Alexander Ermolov and Ruslan Zakirov will deliver their «NUClear explotion» talk. A major and most significant approach to UEFI BIOS security is preventing it from being illegitimately modified and the SPI flash memory from being overwritten. Modern vendors use a wide range of security mechanisms to ensure that (SMM BLE / SMM BWP / PRx / Intel BIOS Guard) and hardware-supported verification technologies (Intel Boot Guard). In other words, they do everything just not to let an attacker to place a rootkit into a system. Even the likelihood of execution in the most privileged mode of a processor – System Management Mode (can be achieved through vulnerable software SMI handlers) – is of no interest to adversaries since it does not guarantee they will be able to gain a foothold in a system. A single reboot and an attack must be started anew. However, there is a thing that can make all BIOS security mechanisms inefficient. And this thing is a vulnerable update mechanism implemented by a vendor. Moreover, quite often a legitimate updater adds lots and lots of critical security holes to a system. In this talk, we will speak about how vendors manage to throw all those security flaws together in one system using Intel NUC, a small home PC, as an example. Besides, we will demonstrate how an adversary can compromise BIOS from the userland.
by Behnam Eliyahu and Monika Sane
Telemetry refers to an umbrella of tools, utilities, and protocols to remotely extract and decode information for debugging potential issues with Intel® SSDs. Telemetry works over industry standard protocols, and eliminates or minimizes the need to remove SSDs from customer systems for retrieving debug logs. Telemetry thus enables host tools, Intel technical sales specialists, (TSS), Intel application engineers (AEs), and Intel engineering teams to better identify and debug performance excursions, exception events and critical failures in Intel® SSDs, without sending the physical drive to Intel for failure analysis. This capability is designed in accordance with NVMe* 1.3 telemetry specifications as well as corresponding ACS 4 SATA definitions (which are common industry standards), and is expected to accelerate debugging of external and internal bug sightings pertaining to Intel® SSDs. The key difference between NVMe and SATA is the fact that there is no controller-initiated capability on SATA drives.[…]
Responsible for secure design, development and operation of Intel’s hardware and software products and services. Responsibilities may include threat assessments, design of security components, and vulnerability assessment.
4+ years of experience in the field of system security research and exploring software and hardware techniques as a method of attack against targets within compute systems.
In-depth experience with security threats, vulnerability research, physical attack techniques (power analysis, fault injection, reverse engineering, etc.), side-channel attack methods.
Knowledge of security technologies: authentication, cryptography, secure protocol, etc.
Knowledge of computer architecture CPU, SoC, chipsets, BIOS, Firmware, Drivers, and others
When we switch on a computer, it goes through a series of steps before it is able to load the operating system. In this post we will see how a typical x86 processor boots. This is a very complex and involved process. We will only present a basic overall structure. Also what path is actually taken by the processor to reach a state where it can load an OS, is dependent on boot firmware. We will follow example of coreboot, an open source boot firmware.[…]
Intel® Server Boards Firmware Advisory
Intel® RAID Web Server 3 Service Advisory
Intel® NUC Bios Updater Advisory
Intel® NVMe and Intel® RSTe Driver Pack Advisory
Intel® Server Board Firmware Advisory
Brian Richardson of Intel has a new blog post, after the Open Source Firmware Conference, on open source firmware issues:
Vincent has a new blog post, covering some of his recent tour of speaking engagements, with a bit on UEFI, and even some FSP humor.
Intel® Distribution for Python 2018 for Windows Advisory
Intel® Centrino® Wireless-N and Intel® Centrino® Advanced-N products Bluetooth Driver Advisory
Intel® NUC Firmware Security Advisory
Intel® IoT Developers Kit Permissions Advisory
OpenVINO™ Toolkit for Windows Permissions Issue Advisory
Intel® Data Migration Software Improper Permissions Advisory
Intel® Driver & Support Assistant and Intel® Software Asset Manager Advisory
Intel® Extreme Tuning Utility Advisory
Intel® Baseboard Management Controller (BMC) firmware Advisory
Intel® Server Board TPM Advisory
Intel® Data Center Manager SDK Advisory
Intel® Platform Trust Technology (PTT) Update Advisory
Intel® Active Management Technology 9.x/10.x/11.x/12.x Security Review Cumulative Update Advisory
Power Management Controller (PMC) Security Advisory
Intel® CSME Assets Advisory
INTEL-SA-00086 Detection Tool DLL Injection Issue Advisory
A newly completed Trusted Platform Module 2.0 (TPM2) software stack is being introduced, developed to comply with the most recent Trusted Computing Group (TCG) v1.38 specification and work on any TPM2 implementation. Partnering with key players within the domain of Trusted Computing such as Infineon and Fraunhofer SIT, Intel has made large investments in code improvements and new functionality compared to the previous version. This includes the initialization of the TSS Stack development and the SAPI, TCTI and abrmd layer. Based on this development, Infineon and Fraunhofer SIT enabled the support of the Enhanced System API (ESAPI) layer, which is intended to reduce programming complexity and to simplify the use and integration of the TPM.[…]
“This is the first time Intel has staged a public TianoCore hack-a-thon event.”
Vulnerability INTEL-SA-00086 allows to activate JTAG for Intel Management Engine core. We developed our JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. Although we recommend that would-be researchers use the same platform, other manufacturers’ platforms with the Intel Apollo Lake chipset should support the PoC as well (for TXE version 126.96.36.1997).[…]
Intel updated their document today, and revised their microcode license:
If you use Binary Ninja and have to look at 8086 binaries, here’s a new plugin that should help:
EfiWrapper is a library which simulate a UEFI firmware implementation. Its first purpose is to run a subset of the Kernelflinger OS loader to run in a non-UEFI environment.
Created about 2 years ago. Recently updated.
In case technical issues weren’t enough, the lawyers at Intel have apparently made it more difficult for some open source operating systems to use the latest Intel microcode.
PS: AMD is apparently still blocked at technical issues:
An Intel response to a question about SGX support on Celadon (Intel’s flavor of Android, tuned for Intel systems):
“By now there is no plan to support SGX for Android. Hope it clarifies.”
MicroPython for UEFI systems is available, see Brian’s edk2-devel list posting and the Tianocore wiki for more details: