Positive Technologies: Intel VISA: Through the Rabbit Hole

December 19, 2018 ~ hucktech ~ 1 Comment

BlackHat Asia 2019 presentation:

The complexity of x86-based systems has become so great that not even specialists can know everything. The recently discovered Meltdown/Spectre vulnerabilities, as well as numerous issues in Intel Management Engine, underscore the platform’s mindboggling intricacies. So, the chips manufacturer has to actively use of various means for manufacturing verification and post-silicon debugging. We found that modern Platform Controller Hub (PCH) and CPU contain a full-fledged logic signal analyzer, which allows monitoring the state of internal lines and buses in real time—a gold mine for researchers. A vulnerability previously discovered by us, INTEL-SA-00086, enabled studying this technology, which is called Intel Visualization of Internal Signals Architecture (VISA). We believe it is used for manufacturing line verification of chips. With an enormous number of settings, VISA allows for the creating of custom rules for capturing and analyzing signals. VISA documentation is subject to an NDA and not available to ordinary users. However, we will show how, with the help of publicly available methods, one can access all the might of this technology WITHOUT ANY HARDWARE MODIFICATIONS on publicly available motherboards. With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user yet are able to access certain critical data. In our talk, we will demonstrate how to read signals from PCH internal buses (for example, IOSF Primary and Side Band buses and Intel ME Front Side Bus) and other security-sensitive internal devices.

https://www.blackhat.com/asia-19/briefings/schedule/index.html#intel-visa-through-the-rabbit-hole-13513

Synacktiv: Code Check(mate) in SMM

December 18, 2018 ~ hucktech ~ Leave a comment

Fifty shades of UEFI: an initiation to SMM practices https://t.co/HKgZmKc4sC

— Synacktiv (@Synacktiv) December 18, 2018

Written by Bruno · 2018-12-18 · in Exploit

[…]In summary, if we consider we have found a vulnerability allowing to call an arbitrary address in SMM, the final steps for the exploitation are:[…]

https://www.synacktiv.com/posts/exploit/code-checkmate-in-smm.html

OffensiveCon: Attacking Hardware Root of Trust from UEFI Firmware

December 18, 2018 ~ hucktech ~ 1 Comment

Attacking Hardware Root of Trust from UEFI Firmware by @matrosov https://t.co/1oYDFLwC66

— offensivecon (@offensive_con) December 17, 2018

Many hardware vendors armoring modern Secure Boot by moving Root of Trust to the hardware. It is definitely the right direction to create more difficulties for the attacker. But usually, between hardware and firmware exist many layers of code. Also, hardware vendors always fighting for boot performance which creates interesting security issues in actual implementations. In this presentation, I’ll explain new security issues to bypass specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I’ll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries.

https://www.offensivecon.org/speakers/2019/alex-matrosov.html

clang: Automatic variable initialization

December 18, 2018 ~ hucktech ~ Leave a comment

💥 Automatic variable initialization has just landed in clang! 💥
Let me know if it finds bugs or if you find performance issues.https://t.co/b5pY2LK57c

— JF Bastien 🔗 @jfbastien@mastodon.social (@jfbastien) December 18, 2018

Automatic variable initialization: Add an option to initialize automatic variables with either a pattern or with zeroes. The default is still that automatic variables are uninitialized. Also add attributes to request uninitialized on a per-variable basis, mainly to disable initialization of large stack arrays when deemed too expensive.[…]

https://reviews.llvm.org/rL349442

Msc_UefiHda_PreOs_Accessibility: UEFI app which processes sound streams

December 18, 2018 ~ hucktech ~ Leave a comment

This is the sample code developed during my Msc, where I created a UEFI application capable of processing sound streams at UEFI environment […]

https://github.com/RafaelRMachado/Msc_UefiHda_PreOs_Accessibility

Wave Computing to open source MIPS ISA

December 18, 2018 ~ hucktech ~ Leave a comment

@wavecomputing announces intent to open source MIPS instruction set architecture via new MIPS Open initiative. #OpenSource pic.twitter.com/kdScBo2QHl

— wavecomputing (@wavecomputing) December 17, 2018

Wave Computing®, the Silicon Valley company that is accelerating artificial intelligence (AI) from the edge to the data center, announced it will open source its MIPS instruction set architecture (ISA) to accelerate the ability for semiconductor companies, developers and universities to adopt and innovate using MIPS for next-generation system-on-chip (SoC) designs. Under the MIPS Open program, participants will have full access to the most recent versions of the 32-bit and 64-bit MIPS ISA free of charge – with no licensing or royalty fees. Additionally, participants in the MIPS Open program will be licensed under MIPS’ hundreds of existing worldwide patents.

