slides from yesterday’s BSides Seattle presentation (and seeking archive of lost Intel ATR blog on Hacking Team)

February 4, 2018 ~ hucktech ~ Leave a comment

Slides available tomorrow or next week here re: firmware security and evil maid attack #BSidesSeattle https://t.co/y5skz3Nxw2

— Teri Radichel (@TeriRadichel) February 3, 2018

Yesterday I gave a presentation at Bsides Seattle on defending firmware. This version of the presentation attemped to address DFIR audience, not just SysAdmin/Site Reliablity Engineer audience.

I got some interesting feedback on IR after this presentation, we’ll do a blog on this in the next few days. As well as a few updates to existing IR standards to showcase where firmware is lacking.

Below is copy of slides:

There are 4 sections, Threats, Tech, Tools, and Guidance. The Tech section is probably weakest to read without having an audio. This talk was result of trying to jam a 4-hour training session into a 1-hour talk, the Tech section lost the most from this compression.

bsidesseattle2018.fisher.defending-firmware

Bsides didn’t record audio/video of their event.

I updated the slides from yesterday, the “DIY Homework” section focused on following along with the analysis in the old Intel ATR blog post on the Wikileaked Hacking Team UEFI malware blob. However, that blog URL is no longer around.

If you know of any online archives of these URLs, please leave a Comment on this blog post, thanks!
http://www.intelsecurity.com/advanced-threat-research/blog.html
http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html

This is the best-fit replacement for missing above URL, and it includes some new content (eg, blacklist command) that original blog did not. Save a copy of the blog post, I don’t expect it to be archived:

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

Chipsec v1.3.4 released

October 24, 2017 ~ hucktech ~ Leave a comment

CHIPSEC 1.3.4 is released. @chipsec https://t.co/1StKLnACNH

— ALF (@Simiiforme) October 24, 2017

New or Updated Functionality:
* Updated support for 7th/8th generation Intel processors
* Added ability to undefine a configuration entry
* Added HAL and utilcmd for TPM Event Log
* Added utilcmd for TPM commands
* Added support for Apollo Lake
* added utilcmd to inspect PCI command/control registers

https://github.com/chipsec/chipsec/commits/master

https://github.com/chipsec/chipsec/releases/tag/v1.3.4

McAfee releases CHIPSEC 1.3.2

August 11, 2017 ~ hucktech ~ Leave a comment

Release 1.3.2 is out! /cc @c7zero @JohnLoucaides https://t.co/0TiIbHQl3f

— CHIPSEC (@CHIPSEC) August 10, 2017

New or Updated Modules:
* Updated X64 Python for UEFI Shell

New or Updated Functionality:
* Updated FREG definitions
* Added mmap support to kernel module and chipsec device

Fixes:
* Fixed memory reads with kernel 4.8+
* Fixed version display in chipsec_util
* Fixed UEFI Shell X64 calling convention for SW SMI generation
* Fixed range check in bios_wp
* Fixed P2SB register accesses
* Fixed IOCTL_WRMMIO for x86_64 in Linux driver

Above relnotes aside, there are some other smaller features not listed above, in the changelog:
https://github.com/chipsec/chipsec/commits/master

I wish the CHIPSEC team signed their binary-only release of CPython 2.7x for UEFI, and/or included their build tree of the EDK2 that generates this, so we can build our own, hopefully ‘reproducably’.

I don’t see any ARM support[1]. Obviously, the title of below blog post was wrong, it was not released at Black Hat, AFAICT. Was this patch lost in Las Vegas? Is the ARM code a non-McAfee patch by Eclypsium that won’t be upstreamed into the GPL’ed CHIPSEC codebase? I wish I knew…

[1] https://firmwaresecurity.com/2017/07/25/chipsec-for-arm-to-be-released-at-black-hat/

Alex and Yuriy form Eclypsium, Inc.

July 29, 2017July 29, 2017 ~ hucktech ~ Leave a comment

WOW! I just heard that Alex and Yuriy have left Intel Advanced Threat Research (McAfee) and have started Eclypsium, Inc.

Alex Bazhaniuk is the “Founder and VP of Technology at Eclypsium, Inc.”

Yuriy Bulygin is the “Founder and CEO at Eclypsium, Inc.”

http://www.eclypsium.com/
Twitter: @ABazhaniuk
Twitter: @c7zero/
https://github.com/chipsec/chipsec/blob/master/AUTHORS

Intel ATR releases UEFI firmware training materials!

May 25, 2017 ~ hucktech ~ 3 Comments

Good news: the Intel Advanced Threat Research (ATR) team has release some of their UEFI security training materials!

