June/330898.html

Shadow-Box: Lightweight and Practical Kernel Protector for x86 (or ARM)

June 7, 2018 ~ hucktech ~ Leave a comment

RT @kkamagui1: My lightweight hypervisor-based kernel protector, Shadow-box finally can support Page Table Isolation (PTI) in Linux kernel. The solution is very simple, but I analyze the whole patches of PTI. See new Shadow-box, https://t.co/L3wzReJLJ5

— Frank ⚡ (@jedisct1) June 3, 2018

Lightweight Hypervisor-Based Kernel Protector

Shadow-box v2 (for ARM) is a next generation of Shadow-box v1 (for x86). If you want to know about Shadow-box for ARM, please visit Shadow-box for ARM project.

https://github.com/kkamagui/shadow-box-for-x86

https://github.com/kkamagui/shadow-box-for-arm

ACM SIG Int’l Symposium on Microarchitecture 2017: slides “temporarily available”

June 7, 2018 ~ hucktech ~ Leave a comment

The slides of the last Annual IEEE/ACM International Symposium on Microarchitecture https://t.co/4tL549ieYY

— Embedded Systems (@embedsys) June 7, 2018

Slides for #MICRO50 author presentations and keynote temporarily available here: https://t.co/p4FWo7nkM6

— SIGMICRO (@ACMSIGMICRO) November 26, 2017

https://drive.google.com/drive/folders/1cmjix6YEPiyRde7Be2vshtny4mHjZ50p

https://www.microarch.org/micro50/

https://dl.acm.org/citation.cfm?id=3123939

http://www.wikicfp.com/cfp/servlet/event.showcfp?eventid=60858

Graz: School on Security and Correctness in the IoT 2018

June 7, 2018 ~ hucktech ~ Leave a comment

There is a summer school on security of IoT and it's backends in Graz @tugraz from September 3 – 9. https://t.co/UUpj4K08XD
Among the speakers we have @gianluca_string @SrdjanCapkun @asabelfeld @matteo_maffei and me and quite a few people that I couldn't find on Twitter.

— Daniel Gruss (@lavados) June 7, 2018

Looking forward to showing some attendees the best places to get a beer in Graz and chat about interesting research ideas.
Also if you just started with your #PhD you can chat with @misc0110 and @mlqxyz and me on how we approach paper writing.

— Daniel Gruss (@lavados) June 7, 2018

The school covers attacks, countermeasures and formal methods to analyze the security of implementations. There will be two labs/trainings with tutorials on runtime attacks and side-channels including the recent attacks #meltdown and #spectre.
And it's a good way to connect.

— Daniel Gruss (@lavados) June 7, 2018

Welcome to our second School on Security & Correctness in the Internet of Things 2018, held from 3.-9. September. It is hosted by the research center “Dependable Internet of Things“, located at Graz University of Technology. This school targets graduate students interested in security aspects of tomorrow’s IoT devices. Current advances in technology drive miniaturization and efficiency of computing devices, opening a variety of novel use cases like autonomous transportation, smart cities and health monitoring devices. However, device malfunction could potentially threaten human welfare or even life. Malfunction might not only be caused by design errors but also by intentional impairment. As computing devices are supposed to have high and permanent network connectivity, an attacker finding a vulnerability might easily target millions of devices at once. Moreover, integration of computing devices in everyday items exposes them to a potentially hostile physical environment. A central requirement of tomorrow’s IoT is the ability to execute software dependably on all kinds of devices. IoT devices need to provide security in the presence of network attacks as well as against attackers having physical access to the device. During the five-day school, participants will gain awareness of these IoT-related challenges. Introductory classes are supplemented by advanced courses in the area of system security, cryptography as well as software and hardware side-channels. During spare time participants are invited to enjoy the city of Graz and attend organized events.

https://www.securityweek.at/school/

T-Fuzz: fuzzer based on angr and radare2

June 6, 2018 ~ hucktech ~ Leave a comment

T-Fuzz – a fuzzing tool based on program transformation and Crash Analyzer. Slides: https://t.co/LEKdcT9Ykn WP: https://t.co/C2StHBv917 Based on angr, radare2. https://t.co/6pWBB70DQG

— PythonArsenal (@PythonArsenal) June 6, 2018

https://github.com/HexHive/T-Fuzz

Click to access 18Oakland-presentation.pdf

Click to access 18Oakland.pdf

TPM 2.0 in QEMU

June 6, 2018 ~ hucktech ~ Leave a comment

Useful post by Serge Hallyn, "TPM 2.0 in qemu",
https://t.co/n1Ewfllpzj

— James Morris 👾 (@xjamesmorris) June 6, 2018

If you want to test software which exploits TPM 2.0 functionality inside the qemu-kvm emulator, this can be challenging because the software stack is still quite new. Here is how I did it.[…]

