Nikolaj joins Apple!!

WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!

As well, UEFITool has new maintainers, Alex and Dmytro!!

status of MITRE Copernicus

AFAIK, Copernicus was the first firmware vulnerability analysis tool. MITRE’s research in this area is required reading for anyone learning x86 firmware security. But then, half of the 4-person team left MITRE to create LegbaCore, and have since both joined Apple. These days, AFAIK, Copernicus is not actively maintained.  I was not sure of status of MITRE Copernicus (or Copernicus2), so I asked MITRE, and K. Wright, their Public Affairs Lead gave me the current status of Copernicus:

“MITRE continues to research security risks associated with UEFI and firmware. However, development and feature enhancements on the proof-of-concept known as Copernicus is no longer active. Many of the emerging commercial offerings coming to the market show promise similar to what had been demonstrated in Copernicus as an off-the-shelf option.”

More information:

http://www.mitre.org/research/technology-transfer/technology-licensing/copernicus

 

Without fresh builds of Copernicus, Intel CHIPSEC is probably the main (only?) firmware vulnerability analysis tool actively maintained. It would be nice if there were a few other tools, ESPECIALY for non-Intel systems: ARM, AMD, MIPS, OpenPOWER, etc. I wish MITRE would open source their PoC so the open source community could help maintain/extend it (eg., port it to Linux).

Apple acquires Legbacore — in the news again!

Back in November, Apple hired Legbacore’s hardware/firmware experts to help secure Apple hardware.

https://firmwaresecurity.com/2015/11/10/apple-acquires-legbacore/

Ok, that was months ago. But for the last week, the above URL re-appeared on this blog’s stats as the most visited URL. Then, a few days later, there’s now a slew of stories on this, like it just happened today. Today, this is the top store on Google News for UEFI. Strange, how tech news works.

http://appleinsider.com/articles/16/02/02/apple-hires-firmware-security-experts-who-worked-on-thunderstrike-2-exploit
http://www.macrumors.com/2016/02/02/apple-acquired-legbacore/
http://thenextweb.com/apple/2016/02/03/apple-acquired-the-security-company-that-found-bugs-in-mac-firmware/
http://timesofindia.indiatimes.com/tech/tech-news/Apple-acquired-the-company-that-exposed-flaws-in-its-firmware/articleshow/50837174.cms
http://www.businessinsider.com/apple-hired-the-hackers-who-created-the-first-mac-firmware-virus-2016-2
http://www.engadget.com/2016/02/03/apple-legbacore-thunderstrike-acquisition/
http://www.patentlyapple.com/patently-apple/2016/02/apple-acquired-legbacore-to-advance-security-for-macs.html
http://gadgets.ndtv.com/laptops/news/apple-buys-security-firm-legbacore-that-exposed-vulnerabilities-in-os-x-797979
http://www.bidnessetc.com/62638-apple-inc-acquires-mac-virus-detector-legbacore/

I am eagerly awaiting to see the results of their work, I hope future macs have a “Legbacore”-ready logo on it, or something so I know it’s better than the older hardware. 🙂

Apple acquires LegbaCore!!

WOW, LegbaCore closes down, Xeno and Corey join Apple!!!!

https://twitter.com/XenoKovah/

I expect Apple will shortly have MUCH MORE secure firmware/hardware systems, with their help! Other OEMs should be a little scared today.

 

Whitepaper from Legbacore on Thunderstrike

At GSEC HITB Singapore 2015, Legbacore gave pre-conference training. As well, they gave a presentation on Thunderstrike. Beyond the presentation slides, the whitepaper is now available!

http://gsec.hitb.org/materials/sg2015/

http://gsec.hitb.org/materials/sg2015/D2%20-%20Xeno%20Kovah%20-%20Thunderstrike%202%20-%20Sith%20Strike.pdf
http://gsec.hitb.org/materials/sg2015/whitepapers/Xeno%20Kovah%20-%20Thunderstrike%202%20-%20Sith%20Strike.pdf

LegbaCore adds BIOS/SMM training to OpenSecurityTraining.Info!

They’ve added a 2-day training course on BIOS/SMM, “Advanced x86: Introduction to BIOS & SMM”! The BIOS researchers at MITRE — and half of them now at LebaCore — are one of the main pioneers of BIOS research, and this is one of ther main training sessions. Wow!

