Seattle-area open source firmware presentation this December

If you’re in the Seattle area and want to see Vincent Zimmer of Intel give a recap of his presentations at the Platform Security Summit and the Open Source Firmware Conference, attend the December DC206 Meeting, the monthly Seattle-area DEF CON user group:

What: December Seattle Locksport and DC206 Meeting
When: Dec 16th (3rd Sundays), 11:00am-~4:00pm
Where: Black Lodge Research
Who: (Vincent, Noah, Zach, Dune, Panic, and the DC206 community)

Open Source IA Firmware
by
Vincent Zimmer, Intel Corp.

Provide highlights on the open source firmware ecosystem, including
details from the Platform Security Summit[1] and Open Source Firmware
Conference[2].

[1] https://www.platformsecuritysummit.com/
[2] https://osfc.io/

Vincent Zimmer @vincentzimmer is a sr. principal engineer at Intel
Corporation. He leads the UEFI Security Subteam of the UEFI Forum.

Full announcement:
https://www.dc206.org/?p=278

Seattle firmware presentation at DC206 Meeting this Sunday

Many cities have “DC<areacode>” groups, the local DEF CON community. The Seattle-area DC206 group is having its monthly meeting this Sunday, and it is firmware-centric, in case you are in the Seattle area.

An Introduction To Pulling Software From Flash via I2C, SPI and JTAG
by Matt DuHarte

This beginner's talk is as jargon-free as possible and a great introduction to the world inside all those little devices that make up our world. Not every device we have makes it easy to see the software it runs. How do you analyze the firmware of a device that does not have a display or even a serial port? Simple – pull the software directly from the flash on the device. A new generation of simple and inexpensive hardware devices makes it fast and easy. This talk will introduce just enough of the protocols involved, the devices used to pull a firmware image and the software we use to modify the images and put them back. Following the talk there will be a hands-on area for watching demonstrations and for you to try your hand at pulling images off various devices.

Matt DuHarte is the Security Lead at a major networking hardware manufacturer but is still a software guy.  Matt is an avid BSides presenter in hardware topics like USB hacking and embedded electronics. He started doing electronics as a kid, later for a UGA and now does it because it is fun.  He is a firm believer that password brute forcing is for wimps and that it is easier to open the case, attach a few wires and ask hardware nicely in their own language to spill their secrets. Hardware likes him, except FPGAs, they say his timing is off.

http://blacklodgeresearch.org/
http://dc206.org/

What: October DC206 Meeting
When: October 16, 1pm-3pm
Where: Black Lodge Research (17725 NE 65th St, A-155; Evans Business Park, Building A); Redmond, WA 98052 USA

VZ CanSecWest slides and July PNWFWH follow-up

In case you missed Vincent Zimmer of Intel speaking at CanSecWest back in March 2015, his talk gives a good overview of UEFI security technologies.

“UEFI, Open Platforms and the Defender’s Dilemma”
https://cansecwest.com/slides/2015/UEFI%20open%20platforms_Vincent.pptx

I am reminded of this talk, since we just got Vincent to reprise it today at BlackLodgeResearch.org, at the monthly DC206 Meeting, which was also the meeting of the Pacific NorthWest FirmWare Hackers (PNWFWH). Vincent was a guest speaker and spoke on UEFI security for a while, mostly Q&A without slides.

I also gave a talk, on UEFI security tools (CHIPSEC, UEFItool, UEFI Firmware Parser, BIOS Diff, BIOS Extract, LUV-live, FWTS, etc.). I’ll clean up the slides and post them on this blog shortly. Our scheduled lab was a bit flat, due to 2x the presentations, a BLR-hosted BBQ, the interest in listening to the Q&A with Vincent, and the miserable heat. But some of the attendees had already gotten LUV-live working on their systems, and had learned to dump ROMs, which is the first step.

Vincent also helped me understand the UEFI 2.5 feature list. I’ll be covering these ~63 items, with spec/source and other info, in some upcoming blog posts.

Reminder: firmware talk/lab at July DC206 Meeting

This Sunday we’re having a class on using CHIPSEC and related firmware security tools:
http://www.blacklodgeresearch.org/archive/defending-uefi-tools-lab-july-19th-2015/
https://firmwaresecurity.com/2015/05/25/uefi-tools-at-black-lodge-researchs-july-dc206-meeting/

One change of plans for the lab: I’ve been having problems getting LUV-live to boot on various machines, so I don’t want to tie the lab to booting thumbdrives to use CHIPSEC.

So let’s use CHIPSEC installed natively on your laptop. Please bring an Intel UEFI-based laptop running Windows or Linux on which you can install CHIPSEC. (The CHIPSEC kernel driver is not a safe thing to keep loaded, see their warning.txt. Only load it when you are using CHIPSEC.) I’ll bring some scripts to make it easier to use CHIPSEC on Linux systems. Watch the YouTube video of the DEF CON 22 talk on CHIPSEC to see when/why to use some of its commands.
https://firmwaresecurity.com/2015/06/10/chipsec-v1-2-0-released/
https://github.com/chipsec/chipsec

Or, instead of running CHIPSEC from within your installed OS, make your own LUV-live thumbdrive and see if it works on your system: if so, use CHIPSEC there.
https://firmwaresecurity.com/2015/06/04/luv-2-0-rc1-released/
https://01.org/linux-uefi-validation/downloads/luv-live-image
http://firmware.intel.com/blog/luv-your-firmware-part-iii
https://01.org/linux-uefi-validation/documentation/flashing-your-usb-stick

Regardless, please don’t use your primary laptop, and back up anything important, in case you brick the box.

The lab will be fairly free-form: people trying to use CHIPSEC on their system, hopefully to save a ROM and share it with others, and to do some analysis of the ROM using CHIPSEC, UEFITool, and UEFI Firmware Parser. If you are willing to share some ROMs with the rest of the lab attendees, please try to bring a system with a CD-R/DVD-R burner. I’ll bring some blank discs. CHIPSEC and most of the below tools are Python-based, so install CPython 2.7x on your system. Install any of the below tools if you want to use them to examine ROMs:

UEFITool:
https://firmwaresecurity.com/2015/05/25/tool-mini-review-uefitool/
https://github.com/LongSoft/UEFITool

UEFI Firmware Parser:
https://firmwaresecurity.com/2015/06/25/tool-mini-review-uefi-firmware-parser/
https://github.com/theopolis/uefi-firmware-parser

Copernicus’ BIOS Diff:
https://firmwaresecurity.com/2015/05/21/tool-mini-review-bios_diff-py/
https://www.blackhat.com/docs/us-13/US-13-Butterworth-BIOS-Security-Code.zip

Most of these tools are Python-based, but UEFITool is a C++-based Qt GUI app. To build it, install Qt Creator, open UEFITool’s .pro file in Qt Creator, then Build it. UEFITool builds on most platforms pretty painlessly. If you don’t want to install Qt on your system, you can download pre-built binaries of UEFITool for Windows and Mac OSX. For Linux, no binaries are provided, so you must build from source.
http://www.qt.io/download-open-source/
https://github.com/LongSoft/UEFITool/releases

One potential direction for the lab is to look at Intel’s analysis of the Hacking Team’s UEFI malware, and at how to use CHIPSEC and UEFITool with the GUIDs and strings from the below analysis to see if you have the Hacking Team bootkit.
http://www.intelsecurity.com/advanced-threat-research/blog.html
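
One way to run that kind of check against a saved ROM image, as an added example that is not code from this blog, from Intel's analysis or from any of the tools above: a Python 3 sketch that searches a dump for GUIDs in their on-flash byte order and for marker strings in ASCII and UTF-16. The GUID and string below are constructed placeholders, not real indicators; substitute the values published in the analysis.

```python
import uuid

def guid_needle(guid_text):
    """Return the 16 bytes of an EFI_GUID as stored in a firmware image.

    The first three fields are little-endian and the last eight bytes are
    stored as written, which is exactly what uuid.UUID.bytes_le produces.
    """
    return uuid.UUID(guid_text).bytes_le

def string_needles(text):
    """Encodings a marker string is likely to take inside a UEFI module."""
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}

def find_all(haystack, needle):
    """Yield every offset at which needle occurs in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)

def scan_rom(image, guids, strings):
    """Return sorted (offset, kind, indicator) hits for the given indicators."""
    hits = []
    for g in guids:
        hits += [(off, "guid", g) for off in find_all(image, guid_needle(g))]
    for s in strings:
        for enc, needle in string_needles(s).items():
            hits += [(off, enc, s) for off in find_all(image, needle)]
    return sorted(hits)

# Constructed placeholders (assumptions), to be replaced with published values.
PLACEHOLDER_GUIDS = ["01234567-89ab-cdef-0123-456789abcdef"]
PLACEHOLDER_STRINGS = ["EXAMPLE-MARKER"]

def build_sample_image():
    """Constructed 4 KiB image: 0xFF padding, one GUID, one UTF-16 string."""
    rom = bytearray(b"\xff" * 4096)
    rom[0x100:0x110] = guid_needle(PLACEHOLDER_GUIDS[0])
    marker = PLACEHOLDER_STRINGS[0].encode("utf-16-le")
    rom[0x800:0x800 + len(marker)] = marker
    return bytes(rom)

if __name__ == "__main__":
    sample = build_sample_image()  # for a real dump: open(path, "rb").read()
    for off, kind, ind in scan_rom(sample, PLACEHOLDER_GUIDS, PLACEHOLDER_STRINGS):
        print("0x%06x  %-8s %s" % (off, kind, ind))
```

A raw byte search only sees uncompressed regions of the image; modules stored in compressed sections have to be unpacked first, for example with UEFITool, before their contents can be matched.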

Unfortunately, it looks like the PNWFWH (Pacific NorthWest FirmWare Hackers) stickers likely won’t arrive in time, probably next week, so no stickers this time, sorry.