Category: Uncategorized

GCC 8.1 Released

~ hucktech ~ Leave a comment

GCC 8.1 is a major release containing substantial new functionality not available in GCC 7.x or previous GCC releases.

This releases features significant improvements in the emitted diagnostics, including improved locations, location ranges and fix-it hints (especially in the C++ front-end), and various new warnings have been added.

Profile driven optimizations have been significantly improved, on x86 functions are now split into hot and cold regions by default. The link time optimizations now have a new way of emitting the DWARF debug information, which makes LTO optimized code more debuggable. New loop optimizers have added and existing improved and some, like -ftree-loop-distribution, -floop-unroll-and-jam and -floop-interchange have been enabled by default at-O3.

The AArch64 target now supports the Scalable Vector Extension, whichfeatures vectors with runtime determined number of elements.

http://gcc.gnu.org/gcc-8/porting_to.html
https://gcc.gnu.org/gcc-8/changes.html
http://www.gnu.org/order/ftp.html

 

Lojack (formerly CompuTrace) Becomes a Double-Agent

~ hucktech ~ Leave a comment

ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors. Lojack, formally known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.

https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

Wikipedia on LoJack: “Analysis of Computrace by Kaspersky Lab shows that in rare cases, the software was preactivated without user authorization. The software agent behaves like rootkit (bootkit), reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute’s servers via the internet. This installer (small agent) is vulnerable to certain local attacks[8][9] and attacks from hackers who can control network communications of the victim.”

https://en.wikipedia.org/wiki/LoJack_for_Laptops

https://www.absolutelojack.com/features/

 

AMI statement for Meltdown/Spectre for MegaRAC BMC

~ hucktech ~ Leave a comment

https://ami.com/en/tech-blog/ami-statement-in-response-to-meltdown-and-spectre-security-vulnerabilities-for-megarac-bmc-firmware-on-aspeed-armbased-platforms/

https://www.nikktech.com/main/news/8940-american-megatrends-statement-in-response-to-meltdown-and-spectre-security-vulnerabilities-for-megarac-bmc-firmware-on-aspeed-arm-based-platforms

Bypassing code protection on an Intel 8752

~ hucktech ~ Leave a comment

Bypassing code protection on an Intel 8752
Kibo Schaffer

The security bits that enforce code protection on the Intel 8752 can be cleared with UV, while keeping the main program memory mostly intact by applying a UV mask (nail polish) to the EPROM regions of the die.[…]

https://blog.inach.is/8752/

Ceramic chip decapping rig

Arm announces security features in Cortex-M35P

~ hucktech ~ Leave a comment

On Wednesday, 2nd May we announced a range of IP to protect silicon from physical attacks, extending our portfolio of Arm security IP to bring physical security within reach of any IoT product. Our new IP, all marked with a “P” tag for physical security, includes: the Cortex-M35P processor, as well as a new suite of security IP with added side-channel attack protection (CryptoIsland-300P and CryptoCell-312P). This post describes how the benefits and features of the Cortex-M35P bring anti-tampering protection to the widely-supported, user-friendly Cortex-M processor to guard against physical attacks, providing access to new markets for your product.[…]

https://www.arm.com/products/processors/securcore

https://community.arm.com/processors/b/blog/posts/arm-cortex-m35p-multilayered-security-at-heart-of-your-device

Microsoft introduces Trusted Cyber Physical Systems (TCPS)

~ hucktech ~ Leave a comment

Trusted Cyber Physical Systems looks to protect your critical infrastructure from modern threats in the world of IoT
Thomas Pfenning / Director Software Engineering
April 24, 2018

This week at Hannover Messe 2018 in Germany, we are excited to demonstrate how Microsoft is utilizing its more than 25 years of embedded and hardware security experience with a new project codenamed Trusted Cyber Physical Systems (TCPS). This solution seeks to provide end-to-end security that is resilient to today’s cyber-attacks so our industrial customers can operate their critical infrastructures with confidence and with no negative impact to their intellectual property and customer experience.[…]

https://blogs.windows.com/business/2018/04/24/trusted-cyber-physical-systems-looks-to-protect-your-critical-infrastructure-from-modern-threats-in-the-world-of-iot/

Click to access TCPS-WP.pdf

Click to access Protecting-Critical-Infrastructure.pdf

EFI-RPM-macros: helps packaging of EFI code into Red Hat RPMs

~ hucktech ~ Leave a comment

efi-rpm-macros provides a set of RPM macros for use in EFI-related packages.

The following variables are meaningful on the make command line:

EFI_ESP_ROOT the directory where the EFI System Partition is mounted
EFI_ARCHES the rpm arches %efi will match on
EFI_VENDOR the vendor name for your EFI System Partition directory

The following rpm macros are set:

%efi the arches that EFI packages should be built on, suitable for use with %ifarch
%efi_vendor the vendor name for your EFI System Partition directory
%efi_esp_root the directory where the EFI system Partition is mounted
%efi_esp_efi the full path to \EFI on the EFI System Partition
%efi_esp_boot the full path to \EFI\BOOT on the EFI System Partition
%efi_esp_dir the full path to your vendor directory on the EFI System Partition
%efi_arch the EFI architecture name, e.g. x64
%efi_arch_upper the EFI architecture name in upper case, e.g. X64

https://github.com/rhboot/efi-rpm-macros

 

upcoming queue of BMC/iLO research…

~ hucktech ~ Leave a comment

3 different submissions to upcoming conferences. One abstract (for SSTIC’18) is below:

https://twitter.com/nicowaisman/status/990232607253245957

https://www.sstic.org/2018/presentation/subverting_your_server_through_its_bmc_the_hpe_ilo4_case/

Subverting your server through its BMC: the HPE iLO4 case
Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date : 13 juin 2018 à 11:30 — 30 min.

iLO is the server management solution embedded in almost every HP servers for more than 10 years. It provides the features required by a system administrator to remotely manage a server without having to physically reach it. iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9) runs on a dedicated ARM micro-processor embedded in the server, totally independent from the main processor. We performed an initial deep dive security study of HP iLO4 and covered the following topics: firmware unpacking and memory layout, embedded OS internals, vulnerability discovery and exploitation as well as full compromise of the host server operating system through DMA. One of the main outcome of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass but also a remote code execution. Still, one question remains open, namely; are the iLO systems resilient against a long term compromise at firmware level. For this reason, this paper is focused on the update mechanism and how a motivated attacker can achieve long term persistence on the system; how a new/backdoored firmware can be crafted then installed, to offer an attacker a stealth and resilient backdoor in an environment which has been compromised.

DMTF, NVMe and SNIA form 3-way alliance for SSD storage mgmt

~ hucktech ~ Leave a comment

The DMTF, NVM Express, Inc. and SNIA have formed a new three-way alliance to coordinate standards for managing SSD storage devices. […] In addition to SNIA’s Swordfish and DMTF’s Redfish, the alliance’s collaborative work will include the following standards:

* NVM Express™(NVMe™) is the register interface and command set for PCI Express attached storage with industry standard software available for numerous operating systems. The NVM Express™Management Interface (NVMe-MI™) is the command set and architecture for management of NVM Express storage (e.g., discovering, monitoring, and updating NVMe devices using a BMC).

* DMTF’s Management Component Transport Protocol (MCTP) is a protocol and Platform Level Data Model (PLDM) is a low-level data model defined by the DMTF Platform Management Components Intercommunications (PMCI) Working Group (https://www.dmtf.org/standards/pmci) . MCTP is designed to support communications between different intelligent hardware components that make up a platform management subsystem that provides monitoring and control functions inside a managed system.

