We are pleased to invite you to The First Israeli Conference on Hardware and Side-channel Attacks to be held in Barkan Hall, Ben-Gurion University of the Negev, Beer Sheva, from May 5-7, 2019. The conference will bring together researchers from industry and academia, as well as independent hackers. The objective of the conference is to form active research collaborations between Israeli and international researchers in the field of hardware and side-channel attacks, and to bridge the gap between designers, evaluators and attackers of secure systems. In this conference attackers and protectors will have the opportunity to talk about how things fail and how one may aim at protecting our valuables.[…]
Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software
Alex Matrosov | Offensive Security Lead, NVIDIA
Many hardware vendors are armoring modern Secure Boot by moving Root of Trust to the hardware. While it is definitely the right direction to create more difficulties for the attacker, many layers of code exist between hardware and firmware. Also, hardware vendors are always fighting for boot performance, which creates interesting security issues in actual implementations. In this presentation, I’ll explain new security issues to bypass a specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I’ll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries.
Lots of stuff is happening at CCC…
Hardware implants and supply chain attacks have been in the news recently, but how feasible are they and what can we do about them? In this talk we’ll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these “modchips” and increase our trust in our systems.
We don’t know how much of the Bloomberg story about hardware implants installed in Supermicro servers shipped to Apple and Amazon is true, nor do we know the story behind the story and the reasons for the vehement denials by all the parties involved.
However, a technical assessment of details of the described implants reveals that a supply chain attack on the hardware is definitely possible, that the capabilities of the BMC can be used to bypass OS protections, and that there are means to access the BMC that would not necessarily generate readily identified network traffic.
9 out of 10 x86_64 firmware vendors will hate this talk!
We’ll give a short introduction to what you might find in your machine’s firmware and tell the story of two hackers that magically found tens of thousands of x86_64 firmware images in their backyard as well as their journey to explore common configuration fuckups, update frequencies and potential security risks.
(Let’s hope they publish this repository of images….)
CCC has talks on: Open Source Firmware, Sednit UEFI malware, LibreSilicon, Self-Encrypting Drives, and more!
If you’re in the Seattle area and want to see Vincent Zimmer of Intel give a recap of his presentations at the Platform Security Summit and the Open Source Firmware Conference, attend the December DC206 Meeting, the monthly Seattle-area DEF CON user group:
What: December Seattle Locksport and DC206 Meeting
When: Dec 16th (3rd Sundays), 11:00am-~4:00pm
Where: Black Lodge Research
Who: (Vincent, Noah, Zach, Dune, Panic, and the DC206 community)
Open Source IA Firmware
Vincent Zimmer, Intel Corp.
Provide highlights on the open source firmware ecosystem, including
details from the Platform Security Summit and Open Source Firmware
Vincent Zimmer @vincentzimmer is a sr. principal engineer at Intel
Corporation. He leads the UEFI Security Subteam of the UEFI Forum.
The UEFI Forum has specified the date/location of the next plugfest:
Event Date: April 8-12, 2019
Location: Bellevue, WA
[…]Release Date: 2018-10-30[…]
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.[…]
Alexander Ermolov and Ruslan Zakirov will deliver their «NUClear explotion» talk. A major and most significant approach to UEFI BIOS security is preventing it from being illegitimately modified and the SPI flash memory from being overwritten. Modern vendors use a wide range of security mechanisms to ensure that (SMM BLE / SMM BWP / PRx / Intel BIOS Guard) and hardware-supported verification technologies (Intel Boot Guard). In other words, they do everything just not to let an attacker place a rootkit into a system. Even the likelihood of execution in the most privileged mode of a processor – System Management Mode (can be achieved through vulnerable software SMI handlers) – is of no interest to adversaries since it does not guarantee they will be able to gain a foothold in a system. A single reboot and an attack must be started anew. However, there is a thing that can make all BIOS security mechanisms inefficient. And this thing is a vulnerable update mechanism implemented by a vendor. Moreover, quite often a legitimate updater adds lots and lots of critical security holes to a system. In this talk, we will speak about how vendors manage to throw all those security flaws together in one system using Intel NUC, a small home PC, as an example. Besides, we will demonstrate how an adversary can compromise BIOS from the userland.
Exciting, there are two workshops at BSidesPDX in Portland, Oregon next month:
Detecting Evil Maid Firmware Attacks
UEFI and CHIPSEC development for Security Researchers
PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier:
France in December!
System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules
Firmware is responsible for low-level platform initialization, establishing root-of-trust, and loading the operating system (OS). Signed UEFI Capsules define an OS-agnostic process for verified firmware updates, utilizing the root-of-trust established by firmware. The open source FmpDevicePkg in TianoCore provides a simple method to update system firmware images and device firmware images using UEFI Capsules and the Firmware Management Protocol (FMP). This session describes the EFI Development Kit II (EDK II) capsule implementation, implementing FMP using FmpDevicePkg, creating Signed UEFI Capsules using open source tools, and an update workflow based on the Linux Vendor Firmware Service (fwupd.org).