TPM 2.0 in qemu

ZFS-on-Root-Installer: Install ZFS on Root with Ubuntu

June 6, 2018 ~ hucktech ~ Leave a comment

A Bare Metal Installer for ZFS on Root

This repository is intended to produce a bootable UEFI image that allows installing a full bare system with ZFS disks. Be aware that it is not intended for building dual-boot systems. While you are given the ability to choose which disks are used, the EFI boot system will wipe other OS entries. It uses an Ubuntu kernel and a minimal ramdisk builder to host the scripts used to perform the actual install.[…]

https://github.com/symmetryinvestments/zfs-on-root-installer

UEFI_Python: python tool to prase uefi as fv/ffs/variable/Hii

June 6, 2018 ~ hucktech ~ Leave a comment

python tool to prase uefi as fv/ffs/variable/Hii

https://github.com/Tank2018/Uefi_python

windows2usb: Windows ISO to Flash drive burning utility for Linux

June 6, 2018 ~ hucktech ~ Leave a comment

Windows 7/8/8.1/10 ISO to Flash Drive burning utility for Linux (MBR/GPT, BIOS/UEFI, FAT32/NTFS.

Does not break UEFI Secure Boot chain.

https://github.com/ValdikSS/windows2usb

eWeek: Processor Flaws Force Chip Producers to Make Security Top Priority

June 6, 2018 ~ hucktech ~ Leave a comment

[…]Here are five of the most serious that were reported in the past year.
1. Spectre, Meltdown variants post triple threat
2. Researchers find flaws related to Speculative Store Bypass
3. Intel acknowledges flaws in ME, AMT subsystems
4. When 140 years is not long enough: the ROCA flaw
5. Insensitive disclosure of sensitive issues: AMD PSP flaws

http://www.eweek.com/security/processor-flaws-force-chip-producers-to-make-security-top-priority

Intel releases SMM-free processor! :-)

June 5, 2018 ~ hucktech ~ Leave a comment

Time to stock up new FreeDOS-capable hardware, while you have a chance. 😉

Actually, I’m not sure, maybe this limited edition processor *DOES* have SMM, that’d be interesting in other ways.

https://www.intel.com/content/www/us/en/products/processors/core/i7-processors/i7-8086k.html

https://game.intel.com/8086sweepstakes/

Let's not forget, it was David Schor who came up with this idea 6 months ago https://t.co/m6gW9G4M9j pic.twitter.com/zj4IzNOvZl

— VideoCardz.com (@VideoCardz) June 5, 2018

Anyone from #Intel, please pitch this SKU to management! 🤞

Launch Date: June 8, 2018
SKU: "Intel Core i7-8086K 40th Anniversary Edition"
Specs: 8th Gen (CFL), 6C/12T, 5 GHz Turbo, unlocked.

— David Schor (@david_schor) January 18, 2018

As someone who cut his teeth on the processor this celebrates, my desire for this is beyond appropriate. You don't understand.

Intel announces limited edition 5GHz Core i7-8086K anniversary CPU https://t.co/7MQXo2xTUN #8086K pic.twitter.com/gTVTK0jNjm

— Joel Santiago (@joelsantiago) June 5, 2018

https://www.bleepingcomputer.com/news/hardware/intel-announces-the-intel-core-i7-8086k-5ghz-limited-edition-cpu/

https://www.bleepingcomputer.com/news/hardware/intel-core-i7-8086k-5ghz-anniversary-edition-cpus-leaked-online/

Two random tweets

June 5, 2018 ~ hucktech ~ Leave a comment

The highest standards of security, privacy, and engineering of ZTE/Huawei means nothing if security expert cannot review your firmware for backdoors. I wonder if Apple/Google/Samsung gives exclusive access to the Pentagon to review their source code.

— nixCraft 🐧 (@nixcraft) May 2, 2018

Also, it's funny when some people are yelling about possible ME/AMT backdoors. Actually, BMC backdooring by supply chain or remote attacker is more easier task in 1000 times w-out any significant technical challenges

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) May 2, 2018

Virtualization-based security (VBS) memory enclaves: Data protection through isolation

June 5, 2018 ~ hucktech ~ Leave a comment

I’m glad that Virtualization-Based Security has replaced VisualBasic Script as the new acronym for VBS. 🙂

The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks. Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves.[…]

https://cloudblogs.microsoft.com/microsoftsecure/2018/06/05/virtualization-based-security-vbs-memory-enclaves-data-protection-through-isolation/

Duo Labs: organizations can be “software secure but firmware vulnerable”

June 5, 2018 ~ hucktech ~ Leave a comment

Duo Labs, who has EFIgy, an EFI firmware update status tool for Mac, is interviewed by InfoSecurity Magazine on the topic of EFI security:

[…]Although efforts to compromise EFI are most often carried out as part of highly targeted attacks, they remain a major threat to organizations, he warned. […] Smith revealed newly updated research from Duo Security which details shortcomings in Apple’s EFI update processes. Drawing on data collected from 73,000 customer machines, the findings show that 4.2% were running the wrong EFI version – much higher than the 1% or so expected. That rose to nearly 43% for the oldest Mac model on the market, dating back to 2015. The results also showed that organizations could be “software secure but firmware vulnerable.” […] He called on tech firms to introduce “the same degree” of transparency into the firmware update process as they do with software updates. Duo Security chose to study Apple because the firm’s singular ecosystem made it easier to analyze, but Smith warned that failings in the Wintel space are arguably even more acute.[…]

https://www.infosecurity-magazine.com/news/infosec18-experts-in-efi-update/

Rufus: 2 unspecified vulnerabilities hinted-at

June 4, 2018 ~ hucktech ~ Leave a comment

Stefan Kanthak has submitted a bug against Pete Batard’s Rufus, a Win32 GDI tool that helps create USB thumbdrives. Rufus is — these days — somewhat of a rarity, an open source tool that is a native Win32 GDI GUI C application. These days, most open source GUI tools are Qt or GTK. Even Microsoft has basically given up on Win32. Old School Windows tool. 🙂

I wish Stefan was less of an <EXPLETIVE> in how he reported it.

Pete has been writing EFI-centric Free Software for a long time, not many people can write UEFI file system drivers and Win32 GDI GUI applications. Thanks for creating all these tools for people, Pete!

https://rufus.ie/
https://pete.akeo.ie/
https://skanthak.homepage.t-online.de/home.html
https://github.com/pbatard/rufus
http://www.openwall.com/lists/oss-security/2018/05/31/1

Mr. IoT’s IoT Security 101

June 4, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/campuscodi/status/1003682799604420608

https://github.com/V33RU/IoTSecurity101/blob/master/README.md

http://iotpentest.com/ has a bunch of interesting blog posts, eg:

http://iotpentest.com/firmware-analysis-basics/

CopperheadOS company problems

June 4, 2018 ~ hucktech ~ 2 Comments

https://twitter.com/danielmicay/status/1003704234263511040

https://twitter.com/danielmicay/status/1003704704814026753

https://twitter.com/danielmicay/status/1003705802270445573

https://copperhead.co/android/
https://github.com/copperhead

PT Security: new Intel ME research

June 4, 2018 ~ hucktech ~ Leave a comment

Our (with @_Dmit & @_markel___ ) new presentation about security keys in ME11 and DLMP partition which allows to get a main ME secret. #CONFidence_news #IntelME https://t.co/iCnyqMgrGY

— Maxim Goryachy (@h0t_max) June 4, 2018

Positive Technologies' researchers Dmitry Sklyarov and Maxim Goryachy gave a technical talk about security keys genealogy and obfuscation in #IntelME at @CONFidence_news Krakow (https://t.co/tvz2kyuNHb). Presentation slides are available on GitHub: https://t.co/NcmCqZa4kg

— PT Security (@PTsecurity_EN) June 4, 2018

https://github.com/ptresearch

Click to access Intel%20ME%20Security%20keys%20Genealogy%2C%20Obfuscation%20and%20other%20Magic.pdf

Eclypsium on BloombergTV

June 4, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/05/17/eclypsium-in-bloomberg/

Eclypsium was on BloombergTV today! Hmm, I can’t find the URL of the video, if you can, please add it as a Comment to this blog.

Eclypsium co-founder and CEO @c7zero discussed the growing threat of firmware attacks with @jordanr1000 and @CarolineHydeTV on #BloombergTV pic.twitter.com/ORQRyDffqa

— Eclypsium (@eclypsium) June 4, 2018

Thank you for a great discussion! https://t.co/JwlftCUqsG

— Yuriy Bulygin (@c7zero) June 4, 2018

Category: Uncategorized

Eclypsium: new Supermicro firmware research

Teddy Reed on U-Boot’s Verified Boot

Shadow-Box: Lightweight and Practical Kernel Protector for x86 (or ARM)

ACM SIG Int’l Symposium on Microarchitecture 2017: slides “temporarily available”

Graz: School on Security and Correctness in the IoT 2018

T-Fuzz: fuzzer based on angr and radare2

TPM 2.0 in QEMU

ZFS-on-Root-Installer: Install ZFS on Root with Ubuntu

UEFI_Python: python tool to prase uefi as fv/ffs/variable/Hii

windows2usb: Windows ISO to Flash drive burning utility for Linux

eWeek: Processor Flaws Force Chip Producers to Make Security Top Priority

Intel releases SMM-free processor! :-)

Two random tweets

Virtualization-based security (VBS) memory enclaves: Data protection through isolation

Duo Labs: organizations can be “software secure but firmware vulnerable”

Rufus: 2 unspecified vulnerabilities hinted-at

Mr. IoT’s IoT Security 101

CopperheadOS company problems

PT Security: new Intel ME research

Eclypsium on BloombergTV