Category: Uncategorized

EFIDroid’s Qt port working on Intel now

~ hucktech ~ Leave a comment

The author of EFIDroid posted a comment, in reply to another EFIDroid query comment.  Previously, UEFI Qt of EFIDroid was ARM-centric, now:

“I’ve even recently started adding X64 support so it can be used on regular computers – I only have to add X64 support to UEFIThreads to complete that(which is required by QML).”

Looking forward to seeing UEFITool GUI app working as a UEFI app. 🙂

Qtbase: EFIDroid port of Qt to UEFI!

https://github.com/efidroid/qtbase

Purism has Heads working on Librem laptops

~ hucktech ~ Leave a comment

And newer Librems have TPMs bulit-in now.

https://puri.sm/posts/librem-now-most-secure-laptop-under-full-user-with-tamper-evident-features/

Heads booting on a Librem 13v2 TPM

SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution

~ hucktech ~ Leave a comment

SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution
Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, Ten H. Lai
(Submitted on 25 Feb 2018)

This paper presents SgxPectre Attacks that exploit the recently disclosed CPU bugs to subvert the confidentiality of SGX enclaves. Particularly, we show that when branch prediction of the enclave code can be influenced by programs outside the enclave, the control flow of the enclave program can be temporarily altered to execute instructions that lead to observable cache-state changes. An adversary observing such changes can learn secrets inside the enclave memory or its internal registers, thus completely defeating the confidentiality guarantee offered by SGX. To demonstrate the practicality of our SgxPectre Attacks, we have systematically explored the possible attack vectors of branch target injection, approaches to win the race condition during enclave’s speculative execution, and techniques to automatically search for code patterns required for launching the attacks. Our study suggests that any enclave program could be vulnerable to SgxPectre Attacks since the desired code patterns are available in most SGX runtimes (e.g., Intel SGX SDK, Rust-SGX, and Graphene-SGX).

https://arxiv.org/abs/1802.09085

 

ASUS doesn’t care about Linux [Firmware]

~ hucktech ~ Leave a comment

See image in below tweet. A tweet with a bug report about ACPI and TPM2 on ASUS systems.

Linux users: remember that you’re not using a Linux box, you’re using a Windows box, or a Chrome box, and reinstalling an OS, which the OEM doesn’t support, so they won’t be offering you any way to update your firmware with that OS. Unless you’re buying your machine from an OEM that installs Linux. If you are a Linux user, stop buying Windows/Chrome PCs and buy Linux PCs.

https://twitter.com/orionwl/status/968517661704556545

Amazon [Snowball] seeks Senior Hardware Security Engineer

~ hucktech ~ Leave a comment

Sr. Hardware Security Engineer

AWS Security is looking for an experienced Senior Security Engineer, specializing in hardware technologies, to help ensure AWS services are designed and implemented to the highest possible security standards. You will be responsible for supporting AWS service teams in the secure design of services, including customer-facing services with hardware components such as AWS Snowball. As the primary technical and strategic advocate for a variety of AWS-wide security initiatives, you will help internal and external partners to design from the beginning with security in mind.This is not an entry-level position, and a confident understanding of hardware/firmware security and the ability to collaborate with other leaders across the industry are essential to success in this role.
[…]
* Demonstrate *exceptional* judgment, integrity, business acumen, and communication skills
* Minimum 4 years of experience with two or more of the following categories:
— IoT network technologies (Z-Wave, Zigbee, Bluetooth/BLE, WLAN, identity/auth security)
— Hardware security (PCB, JTAG, UART, SPI, ROM, microcode, custom ASIC/FPGA)
— x86 and/or ARM chipset and firmware security (TPM, UEFI, TrustZone, secure boot)
— Local encryption and key management (LUKS, BitLocker, self-encrypting drives, etc)
— PKI and code signing architecture (X.509, EV SSL, certificate pinning, OCSP, CRL, etc)

https://us-amazon.icims.com/jobs/626253/sr.-hardware-security-engineer/job

See-also:

AWS Snowball:
https://aws.amazon.com/snowball/

Oracle Solaris 11.4: UEFI Secure Boot on Intel HW

~ hucktech ~ Leave a comment

UEFI Secure Boot on Oracle Solaris x86 enables you to install and boot Oracle Solaris on platforms where UEFI Secure Boot is enabled. This feature provides more security by maintaining a chain of trust during boot: digital signatures of the firmware and software are verified before executing the next stage. No break occurs in the chain because of unsigned, corrupt, or rogue firmware or software during the boot process. This feature helps assure that the firmware and software used to boot Oracle Solaris on a hardware platform is correct, and has not been modified or corrupted.

