VUSec: ECCploit: ECC Memory Vulnerable to Rowhammer Attacks After All

~ hucktech ~ Leave a comment

Where many people thought that high-end servers were safe from the (unpatchable) Rowhammer bitflip vulnerability in memory chips, new research from VUSec, the security group at Vrije Universiteit Amsterdam, shows that this is not the case. Since prominent security researchers and companies have suggested that ECC provides pretty good protection [1,2,3], and exploitable bitflips on ECC memory are seen by many as the “unholy grail” for Rowhammer attacks, the new attack to reliably flip bits that completely bypass ECC protection is a major step forward in Rowhammer research.[…]

https://www.vusec.net/projects/eccploit/

cs.vu.nl/~lcr220/ecc/ecc-rh-paper-eccploit-press-preprint.pdf

https://www.wired.com/story/rowhammer-ecc-memory-data-hack/

https://www.vusec.net/projects/#hardware-vulnerabilities

U-Boot v2018.11 released

~ hucktech ~ Leave a comment

Tom Rini of Konsulko announced the latest release of U-Boot, including a bit of info about the two recent CVEs:

[…]I’m going to mention here as well that both CVE-2018-18439 and CVE-2018-18440 exist and are issues. As a community we’re still working on more robust fixes to them, but I want to thank Simon Goldschmidt for taking the lead on coming up with code changes for them. In the immediate term (and for older releases) note that the filesystem-based attack can be mitigated by passing a maximum size to the load command.[…]

https://lists.denx.de/pipermail/u-boot/2018-November/347424.html

Wolfgang Denk of DENX has some stats about the release at:

https://lists.denx.de/pipermail/u-boot/2018-November/347506.html

FWTS 18.11.00 is released

~ hucktech ~ Leave a comment

* ACPICA: Update to version 20181031
* olog:olog.json: Update OPAL skiboot errors to check on olog scan
* acpi: button: check fixed hardware & control method power buttons
* kernelscan: add -k option to specify klog json filename
* README: update package dependency notes for RHEL
* acpica: fix linker issues when building with ACPI disabled
* src/lib: add module probing helper functions
* lib: fwts_efi_module: use the new module loading helper functions
* lib/fwts_cpu: use new use the new module loading helper functions
* snapcraft: update confinement and plugs
* lib: fwts_coreboot_cbmem: don’t use void * pointer arithmetic
* lib: fwts_coreboot_cbmem: shift UL values rather than signed int values
* lib: fwts_log: shift UL values rather than signed int values
* acpi: syntaxcheck: rename syntaxcheck_table to syntaxcheck_single_table
* dmicheck: fix Maximum Capacity checking range
* mcfg: fix MMIO config space checking
* madt: fix the Local APIC NMI processor UID checking
* auto-packager: mkpackage.sh: add disco

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V18.11.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/18.11.00

CVE-2017-1000112: Linux Kernel Runtime Guard (LKRG) bypass

~ hucktech ~ Leave a comment

https://www.openwall.com/lists/lkrg-users/2018/11/16/2

This is a proof-of-concept local root exploit for the vulnerability in the UFO Linux kernel implementation CVE-2017-1000112.

https://www.openwall.com/lists/oss-security/2017/08/13/1

https://github.com/milabs/kernel-exploits/tree/master/CVE-2017-1000112

 

hardware-effects: Demonstration of various hardware effects in C++

~ hucktech ~ Leave a comment

This repository demonstrates various hardware effects that can degrade application performance in surprising ways and that may be very hard to explain without knowledge of the low-level CPU and OS architecture. For each effect I try to create a proof of concept program that is as small as possible so that it can be understood easily.

Those effects obviously depend heavily on your CPU microarchitecture and model, so the demonstration programs may not showcase the slowdown on your CPU, but I try to make them as general as I can. That said, the examples are targeting x86-x64 processors (Intel and AMD) and may not make sense on other CPU architectures. I try to make them compatible with Windows, but they are mainly tested on Linux.

Currently the following effects are demonstrated:

bandwidth saturation
branch misprediction
branch target misprediction
cache aliasing
cache/memory hierarchy bandwidth
data dependencies
denormal floating point numbers
false sharing
hardware prefetching
memory-bound program
non-temporal stores
software prefetching
write combining

https://github.com/Kobzol/hardware-effects

Tracing flash reads (and writes) during boot [on OpenPOWER systems]

~ hucktech ~ Leave a comment

On OpenPOWER POWER9 systems, we typically talk to the flash chips that hold firmware for the host (i.e. the POWER9) processor through a daemon running on the BMC (aka service processor) rather than directly. We have host firmware map “windows” on the LPC bus to parts of the flash chip. This flash chip can in fact be a virtual one, constructed dynamically from files on the BMC. Since we’re mapping windows into this flash address space, we have some knowledge as to what IO the host is doing to/from the pnor. We can use this to output data in the blktrace format and feed into existing tools used to analyze IO patterns. So, with a bit of learning of the data format and learning how to drive the various tools, I was ready to patch the BMC daemon (mboxbridge) to get some data out.[…]

Tracing flash reads (and writes) during boot

Beam me up, CFG (Control Flow Guard)

~ hucktech ~ Leave a comment

https://twitter.com/hh86_/status/1063347806948216833

What is CFG? Earlier in 2018 while revisiting the Delay Import Table, I used dumpbin to check the Load Configuration data of a file and noticed new fields in it: <figure omitted>. And at the time of writing this, more fields were added! The first CFGuard caught my attention and I learned about Control Flow Guard, it is a new security feature. To put it simple, it protects the execution flow from redirection – for example, from exploits that overwrite an address in the stack. Maybe they should call it the Security Directory instead. ;-)[…]

https://86hh.github.io/cfg.html

more info:

https://docs.microsoft.com/en-us/windows/desktop/secbp/control-flow-guard

Defensive Security: Playing with Linux Kernel Runtime Guard (LKRG)

