FreeBSD bhyve UEFI support improved

https://twitter.com/lattera/status/963126671963557888

MFC: r316746 Add UEFI support to vmrun.sh

Adds:
-E: Use UEFI mode
-f: path to UEFI firmware image (default: path to uefi-edk2-bhyve package)
-F: UEFI framebuffer size (default: w=1024,h=768)
-L: IP to listen for VNC connections on (default: 127.0.0.1)
-P: Port to listen for VNC connections on (default: 5900)
-T: Enable tablet device (for VNC)
-v: Wait for VNC client before booting VM

https://svnweb.freebsd.org/base?view=revision&revision=329178


Dell Sputnik systems disable Secure Boot

“Dell ship their Sputnik systems with a pre-populated MokSB variable that disables Secure Boot, so this is working as intended on the Fedora side.”

https://bugzilla.redhat.com/show_bug.cgi?id=1544794

adding BIOS Mode and Secure Boot state to BGInfo


Adding Windows 10 Version, BIOS Mode and Secure Boot State to BGInfo

Intel updates bug bounty program

Updates to our program include

+ Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
+ Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
+ Raising bounty awards across the board, with awards of up to $100,000 for other areas.

https://newsroom.intel.com/news/expanding-intels-bug-bounty-program/

dtrace for linux; Oracle does the right thing

dtrace for linux; Oracle does the right thing
Posted on February 14, 2018, 11:13.

[…]This changeset integrates DTrace module sources into the main kernel source tree under the GPLv2 license. Sources have been moved to appropriate locations in the kernel tree. That is right, dtrace dropped the CDDL and switched to the GPL![…]


Attacks Against Windows PXE Boot Images

Attacks Against Windows PXE Boot Images
Thomas Elling
February 13th, 2018

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.[…]

https://blog.netspi.com/attacks-against-windows-pxe-boot-images/

https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment

Microsoft Windows Analytics now helps assess Meltdown and Spectre protections


To help IT professionals everywhere, we have added new capabilities to our free Windows Analytics service to report the status for all the Windows devices that they manage. These new capabilities include:

[…]
Firmware Status – This insight provides details about the firmware installed on the device. Specifically, this insight reports if the installed firmware indicates that it includes the specific protections required. Initially, this status will be limited to the list of approved and available firmware security updates from Intel. We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft.
[…]

https://blogs.windows.com/business/2018/02/13/windows-analytics-now-helps-assess-meltdown-and-spectre-protections/

Windows Analytics

HPE MSA firmware site created


Two suggestions: 1) use HTTPS not HTTP for web site. 2) Include a hash for the blobs.

Getting HPE MSA Storage firmware just got easier
HPEStorageGuy yesterday

Making things easier for customers is always a good idea. Kipp Glover from our HPE Storage Total Customer Experience & Quality team has been working to do that. Kipp wanted to make the process easy for HPE MSA Storage customers to get the latest firmware and related information like release notes and the firmware history for each of the last three generations of MSA models. Kipp and his team worked with our hpe.com people to create the website to make getting the latest MSA firmware easy. The website is hpe.com/storage/MSAFirmware. Kipp also created a short video that shows how to navigate the site so I wanted to share that with you.

https://community.hpe.com/t5/Around-the-Storage-Block/Getting-HPE-MSA-Storage-firmware-just-got-easier/ba-p/6996632

http://h41111.www4.hpe.com/storage/msafirmware.html


IETF draft-irtf-t2trg-iot-seccons: State-of-the-Art and Challenges for the IoT Security

State-of-the-Art and Challenges for the Internet of Things Security

The Internet of Things (IoT) concept refers to the usage of standard Internet protocols to allow for human-to-thing and thing-to-thing communication. The security needs for IoT systems are well-recognized and many standardization steps to provide security have been taken, for example, the specification of Constrained Application Protocol (CoAP) secured with Datagram Transport Layer Security (DTLS). However, security challenges still exist, not only because there are some use cases that lack a suitable solution, but also because many IoT devices and systems have been designed and deployed with very limited security capabilities. In this document, we first discuss the various stages in the lifecycle of a thing. Next, we document the security threats to a thing and the challenges that one might face to protect against these threats. Lastly, we discuss the next steps needed to facilitate the deployment of secure IoT systems. This document can be used by IoT standards specifications as a reference for details about security considerations applying to the specified protocol.

https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-10

ARM adds Shared Virtual Addressing (SVA) for IOMMU to Linux kernel

Jean-Philippe Brucker of ARM sent a 37-part patch series adding SVA support to the Linux kernel; excerpts of the announcement are below:

Shared Virtual Addressing (SVA) is the ability to share process address spaces with devices. It is called “SVM” (Shared Virtual Memory) by OpenCL and some IOMMU architectures, but since that abbreviation is already used for AMD virtualisation in Linux (Secure Virtual Machine), we prefer the less ambiguous “SVA”. Sharing process address spaces with devices makes it possible to rely on core kernel memory management for DMA, removing some complexity from application and device drivers. After binding to a device, applications can instruct it to perform DMA on buffers obtained with malloc.