https://docs.oracle.com/cd/E72435_01/html/E72445/grijo.html
https://docs.oracle.com/cd/E37838_01/html/E60974/index.html
https://blogs.oracle.com/solaris/oracle-solaris-114-beta-released
https://github.com/oracle/solaris-userland/tree/master/components/shim
https://www.phoronix.com/scan.php?page=news_item&px=Oracle-Linux-7-Update-4

 

 

SGX After Spectre and Meltdown: Status, Analysis and Remediations

~ hucktech ~ Leave a comment

SGX After Spectre and Meltdown: Status, Analysis and Remediations
Posted on January 25, 2018 by idfusionllc

Much has been written about the recently disclosed micro-architectural cache probing attacks named in the title of this document. These attacks, while known as a possibility for some time, have created significant concerns and remediation activity in the industry, secondary to the significant confidentiality threats they pose. These attacks are particularly problematic since they evade long standing protections that the industry has used as foundational constructs in the security design of modern operating systems.

While the threats to operating system protections have undergone significant discussion, there has been little official information surrounding the impact of this new threat class to Intel’s Software Guard eXtension (SGX) technology. This document is intended to provide support for system security architects and software engineers with respect to the impact of this new class of attack on SGX security guarantees. The development of this document was inspired by dialogue on the Intel SGX developer’s forum surrounding whether or not enclaves provide credible security guarantees in the face of these new threats.

Hardware and microcode enhancements introduced in the Intel Skylake micro-architecture provide the framework for the SGX Trusted Execution Environment (TEE). The SGX security architecture uses the notion of an enclave, which is an area of memory which contains data and code which can only be referenced by the enclave itself. Unauthorized access to these protected memory regions are blocked regardless of the privilege level of the context of execution attempting the access. As a result the premise is that enclaves will provide confidentiality and integrity guarantees even if the hardware, BIOS, hypervisor or operating system are compromised.[…]

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/754168

https://idfusionllc.com/2018/01/25/sgx-after-spectre-and-meltdown-status-analysis-and-remediations/

MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols

~ hucktech ~ Leave a comment

MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols

Caroline Trippel, Daniel Lustig, Margaret Martonosi

The recent Meltdown and Spectre attacks highlight the importance of automated verification techniques for identifying hardware security vulnerabilities. We have developed a tool for synthesizing microarchitecture-specific programs capable of producing any user-specified hardware execution pattern of interest. Our tool takes two inputs: a formal description of (i) a microarchitecture in a domain-specific language, and (ii) a microarchitectural execution pattern of interest, e.g. a threat pattern. All programs synthesized by our tool are capable of producing the specified execution pattern on the supplied microarchitecture. We used our tool to specify a hardware execution pattern common to Flush+Reload attacks and automatically synthesized security litmus tests representative of those that have been publicly disclosed for conducting Meltdown and Spectre attacks. We also formulated a Prime+Probe threat pattern, enabling our tool to synthesize a new variant of each—MeltdownPrime and SpectrePrime. Both of these new exploits use Prime+Probe approaches to conduct the timing attack. They are both also novel in that they are 2-core attacks which leverage the cache line invalidation mechanism in modern cache coherence protocols. These are the first proposed Prime+Probe variants of Meltdown and Spectre. But more importantly, both Prime attacks exploit invalidation-based coherence protocols to achieve the same level of precision as a Flush+Reload attack. While mitigation techniques in software (e.g., barriers that prevent speculation) will likely be the same for our Prime variants as for original Spectre and Meltdown, we believe that hardware protection against them will be distinct. As a proof of concept, we implemented SpectrePrime as a C program and ran it on an Intel x86 processor, averaging about the same accuracy as Spectre over 100 runs—97.9% for Spectre and 99.95% for SpectrePrime.

https://scirate.com/arxiv/1802.03802

UEFI BIOS Accessibility for the Visually Impaired

~ hucktech ~ Leave a comment

UEFI BIOS Accessibility for the Visually Impaired

Rafael R. Machado, Gustavo M. D. Vieira

People with some kind of disability face a high level of difficulty for everyday tasks because, in many cases, accessibility was not considered necessary when the task or process was designed. An example of this scenario is a computer’s BIOS configuration screens, which do not consider the specific needs, such as screen readers, of visually impaired people. This paper proposes the idea that it is possible to make the pre-operating system environment accessible to visually impaired people. We report our work-in-progress in creating a screen reader prototype, accessing audio cards compatible with the High Definition Audio specification in systems running UEFI compliant firmware.

