Open Source Firmware Conference 2018, September, Germany

Mission: Change the way of firmware development, collaborate with others and share knowledge. Closed source firmware development has been the de-facto standard for the electronics industry since its inception. This didn’t change even as open-source took off in other areas. Now, with changing use cases and tighter security requirements, it’s more important than ever to take open-source firmware development to the next level.


SSTIC 2018

Many interesting presentations at this conference, including:

Subverting your server through its BMC: the HPE iLO4 case
Risks associated with compromising emanations: the case of DVI and HDMI cables (original title: "Risques associés aux signaux parasites compromettants : le cas des câbles DVI et HDMI")
WooKey: USB Devices Strike Back
Ruckus access point: firmware analysis, MIPS reverse engineering and privilege escalation (original title: "Point d’accès Ruckus : Analyse du firmware, rétro-ingénierie MIPS et élévation de privilèges")
Attacking serial flash chip: case study of a black box device
Sandbagility: a hypervisor-mode introspection framework for Microsoft Windows (original title: "Sandbagility : un framework d’introspection en mode hyperviseur pour Microsoft Windows")
A Practical Guide to Differential Power Analysis of USIM Cards

UEFI Forum Spring 2018 plugfest agenda

The UEFI Plugfest is in Seattle later this month.

I guess I missed the CFP, as the agenda is now available… 😦

* Intel: An Introduction to Platform Security
* Phoenix: TBD
* Arm: UEFI Updates, Secure Firmware and Secure Services on Arm
* Intel: The State of ASL Programming
* Intel: Implementing MicroPython in UEFI
* Insyde Software: UEFI and the Security Development Lifecycle
* Intel: Attacking and Defending the Platform
* Microsoft: Microsoft Security Features and Firmware Configurations
* Arm: Dynamic Tables Framework: A Step Towards Automatic Generation of ACPI & SMBIOS Tables
* Microsoft: Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates and WU
* Linaro: Edk2-Platforms Overview
* AMI: Enabling Advanced NVMe Features Through UEFI

Black Hat: System Firmware Attack and Defense for the Enterprise

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to interaction with system firmware components. This includes operating system loaders, secure boot mechanisms, runtime interfaces, and system management mode (SMM). This training will detail and organize objectives, attack vectors, vulnerabilities, and protection mechanisms in this fascinating environment. The training includes two parts.
1. Present a structured approach to system firmware security analysis and mitigations through lecture and hands-on exercises to test system firmware for vulnerabilities. After the training, students will have basic understanding of platform hardware components, system firmware components, attacks against system firmware, and available mitigations. Students can apply this knowledge to identify firmware vulnerabilities and perform forensic analysis.
2. Apply concepts to an enterprise environment. Using an understanding of security issues, students explore potential risks to operational environments including both supply chain and remote malware attacks. Students will perform assessments and basic forensic analysis of potential firmware attacks.


Eclypsium at OPCDE: UEFI BIOS firmware analysis at scale

UEFI BIOS firmware analysis at scale
By Oleksandr Bazhaniuk, Chief Technology Officer, Eclypsium

Vulnerabilities in system firmware allow adversaries to bypass almost any protection used in the operating system, virtual machine manager and other software. System firmware attacks bypass Secure Boot, software-based full-disk encryption and virtualization-based security. Threats exploiting such vulnerabilities can extract secrets from operating system memory, subvert secure/trusted VMs and even hypervisors, install stealthy and persistent implants and even brick physical systems. We’ve discovered a number of such vulnerabilities in the past and developed an open source framework to automate analysis. Despite these risks there are still many modern systems which do not protect their main BIOS/UEFI firmware. We decided to analyze thousands of UEFI firmware updates from multiple platform vendors and discovered hundreds of vulnerabilities, indicating that corresponding systems lack any basic firmware protections in ROM or signed firmware updates. We’ll present the process, findings and limitations of such offline analysis of vendor firmware update images.

Defensive firmware talks in Seattle: SASAG and BSides Seattle

There are two presentations in Seattle area on firmware security in January and February, in case you’re in the area.

1) On January 11th, PreOS Security CEO Paul English is speaking on enterprise firmware defensive tools and techniques, for a SysAdmin target audience, at SASAG, the Seattle Area SysAdmin Guild (a monthly user group).

SASAG: Firmware Security Defense

Thursday, Jan 11, 2018, 7:00 PM

Brian’s office
1111 3rd Ave #2500, Seattle, WA 98101


Paul English & Lee Fisher of PreOS Security will talk about firmware security. For attackers, platform firmware is the new Software. Most systems include hundreds of firmwares – UEFI or BIOS, PCIe expansion ROMs, USB controller drivers, storage controller host and disk/SSD drivers. Firmware-level hosted malware, bare-metal or virtualized, is nearly…



2) On February 3rd, I’ll be speaking at BSides Seattle, on similar topic, but for a target audience of DFIR/blue teams.

Disclaimer: Paul and I both work at PreOS Security.


Embedded Linux Japan Technical Jamboree 63 slides/videos uploaded

Status of Embedded Linux, Tim Bird
Review of ELC Europe 2017, Tim Bird
Implementing state-of-the-art U-Boot port, 2017 edition, Marek Vasut
The battle over the dark corners of Linux kernel memory management (collaborators wanted) (original title: "Linux カーネルのメモリ管理の闇をめぐる戦い(協力者募集中)"), Tetsuo Handa (NTT Data)
Request for your suggestions: How to Protect Data in eMMC on Embedded Devices, Gou Nakatsuka (Daikin)
Fuego Status and Roadmap, Tim Bird
Multicast Video-Streaming on Embedded Linux environment, Daichi Fukui (TOSHIBA)
From 1 to many Implementing SMP on OpenRISC, Stafford Horne
Core Partitioning Technique on Multicore Linux systems, Kouta Okamoto (TOSHIBA)
Debian + YoctoProject Based Projects: Collaboration Status, Kazuhiro Hayashi (TOSHIBA)

See also: September 2017 Jamboree 62:

Status of Embedded Linux, Tim Bird
EdgeX Foundry: Introduction and demonstration of end to end IoT system, Victor Duan, Linaro
Lighting Talk: Integration between GitLab and Fuego, Tomohito Esaki, IGEL Co., Ltd.
DebConf17 Report, Kazuhiro Hayashi, TOSHIBA
Lightning Talk: About the LTS now, Shinsuke Kato, Panasonic Corporation
Kernel Recipes 2015 – Linux Stable Release process, Greg KH
Lightning Talk: IPv6 Ready Logo Test for LTSI 4.9 and introduction about CVE-2016-5863 and CVE-2017-11164, Fan Xin, Fujitsu Computer Technologies Limited

Intel ME at CCC

It appears PTSecurity may have a GUI Debugger for Intel ME??

The “Minix Inside” stickers look great, click on the tweet from frdnd.

Hoping CCC staff does the great job they do every year and gets the videos for these events online quickly! 😉

PS: Of course, this isn’t all that is happening at CCC. There are multiple other interesting talks, eg:


Linux Power Management summit

Juri Lelli of Red Hat announced the OSPM-Summit 2018, on the Linux-(pm,acpi,pci,rt-user,kernel) lists. Edited version of that announcement below.

Power Management and Scheduling in the Linux Kernel II edition (OSPM-summit 2018)
April 16-18, 2018
Scuola Superiore Sant’Anna
Pisa, Italy

Deadline for submitting topics/presentations is 9th of December 2017.

Focus: Power management and scheduling techniques to reduce energy consumption while meeting performance and latency requirements are still receiving considerable attention from the Linux Kernel development community. After the success of the first edition, II edition of the Power Management and Scheduling in the Linux Kernel (OSPM) summit aims at replicating such focused discussions, understanding what has been achieved and what instead still remains to be addressed. The summit is organised to cover three days of discussions and talks. Topics:

* Power management techniques
* Real-time and non real-time scheduling techniques
* Energy awareness
* Mobile/Server power management real-world use cases (successes and failures)
* Power management and scheduling tooling (configuration, integration, testing, etc.)
* Tracing
* Recap lightning talks (what has been achieved w.r.t. I edition?)

Full announcement:

FOSDEM 2018 CfP: Hardware Enablement Devroom

FOSDEM is happening in Brussels, Belgium in early February.

FOSDEM Hardware Enablement Devroom Call for Participation

In this devroom we want to discuss topics surrounding hardware enablement. Subjects can range from the firmware running on the bare metal machine, drivers and plumbing all the way to the user interface. We welcome a broad range of presentations, including but not limited to technical talks, state of the union summaries as well as discussions that facilitate the collaboration between community members, software vendors and OEMs. A particular emphasis will be given to talks covering a significant part of the software stack involved in hardware enablement, with an obvious focus on using open source throughout the whole stack.

Topics & Examples
* UX design to enable users to use their HW effectively
* Firmware:
– coreboot
– flashrom
– UEFI EDK2 (Tianocore)
– Security
– Lockdown of platform using firmware
– Updating
* Secure Boot
* Hardware testing / certification
* Thunderbolt 3 security modes
* Gaming input devices (keyboards, mice, piper)
* Biometric authentication
* Miracast or controlling remote devices
* Why vendors should facilitate upstream development

There are many more devrooms, as well:


Hardware startup events continue to ignore security

ATOMS 2017 by Hardware Club is happening in Paris, for hardware startups.

ATOMS is a one-day event combining a series of:
* Highly specialised talks about IoT, robotics, automation, investment in hardware
* Panels and fireside chats with hardware founders
* With a range of speakers drawn from top VCs, startups and corporate partners

* Creating strategic competitive advantage by leveraging crowdsourcing and community
* Navigating the VC landscape
* Capital efficiency & the use of capital
* How to build things with purpose
* From B2C to B2B: why all hardware founders should be B2B entrepreneurs
* Getting into mass production
* Why design matters
* Building communities that last

To date, I have NEVER seen a security presentation listed at a hardware startup event. 😦 I guess the default security presentation is “Build hardware with no thought for security, watch your products become part of the next botnet attack, get mocked by Internet of Shit, get sued by your customers, watch your business fail.”? Hardware Club: PLEASE add a security talk!

Insyde Software security updates for Windows 10

Hurray, UEFI vendors focusing on security! 🙂

Insyde® Software Highlights Strategies to Strengthen Firmware Security at the Fall UEFI Plugfest

Company’s Chief Technology Officer to Present at The UEFI Forum Plugfest in Taipei, Taiwan

[…]In related UEFI-security news, Insyde Software announced its full compliance with the latest firmware security updates needed by Microsoft’s upcoming Windows® release. The Windows 10 Fall Creators Update adds new requirements that include improved support for TPMs (Trusted Platform Modules) and new functionality for Secure Boot BIOS update, all of which is fully supported by InsydeH2O® UEFI BIOS.[…]

European Coreboot Conference 2017: some presentations online

Multiple PDFs from the European Coreboot Conference 2017 are already online, linked off their individual event pages, e.g.:

And hopefully we can watch videos of the other presentations soon:

PS: The coreboot event is happening in Europe at nearly the same time the UEFI event is happening in Asia. I wish those two firmware communities would sync their events and host them adjacently.

SMM presentation at ACSA2017

Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode

Ronny Chevalier, Maugan Villatel, David Plaquin, Guillaume Hiet

Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect runtime attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach is generic. It can monitor different targets (e.g., firmware, kernel, or hypervisor) and does not depend on a specific model of the behavior. In this work, we apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We use the control-flow of the code as a model of its behavior. We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 µs threshold defined by Intel).
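The monitoring idea in the abstract above, reduced to a toy that can be run. The following is an added example, not code from the paper, from EDK II or from coreboot: a Python list of events stands in for the instrumented firmware pushing control-flow events to the co-processor, and a constructed call graph of an imaginary SMI handler stands in for the behaviour model. The function names, the event format and the three traces are assumptions made for illustration. The monitor checks every call against the graph and every return against a shadow stack, which is one concrete way to use "the control-flow of the code as a model of its behavior".

```python
"""Toy event-based control-flow monitor (constructed example, not the paper's code)."""

# Constructed behaviour model: for every function of an imaginary SMI
# handler, the set of functions it is allowed to call.
ALLOWED_CALLS = {
    "smi_entry": {"dispatch"},
    "dispatch": {"handle_variable_write", "handle_power_button"},
    "handle_variable_write": {"validate_buffer", "copy_to_smram"},
    "handle_power_button": {"platform_shutdown"},
    "validate_buffer": set(),
    "copy_to_smram": set(),
    "platform_shutdown": set(),
}


def monitor(events, entry="smi_entry"):
    """Replay ("call", caller, callee) / ("ret", callee, target) events as the
    co-processor would receive them from the instrumented main CPU.
    Returns a list of (event index, reason) alerts; [] means the trace
    matched the model."""
    alerts = []
    shadow = []        # shadow stack: callers still waiting for a return
    current = entry    # function the main CPU should be executing right now
    for idx, (kind, src, dst) in enumerate(events):
        if src != current:
            alerts.append((idx, f"event from {src} while {current} should be running"))
        if kind == "call":
            if dst not in ALLOWED_CALLS.get(src, set()):
                alerts.append((idx, f"unexpected call {src} -> {dst}"))
            shadow.append(src)
        elif kind == "ret":
            expected = shadow.pop() if shadow else None
            if dst != expected:
                alerts.append((idx, f"return from {src} to {dst}, expected {expected}"))
        else:
            alerts.append((idx, f"malformed event kind {kind!r}"))
        current = dst
    if shadow:
        alerts.append((len(events), "SMI handler ended with calls still outstanding"))
    return alerts


# Constructed traces: one benign SMI, one whose buffer-check function returns
# to the wrong place (skipping its caller), one that calls unmodelled code.
BENIGN = [
    ("call", "smi_entry", "dispatch"),
    ("call", "dispatch", "handle_variable_write"),
    ("call", "handle_variable_write", "validate_buffer"),
    ("ret", "validate_buffer", "handle_variable_write"),
    ("call", "handle_variable_write", "copy_to_smram"),
    ("ret", "copy_to_smram", "handle_variable_write"),
    ("ret", "handle_variable_write", "dispatch"),
    ("ret", "dispatch", "smi_entry"),
]
HIJACKED_RETURN = BENIGN[:3] + [
    ("ret", "validate_buffer", "copy_to_smram"),   # returns past its caller
    ("ret", "copy_to_smram", "handle_variable_write"),
    ("ret", "handle_variable_write", "dispatch"),
    ("ret", "dispatch", "smi_entry"),
]
ROGUE_CALL = BENIGN[:1] + [
    ("call", "dispatch", "unmodelled_code"),
    ("ret", "unmodelled_code", "dispatch"),
    ("ret", "dispatch", "smi_entry"),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("hijacked return", HIJACKED_RETURN),
                        ("rogue call", ROGUE_CALL)):
        print(f"{name}: {monitor(trace) or 'no alerts'}")
```

The first alert is the one that matters: once a return has desynchronised the shadow stack, every later return in the same SMI also mismatches, so a real monitor would stop the handler (or flag the whole SMI) at the first alert rather than report the cascade.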


Fastly Security Speaker Series

If you are in San Francisco later this month, the Fastly Security Speaker Series has a new event, with two firmware security-related presentations!

We’re excited to announce the third installment of the Fastly Security Speaker Series. Fastly will bring some of the most innovative and thoughtful security researchers to San Francisco to share their work. Speakers include Alex Bazhaniuk, of Eclypsium, Inc. and Stephen Checkoway, whose most recent papers include: A Systematic Analysis of the Juniper Dual EC Incident, Run-DMA and On the Security of Mobile Cockpit Information Systems.

Talk 1: Exploring Your System Deeper
Alex Bazhaniuk of Eclypsium, Inc.

Ever wanted to explore deep corners of your system but didn’t know how? This could include system boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors — you could discover if any of these have known vulnerabilities, are configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify the security state of platform components of your system and how effective the platform security defenses are: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation… Or maybe you just want to explore hardware and firmware components your system has. CHIPSEC framework can help you with all of that. Since its release at CanSecWest 2014, significant improvements have been made in the framework — from making it easy to install and use to adding lots of new security capabilities. We’ll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images, and more.

Talk 2: The Juniper Dual EC incident
Stephen Checkoway, Assistant Professor at University of Illinois at Chicago

In December 2015, Juniper Networks announced that unknown attackers had added unauthorized code to ScreenOS, the operating system for their NetScreen VPN routers. This code created two vulnerabilities: an authentication bypass that enabled remote administrative access, and a second vulnerability that allowed passive decryption of VPN traffic. Reverse engineering of ScreenOS binaries revealed that the first of these vulnerabilities was a conventional back door in the SSH password checker. The second is far more intriguing: a change to the Q parameter used by the Dual EC pseudorandom number generator. It is widely known that Dual EC has the unfortunate property that an attacker with the ability to choose Q can, from a small sample of the generator’s output, predict all future outputs. In a 2013 public statement, Juniper noted the use of Dual EC but claimed that ScreenOS included countermeasures that neutralized this form of attack. In this talk, Stephen Checkoway presents the results of a thorough independent analysis of the ScreenOS randomness subsystem, as well as its interaction with the IKE VPN key establishment protocol. This work sits at the intersection of cryptography, protocol design, and forensics, and is a fascinating look at a problem that received a great deal of attention at the time but whose details are less well known.
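The property of Dual EC that the abstract above relies on ("an attacker with the ability to choose Q can, from a small sample of the generator’s output, predict all future outputs") can be seen on a toy curve. The following is an added example, not code from the talk or from the ScreenOS analysis: it builds a tiny Dual EC generator over a constructed curve (y² = x³ + 2x + 3 over GF(97)), lets the party who "chooses" Q set Q = e·P and keep e, and shows that one emitted output fixes every later one. The toy emits the whole x-coordinate; the real generator truncates 16 bits of it, so a real observer must brute-force those bits first. The curve, the seed and all names are assumptions. The defensive point is the one the incident makes: a Q whose derivation you cannot verify is a Q someone else may hold the trapdoor to, and the generator's output should not be trusted on the strength of a vendor's word about countermeasures.

```python
"""Toy Dual EC DRBG with a chosen Q (constructed example, not ScreenOS code).

Tiny curve, full x-coordinate output, no security value: it exists only to
show why the provenance of the Q parameter matters.
"""
from math import gcd

# Constructed toy curve  y^2 = x^3 + A*x + B  over GF(PRIME)
PRIME, A, B = 97, 2, 3
INF = None  # point at infinity


def _inv(x):
    return pow(x, PRIME - 2, PRIME)


def ec_add(p1, p2):
    """Affine point addition, covering doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % PRIME
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = ec_add(acc, pt), n + 1
    return n


def points_with_x(x):
    """The curve points (at most two, negatives of each other) with this x."""
    return [(x, y) for y in range(PRIME) if (y * y - x ** 3 - A * x - B) % PRIME == 0]


def curve_points():
    return [pt for x in range(PRIME) for pt in points_with_x(x)]


# Honest base point P: a point of largest order on the toy curve; N is that order.
P = max(curve_points(), key=ec_order)
N = ec_order(P)

# Whoever "chooses" Q picks a secret e and publishes Q = e*P. Everyone else
# only ever sees Q and cannot tell it from a random point.
E = next(e for e in range(2, N) if gcd(e, N) == 1)
Q = ec_mul(E, P)
D = pow(E, -1, N)  # the trapdoor: P = D*Q  (modular inverse, Python 3.8+)


def _next_state(pt):
    # Toy guard: keep the scalar in 1..N-1 so no multiplication lands on INF
    # (on the real curve this is a negligible-probability corner case).
    return pt[0] % N or 1


def dual_ec_outputs(seed, count):
    """Emit `count` outputs: s_i = x(s_{i-1}*P), r_i = x(s_i*Q)."""
    s, outs = seed % N or 1, []
    for _ in range(count):
        s = _next_state(ec_mul(s, P))
        outs.append(ec_mul(s, Q)[0])  # the real generator truncates this value
    return outs


def predict_following(observed_r, count):
    """Holding D, one observed output r_i yields s_{i+1} and so every later output."""
    r_point = points_with_x(observed_r)[0]  # R_i = s_i*Q up to sign; sign is irrelevant below
    s = _next_state(ec_mul(D, r_point))     # D*R_i = s_i*(D*Q) = s_i*P, whose x is s_{i+1}
    preds = []
    for _ in range(count):
        preds.append(ec_mul(s, Q)[0])
        s = _next_state(ec_mul(s, P))
    return preds


if __name__ == "__main__":
    outs = dual_ec_outputs(12345, 6)   # constructed seed
    print("order of P on the toy curve:", N)
    print("generator output        :", outs)
    print("predicted from outs[0]  :", predict_following(outs[0], 5))
```

Nothing in the public parameters distinguishes the trapdoored Q from an honestly generated one, which is why the only useful check a defender has is provenance: either Q is the published standard point or it was derived by a documented, reproducible procedure (for example hashing to a point) that rules out a known discrete logarithm to P.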

PreOS presentation from SeaGL online

Last week Paul English of PreOS Security gave a presentation at SeaGL Conference (spelled with the RMS-preferred prefix, “Seattle GNU/Linux Conference”, pronounced like the bird “Seagull”). The presentation was about firmware defensive skills. Whereas my previous presentation presumed an enterprise audience (SysAdmins, SREs, Blue Teams, or DFIR), Paul’s talk presumed an audience of end-users, with no enterprise to back them up.

Alas, as with most SeaGL presentations, this one was not video/audio-taped. His blog post has a pointer to his slides.

His blog post also mentions a brief status update on the sysadmin ebook that Paul is driving: he’s nearly ready, and it’ll be nice to have this resource available.

Also, note that the PreOS Security web site has been revamped. All known HTTP/HTTPS problems have been resolved, and the blog backlog is getting flushed.