WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!
As well, UEFITool has new maintainers, Alex and Dmytro!!
Tag: LegbaCore
status of MITRE Copernicus
AFAIK, Copernicus was the first firmware vulnerability analysis tool. MITRE’s research in this area is required reading for anyone learning x86 firmware security. But then, half of the 4-person team left MITRE to create LegbaCore, and have since both joined Apple. These days, AFAIK, Copernicus is not actively maintained. I was not sure of status of MITRE Copernicus (or Copernicus2), so I asked MITRE, and K. Wright, their Public Affairs Lead gave me the current status of Copernicus:
“MITRE continues to research security risks associated with UEFI and firmware. However, development and feature enhancements on the proof-of-concept known as Copernicus is no longer active. Many of the emerging commercial offerings coming to the market show promise similar to what had been demonstrated in Copernicus as an off-the-shelf option.”
More information:
http://www.mitre.org/research/technology-transfer/technology-licensing/copernicus
Without fresh builds of Copernicus, Intel CHIPSEC is probably the main (only?) firmware vulnerability analysis tool actively maintained. It would be nice if there were a few other tools, ESPECIALY for non-Intel systems: ARM, AMD, MIPS, OpenPOWER, etc. I wish MITRE would open source their PoC so the open source community could help maintain/extend it (eg., port it to Linux).
Apple acquires Legbacore — in the news again!
Back in November, Apple hired Legbacore’s hardware/firmware experts to help secure Apple hardware.
https://firmwaresecurity.com/2015/11/10/apple-acquires-legbacore/
Ok, that was months ago. But for the last week, the above URL re-appeared on this blog’s stats as the most visited URL. Then, a few days later, there’s now a slew of stories on this, like it just happened today. Today, this is the top store on Google News for UEFI. Strange, how tech news works.
http://appleinsider.com/articles/16/02/02/apple-hires-firmware-security-experts-who-worked-on-thunderstrike-2-exploit
http://www.macrumors.com/2016/02/02/apple-acquired-legbacore/
http://thenextweb.com/apple/2016/02/03/apple-acquired-the-security-company-that-found-bugs-in-mac-firmware/
http://timesofindia.indiatimes.com/tech/tech-news/Apple-acquired-the-company-that-exposed-flaws-in-its-firmware/articleshow/50837174.cms
http://www.businessinsider.com/apple-hired-the-hackers-who-created-the-first-mac-firmware-virus-2016-2
http://www.engadget.com/2016/02/03/apple-legbacore-thunderstrike-acquisition/
http://www.patentlyapple.com/patently-apple/2016/02/apple-acquired-legbacore-to-advance-security-for-macs.html
http://gadgets.ndtv.com/laptops/news/apple-buys-security-firm-legbacore-that-exposed-vulnerabilities-in-os-x-797979
http://www.bidnessetc.com/62638-apple-inc-acquires-mac-virus-detector-legbacore/
I am eagerly awaiting to see the results of their work, I hope future macs have a “Legbacore”-ready logo on it, or something so I know it’s better than the older hardware. 🙂
Apple acquires LegbaCore!!
WOW, LegbaCore closes down, Xeno and Corey join Apple!!!!
https://twitter.com/XenoKovah/
I expect Apple will shortly have MUCH MORE secure firmware/hardware systems, with their help! Other OEMs should be a little scared today.
Whitepaper from Legbacore on Thunderstrike
At GSEC HITB Singapore 2015, Legbacore gave pre-conference training. As well, they gave a presentation on Thunderstrike. Beyond the presentation slides, the whitepaper is now available!
http://gsec.hitb.org/materials/sg2015/
Click to access D2%20-%20Xeno%20Kovah%20-%20Thunderstrike%202%20-%20Sith%20Strike.pdf
Click to access Xeno%20Kovah%20-%20Thunderstrike%202%20-%20Sith%20Strike.pdf
LegbaCore’s research timeline
LegbaCore has a nice bibliography of “Low Level PC Attack papers”, Intel hardware/firmware security research, using TimeGlider.
LegbaCore adds BIOS/SMM training to OpenSecurityTraining.Info!
They’ve added a 2-day training course on BIOS/SMM, “Advanced x86: Introduction to BIOS & SMM”! The BIOS researchers at MITRE — and half of them now at LebaCore — are one of the main pioneers of BIOS research, and this is one of ther main training sessions. Wow!
