crbus_scripts: IPC scripts for access to Intel CRBUS

Re: https://firmwaresecurity.com/2020/05/19/intel-x86-microcode-extracted/

https://github.com/chip-red-pill/crbus_scripts

IPC scripts that allow extracting Intel Microcode (msrom) from your own Atom Goldmont platform.

UBC: a UEFI BIOS Configurator based on GRUB2 with setup_var (Windows- and AMI-centric)

Here are a few UEFI tools I’ve not seen before. But they’re binary-only Windows executables, with no source code provided in the GitHub repo, so be careful if you try to run them. It appears you might need to have an AMI BIOS for some of the tools.

https://github.com/qianchendi/UBC

Most laptop manufacturers lock down their BIOSes very securely with RSA signing nowadays. This bypasses the dilemma of finding a bypass to flash a modified BIOS and instead modifies the NVRAM registers.[…]
This tool is based on Windows 7/10 and Python 2.7, and works for AMI UEFI BIOS.
1. Open Windows console
2. Call AMISetup_IFR.bat <motherboard-bios-file>
3. Call python main.py
4. Copy all files in ‘_Setup’ directory to GRUB2 config directory, overwrite the file if already exists
5. Reboot your computer from GRUB2 disk in UEFI mode
[…]

Gate: macOS app that uses Apple T2 Security Enclave

Gate is a sample macOS app that contains a CryptoTokenKit (CTK) extension and demonstrates some new ways to work with tokens in macOS:
1. Insert and remove X.509 certificates into the keychain API without a physical smartcard insertion event. Applications can insert certificates into the keychain that are used for cryptographic operations with an embedded CryptoTokenKit extension.
2. Associate a certificate with an ECC private key created in the Secure Enclave on T2-enabled Macs.
3. Authenticate with built-in authentication (Login Window, Screen Saver, System Preferences locks, sudo, ssh, web) using an identity in the Secure Enclave.

https://bitbucket.org/twocanoes/gate-secure-enclave-token-management/src/master/README.md

Intel x86 microcode extracted

https://github.com/chip-red-pill/glm-ucode

Using Ptychographic X-ray laminography to detect hardware backdoors

Detecting backdoors in hardware is hard. I just noticed this paper from last year:

X-Ray Tech Lays Chip Secrets Bare: Researchers in Switzerland and the U.S. have a non-destructive technique that can reverse engineer an entire chip without damaging it[…]

https://spectrum.ieee.org/nanoclast/semiconductors/design/xray-tech-lays-chip-secrets-bare

https://zenodo.org/record/2657340

https://www.nature.com/articles/s41928-019-0309-z

https://en.wikipedia.org/wiki/Hardware_backdoor

Ptychographic X-ray laminography can scan an entire chip or zoom in on a particular spot to reveal its circuits.

BaseSAFE: Baseband SAnitized Fuzzing through Emulation

By: Dominik Maier, Lukas Seidel, Shinjo Park

Rogue base stations are an effective attack vector. Cellular basebands represent a critical part of the smartphone’s security: they parse large amounts of data even before authentication. They can, therefore, grant an attacker a very stealthy way to gather information about calls placed and even to escalate to the main operating system, over-the-air. In this paper, we discuss a novel cellular fuzzing framework that aims to help security researchers find critical bugs in cellular basebands and similar embedded systems. BaseSAFE allows partial rehosting of cellular basebands for fast instrumented fuzzing off-device, even for closed-source firmware blobs. BaseSAFE’s sanitizing drop-in allocator enables spotting heap-based buffer-overflows quickly. Using our proof-of-concept harness, we fuzzed various parsers of the Nucleus RTOS-based MediaTek cellular baseband that are accessible from rogue base stations. The emulator instrumentation is highly optimized, reaching hundreds of executions per second on each core for our complex test case, around 15k test-cases per second in total. Furthermore, we discuss attack vectors for baseband modems. To the best of our knowledge, this is the first use of emulation-based fuzzing for security testing of commercial cellular basebands. Most of the tooling and approaches of BaseSAFE are also applicable for other low-level kernels and firmware. Using BaseSAFE, we were able to find memory corruptions including heap out-of-bounds writes using our proof-of-concept fuzzing harness in the MediaTek cellular baseband. BaseSAFE, the harness, and a large collection of LTE signaling message test cases will be released open-source upon publication of this paper.