https://wavecomp.ai/wave-computing-launches-the-mips-open-initiative

libredfish: Rust Redfish library

December 17, 2018 ~ hucktech ~ Leave a comment

libredfish is a new Rust-based Redfish library. Not to be confused by the libredfish library in C by the DMTF.

https://github.com/cholcombe973/libredfish

https://github.com/DMTF/libredfish

LiveCloudKd: VM memory forensics tool

December 17, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/msuiche/status/1074217301602254849

LiveCloudKd was the first utility to focus on Virtual Machine introspection for memory forensics purposes, it was released in 2010 after some initial research on Hyper-V v1.

https://github.com/comaeio/LiveCloudKd

Eurocom GdrSecInfo computer security workshop: presentations online

December 17, 2018 ~ hucktech ~ Leave a comment

As part of @GdrSecInfo I organized a one day computer security workshop @Eurecom slides and videos are online (all in English):https://t.co/EVt8gfX7cZ

— Aurélien Francillon (@aurelsec) December 17, 2018

Presentations:

An honest look at the state of enterprise security
The need for Hardware roots of trust
Understanding Linux Malware
Security and privacy issues in avionics communications
Formal methods: from source-level safety to binary-level security
BinCAT: purrfecting binary static analysis

https://gdr-securite-ssl.loria.fr/pmwiki.php/SSL/Sophia21112018

Kous-OS: a CP/M-like OS that runs on UEFI and runs on X86-64

December 17, 2018 ~ hucktech ~ Leave a comment

A new UEFI-centric project. I wish I had time this month to look at what this is, the docs hint at Java being used? and there is Rust code. Via Google Translate:

It is a CP / M-like OS that runs on UEFI and runs on X86-64 architecture.
This program group starts with UEFI and forms an OS that runs on the X86-64 architecture.

https://github.com/kousoz80/Kous-OS

screen shot

IDC_Importer: A Binary Ninja plugin for importing IDC database dumps from IDA Pro

December 15, 2018 ~ hucktech ~ Leave a comment

If you want to give Binary Ninja a try/are using it but need to port your symbols over from IDA, I've written a plugin that'll take IDC database dumps and import them into binja. It'll bring over function definitions + names, string names, and comments.https://t.co/vviaDNta2J

— Specter (@SpecterDev) December 13, 2018

IDC Importer (Plugin)

Author: SpecterDev

Allows users to import idc database dumps from IDA into Binary Ninja. Making the switch from IDA to Binary Ninja but need your function names and symbols to carry over? This plugin will take an IDC file and automatically import the functions, strings, and comments.

https://github.com/Cryptogenic/idc_importer

What is Keystone and it’s first open-source release?

December 15, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/11/12/keystone-open-source-secure-hardware-enclave/

There is a new document on their site, with more info on this project.

Really excited about our first open source release for Keystone Secure Hardware Enclave! Looking forward to working together with community! Available for download and run today: https://t.co/nvuo9LM0nj

— Dawn Song (@dawnsongtweets) December 13, 2018

https://keystone-enclave.org/2018/12/13/what-is-keystone.html

tools to create UEFI USB boot drives

December 15, 2018 ~ hucktech ~ Leave a comment

Regarding tools/scripts to generate a UEFI USB thumbdrive boot disk, there’s:

1) Rufus (a native GUI app for Windows), which has been around for years.

https://rufus.ie/

2) USB_UEFI_Shell, a Unix script, came out two weeks ago.

https://github.com/skyskyshinysky/usb_uefi_shell

3) WinInst-UEFI-USB is a macOS script that generates a Windows-centric drive, and this was initially released yesterday.

https://github.com/core-process/wininst-uefi-usb

[[I think there are a few other scripts that I’ve blogged about, but forget the project names at the moment, will create a future post when I can extend the list. There’s also the Tianocore/EDK2 script that DUET uses (or rather used, DUET was just deprecated from EDK2); I think Cloverboot has variations of that script. I guess I should also create a list of documentation that describes how to do this in the future as well. The CHIPSEC user documentation’s UEFI install instructions are one example app that includes this. There’re about a dozen other documents…]]

rust-guide: Guide to develop secure applications with Rust

December 14, 2018 ~ hucktech ~ Leave a comment

GitHub – ANSSI-FR/rust-guide: Recommendations for secure applications development with Rust – https://t.co/jpbDwTvv2s