“Around 2011, the trustworthy system measurement research project that Xeno Kovah was running at MITRE decided to start digging deeper than the Windows kernel and rootkit detection, to try and detect malicious software at the BIOS level. Xeno & Corey Kallenberg continued to work on Kernel, while team member John Butterworth was tasked with starting to learn about BIOS in parallel. John’s work led to the “BIOS Chronomancy” work (published at both BlackHat and ACM CCS), porting the team’s existing Timing-Based Attestation system from the kernel level down to the BIOS. Xeno then asked John to start making an open source training class to capture his knowledge, the same way that Xeno & Corey had captured their past knowledge on the project and uploaded it to OST. John created a 2 day Intro BIOS class and got it public released from MITRE. The intention originally was that it would cover all basics of BIOS which would be applicable to both legacy BIOS, CoreBoot, or UEFI-based systems. And then it was expected there would be a follow on class digging deeper into the specifics of UEFI. Unfortunately time prohibited the creation of that 2nd 2 days of classes focusing on UEFI, so you can see that some minimal UEFI content was eventually shoehorned into this class, though frequently there isn’t enough time to get to it within 2 days. It is our hope that this Introductory BIOS & SMM class will help demystify how x86 systems work at the low levels, so that people can better understand the BIOS/SMM/SecureBoot vulnerabilities described in the team’s work while at MITRE, and later after Xeno & Corey founded LegbaCore. With this knowledge in hand, hopefully students can fully appreciate and explain to others why it is so critical that BIOS patch management be performed by organizations, to eliminate the vulnerabilities that lurk at this level.

http://opensecuritytraining.info/IntroBIOS.html

MITRE Copernicus

MITRE Copernicus was — AFAICT — the first public firmware vulnerability analysis tool. I’ve not given it enough coverage here, only a single post:

https://firmwaresecurity.com/2015/05/22/mitre-copernicus/

I presume that everyone already knows about it. If you don’t know about it, it is worth investigating

It appears that MITRE hasn’t updated Copernicus, in a while, at least I can’t find any. I just noticed that Xeno of LebaCore, formerly of MITRE and one of the Copernicus developers, gave an URL to the latest version of it, which is a public download:

The same URL to that zip is in the below mini-review for BIOS Diff, a cross-platform open source firmware utility that is included in Copernicus:

https://firmwaresecurity.com/2015/05/21/tool-mini-review-bios_diff-py/

Copernicus is Windows-centric, and public release is closed-source, including the driver. I wish there was another host for it, in addition to blackhat.com, a domain commonly attacked by hacker. I wish it was hosted in another place, and included a .SHA256 and OpenPGP .ASC sidecar files for verfication. I REALLY wish the sources to the Windows driver were published!

Looking forward to another version of Copernicus, or some other new tools from LegbaCore!

 

LegbaCore training announcement

The 2-day agenda:
    Introduction to BIOS concepts
        General system configuration responsibilities
        Security-specific configuration responsibilities
    Hardware architecture
        ICH/MCH/PCH
        SPI flash chip
    Usage of PCI for x86 system internals
    Talking to hardware through the PCI configuration space
    PCI Option ROMs (and their use in attack)
    BIOS access control mechanisms
        How they fail
        Tools to detect their failure
    System Management Mode (SMM)
        Why SMM is basically the best place for an attacker to live on an x86 system
        Discussion of how the BIOS instantiates SMM from flash chip contents
        Discussion of how attackers can break into SMM even without persisting on the flash chip
    Introduction to UEFI BIOS
        The UEFI phases and security parameters specific to UEFI
        UEFI Firmware Filesystem
    Reverse engineering UEFI modules
        Applying UEFI structure definitions in IDA Pro
    How Secure Boot & Measured Boot work
        Attacks against Secure Boot
        Attacks against Measured Boot
    Specific tools useful for performing further firmware security research
        RWEverything
        ChipSec

http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/

WPBT attacks from the past: Alex at SyScan12

The recent Lenovo LSE blunder made most of the world aware of Windows WBPT ACPI table and how the firmware injects an executable into the OS, a feature of Windows that all OEMs are likely using. While the media is wondering about WBPT and why it’s not prominently displayed on many web sites, Xeno of LegbaCore pointed out that Alex Ionescu gave a talk at SyScan 2012 on this specific topic:

ACPI 5.0 Rootkit Attacks Againts Windows 8
Alex Ionescu
This talk will disclose certain new features of the ACPI 5.0 Specification which is now public and was primarily designed to support ACPI on ARM Embedded SoCs for the upcoming release of Windows 8. Some of these new features have important security considerations which have not been traditionally monitored by security products and/or users, specifically in the areas of covert code execution at Ring 0 privileges.

https://www.syscan.org/index.php/download/get/a722b1acb9396d82323da3a78235fdc0/SyScan12Slides.zip
https://www.syscan.org/index.php/archive/view/year/2012/city/sg/pg/program
https://www.syscan.org/index.php/archive/view/year/2012/city/sg/pg/speakers#004
https://www.syscan.org/index.php/download/previous
http://www.alex-ionescu.com/

Thanks for reminding us, Xeno!

