MacAdmins Podcast: Episode 70: Secure Boot

Synopsis: Tim Perfitt joins the pod to talk about SecureBoot, the iMac Pro, the future of securing everything, and the history of BootRunner and other products at Twocanoes.

Your Hosts:
Tom Bridge, Partner at Technolutionary LLC [@tbridge]
Pepijn Bruienne, R&D Engineer at Duo Security [@bruienne], Proprietor of EnterpriseMac.Bruienne.com
Charles Edge, Director of Marketplace at Jamf, [@cedge318]

Guests: Tim Perfitt, Founder of Twocanoes Software

Episode 70: Tim Perfitt, Twocanoes Software

Show notes:

SecureBoot & the 2017 iMac Pro

Trusting bare-metal/on-premises cloud firmware

I’ve been learning a bit about ‘the Cloud’. In addition to the normal virtualized solutions, there is also ‘bare-metal cloud’, where the customer gets full access to the hardware. The ‘on-premises cloud’ is similar: the vendor puts the hardware on your site. If you are the first client to use that hardware, you’re probably in good shape. However, the 2nd and subsequent customers need to trust that the cloud vendor is verifying that previous customers didn’t infect the firmware with bootkits.

If I were an attacker, I would have sold grey-market (used) hardware with infected firmware on eBay/Craigslist to future targets. Now I’d change tactics and rent as much bare-metal/on-premises cloud hardware as I could, infect it with rootkits, return it to the cloud vendor, and wait for future users of this hardware to phone home. It seems like a better investment for an attacker: multiple targets per infected device.

Before your company relies on a bare-metal/on-prem solution, ask the cloud vendor to clarify the steps they perform to ensure the firmware is not infected with bootkits.

https://en.wikipedia.org/wiki/Bare-metal_server

https://en.wikipedia.org/wiki/On-premises_software

new ChromeOS TPM security feature

https://www.androidpolice.com/2018/02/18/google-releases-optional-security-update-chromebooks-wipes-local-data/

https://www.techrepublic.com/article/chromebook-update-boosts-security-but-wipes-all-data-in-the-process/

TPM Update For Chrome OS: Why And How

https://www.chromium.org/chromium-os/tpm_firmware_update

https://productforums.google.com/forum/#!topic/chromebook-central/eo2HZeDVjr8

https://www.infineon.com/cms/en/product/promopages/tpm-update/

ARM’s Kigen OS for cellular IoT security

https://www.arm.com/products/iot-solutions/kigen-sim-solutions

https://www.arm.com/news/2018/02/arm-delivers-integrated-sim-identity-to-secure-next-wave-of-cellular-iot-devices

https://www.forbes.com/sites/patrickmoorhead/2018/02/21/arm-introduces-new-kigen-technologies-to-improve-iot-security

https://www.pcper.com/news/General-Tech/ARM-Introduces-Kigen-OS-Cellular-IoT

Intel announces firmware updates for multiple processors (and Retpoline document)

February 20, 2018

Latest Intel Security News: Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors, Intel Xeon Scalable Processors and More

Over the past several weeks, we’ve been developing and validating updated microcode solutions to protect Intel customers against the security exploits disclosed by Google Project Zero. This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production. On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process. Based on these efforts, we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. It also includes our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for data center systems. The new microcode will be made available in most cases through OEM firmware updates. I continue to encourage people to always keep their systems up-to-date. There is also a comprehensive schedule and current status for planned microcode updates available online.[…]

https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/

[…]We are mindful of the fact that, in some cases, there are multiple mitigation techniques available that may provide protection against these exploits. This includes “Retpoline,” a Google-developed mitigation technique for Variant 2. For those interested in more information on Retpoline and how it works, we recently published a new white paper. Google has also posted information about Retpoline.[…]

https://support.google.com/faqs/answer/7625886

Intel white paper (PDF): Retpoline-A-Branch-Target-Injection-Mitigation.pdf

Coping with Spectre and Meltdown: What sysadmins are doing

Esther Schindler has a new article on Spectre and Meltdown for SysAdmins:

Coping with Spectre and Meltdown: What sysadmins are doing

The recent security vulnerabilities dumped a bunch of to-do items on system administrators’ desks. Feel like you’re alone? Here’s what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management.

https://www.hpe.com/us/en/insights/articles/coping-with-spectre-and-meltdown-what-sysadmins-are-doing-1802.html

https://groups.google.com/a/lopsa.org/forum/#!topic/discuss/OSk4U32ShGs

Nintendo’s new KDE Linux tablet :-)