This repository contains materials for a hands-on training ‘Security of BIOS/UEFI System Firmware from Attacker and Defender Perspectives’. A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

0 Introduction to Firmware Security
1 BIOS and UEFI Firmware Fundamentals
2 Bootkits and UEFI Secure Boot
3 Hands-On Platform Hardware and Firmware
4 System Firmware Attack Vectors
5 Hands-On EFI Environment
6 Mitigations
7 System Firmware Forensics
N Miscellaneous Materials

https://github.com/advanced-threat-research/firmware-security-training

Intel ATR’s UEFI whitelist database

May 1, 2017 ~ hucktech ~ Leave a comment

Thanks to a friend for pointing this out to me, something I had not noticed.

Intel ATR has a new github project which hosts the whitelist database that CHIPSEC uses:

https://github.com/advanced-threat-research/efi-whitelist

CHIPSEC 1.3.0 released

March 31, 2017 ~ hucktech ~ Leave a comment

CHIPSEC release v1.3.0 has been published. Thank you to all contributors! https://t.co/8bnMQ4kV7r

— CHIPSEC (@CHIPSEC) March 29, 2017

New/updated modules:
* tools.uefi.whitelist – The module can generate a list of EFI executables from (U)EFI firmware file or extracted from flash ROM, and then later check firmware image in flash ROM or file against this list of [expected/whitelisted] executables
* tools.uefi.blacklist – Improved search of blacklisted EFI binaries, added exclusion rules, enhanced blacklist.json config file
* tools.smm.rogue_mmio_bar – Experimental module that may help checking SMM firmware for MMIO BAR hijacking vulnerabilities described in “BARing the System: New vulnerabilities in Coreboot & UEFI based systems” (http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017_BARing_the_system.pdf) by Intel Advanced Threat Research team at RECon Brussels 2017
* tools.uefi.uefivar_fuzz – The module is fuzzing UEFI Variable interface. The module is using UEFI SetVariable interface to write new UEFI variables to SPI flash NVRAM with randomized name/attributes/GUID/data/size.

New/updated functionality:
* Debian packaging support
* Compiling in setup.py and automated loading of chipsec.kext kernel module on macOS
* Internal Graphics Device support including software DMA via Graphics Aperture
* Improved parsing andsearch within UEFI images including update capsules
* Export of extracted EFI firmware tree in JSON format
* Export of CHIPSEC results in JSON format via –json command-line argument
* EFI (de-)compression ported from uefi-firmware-parser project
* Decompression to macOS helper to parse Mac EFI firmware images
* Support of command-line arguments in chipsec_util.py
* SMI count command
* Improved platform dependent Flash descriptor parsing
* ReadWriteEverything helper to work with RWE driver
* map_io_space to improve SPI read performance on Linux
* Native (OS based) access PCI, port I/O and CPU MSR to Linux helper
* Improved chipsec_util.py unit testing

See full announcement for list of bugfixes.

https://github.com/chipsec/chipsec/releases/tag/v1.3.0

Slides for coreboot/UEFI talk from REcon available

February 22, 2017 ~ hucktech ~ Leave a comment

Slides from our "New vulnerabilities in Coreboot and UEFI based firmware" talk at @reconbrx : https://t.co/i4cmlqLNNt [pdf]

— Yuriy Bulygin (@c7zero) February 22, 2017

Our slides from #reconbrx "Baring the system" (analysis of BAR overlapping vuln.) at https://t.co/BKTogCYPch // @c7zero @reconbrx @reconmtl

— Alex Bazhaniuk (@ABazhaniuk) February 22, 2017

Click to access REConBrussels2017_BARing_the_system.pdf

http://www.intelsecurity.com/advanced-threat-research/index.html

Alex leaves Intel ATR!

September 24, 2016 ~ hucktech ~ Leave a comment

Wow, Alex Matrosov is leaving Intel Advanced Threat Research (ATR).

As I understand it, he is one of the CHIPSEC team. I hope the project can handle his loss.

It is unclear what he’ll be doing next. Maybe he’ll be joining Apple? They are hiring all the great researchers…)

Today is my last day at Intel. It was interesting time with ATR and SeCoE. But I need moving forward for new RE adventures. Stay tuned!

— Alex Matrosov (@matrosov) September 24, 2016

Tweets by matrosov

https://keybase.io/matrosov

CHIPSEC 1.2.3 released!

