Microsoft Device Health Attestation protocol

Re: https://firmwaresecurity.com/2018/02/22/hp-including-expected-pcr0-values-in-firmware-releases/

Microsoft Device Health Attestation protocol

Device Health Attestation
https://technet.microsoft.com/en-us/library/mt750346.aspx

[MS-DHA]: Device Health Attestation Protocol
https://msdn.microsoft.com/en-us/library/mt766195.aspx

EnclaveDB: A Secure Database using SGX

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/index.html

EnclaveDB: A Secure Database using SGX
Christian Priebe , Imperial College London
Kapil Vaswani , Microsoft Research
Manuel Costa , Microsoft Research
We propose EnclaveDB, a database engine that guarantees confidentiality, integrity, and freshness for data and queries. EnclaveDB guarantees these properties even when the database administrator is malicious, when an attacker has compromised the operating system or the hypervisor, and when the database runs in an untrusted host in the cloud. EnclaveDB achieves this by placing sensitive data (tables, indexes and other metadata) in enclaves protected by trusted hardware (such as Intel SGX). EnclaveDB has a small trusted computing base, which includes an in-memory storage and query engine, a transaction manager and pre-compiled stored procedures. A key component of EnclaveDB is an efficient protocol for checking integrity and freshness of the database log. The protocol supports concurrent, asynchronous appends and truncation, and requires minimal synchronization between threads. Our experiments using standard database benchmarks and a performance model that simulates large enclaves show that EnclaveDB achieves strong security with low overhead (up to 40% for TPC-C) compared to an industry strength in-memory database engine.

https://www.computer.org/csdl/proceedings/sp/2018/4353/00/435301a405-abs.html

https://www.microsoft.com/en-us/research/publication/enclavedb-a-secure-database-using-sgx/

Click to access enclavedb.pdf

Windows AMSI (AntiMalware Scan Interface) bypass

http://standa-note.blogspot.ca/2018/02/amsi-bypass-with-null-character.html

https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx

See-also:

https://www.cyberark.com/threat-research-blog/amsi-bypass-patching-technique/

Attacks Against Windows PXE Boot Images

Attacks Against Windows PXE Boot Images
Thomas Elling
February 13th, 2018

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.[…]

https://blog.netspi.com/attacks-against-windows-pxe-boot-images/

https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment

Microsoft Windows Analytics now helps assess Meltdown and Spectre protections


To help IT professionals everywhere, we have added new capabilities to our free Windows Analytics service1 to report the status for all the Windows devices2 that they manage. These new capabilities include:

[…]
Firmware Status – This insight provides details about the firmware installed on the device. Specifically, this insight reports if the installed firmware indicates that it includes the specific protections required. Initially, this status will be limited to the list of approved and available firmware security updates from Intel4. We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft.
[…]

https://blogs.windows.com/business/2018/02/13/windows-analytics-now-helps-assess-meltdown-and-spectre-protections/

Windows Analyitcs

Microsoft driver security checklist

Driver security checklist
01/26/2018
Don Marshall

This article provides a driver security checklist for driver developers to help reduce the risk of drivers being compromised.[…]

https://docs.microsoft.com/en-us/windows-hardware/drivers/driversecurity/driver-security-checklist

 

 

Microsoft BlueHat Israel talks uploaded

Click to access BlueHatIL18_Weston_Hardening_With_Hardware.pdf

https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations

 

Microsoft Azure team seeks senior security firmware engineer

“2 years using Secure Boot” 🙂

Senior Security Firmware Engineer-CSI/Azure-Cloud Server Infrastructure

The Cloud Server Infrastructure Firmware Development (CSI-FW) team is responsible for server hardware definition, design and development of Server and Rack Infrastructure engineering for Microsoft’s online services. […] This role is for a highly motivated Senior Firmware Engineer with a background in embedded systems and security technologies. […] We are looking for someone with strong systems background and passion for security and Real Time OS internals. The successful candidate should have experience with some of the following: Real Time Operating Systems, Embedded Systems, Secure boot technologies and strong C development.

* 2+ years using or implementing Secure boot, and Protocol Security using I2C, SPI, USB or UART buses

https://careers.microsoft.com/jobdetails.aspx?jid=344972&job_id=1087878

 

Windows adds TXT-supported MLE to boot security

Interesting to hear that Microsoft has added TXT support alongside MLE. Sorry, no more info on it than above tweet….

From Wikipedia: Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, Cloud Raxak, and VMware. Open-source projects also utilize the TXT functionality; for example, tboot provides a TXT-based integrity system for the Linux kernel and Xen hypervisor.