https://arxiv.org/abs/2005.07797

Maybe we need to wait until WiSec2020 to see code?

https://www.isti.tu-berlin.de/security_in_telecommunications/menue/research/publications/

https://wisec2020.ins.jku.at/

H2Lab: French hardware hacking lab targeting tools for embedded security

H2Lab is a French non-profit association targeting the development and production of hardware, software and tools for embedded security and is building its expertise against the passion and skills of all its members.

https://h2lab.org/blogposts/h2lab_comming/

H2Lab is born

NuXT v2.0: new 10MHz PC with BIOS

A modern newly-available classic BIOS-based PC? How is it that I’m just learning about this?! 🙂

https://yeokhengmeng.com/2020/05/review-of-a-new-old-motherboard-nuxt-v2.0/

https://github.com/skiselev/micro_8088

https://github.com/monotech/NuXTv2

https://monotech.fwscart.com/NuXT_v20_-_MicroATX_Turbo_XT_-_10MHz_832K_XT-IDE_Multi-IO_SVGA/p6083514_19777986.aspx

ARM: Arm-centric features in GCC 10

This is a nice overview of the Arm ISA-centric features available in the latest version of GCC.

I wish each ISA vendor would do a blog post like this for each major Clang/GCC compiler release!

https://community.arm.com/developer/tools-software/tools/b/tools-software-ides-blog/posts/making-the-most-of-the-arm-architecture-in-gcc-10

Trusted Objects: Trusted Objects Secure Firmware (TOSF)

Trusted Objects is a French company doing IoT Security. They are offering a firmware security solution:

“Trusted Objects Secure Firmware (TOSF) is a configurable secure firmware solution designed for Secure Element-based hardware implementation.”

https://www.trusted-objects.com/news/21/12/Trusted-Objects-publishes-a-Position-Paper-on-Software-IP-Protection-for-OEM/d,buddy012-newsDetail.html

https://www.trusted-objects.com/doc.html

https://www.trusted-objects.com/en-corporate/documentation-technical.html

Hyper-V backdoor updated

Hyper-V backdoor […] provides an interface for inspecting hypervisor state (VMCS, physical/virtual memory, registers, etc.) from guest or host partition and performing VM escape attacks.

https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv

Blue Frost security: Exploiting CVE-2020-0041 – Part 2: Escalating to root

From last month’s CVE, excerpt from XDA-Developers.com page:

[…]Moreover, Android Verified Boot 2.0 may kick in and brick your phone if you try to make permanent changes to protected partitions such as boot, system, and vendor without an unlocked bootloader. That being said, the exploit is currently available in its compiled form, while the developer will soon release the source code.[…]

https://github.com/bluefrostsecurity/CVE-2020-0041

https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/

https://source.android.com/security/bulletin/2020-03-01

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0041

LG V50 ThinQ gets root on locked bootloader thanks to an exploit

coreboot 4.12 released

[…]2692 new commits by over 190 developers[…] Besides a whole lot of Chrome OS devices (again), this release features a whole bunch of retrofits for devices originally shipping with non-coreboot OEM firmware, but also support for devices that come with coreboot right out of the box. For that, a shout out to System76, Protectli, Libretrend and the Open Compute Project![…]

Announcing coreboot 4.12

DMTF Redfish updated, includes UEFI Secure Boot changes

[…]New schemas include the addition of SecureBootDatabase and Signatures for managing UEFI Secure Boot databases using Redfish. The schema updates include SecureBoot, Certificate, CertificateCollection, and CertificateLocations.[…]

https://www.dmtf.org/content/new-redfish-release-20201-adds-support-network-device-registry-secure-boot-database-and

It looks like the main DMTF Redfish web sites are not yet updated with pointers to the above spec, beyond the above press release page. Use that page for download links.