This repository contains a Bareflank extension that aims to prove out the concept of using chipsec as an integration testing tool for Bareflank-based VMMs. The chipsec_modules directory contains python modules for the Chipsec framework. Each module represents one integration test that verifies a specific behaviour of a loaded VMM.[…]
by Stephano Cetola, Software Applications Engineer, Intel Corporation
CHIPSEC is a firmware threat assessment tool used to help verify that systems meet basic security best practices. The tool’s threat model is primarily based on Unified Extensible Firmware Interface (UEFI). However, other firmware may have different threat models that will cause failures in different CHIPSEC modules. This session is a brief overview of CHIPSEC, limitations of the tool, failures seen on different types of firmware, and information on developing new test modules.
New or Updated Modules:
Updated memconfig to only check registers that are defined by the platform
Updated common.bios_smi to check controls not registers
Added me_mfg_mode module
Added support for LoJax detection
Updated common.spi_lock test support
Added sgx_check module and register definitions
Updates to DCI support in debugenabled module
New or Updated Functionality:
Added ability for is_supported to signal a module is not applicable
Added 300 Series PCH support
Added support for building Windows driver with VS2017
Added fixed I/O bar support
Updated XML and JSON log rewrite
Updated logger to use python logging support
Added JEDEC ID command
Added DAL helper support
Added 8th Generation Core Processor support
Updated UEFI variable fuzzing code
Added C600 and C610 configuration
Added C620 PCH configuration
Updated ACPI table parsing support
Updated UEFI system table support
Added Denverton (DNV) support
Added result delta functionality
Added ability to override PCH from detected version
See release notes for list of Fixes.
3mdeb has a new video showing how to use BITS and CHIPSEC as coreboot payloads.
Exciting: there are two workshops at BSidesPDX in Portland, Oregon next month:
Detecting Evil Maid Firmware Attacks
UEFI and CHIPSEC development for Security Researchers
PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier:
[I just noticed this, it is a month old. Not many CHIPSEC-based projects on Github, and I was not searching for latest ones…]
This project wraps CHIPSEC and gathers the results of multiple CHIPSEC tools/tests/utils.
PreOS Security is working on fwaudit, a tool that also wraps CHIPSEC, and other tools. I’m in the middle of an update of fwaudit, for Black Hat.
Module name: ‘sgx_check’
Author: Sushmith Hiremath, INTEL DCG RED team
Check SGX related configuration
Reference: SGX BWG, CDI/IBP#: 565432
I’m unclear on the meaning of the numeric Reference #…
Lots of news feeds are filled with news about the latest version of CHIPSEC being released. I don’t see that, but there are some interesting new check-ins w/r/t ACPI support:
ACPI_TABLE_SIG_BGRT = ‘BGRT’
ACPI_TABLE_SIG_LPIT = ‘LPIT’
ACPI_TABLE_SIG_ASPT = ‘ASPT’
+ACPI_TABLE_SIG_FIDT = ‘FIDT’
+ACPI_TABLE_SIG_HEST = ‘HEST’
+ACPI_TABLE_SIG_BERT = ‘BERT’
+ACPI_TABLE_SIG_ERST = ‘ERST’
+ACPI_TABLE_SIG_EINJ = ‘EINJ’
+ACPI_TABLE_SIG_TPM2 = ‘TPM2’
+ACPI_TABLE_SIG_WSMT = ‘WSMT’
+ACPI_TABLE_SIG_DBG2 = ‘DBG2’
+ACPI_TABLE_SIG_NHLT = ‘NHLT’
+ACPI_TABLE_SIG_MSCT = ‘MSCT’
+ACPI_TABLE_SIG_RASF = ‘RASF’
+ACPI_TABLE_SIG_SPMI = ‘SPMI’
+ACPI_TABLE_SIG_OEM1 = ‘OEM1’
+ACPI_TABLE_SIG_OEM2 = ‘OEM2’
+ACPI_TABLE_SIG_OEM3 = ‘OEM3’
+ACPI_TABLE_SIG_OEM4 = ‘OEM4’
+ACPI_TABLE_SIG_NFIT = ‘NFIT’
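Review bot: The OEM1 through OEM4 constants in this hunk cover only four of the OEM-defined signatures; the ACPI specification reserves every signature that begins with "OEM" for OEM-specific tables, so a table signed OEM5 or OEMA would still be unrecognized. Consider matching on the "OEM" prefix when classifying a table rather than enumerating fixed values, or note in a comment that only these four are handled.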
as well as some new SGX support… Fun!
CHIPSEC_GUI is a GUI front-end to CHIPSEC. There’s been little activity for a year, but a recent change, picking up an English language support patch, has landed:
Lenovo working through an external pentest firm? Wish I saw more OEMs asking for appropriate job skills.
If you’re thinking about applying, look at some of the reviews for this consulting firm before doing so. Maybe look if Lenovo has a direct position open as well.
Diverse Lynx: Penetration tester
[…]It is also firmware analysis which according to Lenovo is analyzing anything that may be on disk. […] Chipsec needs to be used for this assessment. It’s for UEFI attacks, but it’s fairly automated.[…]
Looks like some of the videos from the recent plugfest are now online, there’s at least one security video online available:
Yesterday I gave a presentation at BSides Seattle on defending firmware. This version of the presentation attempted to address a DFIR audience, not just a SysAdmin/Site Reliability Engineer audience.
I got some interesting feedback on IR after this presentation, we’ll do a blog on this in the next few days. As well as a few updates to existing IR standards to showcase where firmware is lacking.
Below is copy of slides:
There are 4 sections: Threats, Tech, Tools, and Guidance. The Tech section is probably the weakest to read without the audio. This talk was the result of trying to jam a 4-hour training session into a 1-hour talk, and the Tech section lost the most in that compression.
BSides didn’t record audio/video of their event.
I updated the slides from yesterday, the “DIY Homework” section focused on following along with the analysis in the old Intel ATR blog post on the Wikileaked Hacking Team UEFI malware blob. However, that blog URL is no longer around.
If you know of any online archives of these URLs, please leave a Comment on this blog post, thanks!
This is the best-fit replacement for missing above URL, and it includes some new content (eg, blacklist command) that original blog did not. Save a copy of the blog post, I don’t expect it to be archived:
Nice to see some recent CHIPSEC activity, given all the recent related CVEs…
…But this is not from the CHIPSEC team, it is from ex-CHIPSEC team member Yuriy of Eclypsium.
Added new module checking for Spectre variant 2
The module checks if system is affected by Speculative Execution Side Channel vulnerabilities. Specifically, the module verifies that the system supports hardware mitigations for Branch Target Injection a.k.a. Spectre Variant 2 (CVE-2017-5715)
See source comments for more info.
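The commit message above says the module verifies that the CPU exposes hardware mitigations for Branch Target Injection. What it actually has to do is read a handful of feature bits and draw a verdict from them. The following is an added example, not the CHIPSEC module's code: it decodes the same three interfaces (CPUID.(EAX=7,ECX=0):EDX, the IA32_ARCH_CAPABILITIES MSR at 0x10A, and the IA32_SPEC_CTRL MSR at 0x48; the bit positions are from the Intel SDM) and applies a verdict policy that is my own assumption, modeled on the commit description. The register values in the block are constructed, not read from a machine; on real hardware you would obtain them with the `chipsec_util cpu cpuid` and `chipsec_util msr` utilities, or from the kernel's own exports.

```python
"""Decode the CPU feature bits behind a Spectre v2 (BTI) mitigation check.

Added example, not the CHIPSEC module's code. Bit positions are from the
Intel SDM; the verdict policy is an assumption modeled on the commit message.
The sample register values at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# CPUID.(EAX=7,ECX=0):EDX feature bits
CPUID7_EDX_IBRS_IBPB = 1 << 26   # IA32_SPEC_CTRL.IBRS and IA32_PRED_CMD.IBPB available
CPUID7_EDX_STIBP = 1 << 27       # single-thread indirect branch predictors
CPUID7_EDX_L1D_FLUSH = 1 << 28
CPUID7_EDX_ARCH_CAP = 1 << 29    # IA32_ARCH_CAPABILITIES MSR exists
CPUID7_EDX_SSBD = 1 << 31

# IA32_ARCH_CAPABILITIES (MSR 0x10A)
ARCH_CAP_RDCL_NO = 1 << 0
ARCH_CAP_IBRS_ALL = 1 << 1       # enhanced IBRS: set IBRS once and it stays effective
ARCH_CAP_RSBA = 1 << 2           # RSB underflow may fall back to BTB prediction

# IA32_SPEC_CTRL (MSR 0x48)
SPEC_CTRL_IBRS = 1 << 0
SPEC_CTRL_STIBP = 1 << 1
SPEC_CTRL_SSBD = 1 << 2


@dataclass
class SpectreV2Status:
    ibrs_ibpb: bool
    stibp: bool
    arch_cap_msr: bool
    enhanced_ibrs: bool
    rsba: bool
    ibrs_on: List[bool] = field(default_factory=list)


def assess_spectre_v2(cpuid7_edx: int,
                      arch_cap: Optional[int],
                      spec_ctrl_per_cpu: List[int]) -> Tuple[str, SpectreV2Status]:
    """Return (verdict, status) for hardware BTI mitigation support.

    cpuid7_edx        -- EDX from CPUID.(EAX=7,ECX=0)
    arch_cap          -- IA32_ARCH_CAPABILITIES, or None when CPUID says the
                         MSR is absent (reading it would raise #GP)
    spec_ctrl_per_cpu -- IA32_SPEC_CTRL read on every logical CPU; pass []
                         when IBRS/IBPB is not enumerated, for the same reason
    """
    has_ibrs_ibpb = bool(cpuid7_edx & CPUID7_EDX_IBRS_IBPB)
    has_stibp = bool(cpuid7_edx & CPUID7_EDX_STIBP)
    has_arch_cap = bool(cpuid7_edx & CPUID7_EDX_ARCH_CAP)

    enhanced_ibrs = rsba = False
    if has_arch_cap and arch_cap is not None:
        enhanced_ibrs = bool(arch_cap & ARCH_CAP_IBRS_ALL)
        rsba = bool(arch_cap & ARCH_CAP_RSBA)

    ibrs_on = [bool(v & SPEC_CTRL_IBRS) for v in spec_ctrl_per_cpu]
    status = SpectreV2Status(has_ibrs_ibpb, has_stibp, has_arch_cap,
                             enhanced_ibrs, rsba, ibrs_on)

    if not has_ibrs_ibpb:
        # No IBRS/IBPB controls at all: microcode is missing or too old.
        return "FAILED", status
    if not has_stibp:
        # Cross-hyperthread BTI cannot be contained by hardware alone.
        return "WARNING", status
    if enhanced_ibrs and not all(ibrs_on):
        # eIBRS is offered by the CPU but the OS has not switched it on everywhere.
        return "WARNING", status
    return "PASSED", status


if __name__ == "__main__":
    # Constructed values: updated microcode, OS has enabled eIBRS on 4 CPUs.
    edx = CPUID7_EDX_IBRS_IBPB | CPUID7_EDX_STIBP | CPUID7_EDX_ARCH_CAP
    verdict, st = assess_spectre_v2(edx, ARCH_CAP_IBRS_ALL, [SPEC_CTRL_IBRS] * 4)
    print(verdict, st)
```

A PASSED here only means the CPU and microcode expose the controls; whether the OS actually uses them (or relies on retpoline instead) is a separate question, which is why the verdict is split into FAILED for absent hardware support and WARNING for support that is present but unused. The RSBA bit is carried in the status because, when it is set, RSB stuffing alone is not a sufficient mitigation on that part.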
It is still rare enough to see “CHIPSEC” in a job posting, that I still point them out.
Given that the job posting is for a pentest role, this is also a ‘leading indicator’ that pentesters are starting to attack your firmware. 🙂
Penetration Tester – Product
Join Resolvit as a Penetration Tester and be part of a creative, forward-thinking team. Our success at deploying skilled, highly knowledgeable experts has landed us on the Inc. 5000 list of America’s fastest-growing companies four times – and we’re just getting started. As the Penetration Tester, you will configure security test targets such as servers, storage, and networking environments; perform product security assessments; create assessment reports; and work with global product teams to review assessment results.[…]
Experience with multiple of these security assessment tools: AppAudit, Arachni, Burp Suite Pro, CHIPSEC, nmap, Nessus, Protecode SC, and Metasploit
[Strange, I was doing the previous blog post on Brian, and during that time, he did a new blog post…]
Brian Richardson of Intel has a new blog post on using CHIPSEC whitelist command to help with UEFI security:
Using Whitelists to Improve Firmware Security
Firmware has become more popular in the world of computer security research. Attacks operating at the firmware level can be difficult to discover, and have the potential to persist even in bare-metal recovery scenarios. This type of hack has been well documented by investigations of the HackingTeam and Vault7 exploits. Fortunately, there are methods for detecting and defending against such attacks. Firmware-based attacks typically attempt to add or modify system firmware modules stored in NVRAM. Tools provided by the open source CHIPSEC project can be used to generate and verify hashes of these modules, so users can detect unauthorized changes.[…]
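As an added illustration of the approach Brian's post describes, and not CHIPSEC's own whitelist code: the check boils down to hashing every module once on an image you trust, then re-hashing a later dump and reporting anything that changed, appeared, or vanished. The real tool carves EFI executables out of a SPI flash dump by GUID; here that extraction step is replaced by a dict of constructed GUID-to-bytes entries (the GUIDs and contents are made up) so the example runs offline.

```python
"""Whitelist-style detection of modified firmware modules.

Added example, not the CHIPSEC project's code. It mirrors the idea behind the
whitelist command (hash each module of a known-good image, then compare a
later image against that baseline); module extraction is replaced by an
in-memory dict so the example runs offline. GUIDs and contents are constructed.
"""
import hashlib
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_whitelist(modules: Dict[str, bytes]) -> Dict[str, str]:
    """Build the baseline: {guid: sha256} for every module of a trusted image."""
    return {guid: sha256_hex(body) for guid, body in sorted(modules.items())}


def whitelist_to_json(whitelist: Dict[str, str]) -> str:
    """Serialize deterministically so two baselines of one image diff cleanly."""
    return json.dumps(whitelist, indent=2, sort_keys=True)


def load_whitelist(text: str) -> Dict[str, str]:
    return json.loads(text)


def check_whitelist(whitelist: Dict[str, str], modules: Dict[str, bytes]) -> dict:
    """Compare a freshly extracted image against the baseline.

    Reports modules whose hash changed, modules that were not in the baseline
    (the typical shape of an implant dropped into a firmware volume), and
    modules that vanished. Any of the three fails the check: tolerating
    'added' modules would let an implant through untouched.
    """
    current = generate_whitelist(modules)
    modified = [g for g in whitelist if g in current and current[g] != whitelist[g]]
    added = [g for g in current if g not in whitelist]
    missing = [g for g in whitelist if g not in current]
    return {
        "modified": modified,
        "added": added,
        "missing": missing,
        "passed": not (modified or added or missing),
    }


# Constructed baseline: a "known good" image with three modules (fake GUIDs).
BASELINE_MODULES = {
    "11111111-1111-1111-1111-111111111111": b"PEI core (sample bytes)",
    "22222222-2222-2222-2222-222222222222": b"DXE core (sample bytes)",
    "33333333-3333-3333-3333-333333333333": b"S3 resume driver (sample bytes)",
}

# Constructed suspect image: the DXE core was patched and a new driver appeared.
TAMPERED_MODULES = dict(BASELINE_MODULES)
TAMPERED_MODULES["22222222-2222-2222-2222-222222222222"] = b"DXE core (sample bytes) + patch"
TAMPERED_MODULES["44444444-4444-4444-4444-444444444444"] = b"unexpected DXE driver (sample bytes)"


if __name__ == "__main__":
    baseline = generate_whitelist(BASELINE_MODULES)
    stored = whitelist_to_json(baseline)          # what you would write to disk
    report = check_whitelist(load_whitelist(stored), TAMPERED_MODULES)
    print(json.dumps(report, indent=2))
```

Two caveats a practitioner will want. First, the baseline has to come from an image you actually trust (a fresh OEM image, ideally matched against a vendor-published hash): a whitelist generated from an already-implanted machine simply blesses the implant. Second, a whitelist only detects change; it says nothing about whether a module that has not changed is itself vulnerable, and every legitimate firmware update invalidates the baseline, so regenerate it as part of the update procedure rather than on an ad hoc basis.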