July 2, 2016 ~ hucktech ~ Leave a comment

CHIPSEC 1.2.3 is out! https://t.co/LoXtDLrHuR

— CHIPSEC (@CHIPSEC) July 1, 2016

Excerpt of CHIPSEC 1.2.3 release notes:

New/updated modules:
* tools.vmm.vbox_crash_apicbase — test for CVE-2015-0377
* udated common.bios_ts, common.uefi.s3bootscript, remap
* added template config file smm_config.ini for tools.smm.smm_ptr SMI fuzzer
* added template config file te.cfg for tools.secureboot.te tool

New/improved functionality:
* Added basic TPM access and TPM 1.2 support
        hal/tpm.py and hal/tpm12_commands.py HAL components
* Added basic Embedded Controller (EC) support
        hal/ec.py HAL component and chipsec_util ec util
* Added processing of x86 paging hierarchy
        hal/paging.py and hal/cpu.py HAL components and chipsec_util cpu pt util
* Added processing of Second Level Address Translation paging hierarchy (EPT)
        hal/vmm.py HAL component and chipsec_util vmm pt util
* Added processing of IOMMU (VT-d) paging hierarchy
        hal/iommu.py HAL component and chipsec_util iommu pt util
* Basic support for hypervisor hypercall interfaces
        hal/vmm.py HAL component and chipsec_util vmm hypercall util
* Added message bus interface for Atom SoC (Linux)
        hal/msgbus.py HAL component and chipsec_util msgbus util
* CPUID functionality moved from hal/cpuid.py to hal/cpu.py HAL component
        Use chipsec_util cpu cpuid util
* Added parsing of RAW images in UEFI firmware volumes
* Updated smbus and SPD HAL components to use XML config
* Added qrk.xml configuration file for Quark CPUs, updated configuration for Haswell Server (hsx.xml)
* Fixed location of MMCFG in server platforms. Results from prior versions may need to be recollected on server platforms.

See full release notes for list of bugfixes.

New module: tools.vmm.vbo.vbox_crash_apicbase (CVE-2015-0377)

— CHIPSEC (@CHIPSEC) July 1, 2016

Added support of Embedded Controller (EC) access on laptop devices and access to TPM hardware with a few initial TPM 1.2 commands

— CHIPSEC (@CHIPSEC) July 1, 2016

Added support of VMM hypercall interface for Xen and Hyper-V (from Windows guest OS at the moment). VMBus support & fuzzers are coming soon

— CHIPSEC (@CHIPSEC) July 1, 2016

Added support of paging hierarchy including dumping regular page tables, extended page tables (EPT) and VT-d page tables!

— CHIPSEC (@CHIPSEC) July 1, 2016

Heavy focus on low-level virtualization security testing in latest @CHIPSEC 1.2.3

— Yuriy Bulygin (@c7zero) July 2, 2016

https://github.com/chipsec/chipsec

DarkReading article on firmware protection

May 21, 2016 ~ hucktech ~ Leave a comment

Yuriy and John of the Intel CHIPSEC team are quoted in a new Dark Reading article on firmware security.

[…] Yuriy Bulygin and John Loucaides, security researchers at Intel Security, point out that hackers attack firmware because they know many security and IT managers aren’t paying attention to it. They say security teams are so overwhelmed by the prevailing threat landscape, that they have their hands full just deploying the basics, like firewalls, intrusion prevention systems and sandboxes. […]

http://www.darkreading.com/iot/5-tips-for-protecting-firmware-from-attacks/d/d-id/1325604

Intel ATR seeks Intern

May 16, 2016 ~ hucktech ~ Leave a comment

If you are a student, the Intel Advanced Threat Research (ATR) team, the team that produces CHIPSEC, is looking for a Summer Intern:

Intel ATR is looking for a summer intern for cool security projects in SW/HW. Contact me in DM or apply here: https://t.co/orbp2XNpaV

— Alex Bazhaniuk (@ABazhaniuk) May 16, 2016

http://jobs.intel.com/ShowJob/Id/819549/Security-Research-Intern/

Intel ATR site updates it’s research on web site

April 29, 2016 ~ hucktech ~ Leave a comment

Intel Advanced Threat Research (ATR) is home of the CHIPSEC team. They just updated their web site with more presentation archives.

http://www.intelsecurity.com/advanced-threat-research/index.html

A few materials which we never published are now on the web-site: https://t.co/Cqd8AQWc98

— Yuriy Bulygin (@c7zero) April 28, 2016

Finally ATR website updated: https://t.co/d2PIGDCcRu with all presentations/papers. Check it out. Special thanks @c7zero and John Loucaides

— Alex Bazhaniuk (@ABazhaniuk) April 28, 2016

BIOS analysis presentation at Analyze 2016

February 26, 2016 ~ hucktech ~ Leave a comment

Alex Bazhaniuk (@ABazhaniuk) and Yuriy Bulygin (@c7zero) will present "Different methods of BIOS analysis" at #AnalyzeCON '16

— Analyze Conference (@AnalyzeCON) February 25, 2016

Analyze 2016 takes place in March in San Francisco. It is a “Security community event for malware and exploit analysis research”. Amongst the presentations is one on BIOS analysis by two of the Intel Advanced Threat Research (ATR) team!