Re: https://firmwaresecurity.com/2018/01/16/dumping-the-playstation4-kernel/

https://twitter.com/fail0verflow/status/964954316892119040

https://liliputing.com/2018/02/fail0verflow-turns-a-nintendo-switch-into-a-full-fledged-linux-pc.html

https://www.theverge.com/circuitbreaker/2018/2/19/17029916/nintendo-switch-hack-linux-fail0verflow

https://www.forbes.com/sites/jasonevangelho/2018/02/09/hackers-are-running-linux-on-the-switch-and-claim-nintendo-cant-patch-it/#73bc32eb512c

https://www.nintendo.com/switch/

I have never once considered purchasing a Nintendo Switch …until now. 🙂

DeepState: C/C++ symbolic execution unit test framework from Trail of Bits

DeepState is a framework that provides C and C++ developers with a common interface to various symbolic execution and fuzzing engines. Users can write one test harness using a Google Test-like API, then execute it using multiple backends without having to learn the complexities of the underlying engines. It supports writing unit tests and API sequence tests, as well as automatic test generation. DeepState currently targets Linux, with macOS support in progress.

https://github.com/trailofbits/deepstate

Paper (PDF): bar18.pdf

EnclaveDB: A Secure Database using SGX

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/index.html

EnclaveDB: A Secure Database using SGX
Christian Priebe, Imperial College London
Kapil Vaswani, Microsoft Research
Manuel Costa, Microsoft Research
We propose EnclaveDB, a database engine that guarantees confidentiality, integrity, and freshness for data and queries. EnclaveDB guarantees these properties even when the database administrator is malicious, when an attacker has compromised the operating system or the hypervisor, and when the database runs in an untrusted host in the cloud. EnclaveDB achieves this by placing sensitive data (tables, indexes and other metadata) in enclaves protected by trusted hardware (such as Intel SGX). EnclaveDB has a small trusted computing base, which includes an in-memory storage and query engine, a transaction manager and pre-compiled stored procedures. A key component of EnclaveDB is an efficient protocol for checking integrity and freshness of the database log. The protocol supports concurrent, asynchronous appends and truncation, and requires minimal synchronization between threads. Our experiments using standard database benchmarks and a performance model that simulates large enclaves show that EnclaveDB achieves strong security with low overhead (up to 40% for TPC-C) compared to an industry-strength in-memory database engine.

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/435301a405-abs.html

EnclaveDB – A Secure Database using SGX

Paper (PDF): enclavedb.pdf

Windows AMSI (AntiMalware Scan Interface) bypass

https://twitter.com/aionescu/status/964953997311328256

http://standa-note.blogspot.ca/2018/02/amsi-bypass-with-null-character.html

https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx

See-also:

https://www.cyberark.com/threat-research-blog/amsi-bypass-patching-technique/

SHA_Performance_Review_In_UEFI: UEFI SHA1/SHA256 perf tests with C (and asm)

Background of the work: to compare SHA1/SHA-256 performance across different implementations, different optimization flags and different compilers (GCC48/GCC5), and to see how the performance differs in UEFI (the pre-boot environment). As UEFI developers using these CPU-intensive algorithms, we need to take the performance difference between them into account.

https://github.com/tsunghowu/SHA_Performance_Review_In_UEFI

UEFTW – UEFI Toys: ShellOpt/ShellExpand/DBounce/KernextPatcher/AcpiPatcher (binary-only, no source)

Some UEFI toys by me, taken from my early fork of Clover and ‘others’ below. No sources available yet, just binaries (EAT that!).

ShellOpt: Port of Finnbarr P. Murphy’s GNU-EFI ShellOpt (>>>) to EDK2, to set / delete various Shell options.

ShellExpand: To eliminate known Shell edit command bugs by translating TABS to SPACES with a custom size.

DBounce: A UEFI driver that loads all required drivers first before finally calling a chainloader. Originally introduced by Christoph Pfisterer (rEFIt’s author). The original source can be found here. Later I ported this module to work with EDK2 with the following changes (compared to the original):

KernextPatcher: KernextPatcher (stands for Kernel & Kext Patcher) is a Darwin kernel & extensions patcher UEFI driver based on Clover Memfix by dmazar. This driver tries to hook the ExitBootServices event and patch the kernelcache, including the kernel itself and kexts.

AcpiPatcher: AcpiPatcher is a Darwin ACPI patcher UEFI driver. Yes, it’s a MEGA stripped version compared to the original one. At least we can now get rid of some of the complexity of loading custom ACPI tables with some fixes. This driver tries to hook the ExitBootServices event and patch ACPI as below.

https://github.com/cecekpawon/UEFTW

Careful, these are closed-source binaries. Freeware is hard to trust, these decades… I have not tried them.

Windows 10: storing system-tracking data in UEFI variables

https://twitter.com/dakotathekat/status/963086883621408768

https://docs.microsoft.com/en-us/uwp/api/Windows.System.Profile.SystemIdentification

As one comment above notes, make sure you know how to reset this firmware-stored data before you dispose of any such systems.

Interesting, I would have guessed that this data would be stored in UEFI SMM LockBox, but some forms of UEFI variables are also hard to access. Ah, but this is for persistent data…

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c

I’d swear I saw some MacOSX (before the change to macOS) components moved from system libraries up into Apple EFI; I wonder if Apple also implements SmmLockBox?