Chipsec-based integration tests for the Bareflank Hypervisor

Re: https://firmwaresecurity.com/2019/01/14/bareflanks-hypervisor-lightweight-hypervisor-sdk-written-in-c-with-support-for-windows-linux-and-uefi/

This repository contains a Bareflank extension that aims to prove-out the concept of using chipsec as an integration testing tool for Bareflank-based VMMs. The chipsec_modules directory contains python modules for the Chipsec framework. Each module represents one integration test that verifies a specific behaviour of a loaded VMM.[…]

https://github.com/JaredWright/chipsec_integration_tests

https://github.com/Bareflank/hypervisor

BareflankLovesChipsec

 

OCP Global Summit: : CHIPSEC on non-UEFI Platforms

by Stephano Cetola, Software Applications Engineer, Intel Corportation

CHIPSEC is a firmware threat assessment tool used to help verify that systems meet basic security best practices. The tool’s threat model is primarily based on Unified Extensible Firmware Interface (UEFI). However, other firmware may have different threat models that will cause failures in different CHIPSEC modules. This session is a brief overview of CHIPSEC, limitations of the tool, failures seen on different types of firmware, and information on developing new test modules.

https://2019ocpglobalsummit.sched.com/event/JinT

CHIPSEC v1.3.6 released

New or Updated Modules:
Updated memconfig to only check registers that are defined by the platform

Updated common.bios_smi to check controls not registers
Added me_mfg_mode module
Added support for LoJax detection
Updated common.spi_lock test support
Added sgx_check module and register definitions
Updates to DCI support in debugenabled module

New or Updated Functionality:
Added ability for is_supported to signal a module is not applicable
Added 300 Series PCH support
Added support for building Windows driver with VS2017
Added fixed I/O bar support
Updated XML and JSON log rewrite
Updated logger to use python logging support
Added JEDEC ID command
Added DAL helper support
Added 8th Generation Core Processor support
Updated UEFI variable fuzzing code
Added C600 and C610 configuration
Added C620 PCH configuration
Updated ACPI table parsing support
Updated UEFI system table support
Added Denverton (DNV) support
Added result delta functionality
Added ability to override PCH from detected version

See release notes for list of Fixes.

https://github.com/chipsec/chipsec/commits/master

https://github.com/chipsec/chipsec/releases/tag/v1.3.6

UEFI workshops at BSidesPDX!

Exciting, there are two workshops at BSidesPDX in Portland Oregon next month:

Detecting Evil Maid Firmware Attacks
https://bsidespdx.org/events/2018/workshops.html#Evil%20Maid

UEFI and CHIPSEC development for Security Researchers
https://bsidespdx.org/events/2018/workshops.html#Chipsec

PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier:
https://www.oregoncc.org/events/2018/10/portland-retro-gaming-expo-2018
http://www.retrogamingexpo.com/

CHIPSEC gets support for Nine more ACPI tables

Lots of news are filled with news about the latest  version of CHIPSEC released. I don’t see that, but there are some interesting new checkins w/r/t ACPI support:

ACPI_TABLE_SIG_BGRT = ‘BGRT’
ACPI_TABLE_SIG_LPIT = ‘LPIT’
ACPI_TABLE_SIG_ASPT = ‘ASPT’
+ACPI_TABLE_SIG_FIDT = ‘FIDT’
+ACPI_TABLE_SIG_HEST = ‘HEST’
+ACPI_TABLE_SIG_BERT = ‘BERT’
+ACPI_TABLE_SIG_ERST = ‘ERST’
+ACPI_TABLE_SIG_EINJ = ‘EINJ’
+ACPI_TABLE_SIG_TPM2 = ‘TPM2’
+ACPI_TABLE_SIG_WSMT = ‘WSMT’
+ACPI_TABLE_SIG_DBG2 = ‘DBG2’
+ACPI_TABLE_SIG_NHLT = ‘NHLT’
+ACPI_TABLE_SIG_MSCT = ‘MSCT’
+ACPI_TABLE_SIG_RASF = ‘RASF’
+ACPI_TABLE_SIG_SPMI = ‘SPMI’
+ACPI_TABLE_SIG_OEM1 = ‘OEM1’
+ACPI_TABLE_SIG_OEM2 = ‘OEM2’
+ACPI_TABLE_SIG_OEM3 = ‘OEM3’
+ACPI_TABLE_SIG_OEM4 = ‘OEM4’
+ACPI_TABLE_SIG_NFIT = ‘NFIT’

as well as some new SGX support… Fun!

https://github.com/chipsec/chipsec/commits/master

Diverse Lynx: seeks PenTester to use CHIPSEC [against Lenovo?]

Lenovo working throug an external pentest firm? Wish I saw more OEMs asking for appropriate job skills.

