Microsoft seeks Director Firmware Development

The Cloud Server Infrastructure Firmware Development (CSI-FW) team is responsible for server hardware definition, design and development of Server and Rack Infrastructure engineering for Microsoft’s online services. We are seeking a Director for our Firmware Development team. In this role it will be your job to help the firmware development team deliver on its product roadmap and strategy. You are also expected to educate and grow the software engineers on your team as well as help teach the engineers across our organization to see the vision you help us create. The candidate should have strong coding skills, debugging and troubleshooting abilities, with experience in leading and driver development in either the Linux kernel or the Windows kernel. The successful candidate should have experience with some or all of the following: firmware development, driver development, Windows OS development, Yocto, UEFI, network sockets, platform initialization, Board Support Packages, peripheral interfaces such as PCIe, I2C, eMMC, SPI, USB, UARTs; OS primitives, memory management, scheduling, interrupt requests, threading and synchronization.

https://careers.microsoft.com/us/en/job/577536/Director-Firmware-Development

IL2C – A translator for ECMA-335 CIL/MSIL to C language (including UEFI Shell target)

Interesting, this may help enable porting C# (and other .NET IL-based languages) to target the UEFI Shell….
IL2C is a translator (transpiler) for ECMA-335 CIL/MSIL to C language.

We’re aiming for:
Better predictability for runtime costs, better human readability for the IL2C-translated C source code.
Very tiny footprint requirements; we are thinking about how to fit between tiny embedded systems and large systems with many resources.
Better code/runtime portability; the minimum requirement is only a C99 compiler.
Better interoperability with existing C libraries; we can use standard .NET interop techniques (likely P/Invoke).
Contains a seamless build system for major C toolkits, for example: CMake, Arduino IDE, VC++ …

[…]

“Calculator.UEFI” can execute directly on a UEFI platform.
Exactly, this code contains no OS at all and can boot up from USB flash memory 🙂
It contains platform-dependent glue functions.
These bypass to and from the UEFI console service functions:
ConIn, ConOut, OutputString, WaitForEvent, WaitForKey, ReadKeyStroke.

https://github.com/kekyo/IL2C

https://github.com/kekyo/IL2C/tree/master/samples/Calculator

C Compiler Warnings

Spoiler alert:

[…]All the flags presented so far can be combined into the following list, provided below for copy-pasting purposes :
-Wall -Wextra -Wcast-qual -Wcast-align -Wstrict-aliasing -Wpointer-arith -Winit-self -Wshadow -Wswitch-enum -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wfloat-equal -Wundef -Wvla -Wdeclaration-after-statement -Wc++-compat
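As an added illustration (not from the linked post), a small C file showing the code shapes that several of those flags reject, written in the form that compiles cleanly under them; the function names, the record bound and the sample inputs are constructed for this example:

```c
/* Added example, not from the linked post: patterns that -Wvla,
 * -Wfloat-equal, -Wswitch-enum, -Wstrict-prototypes, -Wmissing-prototypes
 * and -Wcast-qual flag, each shown in its clean form. All names and
 * values here are constructed for illustration. */
#include <stddef.h>
#include <string.h>

#define MAX_RECORD 64 /* fixed bound instead of a VLA sized by untrusted input */

enum link_state { LINK_DOWN, LINK_UP, LINK_DEGRADED };

/* Prototypes satisfy -Wmissing-prototypes. In C99 an empty "()" means
 * "unspecified arguments", which -Wstrict-prototypes rejects; a full
 * parameter list (or "(void)") is required. */
int copy_record(const unsigned char *src, size_t len, unsigned char *dst);
int nearly_equal(double a, double b);
const char *link_state_name(enum link_state s);

/* -Wvla: "unsigned char tmp[len];" would let a hostile len exhaust the
 * stack. A fixed buffer plus an explicit bound check replaces it. The
 * const on src is kept rather than cast away (-Wcast-qual). Returns
 * bytes copied, or -1 when len exceeds the bound. */
int copy_record(const unsigned char *src, size_t len, unsigned char *dst)
{
    unsigned char tmp[MAX_RECORD];
    if (len > sizeof tmp)
        return -1;
    memcpy(tmp, src, len);  /* staged copy, e.g. before validation */
    memcpy(dst, tmp, len);
    return (int)len;
}

/* -Wfloat-equal: "a == b" on doubles is almost never what a threshold
 * or timeout comparison means; compare against a tolerance instead. */
int nearly_equal(double a, double b)
{
    double d = a - b;
    if (d < 0.0)
        d = -d;
    return d < 1e-9;
}

/* -Wswitch-enum: every enumerator is listed explicitly, so adding a new
 * state later warns here instead of silently falling into a default. */
const char *link_state_name(enum link_state s)
{
    switch (s) {
    case LINK_DOWN:     return "down";
    case LINK_UP:       return "up";
    case LINK_DEGRADED: return "degraded";
    }
    return "unknown"; /* unreachable for valid input; satisfies -Wreturn-type */
}
```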

https://fastcompression.blogspot.com/2019/01/compiler-warnings.html

SIMCom: Statistical Sniffing of Inter-Module Communications for Run-time Hardware Trojan Detection

Faiq Khalid, Syed Rafay Hasan, Osman Hasan, Falah Awwad, Muhammad Shafique

Timely detection of Hardware Trojans (HT) has become a major challenge for secure integrated circuits. We present a run-time methodology for HT detection that employs a multi-parameter statistical traffic modeling of the communication channel in a given System-on-Chip (SoC). Towards this, it leverages the Hurst exponent, the standard deviation of the injection distribution and hop distribution jointly to accurately identify HT-based online anomalies. At design time, our methodology employs a property specification language to define and embed assertions in the RTL, specifying the correct communication behavior of a given SoC. At runtime, it monitors the anomalies in the communication behavior by checking the execution patterns against these assertions. We evaluate our methodology for detecting HTs in MC8051 microcontrollers. The experimental results show that with the combined analysis of multiple statistical parameters, our methodology is able to detect all the benchmark Trojans (available on trust-hub) inserted in MC8051, which directly or indirectly affect the communication-channels in SoC.

https://arxiv.org/abs/1901.07299

Patching Yourself into Windows Code Integrity, Part 1: On-Disk Patching

I started this whole thing because I wanted to run my own kernel-mode code while still having access to games protected by anti-cheat that don’t allow test signing, and I didn’t want to shell out the time and money required to get an EV certificate. […]I’m going to start out by patching binaries on disk, but the end result will be a UEFI application that patches all binaries in memory. […]

https://github.com/Avery3R/re-writeups/blob/master/windows-ci/part1_on_disk_patching.md

RIP: Dave Beaver

[This is off-topic of firmware security.]

Dave Beaver passed away Saturday. He was a friend of mine. He was a Developer at DEC, who was one of the initial NT developers who came over to MSFT with Dave Cutler. He created the initial dev kit for NT file system filter vendors, so all the NT antivirus security products had him to thank for their NT products. Here’s a more detailed remembrance:

https://community.osr.com/discussion/290973/rip-dave-beaver/

CVE-2019-6260: PantsDown: Gaining control of BMC from the host processor

CVE-2019-6260: Gaining control of BMC from the host processor
Posted on 23/01/2019 by Stewart Smith

These are the details for CVE-2019-6260, which has been nicknamed “pantsdown” due to the nature of feeling that we feel that we’ve “caught chunks of the industry with their…”, combined with the fact that naming things is hard, so if you pick a bad name somebody would have to come up with a better one before we publish.

I expect OpenBMC to have a statement shortly.[…]


Sculpt OS: based on Genode

“Sculpt is an open-source general-purpose OS. It combines Genode’s microkernel architecture, capability-based security, sandboxed device drivers, and virtual machines in a novel operating system for commodity PC hardware. Sculpt is used as day-to-day OS by the Genode developers.”

https://genode.org/download/sculpt

Linux kernel patch: x86/speculation: add L1 Terminal Fault / Foreshadow demo

https://lkml.org/lkml/2019/1/21/606

Raymond Chen: The Intel 80386, blog series

Part 1: https://blogs.msdn.microsoft.com/oldnewthing/20190121-00/?p=100745

Part 2: https://blogs.msdn.microsoft.com/oldnewthing/20190122-00/?p=100755

https://blogs.msdn.microsoft.com/oldnewthing/

BlackHat Asia: Ghosts in a Nutshell

Claudio Canella, Moritz Lipp

At the beginning of 2018, two severe attacks, called Meltdown and Spectre, have been published. These attacks exploit that the CPU either lazily enforces exceptions or speculates on the outcome of branch predictions or data dependencies. While the results of those computations are never made visible on the architectural level, secret data can still leak on the microarchitectural level and be observed by an attacker. Since then, many different versions of these attacks have been found by various research teams around the world, e.g., Spectre Variant 1, Spectre Variant 2, Variant 4, Meltdown, Foreshadow, Foreshadow-NG, LazyFP. Due to the confusing naming scheme and the large amounts of papers and articles published, it has quickly become difficult to differentiate them all. Additionally, researchers, as well as companies, have proposed various countermeasures to mitigate these attacks, making it even more confusing and difficult to keep a clear overview of the current state. Many of the proposed mitigation techniques involve substantial overhead, basically reducing the processing power of modern CPUs. With all these defences, one question remains: Do they actually work or are they just reducing the performance of our CPUs? Did the operating system implement them correctly? Is everything fixed now or are there even more variants that have so far been overlooked? In this talk, we will discuss all existing variants and introduce a newer, easier to understand naming scheme based on the microarchitectural element the attacks exploit. We will discuss all mitigation techniques proposed so far and classify them based on how they attempt to stop leakage. We will also discuss which of those mitigations work in practice and which ones we were able to circumvent with our experiments. We will present new variants of Meltdown and Spectre attacks that have not been published so far and which we were able to discover due to our systematisation.

https://www.blackhat.com/asia-19/briefings/schedule/#ghosts-in-a-nutshell-13755

BlackHat Asia: Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software

Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software
Alex Matrosov | Offensive Security Lead, NVIDIA

Many hardware vendors are armoring modern Secure Boot by moving Root of Trust to the hardware. While it is definitely the right direction to create more difficulties for the attacker, many layers of code exist between hardware and firmware. Also, hardware vendors are always fighting for boot performance, which creates interesting security issues in actual implementations. In this presentation, I’ll explain new security issues to bypass a specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I’ll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries.

https://www.blackhat.com/asia-19/briefings/schedule/index.html#modern-secure-boot-attacks-bypassing-hardware-root-of-trust-from-software-13950

Using SMM to Circumvent OS Security Functions

Using CPU System Management Mode to Circumvent Operating System Security Functions

Loïc Duflot, Daniel Etiemble, Olivier Grumelard

Abstract. In this paper we show how hardware functionalities can be misused by an attacker to extend her control over a system. The originality of our approach is that it exploits seldom used processor and chipset functionalities, such as switching to system management mode, to escalate local privileges in spite of security restrictions imposed by the operating system. As an example we present a new attack scheme against OpenBSD on x86-based architectures. On such a system the superuser is only granted limited privileges. The attack allows her to get full privileges over the system, including unrestricted access to physical memory. Our sample code shows how the superuser can lower the “secure level” from highly secure to permanently insecure mode. To the best of our knowledge, it is the first time that documented processor and chipset functionalities have been used to circumvent operating system security functions.

https://www.semanticscholar.org/paper/Using-CPU-System-Management-Mode-to-Circumvent-Duflot-Etiemble/62beba49b7a9eb50c0a860547cceb2863e994aa2