Fastly Security Speaker Series

If you are in San Francisco later this month, the Fastly Security Speaker Series has a new event, with two firmware security-related presentations!


We’re excited to announce the third installment of the Fastly Security Speaker Series. Fastly will bring some of the most innovative and thoughtful security researchers to San Francisco to share their work. Speakers include Alex Bazhaniuk, of Eclypsium, Inc. and Stephen Checkoway, whose most recent papers include: A Systematic Analysis of the Juniper Dual EC Incident, Run-DMA and On the Security of Mobile Cockpit Information Systems.

Talk 1: Exploring Your System Deeper
Alex Bazhaniuk of Eclypsium, Inc.

Ever wanted to explore deep corners of your system but didn’t know how? This could include system boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors — you could discover if any of these have known vulnerabilities, configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify security state of platform components of your system and how effective the platform security defenses are: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation… Or maybe you just want to explore hardware and firmware components your system has. CHIPSEC framework can help you with all of that. Since its release at CanSecWest 2014, significant improvements have been made in the framework — from making it easy to install and use to adding lots of new security capabilities. We’ll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images, and more.

Talk 2: The Juniper Dual EC incident
Stephen Checkoway, Assistant Professor at University of Illinois at Chicago

In December 2015, Juniper Networks announced that unknown attackers had added unauthorized code to ScreenOS, the operating system for their NetScreen VPN routers. This code created two vulnerabilities: an authentication bypass that enabled remote administrative access, and a second vulnerability that allowed passive decryption of VPN traffic. Reverse engineering of ScreenOS binaries revealed that the first of these vulnerabilities was a conventional back door in the SSH password checker. The second is far more intriguing: a change to the Q parameter used by the Dual EC pseudorandom number generator. It is widely known that Dual EC has the unfortunate property that an attacker with the ability to choose Q can, from a small sample of the generator’s output, predict all future outputs. In a 2013 public statement, Juniper noted the use of Dual EC but claimed that ScreenOS included countermeasures that neutralized this form of attack. In this talk, Stephen Checkoway presents the results of a thorough independent analysis of the ScreenOS randomness subsystem, as well as its interaction with the IKE VPN key establishment protocol. This work sits at the intersection of cryptography, protocol design, and forensics, and is a fascinating look at a problem that received a great deal of attention at the time but whose details are less well known.


PreOS presentation from SeaGL online

Last week Paul English of PreOS Security gave a presentation at SeaGL Conference (spelled with the RMS-preferred prefix, “Seattle GNU/Linux Conference”, pronounced like the bird “Seagull”). The presentation was about about firmware defensive skills. Whereas my previous presentation presumed an audience of enterprise (SysAdmins, SREs, Blue Teams, or DFIR), Paul’s talk presumed an audience of end-users, with no enterprise to back them up.

Alas, with most SeaGL presentations, this presentation was not video/audio-taped. His blog post has pointer to his slides.

His blog post also mentions brief status update on the sysadmin ebook that Paul is driving, he’s nearly ready, it’ll be nice to have this resource available.

Also, note that the PreOS Security web site has been revamped. All known HTTP/HTTPS problems have been resolved, and the blog backlog is getting flushed.




UEFI security presentation at Seattle DC206 Meeting

If you missed the Intel presentation from BlackHat Briefings this summer, and if you are in the Seattle area this Sunday, Vincent Zimmer of Intel will be reprising this presentation at the DC206 Meeting at the Black Lodge Research hackerspace.


What: Oct DC206 Meeting: Firmware is the New Black
When: October 15th, 1-3pm
Who: Vincent Zimmer
Where: Black Lodge Research

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).





UEFI slides from SOURCE Seattle uploaded

Last week I gave a presentation at SOURCE Seattle Conference, on defensive UEFI tools/guidance, mostly talking about NIST 147’s lifecycle, and how to use tools like (CHIPSEC, acpidump, FWTS) to look for signs of firmware attacks.

As I understand it, SOURCE Conference will have video of this presentation online sometime in the near future.


Slides have been uploaded to this blog, and are available here:.srcsea17. (PreOS Security will have an archive of all of our post-conference materials on Github shortly.)

At the conference, Bryan of the Brakeing Security podcast interviewed PreOS Security co-founder Paul English and myself, along with some other SOURCE Seattle speakers. I am not sure when that podcast is queued up for. I hate public speaking in general, but I cringe at completely unprepared interviews like this podcast. Sorry I didn’t have better concise answers to the questions put to me. I think the normal podcast drinking game is to drink whenever you hear ‘um’ or ‘I mean’. Be careful if you’re playing that game during my brief audio clips. 😦





A slide in the presentation pre-announces an upcoming tool we’re working on. That tool should be ready in a few weeks, more details soon.


European coreboot conference 2017: Call for Papers

Note the request for SECURITY talks!

We are particularly interested in advances in the application of technology in a particular discipline primarily around coreboot, hardware, firmware, and security. As a result, the conference will be structured around the following topics:
– Free and Open Source hardware and firmware.
– Attacks against current hardware and firmware, like side and covert channel attacks.
– Firmware and hardware reverse engineering.
– coreboot payloads, extensions, and features.
– Advances of coreboot and UEFI on the market.
– Applications of free and open source hardware/firmware in practice.
– State-of-the-art security in embedded devices.

Conference talks, lightning talks, and workshops will be video taped and published afterwards. If a recording is not desired by a speaker or workshop instructor, no recordings will be made (notification in advance of the talk / workshop requested)[…]



Radare Conference 2017



Beginner Training (pancake, alvarofe)
Intro to Unpacking on Windows (newlog, Giomismo, zlowram)
Beginner Training (maijin, xvilka)
Tiny uControllers firmware reversing and exploiting (dark_k3y)

r2frida (@mrmacete)
SIOL – condret
CFG-based fussy hash for malware classification using r2 (robin marsollier)
zdbg (@zutle)
GSoC talks (gdbserver, windows support and backstepping) @xvilka
r2anal (alvaro) + limits of esil (killabyte)
RAIR (@oddcoder)
r2 module for Yara (@plutec_net + @mmorenog)
Anal clemency (@raysong)
Intro to Reversing Windows Malware Using r2 @ newlog
Surprise talk by @oleavr
Diaphora and r2 (@pancake, @matalaz)
Road to the kernel (@nighterman)
Pimp my Triton (ak42)


TPM microconf at 2017 Linux Plumbers Conference

Matthew Garrett has announced a TPM microconference at the upcoming Linux Plumbers Conference:

I’m pleased to say that after the success last year, there will be another TPM microconference at this year’s Linux Plumbers Conference. The current schedule has this taking place on Wednesday the 13th of September, so just under 4 weeks from now. We have a list of proposals for discussion at http://wiki.linuxplumbersconf.org/2017:tpms but please feel free to add more! I intend to finalise the schedule by the end of next week, so please do so as soon as you can. For those of you who weren’t there, the Linux Plumbers conference is an event dedicated to bringing together people working on various infrastructural components (the plumbing) of Linux. Microconferences are 3 hour long events dedicated to a specific topic, with the focus on identifying problems and having enough people in the room to start figuring out what the solutions should be – the format is typically some short presentations coupled with discussion.

From James Bottomley’s comments on the LPC entry on this microconf:

Following on from the TPM Microconference last year, we’re pleased to announce there will be a follow on at Plumbers in Los Angeles this year. The agenda for this year will focus on a renewed attempt to unify the 2.0 TSS; cryptosystem integration to make TPMs just work for the average user; the current state of measured boot and where we’re going; using TXT with TPM in Linux and using TPM from containers.



Full text of Matthew’s email: