pmem.io: Intel persistent memory

Re: https://firmwaresecurity.com/2018/04/11/intel-persistent-memory/ and https://firmwaresecurity.com/2018/05/10/intel-adds-python-bindings-to-persistent-memory-sdk/

https://twitter.com/daniel_bilar/status/1002250766357278720

https://newsroom.intel.com/editorials/re-architecting-data-center-memory-storage-hierarchy/

http://pmem.io/

DHS’ S&T Directorate Selects Four Firms for Device Firmware Security Research

https://www.dhs.gov/science-and-technology/news/2018/05/30/news-release-st-announces-four-sbir-awards-secure-mobile

Kryptowire LLC, Fairfax, Va., SAFARI: Scalable Analysis of Firmware for AndRoid and iOS—Kryptowire was awarded $149,993 to determine the feasibility of a scalable, comprehensive and automated framework to detect firmware-borne threats—malicious and unintentionally insecure—in Android and iOS devices. The framework will encompass three analysis techniques: forced-path execution, static analysis and dynamic analysis across multiple software modules and applications to provide analysis of device firmware across different vendors, operating systems and applications.

RAM Laboratories, Inc., San Diego, California, Automated & Scalable Analysis of Mobile & IoT Device Firmware—RAM Laboratories was awarded $150,000 to prove its concept for Firmalytics, a modular and scalable framework that will automatically analyze firmware for security vulnerabilities, backdoors and malware. As envisioned, the framework also will add the analysis results to a database to support a correlation engine to be used for identifying groups of similar firmware vulnerabilities.

Red Balloon Security, New York, New York, Firmware Automated Analysis at Scale with Testing—Red Balloon was awarded $149,869 to test its proposed Firmware Automated Analysis at Scale with Testing (FAAST) technology. FAAST will be built on top of the company’s Firmware Reverse Analysis Konsole (FRAK) unpacker for unpacking, analyzing, modifying and packaging firmware images. The goal of the project is to demonstrate feasibility of the mobile and embedded firmware analysis automation technology platform.

Sekurity LLC, Jersey City, New Jersey, Principled Security Analysis of the Firmware Binaries via Guaranteed Formal Verification and Scalable Dynamic Monitoring—Sekurity was awarded $149,999 to test the feasibility of its proposed firmware binary security analysis framework (BINNSEC) for mobile and IoT devices. To ensure scalability and usability across different firmware binary formats, BINNSEC will use a combination of advanced binary reverse engineering, malware analysis, programming languages techniques, formal methods and dynamic vulnerability assessment algorithms to generate accurate and human-perceivable reports in a timely manner.

https://redballoonsecurity.com/


If you can find the web site for Sekurity LLC, please leave a Comment on this blog with an URL.

Practical DMA attack on Windows 10

Written by Jean-Christophe Delaunay · 2018-05-30 · in Pentest

Among the various security assessments performed by Synacktiv, some involve attacking the security hardening of a laptop or workstation master image that will be massively deployed in an infrastructure. The purpose of this kind of security assessment is to give the client an overview of its level of maturity regarding security concerns and provide him with some recommendations in order to increase his level of security. This post describes how Synacktiv defeated a workstation's security measures by using a hardware approach.[…]

https://www.synacktiv.com/posts/pentest/practical-dma-attack-on-windows-10.html

Example photo of Evil Maid attacker in their lab: 🙂


Zerocat Chipflasher

Zerocat is selling Chipflasher “board-edition-1”, which has earned the Free Software Foundation’s Respects Your Freedom (RYF) certification.

[…]Let’s create trustworthy hardware on our own, the free-design Propeller microchip empowers us to do so! When it comes to flashing a coreboot or libreboot laptop, we are now using Zerocat’s free-design chipflasher as part of a quite clean & free toolchain. Commonly used flashers like the Beagle Bone Black or Raspberry Pi with chips of a proprietary design can now be avoided. The Zerocat Chipflasher is meant as a Do-It-Yourself project (DIY). It is easy to build and easy to use. For SMD-packaged chips, you may use a test clip.[…]

https://www.fsf.org/news/zerocat-chipflasher-board-edition-1-now-fsf-certified-to-respect-your-freedom

http://www.zerocat.org/chipflasher-board-edition-1.html

http://www.zerocat.org/shop-en.html

Flash your Libre Firmware with a Libre Programmer

Flashing a Gigabyte GA-G41M-ES2L Desktop Board

Hardware security talks on the rise…

It looks like hardware/firmware security submissions to security conferences are on the rise:

https://twitter.com/savagejen/status/1001595209766113280

https://www.blackhat.com/us-18/briefings/schedule/#track/hardwareembedded

Chromium: Post-Spectre Threat Model Re-Think

https://twitter.com/fugueish/status/1001605230583136256

In light of Spectre/Meltdown, we needed to re-think our threat model and defenses for Chrome renderer processes. Spectre is a new class of hardware side-channel attack that affects (among many other targets) web browsers. This document describes the impact of these side-channel attacks and our approach to mitigating them. The upshot of the latest developments is that the folks working on this from the V8 side are increasingly convinced that there is no viable alternative to Site Isolation as a systematic mitigation to SSCAs [speculative side-channel attacks]. In this new mental model, we have to assume that user code can reliably gain access to all data within a renderer process through speculation. This means that we definitely need some sort of ‘privileged/PII data isolation’ guarantees as well, for example ensuring that password and credit card info are not speculatively loaded into a renderer process without user consent. […] In fact, any software that both (a) runs (native or interpreted) code from more than one source; and (b) attempts to create a security boundary inside a single address space, is potentially affected. For example, software that processes document formats with scripting capabilities, and which loads multiple documents from different sources into the same process, may need to take defense measures similar to those described here.[…]

https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md


Xeno updates Low Level PC Attack Papers list

Re: https://firmwaresecurity.com/2017/05/15/xeno-updates-low-level-pc-attack-papers-list/

Xeno has updated it again. Look at his current tweets to see the individual entries added. Xeno is one of the pioneers of firmware security research, and this is basically the canon list of HW/FW issues.

Required reading for anyone reading a blog like this.

https://timeglider.com/timeline/5ca2daa6078caaf4

I’ll be blunt, I *LOVE* the data, but I wish it was a plain web page, TimeGlider makes the data less useful to me.

Hoping someday the data expands to virtualization-level firmware, in addition to bare-metal.

Pyra (Debian-based gaming console) needs kernel ARM/OMAP experts

Pyra needs help by kernel and low-level ARM/OMAP experts

W. Martin Borgert posted a message to the Debian kernel/ARM lists soliciting kernel developer help for a Debian-based gaming console, the successor to OpenPandora.

Borgert quote:

I just read this post by Pyra project leader Michael Mrozek a.k.a. “Evil Dragon”. (Pyra is planned to be a Debian based gaming console, successor of OpenPandora.) They need help from kernel devs and folks who know OMAP etc. Maybe somebody here can help them? There even might be some money in it. No doubt about fame and fun, though!

Evil Dragon quote:

[…]This brings up another important point: Kernel developers! There’s still quite a few things which should be done before the release. We don’t have proper powersaving, the TILER implementation needs to be tidied up, 3D is not yet implemented, Audio needs a better setup, etc. It seems there are less and less kernel developers having the time to work on such things in their spare time. That’s why I decided to hire freelancers to help out as well![…]I know we’ve got quite a lot of OpenSource fans around here. Maybe some know some good kernel developers, who are able to include and improve hardware support and fix various issues. We can provide a test unit as well as the needed datasheets – but it needs someone who is capable of debugging and fixing low-level things.[…]

https://pyra-handheld.com/boards/threads/moving-along.82982/
https://pyra-handheld.com/


USB Hub Bug Hunting and Lessons Learned

In this article I’ll show how a protocol analyzer is used, how my instincts turned out to be very wrong, and along the way dive into arcane USB details you probably won’t see explained anywhere else.[…]

https://www.pjrc.com/usb-hub-bug-hunting-lessons-learned/

Azeria Labs releases new ARM cheat sheet poster

https://azeria-labs.com/

Open Source Firmware Conference (OSFC) CfP open!

The Call for Papers is open for the Open Source Firmware Conference:

https://osfc.io/

https://easychair.org/cfp/osfc2018

CheckBIOSDisk: Check uefi/legacy bios and gpt/mbr disk type for WinPE

This is a Win32 console application for the Windows Preinstallation Environment (WinPE). The goal is to check that a PC booted with UEFI firmware (or UEFI with CSM) has its disk laid out in GPT format, and that a PC booted with a legacy BIOS uses an MBR disk layout. The C++ code only runs the Windows diskpart and reg commands and checks their results, because the requester was lazy and lacked the knowledge to design the command flow himself.

https://github.com/sharowyeh/checkbiosdisk

PS: Another tool by author:

https://github.com/sharowyeh/NvGpuUtility
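The same firmware-mode versus partition-style consistency check, written as an added PowerShell example rather than the CheckBIOSDisk project's own C++ code. It assumes Windows PowerShell with the Storage module is available (in a WinPE image that means the WinPE-PowerShell and WinPE-StorageWMI optional components), relies on the `firmware_type` environment variable that Windows 8 and later set to `UEFI` or `Legacy`, and falls back to `Confirm-SecureBootUEFI`, which throws on legacy-BIOS systems. The disk number defaults to 0 because a WinPE session typically has no OS volume mounted yet; pass `-DiskNumber` to check another disk.

```powershell
# Added example (not the CheckBIOSDisk project's code): verify that the firmware
# boot mode (UEFI vs. legacy BIOS) matches the partition style (GPT vs. MBR)
# of the disk Windows will be installed on. Exit code 0 = consistent, 1 = mismatch.
# Assumption: Storage module present (WinPE-PowerShell + WinPE-StorageWMI in WinPE).
param(
    [int]$DiskNumber = 0   # assumption: disk 0 is the target install disk
)

function Get-FirmwareType {
    # Windows 8+ exposes the boot mode of the running session as 'UEFI' or 'Legacy'.
    $type = $env:firmware_type
    if ([string]::IsNullOrEmpty($type)) {
        # Fallback: Confirm-SecureBootUEFI throws when the machine booted via legacy BIOS.
        try {
            Confirm-SecureBootUEFI -ErrorAction Stop | Out-Null
            $type = 'UEFI'
        } catch {
            $type = 'Legacy'
        }
    }
    return $type
}

function Get-DiskPartitionStyle {
    param([int]$Number)
    # Get-Disk reports PartitionStyle as GPT, MBR or RAW (uninitialised).
    $disk = Get-Disk -Number $Number -ErrorAction Stop
    return [string]$disk.PartitionStyle
}

function Test-BootModeDiskMatch {
    param(
        [Parameter(Mandatory)][ValidateSet('UEFI', 'Legacy')][string]$FirmwareType,
        [Parameter(Mandatory)][ValidateSet('GPT', 'MBR', 'RAW')][string]$PartitionStyle
    )
    # UEFI boots Windows from a GPT disk; legacy BIOS boots from an MBR disk.
    # A RAW (uninitialised) disk matches neither and is reported as a mismatch.
    switch ($FirmwareType) {
        'UEFI'   { return ($PartitionStyle -eq 'GPT') }
        'Legacy' { return ($PartitionStyle -eq 'MBR') }
    }
}

$fw    = Get-FirmwareType
$style = Get-DiskPartitionStyle -Number $DiskNumber

if (Test-BootModeDiskMatch -FirmwareType $fw -PartitionStyle $style) {
    Write-Output "OK: firmware=$fw disk$DiskNumber=$style"
    exit 0
} else {
    Write-Output "MISMATCH: firmware=$fw disk$DiskNumber=$style (UEFI needs GPT, legacy BIOS needs MBR)"
    exit 1
}
```

Running it from a deployment task sequence and branching on the exit code gives the same gate the original tool provides, without parsing diskpart output by hand; a RAW disk is deliberately treated as a mismatch so the script cannot silently pass a disk that has not been initialised yet.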


Android bootloader flow documentation published

Alex Deymo notes that the Android project has more documentation on their boot process, and posted about it on the U-Boot mailing list:

“Just an FYI, earlier this month the team spent some time polishing and publishing in source.android.com documentation about the flows the bootloader goes through in Android, especially true for stock Android like in Pixel phones or other devices based on recent AOSP versions. This documentation includes the interaction between userspace and the bootloader such as the properties userspace expects when booting A/B devices, the whole A/B flow, the bootloader message in the misc partition (BCB), how they interact with the “recovery mode” in Android and much more.”

https://lists.denx.de/pipermail/u-boot/2018-May/329886.html

https://source.android.com/devices/bootloader/

USB Reverse Engineering: A Universal Guide

by: Ben James
May 25, 2018

[Glenn ‘devalias’ Grant] is a self-proclaimed regular rabbit hole diver and is conscious that, between forays into specific topics, short-term knowledge and state of mind can be lost. This time, whilst exploring reverse engineering USB devices, [Glenn] captured the best resources, information and tools – for his future self as well as others. His guide is impressively comprehensive, and covers all the necessary areas in hardware and software.[…]

USB Reverse Engineering: A Universal Guide


Free ebook: Software Security: Principles, Policies, and Protection


Welcome to Software Security: Principles, Policies, and Protection (SS3P), a free book about software security. SS3P focuses on basic software security principles, secure software development from design over implementation to testing, software security policies (with a focus on memory- and type-unsafe languages like C/C++), defense strategies with a focus on verification, testing, and mitigation, attack vectors, and reverse engineering. The different chapters are augmented with several case studies.
This book is, was, and always will be free and openly accessible in PDF form. If you reference the book, please link to the SS3P PDF directly so that your readers will always get the most recent version.
The intended audience of this book are advanced undergraduate and graduate students interested in software security (e.g., as part of a software security, system security, or information security class) as well as developers working with low level languages such as C/C++.

https://nebelwelt.net/SS3P/


Expect More Spectre, Meltdown Variants Until Updated Chips Arrive

[…]For a company like Intel, testing would cost several million dollars and take two to three months for each iteration.

“Flat out, that’s [a complete rewrite] not gonna happen,” said Joe FitzPatrick, a hardware security researcher and trainer.[…]

https://duo.com/decipher/expect-more-spectre-meltdown-variants-until-updated-chips-arrive


SEVered: Subverting AMD’s Virtual Machine Encryption

AMD SEV is a hardware feature designed for the secure encryption of virtual machines. SEV aims to protect virtual machine memory not only from other malicious guests and physical attackers, but also from a possibly malicious hypervisor. This relieves cloud and virtual server customers from fully trusting their server providers and the hypervisors they are using. We present the design and implementation of SEVered, an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines. SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine. We verify the effectiveness of SEVered on a recent AMD SEV-enabled server platform running different services, such as web or SSH servers, in encrypted virtual machines. With these examples, we demonstrate that SEVered reliably and efficiently extracts all memory contents even in scenarios where the targeted virtual machine is under high load.