* DMTF’s PLDM for Redfish Device Enablement (RDE) defines messages and data structures used for enabling PLDM devices to participate in Redfish-based management without needing to support either JavaScript Object Notation (JSON, used for operation data payloads) or the [Secure] Hypertext Transfer Protocol (HTTP/HTTPS, used to transport and configure operations).

[…]

Click to access NVMe-DMTF-SNIA_Work_Register_v1.0.pdf

https://www.dmtf.org/

Front


https://www.snia.org/
https://www.snia.org/forums/smi/swordfish
http://www.dmtf.org/standards/redfish

Micah Lee: It’s impossible to prove your laptop hasn’t been hacked. I spent two years finding out

~ hucktech ~ Leave a comment

Very good article, talks about firmware/hardware threats, and gives a checklist of how to check for some of them. I need to update the “Guidance” part of some upcoming slides to incorporate ideas from this article.

https://twitter.com/josephfcox/status/990249064104067072

It’s Impossible to Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.
Micah Lee
April 28 2018, 7:00 a.m.

Digital security specialists like me get some version of this question all the time: “I think my laptop may have been infected with malware. Can you check?”[…]

It’s Impossible to Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.

DoNotDisturb: now with email support (and YONTMA)

~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/04/25/donotdisturb-detect-evil-maid-attacks/

someone has created some more Mac-centric Evil Maid detection code:

https://twitter.com/ptrckhbr/status/989903893898416128

https://github.com/ptrckhbr/scripts/blob/master/applescript/DND.scpt

I wish someone would collect all the various FW/OS-centric ways to check for Evil Maids, and write a tool that covers all of them. Here’re some other ways, via You’ll Never Take Me Alive (YONTMA) from iSEC Partners (now NCC Group):

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2013/march/yontma-youll-never-take-me-alive/
https://github.com/iSECPartners/yontma
https://github.com/iSECPartners/yontma-mac

 

QEMU has RISC-V support

~ hucktech ~ Leave a comment

part 2:https://www.sifive.com/blog/2018/04/25/risc-v-qemu-part-2-the-risc-v-qemu-port-is-up stream/

part 1: https://www.sifive.com/blog/2017/12/20/risc-v-qemu-part-1-privileged-isa-hifive1-virtio/

see-also Sifive’s statement on Spectre/Meltdown:

https://www.sifive.com/blog/2018/01/05/sifive-statement-on-meltdown-and-spectre/

HPE seeks senior UEFI developer

~ hucktech ~ Leave a comment

Senior UEFI Development Engineer
Job ID 1023806

Strong knowledge in UEFI security or firmware security in general.
Strong knowledge in TPM, Secure Boot, TXT, and RSA.
Knowledge of industry standard technologies including ACPI, USB, SMBIOS, IPMI, Redfish, and PCI express.
8+ years’ experience in firmware or BIOS/UEFI development.
In-depth knowledge of UEFI architecture and development (focused on the EDK2 development environment).

https://careers.hpe.com/job/-/-/3545/7942722

U-Boot gets Android Verified Boot (AVB) 2.0

~ hucktech ~ Leave a comment

Igor Opaniuk of Linaro posted a patch to the U-Boot list, adding Android Verified Boot 2.0 support:

This series of patches introduces support of Android Verified B oot 2.0,which provides integrity checking of Android partitions on MMC. It integrates libavb/libavb_ab into the U-boot, provides implementation of AvbOps, subset of `avb` commands to run verification chain (and for debugging purposes), and it enables AVB2.0 verification on AM57xx HS SoC by default. Currently, there is still no support for verification of A/B boot slots and no rollback protection (for storing rollback indexes there are plans to use eMMC RPMB). Libavb/libavb_ab will be deviated from AOSP upstream in the future, that’s why minimal amount of changes were introduced into the lib sources, so checkpatch may fail. For additional details check [1] AVB 2.0 README and doc/README.avb2, which is a part of this patchset.[…]

https://lists.denx.de/pipermail/u-boot/2018-April/326562.html