Uncategorized

microparse

“Microparse: Microcode update parser for AMD, Intel, and VIA processors written in Python 3.x.”

Security Analysis of x86 Processor Microcode
Daming D. Chen, Gail-Joon Ahn
December 11, 2014

Modern computer processors contain an embedded firmware known as microcode that controls decode and execution of x86 instructions. Despite being proprietary and relatively obscure, this microcode can be updated using binaries released by hardware manufacturers to correct processor logic faws (errata). In this paper, we show that a malicious microcode update can potentially implement a new malicious instructions or alter the functionality of existing instructions, including processor-accelerated virtualization or cryptographic primitives. Not only is this attack vector capable of subverting all software-enforced security policies and access controls, but it also leaves behind no postmortem forensic evidence due to the volatile nature of write-only patch memory embedded within the processor. Although supervisor privileges (ring zero) are required to update processor microcode, this attack cannot be easily mitigated due to the implementation of microcode update functionality within processor silicon. Additionally, we reveal the microarchitecture and mechanism of microcode updates, present a security analysis of this attack vector, and provide some mitigation suggestions. A tool for parsing microcode updates has been made open source, in conjunction with a listing of our dataset.

https://github.com/ddcc/microparse

 

https://www.dcddcc.com/docs/2014_paper_microcode.pdf

 

Standard
Uncategorized

Intel cancels Intel Developer Forum

http://www.anandtech.com/show/11279/intel-discontinues-the-intel-developer-forum-idf17-cancelled

http://www.intel.com/content/www/us/en/intel-developer-forum-idf/san-francisco/2017/idf-2017-san-francisco.html

PS: In other event news, the Fall UEFI Plugfest will be in Taipei instead of Seattle. See the presentations from the last plugfest for details.

Standard
Uncategorized

details on Intel’s Bug Bounty Program

The Intel Security Center now has a new page that describes Intel’s Bug Bounty Program:

Intel® launches its first bug bounty program
Intel® Bug Bounty Program

At the CanSecWest Security conference on March 14, 2017, Intel launched its first Bug Bounty program targeted at Intel Products. We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability. By partnering constructively with the security research community, we believe we will be better able to protect our customers.

Scope and Severity Ratings

Intel Software, Firmware, and Hardware are in scope. The harder a vulnerability is to mitigate, the more we pay
Vulnerability Severity     Intel Software     Intel Firmware     Intel Hardware
Critical     Up to $7,500     Up to $10,000     Up to $30,000
High     Up to $2,500     Up to $5,000     Up to $10,000
Medium     Up to $1,000     Up to $1,500     Up to $2,000
Low     Up to $500     Up to $500     Up to $1,000

A few details on items that are not in the program scope:

    Intel Security (McAfee) products are not in-scope for the bug bounty program.
    Third-party products and open source are not in-scope for the bug bounty program.
    Intel’s Web Infrastructure is not in-scope for the bug bounty program.
    Recent acquisitions are not in-scope for the bug bounty program for a minimum period of 6 months after the acquisition is complete.

https://security-center.intel.com/BugBountyProgram.aspx

https://security-center.intel.com/default.aspx

 

Standard
Uncategorized

Intel updates Minnowboard firmware, and Firmware Engine for Windows

Intel has updated their UEFI firmware for the Minnowboard, and has updated Intel Firmware Engine for Windows.

 

 

Standard
Uncategorized

CHIPSEC 1.3.0 released

New/updated modules:
* tools.uefi.whitelist – The module can generate a list of EFI executables from (U)EFI firmware file or extracted from flash ROM, and then later check firmware image in flash ROM or file against this list of [expected/whitelisted] executables
* tools.uefi.blacklist – Improved search of blacklisted EFI binaries, added exclusion rules, enhanced blacklist.json config file
* tools.smm.rogue_mmio_bar – Experimental module that may help checking SMM firmware for MMIO BAR hijacking vulnerabilities described in “BARing the System: New vulnerabilities in Coreboot & UEFI based systems” (http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017_BARing_the_system.pdf) by Intel Advanced Threat Research team at RECon Brussels 2017
* tools.uefi.uefivar_fuzz – The module is fuzzing UEFI Variable interface. The module is using UEFI SetVariable interface to write new UEFI variables to SPI flash NVRAM with randomized name/attributes/GUID/data/size.

New/updated functionality:
* Debian packaging support
* Compiling in setup.py and automated loading of chipsec.kext kernel module on macOS
* Internal Graphics Device support including software DMA via Graphics Aperture
* Improved parsing andsearch within UEFI images including update capsules
* Export of extracted EFI firmware tree in JSON format
* Export of CHIPSEC results in JSON format via –json command-line argument
* EFI (de-)compression ported from uefi-firmware-parser project
* Decompression to macOS helper to parse Mac EFI firmware images
* Support of command-line arguments in chipsec_util.py
* SMI count command
* Improved platform dependent Flash descriptor parsing
* ReadWriteEverything helper to work with RWE driver
* map_io_space to improve SPI read performance on Linux
* Native (OS based) access PCI, port I/O and CPU MSR to Linux helper
* Improved chipsec_util.py unit testing

See full announcement for list of bugfixes.

https://github.com/chipsec/chipsec/releases/tag/v1.3.0

 

Standard
Uncategorized

6-part Youtube BIOS system architecture series

 

BIOS Session 1 – System Memory Map
BIOS Session 2 – Legacy Region
BIOS Session 3 – HIgh Level Overview of the BOOT flow
BIOS Session 4 – Transaction flows and address decoding part 1
BIOS Session 5 – Transaction flows and address decoding part 2
BIOS Session 6 – PCI Basics and Bus Enumeration

 

 

 

Standard
Uncategorized

UEFI Plugfest slides uploaded

https://uefi.blogspot.com/2017/03/uefi-plugfest-2017-in-nanjing.html

Tim Lewis of Insyde has a blog post with an update for the UEFI plugfest. *Multiple* presentations on security!!

 State of UEFI – Mark Doran (Intel)
 Keynote: China Information Technology Ecosystem – Guangnan Ni (Chinese Academy of Engineering).
 The Role of UEFI Technologies Play in ARM Platform Architecture – Dong Wei (ARM)
 ARM Server’s Firmware Security – Zhixiong (Jonathan) Zhang, Cavium
 SMM Protection in EDK II – Jiewen Yao (Intel)
 Server RAS and UEFI CPER – Mao Lucia and Spike Yuan (Intel)
 A More Secure and Better User Experience for OS-based Firmware Update – David Liu (Phoenix)
 UEFI and IoT: Best Practices in Developing IoT Firmware Solutions – Hawk Chen (Byosoft)
 Establishing and Protecting a Chain of Trust with UEFI – David Chen (Insyde)
 Implementation of Hypervisor in UEFI Firmware – Kangkang Shen (Huawei)
 Lessons Learned from Implementing a Wi-Fi and BT Stack – Tony Lo (AMI)
  UEFI Development Anti-Patterns – Chris Stewart (HP)

http://www.uefi.org/learning_center/presentationsandvideos

Standard