This repository contains a set of tools and proof of concepts related to PCI-E bus and DMA attacks. It includes HDL design which implements software controllable PCI-E gen 1.1 endpoint device for Xilinx SP605 Evaluation Kit with Spartan-6 FPGA. In comparison with popular USB3380EVB this design allows to operate with raw Transaction Level Packets (TLP) of PCI-E bus and perform full 64-bit memory read/write operations. To demonstrate applied use cases of the design, there’s a tool for pre-boot DMA attacks on UEFI based machines which allows executing arbitrary UEFI DXE drivers during platform init. Another example shows how to use pre-boot DMA attacks to inject Hyper-V VM exit handler backdoor into the virtualization-based security enabled Windows 10 Enterprise running on UEFI Secure Boot enabled platform. Provided Hyper-V backdoor PoC might be useful for reverse engineering and exploit development purposes, it provides an interface for inspecting of hypervisor state (VMCS, physical/virtual memory, registers, etc.) from guest partition and perform the guest to host VM escape attacks.
SEC Xtractor: HW/FW tools for dumping memory chips and identifying on-chip debugging/programming interfaces
We have just made the “SEC Xtractor” tool (SEC Consult’s hardware exploitation and firmware extraction tool) open-source! It comes with an easy to use and configurable memory reading concept that supports multiple ways to read flash chips (e.g. NAND chips). As its firmware and hardware are completely open-source, it can be easily extended. Interface identification is another requirement that was fulfilled by integrating JTAG brute-forcing and UART scanning. It can also be used as an OpenOCD adapter and it provides two UART-to-USB bridges. Most devices require anything between 1.8 and 5.5 volts, which is supported by the SEC Xtractor.[…]
SEC Xtractor (Hardware)
https://github.com/sec-consult/SEC-Xtractor_Hardware
SEC Xtractor (Firmware)
UefiGame: Bare metal game using EDK2
There is another UEFI game available, that’s over a dozen I think:
https://github.com/IyadHamid/UefiGame
riscv_exploitation: Collection of RISC-V exploits
For those getting into RISC-V security, here’s some examples that might be useful:
UL offering IoT security ratings
The IoT Security Rating, which is based on UL’s IoT Security Top 20 Design Principles, aims to serve two purposes:
1) Help manufacturers and developers improve the security posture of their solutions by leveraging proven security best practices
2) Rate the security posture of IoT solutions in order to make security more transparent and accessible to consumers.
https://ims.ul.com/IoT-security-rating
I wish these logos had more specifics, like what boot security technologies are available.
Redfish-Tacklebox: Python based utilities for performing common management operations with Redfish
DMTF has a relatively-new Redfish project, with tools (currently 6 Python-based tools) that’re useful for security researchers, system administrators, and firmware testers:
Sensor List (rf_sensor_list.py): walk a Redfish service and list sensor info
System Inventory (rf_sys_inventory.py): walk a Redfish service and list component information
Power/Reset (rf_power_reset.py): perform a power/reset operation of a system
Boot Override (rf_boot_override.py): perform a one time boot override of a system
Accounts (rf_accounts.py): manage user accounts on a Redfish service
Update (rf_update.py): perform an update with a Redfish service
TPM.dev
There is a new web site with multiple TPM resources, many things to see. And a physical event, if you are based in Germany.
Tastless CTF: tee-challenges: an exploitation challenge based on the Open Portable Trusted Execution Environment (OP-TEE)
https://github.com/tastelessctf/ctf2019
Offered with no further comments, I’ve not yet had a chance to play this CTF yet…
coreboot 4.11 released
“[…]Since 4.10 there were 1630 new commits by over 130 developers. Of these, about 30 contributed to coreboot for the first time.[…]
Verified Boot: The vboot feature that Chromebooks brought into coreboot was extended to work on devices that weren’t specially adapted for it: In addition to its original device family it’s now supported on various Lenovo laptops, Open Compute Project systems and Siemens industrial machines. Eltan’s support for measured boot continues to be integrated with vboot, sharing data structures and generally working together where possible.[…]”
Detailed blog post:
https://blogs.coreboot.org/blog/2019/11/19/announcing-coreboot-4-11/
Open Source Firmware Conference 2019: videos available
Videos for OSFC 2019, the Open Source Firmware Conference, are now online:
https://www.youtube.com/channel/UCUVk2lv2h2VbP3Dx4k2axyA/playlists
Slides are on the main site (on the schedule page, not yet on the archive page):
PrimeG2Pkg: UEFI for HP Prime G2 calculator
[…]Basically the UEFI consists a set of device drivers and core components from TianoCore. ACPI tables are copied from the Windows IoT iMX Project Mu Repo and stripped down. I chainload the UEFI from U-Boot. iMX does not enable unaligned memory access by default and this causes a lot of troubles in UEFI DXE and BDS phases.[…]
https://github.com/imbushuo/PrimeG2Pkg
blog post:
edk2-vscode: Visual Studio Code plugin for EDKII files
There is a Visual Studio Code plugin for working with Microsoft Project Mu:
MuSupport: A VS Code extension to support Project Mu
There is also another VS Code plugin for working with EDK2, which appears to be about 3 months old:
Develop smoothly EDKII/UEFI:
* Add FDF syntax highlight and destionation
* Add DSC syntax highlight and destionation
* Add DEC syntax highlight and destionation
* Add INF syntax highlight and destionation
* Add UNI syntax highlight
* Add VFR syntax highlight
Sourcetrail source code explorer for C/C++/Python/Java has been open-sourced
Coatia Software’s Sourcetrail is a source explorer for Linux/Windows/Mac which “uses static analysis on C, C++, Java and Python source code and lets you navigate the collected information within a user interface that interactively combines graph visualization and code display.” This closed-source codebase is now open-source.