“Around 2011, the trustworthy system measurement research project that Xeno Kovah was running at MITRE decided to start digging deeper than the Windows kernel and rootkit detection, to try and detect malicious software at the BIOS level. Xeno & Corey Kallenberg continued to work on Kernel, while team member John Butterworth was tasked with starting to learn about BIOS in parallel. John’s work led to the “BIOS Chronomancy” work (published at both BlackHat and ACM CCS), porting the team’s existing Timing-Based Attestation system from the kernel level down to the BIOS. Xeno then asked John to start making an open source training class to capture his knowledge, the same way that Xeno & Corey had captured their past knowledge on the project and uploaded it to OST. John created a 2 day Intro BIOS class and got it public released from MITRE. The intention originally was that it would cover all basics of BIOS which would be applicable to both legacy BIOS, CoreBoot, or UEFI-based systems. And then it was expected there would be a follow on class digging deeper into the specifics of UEFI. Unfortunately time prohibited the creation of that 2nd 2 days of classes focusing on UEFI, so you can see that some minimal UEFI content was eventually shoehorned into this class, though frequently there isn’t enough time to get to it within 2 days. It is our hope that this Introductory BIOS & SMM class will help demystify how x86 systems work at the low levels, so that people can better understand the BIOS/SMM/SecureBoot vulnerabilities described in the team’s work while at MITRE, and later after Xeno & Corey founded LegbaCore. With this knowledge in hand, hopefully students can fully appreciate and explain to others why it is so critical that BIOS patch management be performed by organizations, to eliminate the vulnerabilities that lurk at this level.
Legbacore research update
MITRE Copernicus
MITRE Copernicus was — AFAICT — the first public firmware vulnerability analysis tool. I’ve not given it enough coverage here, only a single post:
https://firmwaresecurity.com/2015/05/22/mitre-copernicus/
I presume that everyone already knows about it. If you don’t know about it, it is worth investigating
It appears that MITRE hasn’t updated Copernicus, in a while, at least I can’t find any. I just noticed that Xeno of LebaCore, formerly of MITRE and one of the Copernicus developers, gave an URL to the latest version of it, which is a public download:
The same URL to that zip is in the below mini-review for BIOS Diff, a cross-platform open source firmware utility that is included in Copernicus:
https://firmwaresecurity.com/2015/05/21/tool-mini-review-bios_diff-py/
Copernicus is Windows-centric, and public release is closed-source, including the driver. I wish there was another host for it, in addition to blackhat.com, a domain commonly attacked by hacker. I wish it was hosted in another place, and included a .SHA256 and OpenPGP .ASC sidecar files for verfication. I REALLY wish the sources to the Windows driver were published!
Looking forward to another version of Copernicus, or some other new tools from LegbaCore!
LegbaCore training announcement
The 2-day agenda:
Introduction to BIOS concepts
General system configuration responsibilities
Security-specific configuration responsibilities
Hardware architecture
ICH/MCH/PCH
SPI flash chip
Usage of PCI for x86 system internals
Talking to hardware through the PCI configuration space
PCI Option ROMs (and their use in attack)
BIOS access control mechanisms
How they fail
Tools to detect their failure
System Management Mode (SMM)
Why SMM is basically the best place for an attacker to live on an x86 system
Discussion of how the BIOS instantiates SMM from flash chip contents
Discussion of how attackers can break into SMM even without persisting on the flash chip
Introduction to UEFI BIOS
The UEFI phases and security parameters specific to UEFI
UEFI Firmware Filesystem
Reverse engineering UEFI modules
Applying UEFI structure definitions in IDA Pro
How Secure Boot & Measured Boot work
Attacks against Secure Boot
Attacks against Measured Boot
Specific tools useful for performing further firmware security research
RWEverything
ChipSec
http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
WPBT attacks from the past: Alex at SyScan12
The recent Lenovo LSE blunder made most of the world aware of Windows WBPT ACPI table and how the firmware injects an executable into the OS, a feature of Windows that all OEMs are likely using. While the media is wondering about WBPT and why it’s not prominently displayed on many web sites, Xeno of LegbaCore pointed out that Alex Ionescu gave a talk at SyScan 2012 on this specific topic:
ACPI 5.0 Rootkit Attacks Againts Windows 8
Alex Ionescu
This talk will disclose certain new features of the ACPI 5.0 Specification which is now public and was primarily designed to support ACPI on ARM Embedded SoCs for the upcoming release of Windows 8. Some of these new features have important security considerations which have not been traditionally monitored by security products and/or users, specifically in the areas of covert code execution at Ring 0 privileges.
https://www.syscan.org/index.php/download/get/a722b1acb9396d82323da3a78235fdc0/SyScan12Slides.zip
https://www.syscan.org/index.php/archive/view/year/2012/city/sg/pg/program
https://www.syscan.org/index.php/archive/view/year/2012/city/sg/pg/speakers#004
https://www.syscan.org/index.php/download/previous
http://www.alex-ionescu.com/
Thanks for reminding us, Xeno!
Interview with LegbaCore (and: their OpROM checker ships!)