— grumpy (@grumpyfr) December 14, 2018

The object of this document is to provide hints and recommendations for secure applications development using the Rust programming language. It is not intended to be a course on how to write Rust programs, there are already plenty of good learning resources for this purpose (see the External references section below). The purpose is rather to guide the programmer and to inform him about certain pitfalls, especially in case he is involved in the development of applications with strong security requirements. These recommendations form a complement to the good level of trust the Rust language already provides. That said, recalls are sometimes necessary for clarity, and the experienced Rust programmer may rely solely on Recommendation or Warning inserts.

https://github.com/ANSSI-FR/rust-guide

Rootkits and Bootkits: all chapters now available in Early Access (~600 p)

December 14, 2018 ~ hucktech ~ 1 Comment

Happy to announce all the chapters of https://t.co/6mhn9NUS9a now available in Early Access (~600 p). 4 years of writing/rewriting. The book almost a double the size from the original proposal (rootkits/bootkits, UEFI threats and modern forensics) Thx @billpollock and @nostarch!!

— Alex Matrosov (@matrosov) December 13, 2018

Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
April 2019 (estimated), 504 pp.
ISBN-13: 9781593277161

https://nostarch.com/rootkits

PS: While you’re ordering this at NoStarch.com, note:

The Proof of Concept||GTFO buy-one-get-one promotion ends Saturday, December 15th at 11:59pm PST.

— No Starch Press (@nostarch) December 13, 2018

ZeroNights 2018: videos uploaded

December 13, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/12/13/embedi-nuclear-explotion/ video is here:

https://twitter.com/ZeroNights/status/1072889954622164992

https://www.youtube.com/channel/UCtQ0fPmP4fCGBkYWMxnjh6A

https://2018.zeronights.ru/en/materials.html

Onur Mutlu: Rowhammer and Beyond

December 13, 2018 ~ hucktech ~ Leave a comment

My talk on "#Rowhammer and Beyond" from @MSFTResearch Faculty Summit is online:https://t.co/xx8RRgmaXA

Slides (pptx): https://t.co/TMUeZIpCwZ
Slides (pdf): https://t.co/KLMiFjGqGI #rowhammer #memory #errors #security #hardware #dram #EmergingTech pic.twitter.com/AccVqFFi2z

— Onur Mutlu (@_onurmutlu_) December 13, 2018

Click to access onur-Rowhammer-MSR-Faculty-Summit-talk-August-2-2018-short-final.pdf

flare-emu: IDA Pro + Unicorn Engine

December 13, 2018 ~ hucktech ~ Leave a comment

here's my new tool, flare-emu, that marries IDA Pro’s binary analysis capabilities with @unicorn_engine to provide the user with an easy to use and flexible interface for scripting emulation tasks. https://t.co/oqhMjviHsr pic.twitter.com/bfnKRL7WSo

— James T. Bennett (@jtbennettjr) December 12, 2018

flare-emu marries IDA Pro’s binary analysis capabilities with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. It is designed to handle all the housekeeping of setting up a flexible and robust emulator for its supported architectures so that you can focus on solving your code analysis problems. Currently, flare-emu supports the x86, x86_64, ARM, and ARM64 architectures.[…]

https://github.com/fireeye/flare-emu

Embedi: NUClear explotion

December 13, 2018 ~ hucktech ~ 1 Comment

https://twitter.com/_embedi_/status/1072876745383124992

It is widely known, that UEFI BIOS security aims at preventing the SPI flash memory tampering in the first place. […] Let’s see how such an update process is implemented in our well-known rolling stone Intel NUC Kit NUC7i3BNH. As we can see from the CHIPSEC framework output below, all the mentioned protections are enabled. […]

https://embedi.org/blog/nuclear-explotion/

binaryanalysis-ng: Binary Analysis Next Generation (BANG): framework for checking firmware

December 12, 2018 ~ hucktech ~ Leave a comment

Binary Analysis Next Generation (BANG) is a new project I am working on. It is a bit rough around the edges and mostly focused on unpacking at the moment, but this should change before the end of the year. https://t.co/jZjsMkpuDT

— Armijn Hemel (@armijnhemel) December 12, 2018

The Binary Analysis Tool (BAT) is dead. Long live BANG! https://t.co/aP0dmyJW3i

— binaryanalysis (@binaryanalysis) December 12, 2018

Binary Analysis Next Generation (BANG) is a framework for unpacking files (like firmware) recursively and running checks on the unpacked files. Its intended use is to be able to find out the provenance of the unpacked files and classify/label files, making them available for further analysis.

https://github.com/armijnhemel/binaryanalysis-ng