Talks:
Tom Bennett – Whose RAT Is It Anyways?
Aaron Shelmire – Sections, Segments, and Functions, oh my! Hashing your way to analytical shortcuts.
Edward Miles – Making sense of ProGuard’s mess
Oleksandr Bazhaniuk/Yuriy Bulygin – Different methods of BIOS analysis: Static, Dynamic and Symbolic execution
Darren Spruell – Malicious Traffic Distribution: Tactics and Response
Rick Wesson – Static Malware Analysis on GPUs
Chip McSweeney – DGA Antivenom: Stopping new configurations before analysis
Jing Xie – Risks of iOS Remote Hot-Patching
Alexander Matrosov – Distributing the reconstruction of IR for large scale malware analysis
http://www.analyze.cc/Waylon Grange – Wherefore by their crypto ye shall know them
Armin Buescher – Sanzoku APT

http://www.analyze.cc/

CHIPSEC training at TROOPERS

February 17, 2016 ~ hucktech ~ Leave a comment

Don't miss a out on a great 2 day #TR16 training wi/@ABazhaniuk & @c7zero https://t.co/Pt1kxLfW5N

— TROOPERS Conference (@WEareTROOPERS) February 17, 2016

The Intel CHIPSEC team doesn’t get out much to give training to the public often, so this upcoming 2-day of CHIPSEC training at TROOPERS is nice!

Security below the OS with CHIPSEC framework
Oleksandr Bazhaniuk, Yuriy Bulygin

A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and OS loaders. This workshop provides a hands-on opportunity to learn how to use an open source CHIPSEC framework https://github.com/chipsec/chipsec to test systems for vulnerabilities in low-level platform firmware components, problems with firmware security protections as well as develop your own modules in CHIPSEC which test for known issues or implement tools identifying new issues. Agenda:

* Introduction to platform hardware and access with CHIPSEC
* Introduction to platform firmware such as BIOS, UEFI firmware, SMI handlers
* Overview of main components of CHIPSEC framework
* Analyzing main firmware components and configuration
* Assessing systems for vulnerabilities in the BIOS and other firmware
* Developing vulnerability testing modules
* Developing fuzzers for firmware interfaces and other security tools
* BIOS forensics with CHIPSEC

https://www.troopers.de/events/troopers16/567_security_below_the_os_with_chipsec_framework/

REcon2015 CHIPSEC video online

January 27, 2016January 27, 2016 ~ hucktech ~ Leave a comment

Video of the Intel CHIPSEC team from 2015’s REcon is now online.

.@ABazhaniuk & @c7zero on "Attacking and Defending BIOS in 2015"
slides https://t.co/qtdkekHEmP
mp4 https://t.co/BjE7FXh8Mb

— TROOPERS Conference (@WEareTROOPERS) January 27, 2016

https://firmwaresecurity.com/2015/07/21/intel-atr-posts-recon-and-csw-presentations/

https://firmwaresecurity.com/2015/07/21/recon-2015-presentation-on-firmware-security-available/

CHIPSEC training at TROOPERS!

November 19, 2015 ~ hucktech ~ Leave a comment

It appears that two of the Intel CHIPSEC team — Oleksandr Bazhaniuk and Yuriy Bulygin — will be teaching CHIPSEC at TROOPERS next year in Germany!

"Security below the OS with CHIPSEC framework" sounds awesome https://t.co/dyKOTdwTWL https://t.co/HPCbUQVSYt

— Daniel Bilar (@daniel_bilar) November 19, 2015

https://www.troopers.de/events/troopers16/567_security_below_the_os_with_chipsec_framework/

CHIPSEC aside, there is other hardware security training going on at TROOPERS as well.

https://www.troopers.de/troopers16/trainings/

CHIPSEC 1.2.2 released!

November 7, 2015 ~ hucktech ~ Leave a comment

After nearly a quarter without an update, CHIPSEC 1.2.2 has been released!!