If you’re thinking about applying, look at some of the reviews for this consulting firm before doing so. Maybe look if Lenovo has a direct position open as well.

Diverse Lynx: Penetration tester
[…]It is also firmware analysis which according to Lenovo is analyzing anything that may be on disk. […] Chipsec needs to be used for this assessment. It’s for UEFI attacks, but it’s fairly automated.[…]

https://www2.jobdiva.com/candidates/myjobs/openjob_outside.jsp?id=10760288

https://www.diverselynx.com/

 

slides from yesterday’s BSides Seattle presentation (and seeking archive of lost Intel ATR blog on Hacking Team)

Yesterday I gave a presentation at Bsides Seattle on defending firmware. This version of the presentation attemped to address DFIR audience, not just SysAdmin/Site Reliablity Engineer audience.

I got some interesting feedback on IR after this presentation, we’ll do a blog on this in the next few days. As well as a few updates to existing IR standards to showcase where firmware is lacking.

Below is copy of slides:

There are 4 sections, Threats, Tech, Tools, and Guidance. The Tech section is probably weakest to read without having an audio. This talk was result of trying to jam a 4-hour training session into a 1-hour talk, the Tech section lost the most from this compression.

bsidesseattle2018.fisher.defending-firmware

Bsides didn’t record audio/video of their event.

I updated the slides from yesterday, the “DIY Homework” section focused on following along with the analysis in the old Intel ATR blog post on the Wikileaked Hacking Team UEFI malware blob. However, that blog URL is no longer around.

If you know of any online archives of these URLs, please leave a Comment on this blog post, thanks!
http://www.intelsecurity.com/advanced-threat-research/blog.html
http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html

This is the best-fit replacement for missing above URL, and it includes some new content (eg, blacklist command) that original blog did not. Save a copy of the blog post, I don’t expect it to be archived:

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

chipsec/modules/common/cpu/spectre_v2.py

Re: https://firmwaresecurity.com/2018/01/17/yuriy-working-on-new-hipsec-spectre-test/

https://github.com/chipsec/chipsec/pull/330

Yuriy working on new CHIPSEC Spectre test

Nice to see some recent CHIPSEC activity, given all the recent related CVEs…
…But this is not from the CHIPSEC team, it is from ex-CHIPSEC team member Yuriy of Eclypsium.

Added new module checking for Spectre variant 2
The module checks if system is affected by Speculative Execution Side Channel vulnerabilities. Specifically, the module verifies that the system supports hardware mitigations for Branch Target Injection a.k.a. Spectre Variant 2 (CVE-2017-5715)

See source comments for more info.

https://github.com/c7zero/chipsec/commit/b11bce8a0ed19cbe1d6319ef9928a297b9308840

 

Resolvit seeks CHIPSEC-savvy Pentester

It is still rare enough to see “CHIPSEC” in a job posting, that I still point them out.

Given job posting is a pentest role, this is also a ‘leading indicator’ that pentesters are starting to attack your firmware. 🙂

Penetration Tester – Product
Join Resolvit as a Penetration Tester and be part of a creative, forward-thinking team. Our success at deploying skilled, highly knowledgeable experts has landed us on the Inc. 5000 list of America’s fastest-growing companies four times – and we’re just getting started. As the Penetration Tester, you will configure security test targets such as servers, storage, and networking environments; perform product security assessments; create assessment reports; and work with global product teams to review assessment results.[…]
Experience with multiple of these security assessment tools: AppAudit, Arachni, Burp Suite Pro, CHIPSEC, nmap, Nessus, Protecode SC, and Metasploit
[…]

http://careers.resolvit.com/Careers/tabid/55/jobid/21807/Penetration-Tester–Product-Morrisville-North-Carolina.aspx

Brian: Using CHIPSEC Whitelists to Improve Firmware Security

[Strange, I was doing the previous blog post on Brian, and during that time, he did a new blog post…]

Brian Richardson of Intel has a new blog post on using CHIPSEC whitelist command to help with UEFI security:

Using Whitelists to Improve Firmware Security

Firmware has become more popular in the world of computer security research. Attacks operating at the firmware level can be difficult to discover, and have the potential to persist even in bare-metal recovery scenarios. This type of hack has been well documented by investigations of the HackingTeam and Vault7 exploits. Fortunately, there are methods for detecting and defending against such attacks. Firmware-based attacks typically attempt to add or modify system firmware modules stored in NVRAM. Tools provided by the open source CHIPSEC project can be used to generate and verify hashes of these modules, so users can detect unauthorized changes.[…]

https://software.intel.com/en-us/blogs/2017/12/05/using-whitelists-to-improve-firmware-security
https://github.com/chipsec/chipsec

CHIPSEC in Ubuntu Linux