A while ago, I emailed Corey and Xeno of LegbaCore, and sent them a few questions for an ‘interview’ for this blog. Well, here’s the results (also see EOM for URLs):
Q: This October in Singapore you’re giving 3-days of training at HITB. Besides new Apple EFI skills, can you give us some other new things that’ll be in this training?
A: The course introduces the basics of evaluating firmware and SMM on modern platforms for security vulnerabilities, as well as for potential compromises. Specifically we work through methodologies for identifying whether or not your system contains publically known vulnerabilities (which a great majority of them do). We also introduce a firmware forensic and reverse engineering methodology for identifying potential firmware compromises… so say if you got comprised by something like the hacking team UEFI rootkit, we’d talk about the tools and procedures that would be useful for identifying and analyzing this threat both on one particular system and at scale across your enterprise.
The most important point of the training is it will be focused on real hardware that is deployed in real environments. A large portion of the course will involve evaluating the hardware that students bring with them. This way if you’re in charge of malware detection/response in an enterprise, you’ll walk away with actionable information related to the hardware you are deploying on your network.
Q: You had a Twitter post a few weeks (months?) back, saying that you were going to start releasing information about OEM systems’s vulnerabilities. What’s up with that project, I’m eager to see this data, as Consumer Reports and other computer review sources are useless for this most crucial pre-sales information. Any chance you could give FirmwareSecurity.com a teaser of this information, perhaps one new OEM model released in the last 6 months that’s insecure? 🙂
A: We anticipate that the project to start making some vendors’ firmware security failings more apparent (via a public website) will probably kick off in early 2016. We want to give all vendors that we think may have an interest in improving their security a chance to either talk with us about working with them, or show that they can make measurable security improvements on their own within this timeframe.
Q: You had a Twitter post a few days ago, pointing to a new LegbaCore Github repository for a new Option ROM checking tool. This sounds very interesting! What kinds of Option ROM(s) will it support? What platform(s) will it run on? When can we expect initial release?
A: It will only integrity check the Apple Thunderbolt to Ethernet adapter’s option ROM. It will work in conjunction with a port of the linux tg3 kernel driver to run on Macs to dump the OROM. The “ethtool” command can also be run to dump the OROM on linux systems that have a thunderbolt port and the tg3 driver available. The tool will be released to coincide with the talk at BlackHat, August 6th.
Q: Beyond this new Option ROM checker, does LegbaCore have any additional tool plans in the works? If so, any details to reveal?
A: Our current thinking on tools is that we expect that we will make clean-slate “best effort” tools freely available at some point in the future. These tools would be like all typical security tools, being not particularly trustworthy, and thus vulnerable to attacker subversion. They would mostly be useful for catching attackers as they first enter into the domain, and are not particularly sophisticated. However we will only make those tools available once we have commercial-grade tools available, that have a trust argument for why these paid tools have the ability to stand up to sophisticated and well-resourced adversaries. And in the background we will work with vendors to add capabilities such as SMM Dual Monitor mode, which significantly strengthen the trust arguments
Q: The Copernicus release is mostly Windows-centric, but also includes a cross-platform, bios_diff.py tool in the release. Will the new LegbaCore github tree include a open source bios_diff project, perhaps to get open source patches for improved BIOS parsing beyond EFIPWN, perhaps like that in UEFITool?
A: While bios_diff.py continues to provide the only simple, semantically aware integrity checking capability for BIOS, it has a number of issues. E.g. in the context of our latest work, it simply doesn’t work to integrity check Apple firmware, because Apple firmware update structure does not look the same as the structure on-disk.
Q: Post-October/HITB, what’s the next LegbaCore BIOS/UEFI security training event you’ll be giving?
A: Later in October I’ll be offering a similar training at Ruxcon breakpoint. Beyond that we are fairly busy with private training engagements.
Q: Any hints what kind of new firmware vulnerability research you’re working on, and when we might see some of the results?
A: We are branching out to the security of peripheral devices such as network cards, HDs/SSDs, embedded controllers, GPUs, the Intel Management Engine, etc. We are shooting to have our first talk on one of these topics around December.
Q: Recently Stephan of coreboot mentioned that in the past MITRE said that Chrome OS firmware was more secure than UEFI. Both coreboot+depthcharge’s Verified Boot and UEFI’s Secure Boot both seem pretty similar, in terms of PKI usage. Have you an opinion on the security strength of either of these firmware solutions?
A: We have never evaluated CoreBoot to any level of depth. Hardware-wise, we like the Chromebook requirement to provide physical write protection for the flash chip via a screw. The way that Chromebooks supposedly root their boot trust in the embedded controller hardware, as described to us, sounded like a good idea. But without having actually spent time looking at the platforms, we cannot say much in terms of the security (or lack thereof) relative to UEFI-based systems.