CHIPSEC 1.2.2 is finally out! https://t.co/3tFc4IZySo

— CHIPSEC (@CHIPSEC) November 7, 2015

Updated tools.smm.smm_ptr module to automatically discover "bad input pointer" type of vulns in SMI FW described in https://t.co/cegAgPDeO6

— CHIPSEC (@CHIPSEC) November 7, 2015

Hypervisor security testing with CHIPSEC! Simple tools.vmm.* modules to fuzz I/O, MSR, PCIe dev mem-mapped I/O & CPUID emulation by VMMs

— CHIPSEC (@CHIPSEC) November 7, 2015

This release includes multiple new VMM tests — including new fuzzers — hinted at DEF CON and elsewhere, a VENOM test, some S3 tests, support for more Intel CPUs, as well as a bunch of new/updated features:

NEW modules:
* tools.vmm.cpuid_fuzz to test CPUID instruction emulation by VMMs
* tools.vmm.iofuzz to test port I/O emulation by VMMs
* tools.vmm.msr_fuzz to test CPU Model Specific Registers (MSR) emulation by VMMs
* tools.vmm.pcie_fuzz to test PCIe device memory-mapped I/O (MMIO) and I/O ranges emulation by VMMs
* tools.vmm.pcie_overlap_fuzz to test handling of overlapping PCIe device MMIO ranges by VMMs
* tools.vmm.venom to test for VENOM vulnerability

Updated modules:
* tools.smm.smm_ptr to perform exhaustive fuzzing of SMI handler for insufficient input validation pointer vulnerabilities
* smm_dma to remove TSEGMB 8MB alignment check and to use XML “controls”. Please recheck failures in smm_dma.py with the new version.
* common.bios_smi, common.spi_lock, and common.bios_wp to use XML “controls”
* common.uefi.s3bootscript which automatically tests protections of UEFI S3 Resume Boot Script table
* tools.uefi.s3script_modify which allows further manual testing of protections of UEFI S3 Resume Boot Script table

NEW functionality:
* hal.cpu component to access x86 CPU functionality. Removed hal.cr which merged to hal.cpu
* hipsec_util cpu utility, removed chipsec_util cr
* S3 boot script opcodes encoding functionality in hal.uefi_platform
* hal.iommu, cfg/iommu.xml and chipsec_util iommu to access IOMMU/VT-d hardware
* chipsec_util io list to list predefined I/O BARs
* support for Broadwell, Skylake, IvyTown, Jaketown and Haswell Server CPU families
* ability to define I/O BARs in XML configuration using register attriute similarly to MMIO BARs
* UEFI firmware volume assembling functionality in hal.uefi
* Implemented alloc_phys_mem in EFI helper

See the full readme on the github page, which also includes short lists of bugfixes and known-issues:

https://github.com/chipsec/chipsec

If you haven’t been following current security research by Intel’s ATR team, who produces CHIPSEC, watch this video to see why you need to run this new version of CHIPSEC on any machine — after reading CHIPSEC’s warning.txt first — that runs a VMM:

ATR's presentation on hypervisor security at #bhusa15 https://t.co/00Y2wpGl78

— Yuriy Bulygin (@c7zero) November 7, 2015

[Hopefully we’ll see Intel LUV team add this release to their project, including LUV-live, soon. There has been a recent patch to LUV that may fix CHIPSEC’s usage in LUV-live, a second important reason to update your LUV-live images.]

Intel ATR demo videos from Blackhat

September 15, 2015 ~ hucktech ~ Leave a comment

Yuriy Bulygin of the Intel Advanced Threat Research (ATR) team, who includes the CHIPSEC team, has released some videos of their Blackhat demos:

Videos of our attacks on Xen & Hyper-V via UEFI/BIOS firmware issues at #bhusa #defcon23: https://t.co/dpbu13HfeI & https://t.co/WoW36NUNGQ

— Yuriy Bulygin (@c7zero) September 14, 2015

I’m looking forward to that new CHIPSEC s3 security test that is supposed to be in the works as a result of some of the Intel ATR talk at Blackhat!

Intel ATR on firmware security threats

August 19, 2015 ~ hucktech ~ Leave a comment

Jim Walter, Director of Advanced Threat Research for Intel Security, with contributions from Yuriy Bulygin and John Loucaides, wrote a blog for Dark Reading that summarizes some recent firmware attacks.

Vulnerable From Below: Attacking Hypervisors Using Firmware And Hardware
Malicious attacks with firmware privileges can compromise an entire system, so it is especially important to apply measures to reduce the risks.

Read the full article here:

http://www.darkreading.com/partner-perspectives/intel/vulnerable-from-below-attacking-hypervisors-using-firmware-and-hardware/a/d-id/1321834