 

Microsoft adds more enterprise security features to Windows 10

Enable virtualization-based protection of code integrity
11/28/2017
Contributors: Brian Lich Justinha Nick Brower Jason Gerend Jeffrey Sutherland

Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see Troubleshooting for remediation steps.[…]

https://docs.microsoft.com/en-us/windows/device-security/enable-virtualization-based-protection-of-code-integrity

 

more on Intel-SA-00068 (Intel ME) vuln

Intel has updated their advisory again, many more OEMs on the list now:

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Intel ME has impacted Intel WPA2:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00101&languageid=en-fr

Microsoft provides info, but the researchers argue with their conclusions:

https://blogs.technet.microsoft.com/surface/2017/12/11/intel-management-engine-vulnerability-and-surface-devices/

 

Pete Batard adds ARM support for VS2017 to Tianocore

Pete Batard  is adding Visual Studio for ARM support to the Tianocore UEFI dev toolchain:

This is a v2 of the previous patch, that takes into account the alignment of suppressed level 4 warnings between IA32, X64 and ARM, and that also removes compiler options that weren’t actually needed. The following series adds ARM compilation support for the VS2017 toolchain. With these patches, VS2017 toolchain users should be able to compile regular UEFI ARM applications using EDK2. Note that, unlike ARM64 support, ARM support does not require a specific update of Visual Studio 2017, as the ARM toolchain has been available from the very first release. We tested compiling and running the full UEFI Shell with this series, as well as a small set of applications and drivers, and found no issues. With an additional patch [1], it is also possible to use this proposal to compile a complete QEMU ARM firmware. As the patch shows, the changes that need to be applied to the EDK2 sources to achieve this are actually very minimal. However, the generated firmware does not currently boot, possibly because of the following warnings being generated by the MS compiler[…[]At this stage, since the goal of this series is to allow users to compile regular ARM UEFI applications using the VS2017 toolchain, I have non plans to spend more time on the QEMU firmware issues, especially as I suspect that reducing the firmware size back to 2 MB may not be achievable without Microsoft altering their compiler. I am however hopeful that ARM specialists can take this matter over eventually…

[1] https://github.com/pbatard/edk2/commit/c4ce41094a46f4f3dc7ccc64a90604813f037b13

More info:
http://pete.akeo.ie/2017/05/compiling-desktop-arm-applications-with.html
https://lists.01.org/mailman/listinfo/edk2-devel
https://visualstudio.uservoice.com/forums/121579-visual-studio-ide/suggestions/18614308-add-arm-support-back
https://blogs.msdn.microsoft.com/vcblog/2017/10/23/arm-gcc-cross-compilation-in-visual-studio/
https://github.com/microsoft/vslinux/issues
https://github.com/Microsoft/VSLinux/issues/110

See-also:
http://shadetail.com/blog/using-visual-studio-code-for-arm-development-introduction/

Note that Pete is not from the Microsoft Visual Studio team, he’s just doing their work for them… I hope the VS team gives Pete a complementary subscription to their commercial product! [Strange, I don’t think I’ve ever seen Microsoft add suppport for their own tools to Tianocore, it is always an external vendor that does Microsoft’s work…]

 

CERT/CC VU #817544 : Windows ASLR Vulnerability

U.S. Department of Homeland Security US-CERT National Cyber Awareness System: Windows ASLR Vulnerability

Original release date: November 20, 2017

The CERT Coordination Center (CERT/CC) has released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system. US-CERT encourages users and administrators to review CERT/CC VU #817544 and apply the necessary workaround until a patch is released.

https://www.us-cert.gov/ncas/current-activity/2017/11/20/Windows-ASLR-Vulnerability

http://www.kb.cert.org/vuls/id/817544

Microsoft launches Project Cerberus, NIST 800-193-compliant

[…]Today, we’re also introducing Project Cerberus, which provides a critical component for security protection that to date has been missing from server hardware – protection, detection and recovery from attacks on platform firmware.[…] Project Cerberus is a NIST 800-193 compliant hardware root of trust specifically designed to provide robust security for all platform firmware. It provides a hardware root of trust for firmware on the motherboard (UEFI BIOS, BMC, Options ROMs) as well as on peripheral I/O devices by enforcing strict access control and integrity verification from pre-boot and continuing to runtime.[…]

https://azure.microsoft.com/en-us/blog/microsofts-project-olympus-delivers-cloud-hardware-innovation-at-scale/

https://github.com/opencomputeproject/Project_Olympus

Very excited to see NIST SP 800-193-compliance mentioned!!

https://csrc.nist.gov/publications/detail/sp/800-193/draft

 

Microsoft adds Time Travel Debugging (TTD) to Windbg

Time Travel Debugging is now available in WinDbg Preview

We are excited to announce that Time Travel Debugging (TTD) features are now available in the latest version of WinDbg Preview. About a month ago, we released WinDbg Preview which provides great new debugging user experiences. We are now publicly launching a preview version of TTD for the first time and are looking forward to your feedback.[…]

https://blogs.msdn.microsoft.com/windbg/2017/09/25/time-travel-debugging-in-windbg-preview/

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-object-model

As I hear, TTD has been used at Microsoft internally for years, just now getting this feature out to the public. Though they are not identical in implementation, GDB has had reverse execution for a while.

https://www.gnu.org/software/gdb/news/reversible.html
https://sourceware.org/gdb/onlinedocs/gdb/Reverse-Execution.html
https://sourceware.org/gdb/wiki/ReverseDebug

Microsoft Windows OEM security standards updated

Standards for a highly secure Windows 10 device
11/05/2017

These standards are for general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. Windows enterprise security features light up when you meet or exceed these standards and your device is able to provide a highly secure experience.[…]

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

It will actually take more than 2 minutes to read this …properly.