While the number of IoT devices grows at an exhilarating pace, their security remains stagnant. Imposing secure coding standards across all vendors is infeasible. Testing individual devices allows an analyst to evaluate their security post deployment. Any discovered vulnerabilities can then be disclosed to the vendors in order to assist them in securing their products. The search for vulnerabilities should ideally be automated for efficiency and furthermore be device-independent for scalability. We present FirmFuzz, an automated device-independent emulation and dynamic analysis framework for Linux-based firmware images. It employs a greybox-based generational fuzzing approach coupled with static analysis and system introspection to provide targeted and deterministic bug discovery within a firmware image. We evaluate FirmFuzz by emulating and dynamically analyzing 32 images (from 27 unique devices) with a network accessible from the host performing the emulation. During testing, FirmFuzz discovered seven previously undisclosed vulnerabilities across six different devices: two IP cameras and four routers. So far, 4 CVEs have been assigned.
Matthew: if you’re reading this, please consider also supporting Tianocore/EDK2, not just Project Mu, as there is no Tianocore extension for VSCode, so your project would be useful to another community as well.
For other open source IDE support for UEFI, there’s an Eclipse plugin and the Visual Studio-based VisualUEFI. For closed-source IDE support, there is Intel ISS and ARM DS-5. There may be others I’m not aware of; if you know of one, please leave a comment.
Linaro Ltd, the open source collaborative engineering organization developing software for the Arm® ecosystem, today announced together with Riscure their collaboration enabling developers to deliver secure and robust TEE-based solutions. Under the terms of this partnership, Riscure, the globally recognized expert in embedded security research, will contribute to OP-TEE security with regular code review and fuzzing campaigns. OP-TEE is an open source project maintained by the Trusted Firmware project. Both projects are hosted by Linaro and work to provide security for Arm-based solutions. Riscure has created an open-source fuzzing tool specifically designed for OP-TEE.[…]
Some simple scripts for usage with a Raspberry Pi Zero as a Lights-Out Management controller for another system, such as a desktop computer or a server. Sends reset signals over GPIO pins, and uses the USB connection for transmitting keyboard signals to control the BIOS or UEFI remotely.
[…]In this paper, we propose an introspection framework called Nighthawk that transparently checks system integrity at runtime. Nighthawk leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use Nighthawk to check the integrity of the system software and firmware of a host system at runtime. The experimental results show that Nighthawk can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks.[…]
This looks interesting: a boot disk that does a few things. But I’m not sure what this fully does. There is little documentation, and most of the binaries are provided without source and come pre-zipped. (Be careful with binary-only releases, they might contain malware…) It is Windows-centric. But it includes multiple bootloaders, dozens of scripts and executables…
The source code (GitHub site) appears to be new, but there are 2 blog posts more than 1 year old on the topic:
This is a collection of shell functions to build secure Linux-based operating system images. They are highly specific to my setup and probably won’t be useful to anyone else. […] The primary goal here is swappable immutable disk images that are verified by verity, which is itself verified by the kernel’s Secure Boot signature.[…]
The script can run any arbitrary command and retrieve its exit code, wait for boot and skip the 5-second prompt (and optionally skip startup.nsh), or send reset/shutdown commands. Code written in (almost) pure BASH with no subprocesses spawned. Only print function calls ‘sed’ once.
NetCAT shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data in a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in an SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally intended as a performance optimization in fast networks, we show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.
Intel agrees this is a significant vulnerability, having awarded NetCAT a bounty and recommending users to “limit direct access from untrusted networks when DDIO & RDMA are enabled”. This essentially means that in untrusted network environments DDIO and/or RDMA should be disabled to provide security. To the best of our knowledge, this is the first time a major hardware vendor like Intel cautions against using a CPU feature in untrusted local networks.