The device, buses and the IOMMU must support the following features:
* Multiple address spaces per device, for example using the PCI PASID (Process Address Space ID) extension. The IOMMU driver allocates a PASID and the device uses it in DMA transactions.
* I/O Page Faults (IOPF), for example PCI PRI (Page Request Interface) or Arm SMMU stall. The core mm handles translation faults from the IOMMU.
* MMU and IOMMU implement compatible page table formats.

This series requires support for all three features. I tried to facilitate using only a subset of them but enabling it requires more work. Upcoming patches will enable private PASID management, which allows device drivers to use an API similar to classical DMA, map()/unmap() on PASIDs. In the future device drivers should also be able to use SVA without IOPF by pinning all pages, or without PASID by sharing the single device address space with a process. Although we don’t have any performance measurement at the moment, SVA will likely be slower than classical DMA since it relies on page faults, whereas classical DMA pins all pages in memory. SVA mostly aims at simplifying DMA management, but also improves security by isolating address spaces in devices. Intel and AMD IOMMU drivers already offer slightly differing public functions that bind process address spaces to devices. Because they don’t go through an architecture-agnostic API, only integrated devices could use them so far. […]

Full patch:
https://lists.linuxfoundation.org/pipermail/iommu/2018-February/025992.html
More info on IOMMUs:
http://pages.cs.wisc.edu/~basu/isca_iommu_tutorial/index.htm
https://github.com/chipsec/chipsec/blob/master/chipsec/hal/iommu.py
https://www.spinics.net/lists/arm-kernel/msg609771.html
https://www.spinics.net/lists/kernel/msg2651481.html
https://www.spinics.net/lists/kvm/msg148819.html
https://developer.arm.com/products/architecture/a-profile/docs/100940/latest/separation-of-kernel-and-application-virtual-address-spaces
https://software.intel.com/en-us/articles/opencl-20-shared-virtual-memory-overview
https://www.khronos.org/registry/OpenCL/sdk/2.1/docs/man/xhtml/sharedVirtualMemory.html
https://lwn.net/Articles/726606/


https://en.wikipedia.org/wiki/List_of_IOMMU-supporting_hardware
https://software.intel.com/en-us/blogs/2009/03/02/intels-virtualization-for-directed-io-aka-iommu-part-1


DelegaTEE: Brokered Delegation Using Trusted Execution Environments

DelegaTEE: Brokered Delegation Using Trusted Execution Environments

Sinisa Matetic and Moritz Schneider and Andrew Miller and Ari Juels and Srdjan Capkun

We introduce a new concept called brokered delegation. Brokered delegation allows users to flexibly delegate credentials and rights for a range of service providers to other users and third parties. We explore how brokered delegation can be implemented using novel trusted execution environments (TEEs). We introduce a system called DelegaTEE that enables users (Delegatees) to log into different online services using the credentials of other users (Owners). Credentials in DelegaTEE are never revealed to Delegatees and Owners can restrict access to their accounts using a range of rich, contextually dependent delegation policies. DelegaTEE fundamentally shifts existing access control models for centralized online services. It does so by using TEEs to permit access delegation at the user’s discretion. DelegaTEE thus effectively reduces mandatory access control (MAC) in this context to discretionary access control (DAC). The system demonstrates the significant potential for TEEs to create new forms of resource sharing around online services without the direct support from those services. We present a full implementation of DelegaTEE using Intel SGX and demonstrate its use in four real-world applications: email access (SMTP/IMAP), restricted website access using a HTTPS proxy, e-banking/credit card, and a third-party payment system (PayPal).

https://eprint.iacr.org/2018/160


FACT: Firmware Analysis and Comparison Tool

Firmware Analysis and Comparison Tool (FACT)
Peter Weidenbach
The Firmware Analysis and Comparison Tool (FACT) is intended to automate Firmware Security analysis. Thereby, it shall be easy to use (web GUI), extend (plug-in system) and integrate (REST API). When analyzing Firmware, you face several challenges: unpacking, initial analysis, identifying changes towards other versions, finding other firmware images that might share vulnerabilities you just found. FACT is able to automate many aspects of these challenges leading to a massive speedup in the firmware analysis process. This means you can focus on the fun part of finding new vulnerabilities, whereas FACT does all the boring stuff for you.[…]

https://fkie-cad.github.io/FACT_core/

https://github.com/fkie-cad/FACT_firmadyne_analysis_plugin

https://www.blackhat.com/asia-18/arsenal/schedule/index.html#firmware-analysis-and-comparision-tool-fact-9712