Interview with LegbaCore (and: their OpROM checker ships!)

A while ago, I emailed Corey and Xeno of LegbaCore, and sent them a few questions for an ‘interview’ for this blog. Well, here’s the results (also see EOM for URLs):

Q: This October in Singapore you’re giving 3-days of training at HITB. Besides new Apple EFI skills, can you give us some other new things that’ll be in this training?
A: The course introduces the basics of evaluating firmware and SMM on modern platforms for security vulnerabilities, as well as for potential compromises. Specifically we work through methodologies for identifying whether or not your system contains publically known vulnerabilities (which a great majority of them do). We also introduce a firmware forensic and reverse engineering methodology for identifying potential firmware compromises… so say if you got comprised by something like the hacking team UEFI rootkit, we’d talk about the tools and procedures that would be useful for identifying and analyzing this threat both on one particular system and at scale across your enterprise.
    The most important point of the training is it will be focused on real hardware that is deployed in real environments. A large portion of the course will involve evaluating the hardware that students bring with them. This way if you’re in charge of malware detection/response in an enterprise, you’ll walk away with actionable information related to the hardware you are deploying on your network.

Q: You had a Twitter post a few weeks (months?) back, saying that you were going to start releasing information about OEM systems’s vulnerabilities. What’s up with that project, I’m eager to see this data, as Consumer Reports and other computer review sources are useless for this most crucial pre-sales information. Any chance you could give FirmwareSecurity.com a teaser of this information, perhaps one new OEM model released in the last 6 months that’s insecure? 🙂
A: We anticipate that the project to start making some vendors’ firmware security failings more apparent (via a public website) will probably kick off in early 2016. We want to give all vendors that we think may have an interest in improving their security a chance to either talk with us about working with them, or show that they can make measurable security improvements on their own within this timeframe.

Q: You had a Twitter post a few days ago, pointing to a new LegbaCore Github repository for a new Option ROM checking tool. This sounds very interesting! What kinds of Option ROM(s) will it support? What platform(s) will it run on? When can we expect initial release?
A: It will only integrity check the Apple Thunderbolt to Ethernet adapter’s option ROM. It will work in conjunction with a port of the linux tg3 kernel driver to run on Macs to dump the OROM. The “ethtool” command can also be run to dump the OROM on linux systems that have a thunderbolt port and the tg3 driver available. The tool will be released to coincide with the talk at BlackHat, August 6th.

Q: Beyond this new Option ROM checker, does LegbaCore have any additional tool plans in the works? If so, any details to reveal?
A: Our current thinking on tools is that we expect that we will make clean-slate “best effort” tools freely available at some point in the future. These tools would be like all typical security tools, being not particularly trustworthy, and thus vulnerable to attacker subversion. They would mostly be useful for catching attackers as they first enter into the domain, and are not particularly sophisticated. However we will only make those tools available once we have commercial-grade tools available, that have a trust argument for why these paid tools have the ability to stand up to sophisticated and well-resourced adversaries. And in the background we will work with vendors to add capabilities such as SMM Dual Monitor mode, which significantly strengthen the trust arguments

Q: The Copernicus release is mostly Windows-centric, but also includes a cross-platform, bios_diff.py tool in the release. Will the new LegbaCore github tree include a open source bios_diff project, perhaps to get open source patches for improved BIOS parsing beyond EFIPWN, perhaps like that in UEFITool?
A: While bios_diff.py continues to provide the only simple, semantically aware integrity checking capability for BIOS, it has a number of issues. E.g. in the context of our latest work, it simply doesn’t work to integrity check Apple firmware, because Apple firmware update structure does not look the same as the structure on-disk.

Q: Post-October/HITB, what’s the next LegbaCore BIOS/UEFI security training event you’ll be giving?
A: Later in October I’ll be offering a similar training at Ruxcon breakpoint. Beyond that we are fairly busy with private training engagements.

Q: Any hints what kind of new firmware vulnerability research you’re working on, and when we might see some of the results?
A: We are branching out to the security of peripheral devices such as network cards, HDs/SSDs, embedded controllers, GPUs, the Intel Management Engine, etc. We are shooting to have our first talk on one of these topics around December.