Submitted 7 Dec 2017 to Computers and Society [cs.CY]
Published 11 Dec 2017
Journal ref: SBESC ’17: Proceedings of the VII Brazilian Symposium on Computing Systems Engineering, IEEE Computer Society, 2017, 155-160
Doi: 10.1109/SBESC.2017.27
http://arxiv.org/abs/1712.03186

Click to access 1712.03186.pdf

https://scirate.com/arxiv/1712.03186

 

ShmooCon2018 videos uploaded

~ hucktech ~ Leave a comment

https://archive.org/details/Shmoocon2018

0wn The Con
A Social Science Approach To Cybersecurity Education
AFL-Unicorn Fuzzing The Unfuzzable
AWS Honey Tokens With SPACECRAB
Better Git Hacking
Blink For Your Password, Blink Away Your Civil Rights
Building Absurd Christmas Light Shows
Catch Me If You Can
Certgraph
CITL Quantitative, Comparable Software Risk Reporting
Closing Remarks
Cyberlaw Year In Review
Debates
Deep Learning For Realtime Malware Detection
Defending Against Robot Attacks
Don’t Ignore GDPR It Matters Now
Electronic Voting In 2018 Threat Or Menace
Embedded Device Vulnerability Analysis Case Study Using Trommel
Friday Night Fire Talks – 1
Friday Night Fire Talks – 2
Getting Cozy With OpenBSM Auditing On MacOS
Hacking The News An Infosec Guide To The Media, And How To Talk To Them
IoT RCE, A Study With Disney (audio missing till 3rd minute)
Keynote
Listing The 1337
Ok Google, Tell Me About Myself (part)
Opening Closed Systems With Glitchkit
Opening Remarks, Rumblings, Ruminations, And Rants
Profiling And Detecting All Things SSL With JA3
Pseudo-doppler Redux
Radare2 In Conversation
Running A Marathon Without Breaking A Sweat
Securing Bare Metal Hardware At Scale
SIGINT On A Budget
Skill Building By Revisiting Past CVEs
Someone Is Lying To You On The Internet
Tap, Tap, Is This Thing On Testing Edr Capabilities
The Friedman Tombstone
This Is Not Your Grandfather’s SIEM
Time Signature Based Matching … In Cyber Relevant Logs
When CAN Cant

 

Xen Security Advisory XSA-254 updated to V12 (on Spectre/Meltdown)

~ hucktech ~ Leave a comment

The XSA on Spectre/Meltdown has been updated again, with more info on ARM firmware:

Xen Security Advisory CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 / XSA-254
version 12

Information leak via side effects of speculative execution

UPDATES IN VERSION 12:

Corrections to ARM SP2 information:
* ARM 32-bit requires new firmware on some CPUs.
* Provide link to the ARM firmware page, accordingly.
* ARM 32-bit mitigations are complete for Cortex-A CPUs.
We do not have information for other ARM CPUs at this time.

[…]
VULNERABLE SYSTEMS:
Systems running all versions of Xen are affected. For SP1 and SP2, both Intel and AMD are vulnerable. Vulnerability of ARM processors to SP1 and SP2 varies by model and manufacturer. ARM has information on affected models on the following website. For SP3, only Intel processors are vulnerable. (The hypervisor cannot be attacked using SP3 on any ARM processors, even those that are listed as affected by SP3.) Furthermore, only 64-bit PV guests can exploit SP3 against Xen. PVH, HVM, and 32-bit PV guests cannot exploit SP3.
[…]

https://xenbits.xen.org/xsa/advisory-254.html
https://xenbits.xen.org/xsa/
https://developer.arm.com/support/security-update
https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/
https://www.qubes-os.org/security/xsa/
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-037-2018.txt

Aurora: Providing Trusted System Services for Enclaves On an Untrusted System

~ hucktech ~ Leave a comment

Aurora: Providing Trusted System Services for Enclaves On an Untrusted System
Hongliang Liang, Mingyu Li, Qiong Zhang, Yue Yu, Lin Jiang, Yixiu Chen
(Submitted on 10 Feb 2018)