https://github.com/CoatiSoftware/Sourcetrail
https://www.sourcetrail.com/
https://www.sourcetrail.com/blog/open_source/
https://www.patreon.com/sourcetrail
Intel ATR training: no longer publicly-available
Re: https://firmwaresecurity.com/2017/05/25/intel-atr-releases-uefi-firmware-training-materials/
It appears training materials that used to be on Github are no longer there, unsure why. Hopefully it has moved (from the “Advanced-Threat-Research” top-level Github project and moved to some Intel/McAfee/Eclypsium project, and I just don’t know the new URL.
As I understand it, the training was created by Intel employees, mostly from the CHIPSEC team, before many of the CHIPSEC team left to create Eclypsium, and also during the Intel/McAfee split of Intel Advanced Threat Research. I have a copy of the Github project that’s been taken down somewhere, in case the authors at (Intel, McAfee, Eclypsium) mistakenly deleted it and want a copy.
https://github.com/advanced-threat-research/firmware-security-training
The current CHISPEC team offers training, but appears to use a different set of of materials, which are online:
https://github.com/chipsec/chipsec/wiki/BSidesPDX-2018-Workshop
The MinnowBoard Chronicles: A Journey into x86, UEFI, and Linux
Even if you don’t have a SourcePoint hardware debugger, you’ll probably still get a benefit from reading this 45-chapter blog post series.
Over the last two and a half years, I’ve intermittently chronicled my explorations into some fairly esoteric technical topics, using the MinnowBoard Turbot board as a platform. And yes, time flies, and I’ve covered a lot of ground. All 45 chapters are listed below. Enjoy!
GospelRoom: Data Storage in UEFI NVRAM Variables
Click on the URL in the above Twitter URL, as WordPress chokes on Github Gist URLs.
Static analysis framework for GCC by Red Hat
David Malcolm of Red Hat has submitted a 49-part patch to GCC which gives GCC a static analysis feature:
This patch kit introduces a static analysis pass for GCC that can diagnose various kinds of problems in C code at compile-time (e.g. double-free, use-after-free, etc). The analyzer runs as an IPA pass on the gimple SSA representation. It associates state machines with data, with transitions at certain statements and edges. It finds “interesting” interprocedural paths through the user’s code, in which bogus state transitions happen.[…\
Paged Out! #2 released
ANSSI: Hardware security requirements for x86 platforms (and bootable CHIPSEC thumbdrive)
This guide presents some security features and configuration options applying to hardware devices. These features are defined in the form of requirements and can apply to a provider of these hardware configurations. The intended goal is to enforce security of new hardware acquired by an IT department. Each requirement is followed by a security objective specifying the goal.[…]
Provided tools can be used to build two bootable USB keys:
* the first around the chipsec tool edited by Intel, integrated in a Debian live distribution, which can be used to check the platform configuration registers.
* the second one is built around the keytool.efi binary which can be use to inspect and modify the SecureBoot key list. The key can be used to check that the platform will accept new, custom SecureBoot keys
https://www.ssi.gouv.fr/en/guide/hardware-security-requirements-for-x86-platforms/
AMD: AGESA update (on Reddit)
I often see news about AMD AGESA in the news, often starting on Gamer web sites talking about gamer-centric boxes. I wish there was a primary source of this data, but it appears that AMD tells it’s vendors and the vendors tell the media about the updates, and there was no direct AMD source of this information. At least that’s what I thought until a few days ago. The “AMD Official” user on Reddit has posted a status update on the next AGESA release:
An Update on the AM4 Platform & AGESA 1004
AMD has recently released a new AGESA to manufacturers, version 1004. With over 150 changes, this is a significant milestone release in the development of the AM4 platform. We wanted to share some background in support of our release and particularly in advance of the AMD Ryzen 9 3950X processor launch on Nov. 25th.[…]
Let’s hope there are regular updates on AGESA on this Reddit site:
https://www.reddit.com/user/AMDOfficial/
More info:
https://en.wikipedia.org/wiki/AGESA
Intel’s equivalent to AMD AGESA is FSP. By comparision, there is a bit more metadata to see what’s happening with FSP, I wish AMD had similar resources for AGESA:
https://github.com/IntelFsp/FSP/commits/master
https://github.com/IntelFsp/FSP/issues
Firmware Security 
You must be logged in to post a comment.