Q: Recently Stephan of coreboot mentioned that in the past MITRE said that Chrome OS firmware was more secure than UEFI. Both coreboot+depthcharge’s Verified Boot and UEFI’s Secure Boot both seem pretty similar, in terms of PKI usage. Have you an opinion on the security strength of either of these firmware solutions?
A: We have never evaluated CoreBoot to any level of depth. Hardware-wise, we like the Chromebook requirement to provide physical write protection for the flash chip via a screw. The way that Chromebooks supposedly root their boot trust in the embedded controller hardware, as described to us, sounded like a good idea. But without having actually spent time looking at the platforms, we cannot say much in terms of the security (or lack thereof) relative to UEFI-based systems.

—-[End of interview.]

Thanks Corey and Xeno!
Links:

<blink>THEIR OPROM CHECKER IS RELEASED!</blink>
The code was added 5 days ago, and I missed it!
https://github.com/legbacore/t2e_integrity_check

Upcoming training:
http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
https://ruxconbreakpoint.com/training/bios/
http://www.legbacore.com/Training.html

Stephan’s comment on coreboot security:

Thunderstrike 2 research available

The slides from the Black Hat Briefings’ talk on Thunderstrike2 are now online:

This talk won a Pwnie!

Thunderstrike 2: Sith Strike
http://legbacore.com/Research_files/ts2-blackhat.pdf
http://legbacore.com/Research_files/ts2-blackhat.pptx
http://legbacore.com/Research_files/ts2-blackhat.key

http://legbacore.com/Research.html
https://trmm.net/Thunderstrike_2

quiz: define ‘firmworm’

The pre-conference preview videos are coming out… 🙂 One firmware one that caught my attention:

Thunderstrike 2 “firmworm” for MacBooks Preview Video

US CERT BIOS Vulnerability Note VU#577140!

Today, US CERT released a Vulernability Notice for UEFI firmware:

Vulnerability Note VU#577140
BIOS implementations fail to properly set UEFI write protections after waking from sleep mode

Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
Description

According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):

    There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware’s point of view.

    Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wakes again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitary reflash.

A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vilaça’s blog disclosure.

See URL for full Notice.

http://www.kb.cert.org/vuls/id/577140

DEF CON 23

In DEF CON is happening shortly, or maybe it’s cancelled, I’m not sure. 🙂 Two talks immediately jump out:

ThunderStrike 2: Sith Strike

Trammel Hudson Vice President, Two Sigma Investments
Xeno Kovah Co-founder, LegbaCore, LLC
Corey Kallenberg Co-Founder, LegbaCore, LLC

The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Mac’s are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.

and:

 
Attacking Hypervisors Using Firmware and Hardware

Yuriy Bulygin Advanced Threat Research, Intel Security
Mikhail Gorobets Advanced Threat Research, Intel Security
Alexander Matrosov Advanced Threat Research, Intel Security
Oleksandr Bazhaniuk Advanced Threat Research, Intel Security
Andrew Furtak Security Researcher

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

And that’s just the ‘tip of the iceberg, for talks… Teddy Reed (author of UEFI Firmware Parser) has a talk. Joe FitzPatrick (of SecuringHardware.com) has a talk. There’s a talk on hardware side-channel attacks, one on BadUSB-like security, one on hardware trust, on medical device security, and a few other firmware-related talks, around 31 hits to ‘firmware’ in the schedule! Amongst the Workshops, there are some fun ones, including: ARM for pentesters, and Embedded System Design. In the Villages, the Hardware Hacking Village and the IoT Village sound interesting.

More Information:
https://www.defcon.org/html/defcon-23/dc-23-schedule.html

https://plus.google.com/+DefconOrgplus/posts
https://www.defcon.org/html/links/dc-goons.html

LegbaCore Mac firmware bricking demo and upcoming training

Yesterday LegbaCore published a video of a bricking demo of a a Mac Mini firmware vulnerability.

https://www.youtube.com/watch?v=LEEEazuc8Dg&feature=youtu.be

“Apple does not follow Intel’s recommended best practices for protecting their firmware. Consequently Macs are vulnerable to being disabled in such a way that they can never be made bootable again either by attempting to boot off external media (like a DVD/USB) and reinstalling the OS, or by changing the entire HD/SSD with a known working one. The only way to recover from such attacks is to reflash the SPI flash chip with a known-clean copy of the firmware. This attack does not require physical presence. It can be launched via a remote connection to the system (e.g. SSH/VNC).”

https://twitter.com/legbacore/status/624062348324528128

LegbaCore has some upcoming training at HackInTheBox Singapore in October, and it appears this 3-day training will cover some of this new Apple EFI research:

https://twitter.com/coreykal/status/624210503766663168

http://www.legbacore.com/Training.html
http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
https://firmwaresecurity.com/2015/06/08/legbacore-summer-tour-announced/