Intel SGX provisions shielded executions for security-sensitive computation, but lacks support for trusted system services (TSS), such as clock, network and filesystem. This makes \textit{enclaves} vulnerable to Iago attacks~\cite{DBLP:conf/asplos/CheckowayS13} in the face of a powerful malicious system. To mitigate this problem, we present Aurora, a novel architecture that provides TSSes via a secure channel between enclaves and devices on top of an untrusted system, and implement two types of TSSes, i.e. clock and end-to-end network. We evaluate our solution by porting SQLite and OpenSSL into Aurora, experimental results show that SQLite benefits from a \textit{microsecond} accuracy trusted clock and OpenSSL gains end-to-end secure network with about 1ms overhead.

https://arxiv.org/abs/1802.03530

HP including expected PCR0 values in firmware releases

~ hucktech ~ 1 Comment

PCR0 (TPM 1.2, TXT disabled) = 3864B052A7A5E8D0D68C6B525CE7C264042FFD9C (SHA1)
PCR0 (TPM 1.2, TXT enabled) = A53040199863DE972A57CDCCBA5A1D595B8D622F (SHA1)
PCR0 (TPM 2.0 SHA256, TXT disabled) = 8F6FD3E49706E7EFDAFD56FB55FB8E02FC9766BE482C07D80D8AB2081CF5B196 (SHA256)
PCR0 (TPM 2.0 SHA256, TXT enabled) = B0D9EC8871DABC7D931A6EB0783CDFB3DAA2422F8999301CC4954D1FD2879E77 (SHA256)

https://support.hp.com/soar-attachment/567/col59842-wk-199952-1-wk-199952-1_sp82736_releasedoc.html

Google introduces Android Enterprise Recommended program

~ hucktech ~ Leave a comment

https://www.android.com/enterprise/recommended/requirements/

https://www.android.com/enterprise/recommended/

https://androidenterprisepartners.withgoogle.com/#!/results/browse-all/2

REcon Brussels 2018 slides uploaded

~ hucktech ~ Leave a comment

Starcraft: Emulating a buffer overflow for fun and profit – Elias Bachaalany
Subverting your server through its BMC: the HPE iLO4 case – Alexandre Gazet, Joffrey Czarny, Fabien Perigaud
Breaking state-of-the-art binary code obfuscation – Tim Blazytko, Moritz Contag
Decompiler internals: microcode – Ilfak Guilfanov
Mess with the best, die like the rest (mode) – Volodymyr Pikhur
Hacking Toshiba Laptops – Michał Kowalczyk, Serge Bazanski
Dissecting QNX – Ali Abbasi, Jos Wetzels
Robin Hood vs Cisco ASA AnyConnect – Cedric Halbronn
Linux Vulnerabilities, Windows Exploits: Escalating Privileges with WSL – Saar Amar
DIY ARM Debugger for Wi-Fi Chips- Matthias Schulz
Reversing IoT: Xiaomi ecosystem – Dennis Giese, Daniel Wegemer
Visiting The Snake Nest – Matthieu Faou, Jean-Ian Boutin
Reverse Engineering Windows Defender’s JavaScript Engine – Alexei Bulazel

https://recon.cx/2018/brussels/slides/

Upcoming Intel SGX Features Explained: Improved Virtualization, Configuration Management, and Key Sharing

~ hucktech ~ Leave a comment

Upcoming Intel® SGX Features Explained: Improved Virtualization, Configuration Management, and Key Sharing
Jethro Beekman
February 22nd, 2018
In an update to the Intel Software Developer’s Manual (SDM), Intel detailed upcoming changes to the Intel® SGX instruction set. The new features improve Enclave Page Cache management in virtualized environments and allow the addition of additional information to sealing key derivation and attestation reports. The improvements allow for better multi-tenancy with EPC oversubscription and easier configuration and software update management. I will go into detail on each of these in this post.[…]

https://www.fortanix.com/blog/2018/02/upcoming-intel-sgx-features-explained/

Criminal use of code signing certificates

~ hucktech ~ Leave a comment

The Use of Counterfeit Code Signing Certificates Is on the Rise
Andrei Barysevich
February 22, 2018

In 2017, security researchers around the world started seeing a sudden increase in code signing certificates being used as a layered obfuscation technique for malicious payload distribution campaigns. Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates. Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective.

https://www.recordedfuture.com/code-signing-certificates/

Product List