OpenVisla was invented 10 years ago, created almost 6 years ago and to be fair, it was very unlucky. Many people have forgotten about it, but it still can be very useful. It has a lot of potential for being used in security development. We are going to continue our research and maybe, maybe in some time, we will show what this small and relatively cheap board is capable of.
Modern Techniques to Deobfuscate UEFI/BIOS Malware and Virtualized Packers
https://conference.hitb.org/hitbsecconf2019ams/materials/D1T1%20-%20Modern%20Techniques%20to%20Deobfuscate%20UEFI:BIOS%20Malware%20-%20Alexandre%20Borges.pdf
https://conference.hitb.org/hitbsecconf2019ams/sessions/modern-techniques-to-deobfuscate-uefi-bios-malware-and-virtualized-packers/
Tianocore Bug 1614 – BootGuard TOCTOU vulnerability
https://bugzilla.tianocore.org/show_bug.cgi?id=1614
Setting up Windows boxes to be usable…
I just noticed that Microsoft has a project to help set up a dev box:
“The goal of this project is to provide a central place to share ideas for streamlining dev box setup and provide sample scripts for common dev scenarios. It’s likely you will want to take the scripts here and modify them to fit your particular needs.”
https://github.com/Microsoft/windows-dev-box-setup-scripts
For the last few years, they’ve been releasing Windows as a prebuilt VM, with most of the developer tools preinstalled. These VMs expire after a few weeks, so you’ll have to download a new VM every few weeks. [There’ve been periods of multiple weeks where there’s no VM available, waiting for the next build of Windows, so keep your old bits and hope the expiration policy does not become more draconian.]
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines
FLARE-VM is a nice script from Fireeye that sets up a Windows box with lots of security tools. Requires a fresh Windows install before use.
https://github.com/fireeye/flare-vm
https://www.fireeye.com/blog/threat-research/2018/11/flare-vm-update.html
Fireeye also has Commando-VM:
https://github.com/fireeye/commando-vm
Half a dozen open source projects (and an unknown number of closed source products) have nice scripts to set up a Windows system for development, but they are project-centric.
Google: Quantifying Measurable Security
Google has a new blog post about the security status of their platforms, and will be live-streaming an event on Thursday with more info:
https://security.googleblog.com/2019/05/quantifying-measurable-security.html
https://events.google.com/io/schedule/events/debb8c6e-df05-4644-bdde-116155300abf

Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller
Hardware security boundaries are difficult to support and to design correctly. Modern x86 platforms contain many different hardware components. It is clear they should be included in the usual threat model’s obvious external paths, but what if the attacker can compromise one of the trusted components? We have previously seen researchers compromise the TPM and start the attack from inside the trusted boundary. All of these cases raise concerns about the current threat modeling process, because after an attacker crosses a trusted boundary the attack surface changes significantly. Does this mean the attack surface is dynamic rather than static? In our presentation, we focus on reverse engineering the Embedded Controller (EC) of one of the recent Lenovo ThinkPad laptops, attack the main platform firmware (BIOS) from the EC trusted boundary, and manage to bypass Intel BIOS Guard technology (the Lenovo-specific implementation). We will present multiple topics related to security boundary problems on x86 platforms, demonstrate platform design problems caused by trusting third-party components such as the EC, and show real attacks from OS level to EC and from EC to BIOS. This research covers reverse engineering of EC firmware based on the ARC processor architecture, the internals of the EC architecture, and the specific operating modes that support SMI handlers on the EC side (including BIOS Guard). We also reverse engineered the most interesting parts of the communication and relationships between BIOS and EC. From an attacker’s perspective the attack surface from the EC is quite large and can include DMA attacks, disclosure of PCI memory space to attack devices, and the possibility of persistent rootkit/implant installation.
PS: Looks like ru.efi picked a good time to start adding EC support: 🙂
http://ruexe.blogspot.com/2019/05/reading-ec-controllers.html
Defending Against Out-of-Band Management BMC Attacks
My slides from the recent LinuxFestNW talk with an intro to BMCs is linked here:
PDF: lfnw2019-bmc.pdf
I need to work with Paul and get both his and my slides from LFNW up on our Github page, along with our previous talks. For now, the above PDF is hosted on this blog site. 😦
This is an INTRODUCTORY talk. If you’re a regular reader of this blog, you probably don’t need to waste your time watching this. 🙂 This talk did not mention u-bmc or the bmclib projects, something I’ll fix the next time I give a variation of this talk. Video is here:
Jessie Frazelle: Why open source firmware is important
The Rise of Evil HID Devices
Extracting Firmware from Microcontrollers’ Onboard Flash Memory, Part 4: Texas Instrument RF Microcontrollers
BootKeeper, a static analysis of security properties on boot firmware images
BootKeeper: Validating Software Integrity Properties on Boot Firmware Images
Ronny Chevalier, Stefano Cristalli, Christophe Hauser, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, Danilo Bruschi, Andrea Lanzi
(Submitted on 29 Mar 2019)
Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware’s loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.
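To illustrate the paper’s premise, here is an added Python model (not BootKeeper’s code, nor from the paper) of a measured-boot chain: each stage may or may not extend a PCR with the next stage’s image before handing off, and a BootKeeper-style static property check flags stages that skip the measurement. The stage names PEI/DXE/BDS, the image bytes and the `measures_next` flag are constructed simplifications.

```python
import hashlib
from dataclasses import dataclass

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as all zeros at reset


@dataclass
class Stage:
    name: str
    image: bytes
    measures_next: bool  # constructed flag: does this stage measure its successor before running it?


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM PCR extend: PCR' = SHA-256(PCR || SHA-256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def boot(chain):
    """Run the chain in order and return the final PCR an attestation would report.
    The first stage is assumed to be measured by the hardware root of trust."""
    pcr = extend(PCR_INIT, chain[0].image)
    for cur, nxt in zip(chain, chain[1:]):
        if cur.measures_next:
            pcr = extend(pcr, nxt.image)
        # nxt executes either way; only the measurement may be missing
    return pcr


def unmeasured_handoffs(chain):
    """Static property check in the spirit of BootKeeper: every stage that loads a
    successor must measure it first. Returns the names of the offending stages."""
    return [cur.name for cur in chain[:-1] if not cur.measures_next]


def tamper(chain, stage_name, new_image):
    """Return a copy of the chain with one stage's image replaced (a modified firmware)."""
    return [Stage(s.name, new_image if s.name == stage_name else s.image, s.measures_next)
            for s in chain]


# Constructed stand-in images; real ones would be firmware volumes / PE images.
PEI, DXE, BDS = b"PEI core v1", b"DXE core v1", b"BDS v1"
COMPLIANT = [Stage("PEI", PEI, True), Stage("DXE", DXE, True), Stage("BDS", BDS, False)]
NONCOMPLIANT = [Stage("PEI", PEI, False), Stage("DXE", DXE, True), Stage("BDS", BDS, False)]


def detects_tampering(chain, stage_name="DXE"):
    """True if replacing the named stage changes the PCR relative to the untampered boot."""
    golden = boot(chain)
    return boot(tamper(chain, stage_name, b"DXE core (modified)")) != golden


if __name__ == "__main__":
    print("compliant chain detects DXE modification:", detects_tampering(COMPLIANT))
    print("non-compliant chain detects DXE modification:", detects_tampering(NONCOMPLIANT))
    print("stages skipping measurement of their successor:", unmeasured_handoffs(NONCOMPLIANT))
```

The non-compliant chain reports the same PCR whether or not DXE was modified, which is exactly the gap a pre-deployment static check can catch where runtime attestation cannot.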
Dell: Enhanced BIOS Verification Protects PC Firmware Against Sophisticated Threats
BIOS Verification. This utility provides customers with assurance that devices are secured below the OS, a place where visibility has been lacking up to now. This utility stores the BIOS measurements and performs the verification off-host, to ensure the user has an untampered version of the BIOS. This utility supports Windows 10 (both 32- and 64-bit) on the following platforms: Tablet, Precision, OptiPlex, Latitude, and some XPS Notebooks.
Now You See It: TOCTOU Attacks Against Secure Boot and BootGuard
BootGuard’s Verified Boot mode on modern Intel CPUs is the core root of trust and measurement during the boot process, and preserves the chain of trust by only executing firmware with a valid vendor signature. These protections are supposed to be secure against physical attacks on the SPI flash, although we’ve found multiple errors in handling the firmware volumes as well as a new technique for changing the firmware after the signature check has been done. In this talk we’ll demonstrate how to build an inexpensive open source tool for investigating these TOCTOU techniques and how to use it to test the security of your own systems.
Microsoft open sources CCF (Confidential Consortium Framework)
The Confidential Consortium Framework (CCF) is an open-source framework for building a new category of secure, highly available, and performant applications that focus on multi-party compute and data. While not limited just to blockchain applications, CCF can enable high-scale, confidential blockchain networks that meet key enterprise requirements — providing a means to accelerate production enterprise adoption of blockchain technology.
Remote Code Execution on most Windows-based Dell computers
Dell SupportAssist Client has been updated to address multiple vulnerabilities which may be potentially exploited to compromise the system.
https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/
Fiddle: instrumentation for bootloaders and beyond
bootloader_instrumentation_suite – Bootloader research tools (very much a work in progress)
This test suite helps you keep track of different versions of u-boot/build tools, static analysis of that build’s binaries, and runtime trace results of running that binary on a given hardware configuration. For each u-boot/build configuration it keeps a database of information it statically gathered for each boot stage, boot stage images/ELF files, a prepared SD card image, and test results of runtime trace analyses. If it detects changes in the u-boot source or build tools it will create a new set of test result directories with a new sdcard image and static analysis results.
96Boards’ OpenHours episode 144: secure firmware
ARM’s Linaro hosts a weekly OpenHours on 96boards.org:
https://www.96boards.org/openhours/
Episode 144 was about secure firmware; video is available:
FishTank: CLI for the Redfish API
There is a new Redfish command line tool being worked on (just getting started, not ready for use yet):
TechSpot: Update your BIOS: Utilities from Top Motherboard Makers
Erik Orejuela and Julio Franco have a new article on TechSpot, discussing BIOS vendor tools, covering these vendors’ tools:
Asus Live Update
Gigabyte @Bios
MSI Live Update
ASRock Live Update
Biostar BIOS Update Utility
https://www.techspot.com/article/1824-update-motherboard-bios/
Crowdstrike’s Falcon adds firmware security
https://www.crowdstrike.com/blog/crowdstrike-first-to-deliver-bios-visibility/
Ugh, their web page has some obnoxious code that changes the HTML header every few seconds to try and get your attention.