—-[End of interview.]
Thanks Corey and Xeno!
Links:
<blink>THEIR OPROM CHECKER IS RELEASED!</blink>
The code was added 5 days ago, and I missed it!
https://github.com/legbacore/t2e_integrity_check
Upcoming training:
http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
https://ruxconbreakpoint.com/training/bios/
http://www.legbacore.com/Training.html
Stephan’s comment on coreboot security:
More details on Thunderstrike 2
Beyond this media:
https://firmwaresecurity.com/2015/08/07/thunderstrike-2-research-available/
there is more presentation materials available:
Nicely annotated!!
https://trmm.net/Thunderstrike2_details
Thunderstrike 2 research available
The slides from the Black Hat Briefings’ talk on Thunderstrike2 are now online:
This talk won a Pwnie!
Thunderstrike 2: Sith Strike
Click to access ts2-blackhat.pdf
http://legbacore.com/Research_files/ts2-blackhat.pptx
http://legbacore.com/Research_files/ts2-blackhat.key
http://legbacore.com/Research.html
https://trmm.net/Thunderstrike_2
quiz: define ‘firmworm’
The pre-conference preview videos are coming out… 🙂 One firmware one that caught my attention:
Thunderstrike 2 “firmworm” for MacBooks Preview Video
Wired on Apple EFI vulnerabilities
Wired magazine has a new story focusing on Apple Mac EFI vulnerabilties. Well-written article, nice background details.
http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/
US CERT BIOS Vulnerability Note VU#577140!
Today, US CERT released a Vulernability Notice for UEFI firmware:
Vulnerability Note VU#577140
BIOS implementations fail to properly set UEFI write protections after waking from sleep mode
Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
Description
According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):
There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware’s point of view.
Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wakes again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitary reflash.
A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vilaça’s blog disclosure.
See URL for full Notice.
DEF CON 23
In DEF CON is happening shortly, or maybe it’s cancelled, I’m not sure. 🙂 Two talks immediately jump out:
ThunderStrike 2: Sith Strike
Trammel Hudson Vice President, Two Sigma Investments
Xeno Kovah Co-founder, LegbaCore, LLC
Corey Kallenberg Co-Founder, LegbaCore, LLC
The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Mac’s are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.
and:
Attacking Hypervisors Using Firmware and Hardware
Yuriy Bulygin Advanced Threat Research, Intel Security
Mikhail Gorobets Advanced Threat Research, Intel Security
Alexander Matrosov Advanced Threat Research, Intel Security
Oleksandr Bazhaniuk Advanced Threat Research, Intel Security
Andrew Furtak Security Researcher
In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.
And that’s just the ‘tip of the iceberg, for talks… Teddy Reed (author of UEFI Firmware Parser) has a talk. Joe FitzPatrick (of SecuringHardware.com) has a talk. There’s a talk on hardware side-channel attacks, one on BadUSB-like security, one on hardware trust, on medical device security, and a few other firmware-related talks, around 31 hits to ‘firmware’ in the schedule! Amongst the Workshops, there are some fun ones, including: ARM for pentesters, and Embedded System Design. In the Villages, the Hardware Hacking Village and the IoT Village sound interesting.
More Information:
https://www.defcon.org/html/defcon-23/dc-23-schedule.html
https://plus.google.com/+DefconOrgplus/posts
https://www.defcon.org/html/links/dc-goons.html
LegbaCore Mac firmware bricking demo and upcoming training
Yesterday LegbaCore published a video of a bricking demo of a a Mac Mini firmware vulnerability.
https://www.youtube.com/watch?v=LEEEazuc8Dg&feature=youtu.be
“Apple does not follow Intel’s recommended best practices for protecting their firmware. Consequently Macs are vulnerable to being disabled in such a way that they can never be made bootable again either by attempting to boot off external media (like a DVD/USB) and reinstalling the OS, or by changing the entire HD/SSD with a known working one. The only way to recover from such attacks is to reflash the SPI flash chip with a known-clean copy of the firmware. This attack does not require physical presence. It can be launched via a remote connection to the system (e.g. SSH/VNC).”
https://twitter.com/legbacore/status/624062348324528128
LegbaCore has some upcoming training at HackInTheBox Singapore in October, and it appears this 3-day training will cover some of this new Apple EFI research:
https://twitter.com/coreykal/status/624210503766663168
http://www.legbacore.com/Training.html
http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
https://firmwaresecurity.com/2015/06/08/legbacore-summer-tour-announced/
LegbaCore Option ROM Integrity Checker in the works…
The only information available at this time is this Twitter post:
Firmware Security 
You must be logged in to post a comment.