Low-level iOS forensics: iBoot ‘metadata whitening’

Low-level iOS forensics
Thu 28 June 2012 by jean

iOS filesystem encryption and data protection mechanisms are now well documented and supported by many forensics tools. iOS devices use NAND flash memory as their main storage area, but physical imaging usually refers to a “dd image” of the logical partitions. The iOS Flash Translation Layer for current devices is software-based (implemented in iBoot and the kernel), which means that the CPU has direct access to raw NAND memory. In this post we will describe how to acquire a NAND image and use FTL metadata to recover deleted files on A4 devices. The information presented here is based on the great reverse engineering work done by the iDroid/openiBoot team.[…]

http://esec-lab.sogeti.com/posts/2012/06/28/low-level-ios-forensics.html

https://code.google.com/archive/p/iphone-dataprotection/wikis

Teddy Reed: Exploring secured boot on the Sabre Lite i.MX6S (v1.3) SBC and NXP HABv4

Exploring secured boot on the Sabre Lite i.MX6S (v1.3) SBC and NXP HABv4
February 10, 2018

This document is a linear review of my notes taken while exploring the Sabre Lite single-board-computer. It is a mildly expensive ($200 from Boundary Devices) SBC but it has a well documented secure boot implementation rooted in silicon ROM. It is a very good example of a vendor proprietary firmware verification mechanism. The goal of this article is purely an overview of notes, nothing here is novel or groundbreaking and it is not intended to be a tutorial.[…]

https://prosauce.org/blog/2018/2/10/exploring-secured-boot-on-the-sabre-lite-imx6s-v13-sbc-and-nxp-habv4

The i/MX image header, where Image Data can be U-Boot, followed by an optional CSF.

Apple baseband comm driver kext source leaked?

https://twitter.com/Mario_Vilas/status/962023148806750208

https://twitter.com/chronic/status/962090476072525826

https://twitter.com/internals_apple/status/962143308070957057

https://twitter.com/i_droid_phone/status/961770262894186497

https://twitter.com/Apple_External/status/962147625221767168

https://twitter.com/internals_apple/status/961391228771332097

https://twitter.com/kittenpies3/status/962343688373440513

Lenovo: Intel AMT MEBx Access Control Bypass

Intel Active Management Technology MEBx Access Control Bypass
2018-02-08
Initial Release

Scope of Impact: Industry-wide
Lenovo Security Advisory: LEN-19568

Potential Impact: Remote access and control
Severity: Critical

Intel has issued an advisory for Intel vPro Active Management Technology (AMT) to all system manufacturers. The Intel AMT default configuration has weak security around the Management Engine BIOS Extension (MEBx) password.[…]

ThinkPad – Updates coming soon
ThinkServer- Researching

https://support.lenovo.com/us/en/solutions/LEN-19568

https://sintonen.fi/advisories/intel-active-management-technology-mebx-bypass.txt

https://www.intel.com/content/www/us/en/support/articles/000020917/software/manageability-products.html


http://thinkdeploy.blogspot.com/2016/08/the-think-bios-config-tool.html


LAVA 2018.2 released

Neil Williams of Linaro announced the 2018.2 release of LAVA. Here are three changes excerpted from the announcement:

* Bootloader support changes: Better detect errors in the bootloader – this adds support to distinguish between a bootloader failure and a kernel failure to detect problems when the bootloader tries to start the kernel. This has an important effect on how some test jobs run – see Quiet Kernels below. The parallel change (7a2b3a68 Change the flow of bootloader commands so they are executed individually) supports detecting failures to download artifacts as distinct from failures to execute once downloaded.

* Bootloader action optimisations: To support the better error detection, several bootloader actions have been optimised. This means that different actions may be used, changing the names you may be using for timeouts. e.g.
https://staging.validation.linaro.org/scheduler/job/209814/definition#defline10
The timeout name was u-boot-interrupt – now it is bootloader-interrupt. The UI shows you which actions have been assembled into the pipeline.
e.g.: bootloader-interrupt: Wait for prompt Hit any key to stop autoboot (timeout 00:02:00)

* Quiet Kernels: The bootloader support changes wait for an indication that the bootloader has completed and that the kernel has started, by watching for a kernel_start_message. If your kernel is configured to be quiet, then each test job using that kernel *must* clear the kernel_start_message:
   context:
   kernel_start_message: ''
In most cases, the test job should not use ‘quiet’ as this hides important debugging information from the kernel boot process.
[…]

https://lists.linaro.org/pipermail/lava-announce/2018-February/000048.html
https://www.linaro.org/initiatives/lava
https://validation.linaro.org/
https://wiki.linaro.org/LAVA
https://github.com/search?q=org%3ALinaro+lava