Intel seeks Security Researcher

Responsible for secure design, development and operation of Intel’s hardware and software products and services. Responsibilities may include threat assessments, design of security components, and vulnerability assessment.
4+ years of experience in the field of system security research and exploring software and hardware techniques as a method of attack against targets within compute systems.
In-depth experience with security threats, vulnerability research, physical attack techniques (power analysis, fault injection, reverse engineering, etc.), side-channel attack methods.
Knowledge of security technologies: authentication, cryptography, secure protocol, etc.
Knowledge of computer architecture CPU, SoC, chipsets, BIOS, Firmware, Drivers, and others

https://jobs.intel.com/ShowJob/Id/1826346/Security%20Researcher

MIT: DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors

[…]As a playful counterpoint to Intel’s CAT system, the researchers dubbed their method “DAWG”, which stands for “Dynamically Allocated Way Guard.” (The “dynamic” part means that DAWG can split the cache into multiple buckets whose size can vary over time.)[…]

https://www.csail.mit.edu/news/better-approach-preventing-meltdownspectre-attacks


custom_nvram: Shared Library to intercept nvram get/set/match calls for emulating libnvram.so used by many IoT firmware software

https://github.com/therealsaumil/custom_nvram
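As an added illustration of what such an interposer has to provide (this is not the custom_nvram project's code), the block below is a minimal in-memory stand-in for libnvram.so. It assumes the common Broadcom-style signatures for nvram_get, nvram_set and nvram_match and logs every call to stderr so an analyst can see which NVRAM variables an emulated firmware binary touches.

```c
/* Added example: in-memory stand-in for libnvram.so (not custom_nvram's code).
 * Signatures follow the usual Broadcom-style API (an assumption); the backing
 * store is a small fixed table instead of real flash-backed NVRAM. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NVRAM_MAX 64

struct nvram_entry { char *name; char *value; };
static struct nvram_entry nvram_table[NVRAM_MAX];
static int nvram_count;

static struct nvram_entry *nvram_find(const char *name)
{
    for (int i = 0; i < nvram_count; i++)
        if (strcmp(nvram_table[i].name, name) == 0)
            return &nvram_table[i];
    return NULL;
}

/* Return the stored value, or NULL when the variable is unset (as libnvram does). */
char *nvram_get(const char *name)
{
    struct nvram_entry *e = nvram_find(name);
    fprintf(stderr, "[nvram] get %s -> %s\n", name, e ? e->value : "(null)");
    return e ? e->value : NULL;
}

/* Store or replace a value; 0 on success, -1 when the table is full. */
int nvram_set(const char *name, const char *value)
{
    struct nvram_entry *e = nvram_find(name);
    fprintf(stderr, "[nvram] set %s = %s\n", name, value);
    if (e) {
        free(e->value);
        e->value = strdup(value);
        return 0;
    }
    if (nvram_count >= NVRAM_MAX)
        return -1;
    nvram_table[nvram_count].name = strdup(name);
    nvram_table[nvram_count].value = strdup(value);
    nvram_count++;
    return 0;
}

/* 1 when the variable is set and equals match, else 0. */
int nvram_match(const char *name, const char *match)
{
    const char *v = nvram_get(name);
    return v != NULL && strcmp(v, match) == 0;
}
```

Built as a shared object and loaded ahead of the firmware's own libnvram.so, this gives the emulated binary answers for variables it expects the real device to have set.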

macOS EFI Unlocker V1.0 for VMware: allows non-server versions of MacOS to be run with VMWare

The macOS EFI Unlocker removes the check for the server editions of these Mac OS X versions:

* 10.5 Leopard
* 10.6 Snow Leopard

allowing the non-server versions of Mac OS X to be run with VMware products. Later versions of Mac OS X and macOS
do not need the modified firmware due to Apple removing the restrictions imposed on 10.5 and 10.6.

EFI Unlocker 1 is designed for the following products:

* VMware Workstation and Player versions 14/15
* VMware Fusion versions 10/11

The checks for the server versions are done in VMware’s virtual EFI firmware and look for a file called
ServerVersion.plist in the installation media and the installed OS. The patch modifies the firmware to check
for a file present on all versions of Mac OS X called SystemVersion.plist.

The patch uses a tool called UEFIPatch to make the modifications.

Please note you may need to use macOS Unlocker version 3 to run on non-Apple hardware.

https://github.com/DrDonk/efi-unlocker

Basic BMC and IPMI Management Security Practices

From Serve The Home https://www.servethehome.com/basic-bmc-and-ipmi-management-security-practices/

In light of multiple stories about BMC security breaches, we wanted to put a basic BMC and IPMI management security practices article together. This is likely a piece we will update over time. It is also one where there is an entire industry catering to management interface security, so this is only going to provide some bare minimum basics. If you are a new administrator, this should help avoid the top mistakes at a minimal incremental cost.

Editorial side-note – BMC, IPMI, iLO, Redfish, Intel AMT, Intel ME, AMD PSP – these are *computers* that control your computer. Sure, they run firmware, but in almost every case it is a full blown multi-tasking, typically multi-user networked computer. So their security is networked computer security. It is really boring (credit to James Mickens). Encrypted network connections. Strong, non-default passwords for all users. 2FA if you can manage it!

Just because you think you might not have connected it to a network, or you think the “management network” to which you attached it is secure….

Automatically Mapping Binaries with Debug Print using IDAPython

This blog gives a short overview on a script I wrote that replaces the default function names in IDA with names constructed from debug prints, hopefully it will also provide the basic knowledge for you to create one of your own.[…]

https://0xgalz.github.io/

Redfish-finder: utility to parse dmidecode output for Host Management Controllers, and set up canonically named access to them

One of the difficulties of using the Redfish host api is the translation of the SMBIOS data above into meaningful application configuration data.[…]redfish-finder: parses the smbios data for Redfish access, translates the device specification to an OS interface name, uses NetworkManager to configure the network interface with the appropriate settings, and adds an entry to /etc/hosts mapping the name redfish-localhost to the Discovered Redfish service address.[…]

https://github.com/nhorman/redfish-finder
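The core of that first step, locating the SMBIOS Type 42 "Redfish over IP" record in dmidecode text and pulling out the service address and port that a redfish-localhost host entry needs, as an added example that is not redfish-finder's own code. The sample dmidecode output is constructed, and the field labels are assumed to match dmidecode's wording.

```c
/* Added example (not redfish-finder's code): extract the Redfish service
 * address and port from dmidecode's rendering of an SMBIOS Type 42 record.
 * The sample below is constructed in dmidecode's label style. */
#include <stdio.h>
#include <string.h>

static const char sample_dmidecode[] =
    "Handle 0x0046, DMI type 42, 136 bytes\n"
    "Management Controller Host Interface\n"
    "\tHost Interface Type: Network\n"
    "\tProtocol ID: 04 (Redfish over IP)\n"
    "\t\tHost IP Address Format: IPv4\n"
    "\t\tIPv4 Address: 169.254.0.2\n"
    "\t\tRedfish Service IP Address Format: IPv4\n"
    "\t\tIPv4 Redfish Service Address: 169.254.0.3\n"
    "\t\tRedfish Service Port: 443\n";

/* Copy the rest of the line after the first occurrence of label from start. */
static int field_after(const char *start, const char *label, char *out, size_t n)
{
    const char *p = strstr(start, label);
    if (!p) return 0;
    p += strlen(label);
    size_t len = strcspn(p, "\n");
    if (len >= n) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Fill addr/port from the first Redfish over IP record; returns 1 on success.
 * Lookups start at that record, so labels from earlier records are skipped. */
int find_redfish_service(const char *dmi, char *addr, size_t n, int *port)
{
    const char *rec = strstr(dmi, "(Redfish over IP)");
    char portbuf[16];
    if (!rec) return 0;
    if (!field_after(rec, "IPv4 Redfish Service Address: ", addr, n)) return 0;
    if (!field_after(rec, "Redfish Service Port: ", portbuf, sizeof portbuf)) return 0;
    return sscanf(portbuf, "%d", port) == 1;
}

int main(void)
{
    char addr[64]; int port;
    if (!find_redfish_service(sample_dmidecode, addr, sizeof addr, &port))
        return 1;
    /* The /etc/hosts line the tool would add, plus the port for the client. */
    printf("%s redfish-localhost   # service on port %d\n", addr, port);
    return 0;
}
```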


Microcode Updates for the USENIX 2017 paper: Reverse Engineering x86 Processor Microcode

Re: https://firmwaresecurity.com/2017/08/19/new-x86-microcode-tool/

x86 Microcode Framework and Example Programs

This repository contains the framework used during our work on reverse engineering the microcode of AMD K8 and K10 CPUs. It includes an assembler and disassembler as well as example programs implemented using these tools. We also provide our custom written minimal operating system that can rapidly apply and test microcode updates on AMD CPUs.[…]

https://github.com/RUB-SysSec/Microcode

Introducing the Windows Internals Series: One Windows Kernel

https://insider.windows.com/en-us/articles/category/article-categories/windows-internals/

OpenBSD 6.4 released

https://twitter.com/reykfloeter/status/1052911755410726913

Some highlights that ‘caught my eye’:

* On sparc64 ldomctl(8) now supports more modern firmware found on SPARC T2+ and T3 machines in particular such as T1000, T5120 and T5240. NVRAM variables can now be set per logical domain.
* ACPI support on OpenBSD/arm64 platforms.
* New acpisurface(4) driver providing ACPI support for Microsoft Surface Book laptops.
* New acpipci(4/arm64) driver providing support for PCI host bridges based on information provided by ACPI.
* Added a sensor for port replicator status to acpithinkpad(4).
* Implemented MAP_STACK option for mmap(2). At pagefaults and syscalls the kernel will check that the stack pointer points to MAP_STACK memory, which mitigates against attacks using stack pivots.
* New RETGUARD security mechanism on amd64 and arm64: use per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets.
* clang(1) includes a pass that identifies common instructions which may be useful in ROP gadgets and replaces them with safe alternatives on amd64 and i386.
* The Retpoline mitigation against Spectre Variant 2 has been enabled in clang(1) and in assembly files on amd64 and i386.
* Added SpectreRSB mitigation on amd64.
* Added Intel L1 Terminal Fault mitigation on amd64.
* Meltdown mitigation was added to i386.
* amd64 now uses eager-FPU switching to prevent FPU state information speculatively leaking across protection boundaries.
* Because Simultaneous MultiThreading (SMT) uses core resources in a shared and unsafe manner, it is now disabled by default. It can be enabled with the new hw.smt sysctl(2) variable.

https://www.openbsd.org/64.html


ARM announces ServerReady – a compliance program for Arm-based servers

Server partners expect to be able to deploy new systems directly from the shipping box, with straightforward integration of the operating systems and applications of their choosing. To achieve this, it is necessary for the Arm server ecosystem to define and comply to a minimal set of standards. This is of particular importance for the server and infrastructure market, as unlike the mobile sector, it is not acceptable to have to modify the operating system for every platform. Standards allow compatibility across different products, while enabling the individual partners to innovate and differentiate within these boundaries.[…]

https://community.arm.com/processors/b/blog/posts/arm-announces-server-ready-program-for-arm-based-servers

ARM Root of Trust APIs announced

https://community.arm.com/iot/b/blog/posts/how-psa-apis-will-enable-secure-devices-and-a-consistent-developer-experience

https://www.theregister.co.uk/2018/10/17/arm_psa_iot/

Accelerating development with PSA APIs