~ hucktech ~ Leave a comment

https://www.defensive-security.com/blog/playing-with-linux-kernel-runtime-guard-lkrg

SeaBIOS 1.12.0 released

~ hucktech ~ Leave a comment

Kevin O’Connor announced release 1.12.0 of SeaBIOS:

New in this release:
* Initial support for “TPM CRB” hardware
* Improved cdrom media reporting in the boot menu on QEMU
* Improved floppy support on real floppy hardware
* SeaVGABIOS support for QEMU “bochs-display” and QEMU “ramfb” displays
* Several bug fixes and code cleanups

https://seabios.org/Releases#SeaBIOS_1.12.0

more info about this release:
https://mail.coreboot.org/pipermail/seabios/2018-November/012576.html

ZFS Boot Environments

~ hucktech ~ Leave a comment

As long as sysadmins need to maintain, change and update operating systems there is always need to protect against problems that may occur during these operations. Various solutions were used starting from simple backup/restore procedures or copying the contents of system filesystems into spare disks to snapshots and clones recently. None of these solutions were transparent enough or bulletproof enough to provide complete and consistent protection again failures in the change or update process. One of such holy grails is ZFS Boot Environments solution. It protects entire system (and even additional data when needed) against almost any change or update process. As ZFS Boot Environments matured in Solaris/Illumos systems and then on FreeBSD UNIX other systems started to copy its principles to provide similar solutions such as snapper with BTRFS in SUSE or Boot Environment Manager for DragonFly BSD with their HAMMER filesystem. The presentation aims to walk through the history of these solutions with the focus on practical ZFS Boot Environments solutions and examples.

ZFS Boot Environments Reloaded at NLUUG Autumn Conference 2018

https://www.nluug.nl/activiteiten/events/nj18/abstracts/ab12.html

Phantom Device Attack: Uncovering the Security Implications of the Interactions among Devices, IoT Cloud, and Mobile Apps

~ hucktech ~ Leave a comment

(Submitted on 8 Nov 2018)

Smart home connects tens of home devices into the Internet, running a smart algorithm in the cloud that sends remote commands to the devices. While bringing unprecedented convenience, accessibility, and efficiency, it also introduces safety hazards to users. Prior research studied smart home security from various aspects. However, we found that the complexity of the interactions among the participating entities (device, IoT cloud, and mobile app) has not yet been systematically investigated. In this work, we conducted an in-depth analysis to four widely used smart home solutions. Combining firmware reverse-engineering, network traffic interception, and black-box testing, we distill the general state transitions representing the complex interactions among the three entities. Based on the state machine, we reveal several vulnerabilities that lead to unexpected state transitions. While these minor security flaws appear to be irrelevant, we show that combining them in a surprising way poses serious security or privacy hazards to smart home users. To this end, five concrete attacks are constructed and illustrated. We also discuss the implications of the disclosed attacks in the context of business competition. Finally, we propose some general design suggestions for building a more secure smart home solution.

https://arxiv.org/abs/1811.03241

USBCaptchaIn: Preventing (Un)Conventional Attacks from Promiscuously Used USB Devices in Industrial Control Systems

~ hucktech ~ Leave a comment

(Submitted on 11 Oct 2018)

Industrial Control Systems (ICS) are sensible targets for high profile attackers and advanced persistent threats, which are known to exploit USB thumb drives as an effective spreading vector. In ICSes, thumb drives are widely used to transfer files among disconnected systems and represent a serious security risks, since, they may be promiscuously used in both critical and regular systems. The threats come both from malware hidden in files stored in the thumb drives and from BadUSB attacks [16]. BadUSB leverages the modification of firmware of USB devices in order to mimic the behaviour of a keyboard and send malicious commands to the host. We present a solution that allows a promiscuous use of USB thumbs drives while protecting critical machines from malware, that spread by regular file infection or by firmware infection. The main component of the architecture we propose is an hardware, called USBCaptchaIn, intended to be in the middle between a critical machine and all USB devices. We do not require users to change the way they use thumb drives. To avoid human-errors, we do not require users to take any decision. The proposed approach is highly compatible with already deployed products of a ICS environment and proactively blocks malware before they reach their targets. We describe our solution, provide a thorough analysis of the security of our approach in the ICS context, and report the informal feedback of some experts regarding our first prototypes.

https://arxiv.org/abs/1810.05005

Interface-Based Side Channel Attack Against Intel SGX

~ hucktech ~ Leave a comment

(Submitted on 8 Oct 2018)

Intel has introduced a trusted computing technology, Intel Software Guard Extension (SGX), which provides an isolated and secure execution environment called enclave for a user program without trusting any privilege software (e.g., an operating system or a hypervisor) or firmware. Nevertheless, SGX is vulnerable to several side channel attacks (e.g. page-fault-based attack and cache-based attack). In this paper, we explore a new, yet critical side channel attack in SGX, interface-based side channel attack, which can infer the information of the enclave input data. The root cause of the interface-based side channel attack is the input dependent interface invocation information (e.g., interface information and invocation patterns) which can be observed by the untrusted privilege software can reveal the control flow in the enclave. We study the methodology which can be used to conduct the interface-based side channel attack. To illustrate the effectiveness of the interface-based side-channel attacks, we use our methodology to infer whether tracked web pages have been processed by the SGX-assisted NFV platforms and achieve the accuracy of 87.6% and recall of 76.6%. We also identify the packets which belong to the tracked web pages, with the accuracy of 67.9%and recall of 71.1%. We finally propose some countermeasures to defense the interface-based side channel attack in SGX-assisted applications.

https://arxiv.org/abs/1811.05378