s a n d s i f t e r : the x86 processor fuzzer
The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor’s instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips. With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.[…]
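The README above names the two observations the fuzzer rests on: feed the CPU a candidate encoding and watch what it does with it. The C program below is an added illustration, not sandsifter's own code (its injector also zeroes register state, single-steps, and drives the search over prefixes and opcode bytes). It places the candidate bytes so that they end exactly at a page boundary with an inaccessible guard page behind them, then classifies the outcome from the signal and the faulting RIP: a fetch fault into the guard page with RIP still at the candidate means the decoder wanted more bytes than were supplied (this is how an instruction's length can be measured without trusting any disassembler), a #UD means the CPU rejects the encoding, a #GP means it executed but is not allowed in ring 3, and so on. It assumes x86-64 Linux with glibc; the verdict names and the hex helper are this example's own.

```c
#define _GNU_SOURCE           /* REG_RIP and the gregs[] view of the signal context (glibc) */
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>

/* Verdicts for one candidate encoding (names are this example's own). */
enum {
    PROBE_UNSUPPORTED = 0, /* not x86-64/Linux, bad input, or setup failed */
    PROBE_INCOMPLETE  = 1, /* decoder faulted fetching past our bytes: it wants a longer encoding */
    PROBE_EXECUTED    = 2, /* instruction ran (fell through into the guard page, or returned) */
    PROBE_ILLEGAL     = 3, /* #UD: the CPU rejects this encoding */
    PROBE_TRAP        = 4, /* #BP or #DB */
    PROBE_FAULT       = 5, /* #GP or a data-access fault: decoded, but not allowed here */
    PROBE_HANG        = 6, /* did not finish before the alarm (e.g. a jump to itself) */
};

#if defined(__x86_64__) && defined(__linux__)
#define PROBE_SUPPORTED 1
#ifndef REG_RIP
#define REG_RIP 16 /* index of RIP in gregs[] on x86-64 glibc */
#endif

static long g_page;      /* page size */
static uint8_t *g_insn;  /* first byte of the candidate; its last byte is the last byte of the page */
static uint8_t *g_guard; /* first byte of the PROT_NONE page right after it */

/* Runs in the child: classify by which exception fired and where RIP was when it did. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uintptr_t rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uintptr_t addr = (uintptr_t)si->si_addr & ~((uintptr_t)g_page - 1);

    if (sig == SIGILL)  _exit(PROBE_ILLEGAL);
    if (sig == SIGTRAP) _exit(PROBE_TRAP);
    if (sig == SIGSEGV && addr == (uintptr_t)g_guard) {
        /* The fetch crossed into the guard page. If RIP never left the candidate, the
         * decoder was still consuming bytes, so the real encoding is longer than we gave it. */
        _exit(rip == (uintptr_t)g_insn ? PROBE_INCOMPLETE : PROBE_EXECUTED);
    }
    _exit(PROBE_FAULT); /* #GP (e.g. hlt in ring 3) or a fault on some other address */
}

int probe_bytes(const uint8_t *code, size_t len)
{
    if (len == 0 || len > 15) return PROBE_UNSUPPORTED; /* 15 is the x86 maximum length */
    g_page = sysconf(_SC_PAGESIZE);

    pid_t pid = fork();
    if (pid < 0) return PROBE_UNSUPPORTED;
    if (pid == 0) {
        uint8_t *base = mmap(NULL, 2 * (size_t)g_page, PROT_READ | PROT_WRITE,
                             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (base == MAP_FAILED) _exit(PROBE_UNSUPPORTED);
        g_guard = base + g_page;
        g_insn = g_guard - len;
        memcpy(g_insn, code, len);
        if (mprotect(base, g_page, PROT_READ | PROT_EXEC) || mprotect(g_guard, g_page, PROT_NONE))
            _exit(PROBE_UNSUPPORTED);

        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_fault;
        sa.sa_flags = SA_SIGINFO;
        int sigs[] = { SIGSEGV, SIGILL, SIGTRAP, SIGBUS, SIGFPE };
        for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++) sigaction(sigs[i], &sa, NULL);

        alarm(1);                        /* default SIGALRM action kills a looping candidate */
        void (*fn)(void);
        memcpy(&fn, &g_insn, sizeof fn); /* object pointer -> function pointer without a cast */
        fn();
        _exit(PROBE_EXECUTED);           /* only reached if the candidate returned (e.g. a ret) */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0) return PROBE_UNSUPPORTED;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGALRM) return PROBE_HANG;
    return PROBE_FAULT;
}
#else
#define PROBE_SUPPORTED 0
int probe_bytes(const uint8_t *code, size_t len) { (void)code; (void)len; return PROBE_UNSUPPORTED; }
#endif

/* Convenience wrapper: "0f0b" -> {0x0f, 0x0b}. Odd length, non-hex or >15 bytes is rejected. */
int probe_hex(const char *hex)
{
    uint8_t code[15];
    size_t n = 0;
    for (; hex[0] && hex[1] && n < sizeof code; hex += 2, n++) {
        char byte[3] = { hex[0], hex[1], 0 }, *end;
        code[n] = (uint8_t)strtol(byte, &end, 16);
        if (*end) return PROBE_UNSUPPORTED;
    }
    return *hex ? PROBE_UNSUPPORTED : probe_bytes(code, n);
}
```

With this, probe_hex("0f") reports PROBE_INCOMPLETE while probe_hex("0f0b") (ud2) reports PROBE_ILLEGAL and probe_hex("f4") (hlt) reports PROBE_FAULT; an encoding your disassembler rejects but the CPU executes, or asks for more bytes of, is exactly the kind of disagreement the tool hunts for. Arbitrary encodings can do more than fault, which is why each probe runs in a forked child under a one-second alarm.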
Intel SGX elevation of privilege update
Intel SGX security update for Intel Servers/NUC/ComputeStick. Excerpt of announcement:
Intel ID: INTEL-SA-00076
Product family: Intel Server Systems, NUC, and Compute Stick
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Jul 25, 2017
Intel has released updates that improve the security of Intel® Software Guard Extensions (SGX). The improvement applies to 6th and 7th Generation Intel® Core™ Processor Families, Intel® Xeon® E3-1500M v5 and v6 Processor Families, and Intel® Xeon® E3-1200 v5 and v6 Product Families. This update improves the security of Intel® Software Guard Extensions (SGX) and is strongly recommended. While this firmware update prevents exploitation of the issue on systems running SGX, Intel also provides an SGX Attestation service to allow service providers to know whether clients have the latest security updates. Intel plans to update the SGX Attestation Service response on November 14, 2017. On platforms that have not installed the update, SGX applications using the SGX Attestation Service will begin to receive “out of date” responses from the SGX Attestation Service. Applications using SGX may or may not take action based on this information. If SGX Attestation is used, it may be necessary for applications using SGX to re-provision the platform with an updated SGX platform attestation key after this update is installed. This updated attestation key allows the platform to demonstrate that it is up to date.
Full announcement:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00076&languageid=en-fr
XIOSim
https://twitter.com/corkmork/status/886197521797664769
XIOSim is a detailed user-mode microarchitectural simulator for the x86 architecture. It has detailed models for in-order (Atom-like) and out-of-order (Nehalem-like) cores and tightly-integrated power models. XIOSim supports multiprogram and multithreaded execution, regions-of-interest (including SimPoints). It runs at 100s KIPS per simulated core and uses cores on the simulation host to speed up multicore simulation (fastest runs use 2x the number of simulated cores). XIOSim builds on and integrates a significant amount of others’ work:
* The out-of-order performance model from Zesto.
* The Pin binary instrumentation engine.
* The power models from McPAT.
* The DRAM models from DRAMSim2.
Intel releases LUV (Linux UEFI Validation) v2.1
Today Ricardo Neri of Intel announced the 2.1 release of LUV. In addition to updating Linux to v4.11, FWTS to v17.06.00, CHIPSEC to v1.3.1, BITS to v2079, and NDCTL to v56, they also started doing nightly builds. Here are some of the other highlights of this release, from the announcement:
Gayatri Kammela won the prize of the most active contributor with many bug fixes and a new feature. She fixed our netboot image, which was missing the ramdisk(!). She added support for debugging and logging of BITS output via network. Likewise, she reworked the LUV configuration file to make more sense to both humans and computers by making clear when parameters are not used. She also investigated and fixed dependencies in systemd that caused delays in the execution of tests. Lastly, she fixed a couple of build-time bugs.
Naresh Bhat updated our Linux kernel recipe to retrieve the kernel configuration directly from the source tree rather than manually updating it. This helped us to remove those eyesore patches for updating our configuration that needed to be sent every time we bumped to a new kernel version. The overall result looks great and is closer to the intended use of the kernel and Yocto Project’s scripts to merge multiple configuration fragments. I took this opportunity to sanitize the configuration for x86 to add missing configurations and reorganize them.
Sai Praneeth Prakhya added functionality to dump relevant and useful dumps as part of the testing results. Now LUV is capable of dumping the kernel’s boot log, the contents of the ACPI tables as well as the properties of the CPUs in the system. Very useful! Also, he helped us to bump to Linux v4.11. He also took the burden of rebasing our implementation to detect firmware’s illegal memory access in this new version of Linux.
Matt Hart updated our GRUB configuration to automate boots across all CPU architectures by not waiting for human intervention to complete boots.
See the full announcement for lists of Known and Fixed Issues:
https://lists.01.org/mailman/listinfo/luv
In addition to what is mentioned in the LUV announcement, LUV also changed how it calls CHIPSEC; see these posts:
https://lists.01.org/pipermail/chipsec/2017-July/thread.html
These days LUV-live ships in several image variants, so there are multiple choices for the download: BIOS MBR or UEFI GPT partitioning, local or network boot, and x86 or x64 architecture:
https://download.01.org/linux-uefi-validation/v2.1/
https://download.01.org/linux-uefi-validation/v2.1/sha256sums.asc
Intel AMT and JavaScript
Now that Intel® AMT 11.6 is released, it’s finally time to circle back and highlight a big new feature of 11.6 that has been in the works for a long time: Web Storage and the ability for the default Intel® AMT web UI to be replaced. Ever since the start, Intel® AMT has always had a basic web page you could access with any browser. Because it’s all out-of-band, you could access the web page from a browser even if the target computer was soft-off, sleeping or had a non-functioning operating system. Over the last 10 years, the web has come a long way. The built-in Intel® AMT web page offers basic capabilities, but we can do a lot better now with HTML5 and WebSockets.[…]
https://software.intel.com/en-us/blogs/2017/02/13/meshcommander-v044-released
https://software.intel.com/en-us/search/site/language/en?query=AMT
Alex at Black Hat: Where the Guardians of the BIOS Are Failing
Black Hat Vegas: Where the Guardians of the BIOS Are Failing
By Alex Matrosov
In our upcoming Black Hat Vegas talk, we will summarize our research about the UEFI firmware protections and our newly-discovered security problems. This talk raises awareness of these security challenges for hardware vendors, BIOS-level security researchers and defenders, and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious but, with the right tools and knowledge, we can prevail.[…]
https://www.cylance.com/en_us/blog/black-hat-vegas-where-the-guardians-of-the-bios-are-failing.html
Siemens updates for Intel AMT
Siemens has updated their products for Intel AMT vulnerability:
siemens_security_advisory_ssa-874235.pdf
Siemens Patches Critical Intel AMT Flaw in Industrial Products
https://www.theregister.co.uk/2017/07/03/intel_amt_bug_bit_siemens_industrial_pcs/
UEFI-based IoT firmware updates
https://twitter.com/grjohnson10/status/880767835886301184
Simplify Secure, UEFI-Based IoT Firmware Updates
Rich Nass
In the age of the Internet of Things (IoT), where everything is becoming connected, each connection point can be viewed as a “Hack This” sign for the bad guys. To prevent this, developers need to be sure that all firmware and associated patches are kept up to date with verified and secure revision control. Any unpatched or outdated firmware can allow access to critical system functions. Unfortunately, this need to keep firmware updated often goes overlooked by the development team after a product has shipped. In many cases this is due to the resources required and complexities involved. But what if the whole process of updating and securing firmware remotely or over the air (OTA) could be standardized and encapsulated within an easy-to-use, reliable solution that works seamlessly with your underlying hardware? It turns out that such a solution is already in hand.[…]
http://www.insight.tech/industrial/simplify-secure-uefi-based-iot-firmware-updates
UDK2017 available
Brian Richardson of Intel has a new article talking about the latest UEFI dev kit. It includes a summary of the newly-added UEFI features.
https://github.com/tianocore/edk2/releases/tag/vUDK2017
https://github.com/tianocore/tianocore.github.io/wiki/UDK2017#udk2017-features–updates–changes
Intel Skylake/Kaby Lake: broken hyper-threading
Henrique de Moraes Holschuh of the Debian project posted a message about an Intel hyper-threading issue:
[WARNING] Intel Skylake/Kaby Lake processors: broken hyper-threading
This warning advisory is relevant for users of systems with the Intel processors code-named “Skylake” and “Kaby Lake”. These are: the 6th and 7th generation Intel Core processors (desktop, embedded, mobile and HEDT), their related server processors (such as Xeon v5 and Xeon v6), as well as select Intel Pentium processor models.
TL;DR: unfixed Skylake and Kaby Lake processors could, in some situations, dangerously misbehave when hyper-threading is enabled. Disable hyper-threading immediately in BIOS/UEFI to work around the problem. Read this advisory for instructions about an Intel-provided fix.
[…]
Full message:
DumpPartInfo
Hao Wu of Intel posted a patch series to EDK2 which adds support for UEFI’s “EFI Partition Information Protocol”, and includes a DumpPartInfo tool:
Add the EFI Partition Information Protocol per the latest UEFI spec.
Test for the series:
A simple application called ‘DumpPartInfo’ is used to dump the contents of the Partition Information protocols when the following devices are attached:
a. MBR Hard disk
b. GPT Hard disk
c. CDROM
The source of the application and the series is available at:
https://github.com/hwu25/edk2 branch:partition_info_test
8 files changed, 216 insertions(+), 88 deletions(-)
Dmytro on PCI-E/SMM vulnerability
Dmytro has an interesting 6-part twitter post on PCI-e security:
Black Hat Briefings: Firmware is the New Black
Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities
Bruce Monroe, Rodrigo Branco, Vincent Zimmer
In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help make sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focus investments in protecting systems (and finding new vulnerabilities). Our data set comprises 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).
Hardware is the new software
https://twitter.com/binitamshah/status/875375226690863105
Hardware is the new software
Andrew Baumann, Microsoft Research
Moore’s Law may be slowing, but, perhaps as a result, other measures of processor complexity are only accelerating. In recent years, Intel’s architects have turned to an alphabet soup of instruction set extensions such as MPX, SGX, MPK, and CET as a way to sell CPUs through new security features. Unlike prior extensions, which mostly focused on accelerating user-mode data processing, these new features exhibit complex interactions and give system designers plenty to think about. This calls for a rethink of how we approach the instruction set. In this paper we highlight some of the challenges arising from recent security-focused extensions, and speculate about the longer-term implications.
Intel AMT Clickjacking Vulnerability (INTEL-SA-00081)
Today Intel announced a NEW AMT security advisory:
Intel® AMT Clickjacking Vulnerability
Intel ID: INTEL-SA-00081
Product family: Intel® Active Management Technology
Impact of vulnerability: Information Disclosure
Severity rating: Moderate
Original release: Jun 05, 2017
Insufficient clickjacking protection in the Web User Interface of Intel® AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205 potentially allowing a remote attacker to hijack users’ web clicks via an attacker’s crafted web page. Affected products: Intel AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205. Intel highly recommends that users update to the latest version of firmware available from their equipment manufacturer. Intel would like to thank Lenovo for reporting this issue and working with us on coordinated disclosure.[…]
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00081&languageid=en-fr
More on malware use of Intel AMT
After the recent Microsoft mention of AMT being used by malware, there is a bit more in the press on AMT:
Intel: IoT Security in the Developer’s Mind
Ricardo Echevarria of Intel has a new blog post about IoT security:
Internet-enabled smart devices open up a new universe of possibilities for how consumers interact with the world. But those same smart lightbulbs or TVs may pose a serious threat if their designers fail to strengthen the devices’ security protocols. Last year’s Mirai distributed denial-of-service (DDoS) botnet attack was a wake-up call for the computing world. By targeting vulnerable Internet-connected cameras and other Internet of Things (IoT) devices, the massive botnet was able to redirect enough Internet traffic to a DNS provider to crash multiple high-profile websites. It is no surprise then that IoT developers worry more about security than anything else – including interoperability, connectivity, and hardware integration. The Eclipse IoT Working Group’s 2017 IoT Developer Survey shows that security has remained the number one concern among developers for the third straight year.[…]
https://software.intel.com/en-us/blogs/2017/06/07/iot-security-in-the-developers-mind
Microsoft on malware use of Intel AMT
If you thought the recent Intel AMT security issues were just theoretical, here’s an example of malware using AMT.
Intel Excite project
https://twitter.com/DevZoneBlog/status/872118468262473729
There is a new document out from Intel that describes their Excite project. No URL to source code, AFAICT.
Finding BIOS Vulnerabilities with Symbolic Execution and Virtual Platforms
By Engblom, Jakob (Intel), Added June 6, 2017
Finding BIOS Vulnerabilities With Excite
Finding vulnerabilities in code is part of the constant security game between attackers and defenders. An attacker only needs to find one opening to be successful, while a defender needs to search for and plug all or at least most of the holes in a system. Thus, a defender needs more effective tools than the attacker to come out ahead.[…]
https://software.intel.com/en-us/blogs/2017/06/06/finding-bios-vulnerabilities-with-excite
syscall_intercept
syscall_intercept: Userspace syscall intercepting library.
https://github.com/pmem/syscall_intercept