It is funny and also sad to see the new MSFT docs include data about how long it’ll take to read the page, for those potential readers who’re worried it’ll be too long to read. “4 minutes to read”. I wonder what the current attention span is, that forces writers to dumb down documents for reduced attention spans of modern readers? 😦

https://blogs.technet.microsoft.com/mmpc/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/

VisualUEFI udpated

October 2, 2017 ~ hucktech ~ Leave a comment

Happy to report that VisualUEFI (https://t.co/uPKFeocOH5) has now been fully updated, including OpenSSL 1.1.0e and full SecureBoot support! pic.twitter.com/r6Q9VA3KF9

— Alex Ionescu (@aionescu) October 2, 2017

The latest EDK-II sources are used, no longer with any custom OpenSSL changes — we pull directly from both repositories.

— Alex Ionescu (@aionescu) October 2, 2017

With the latest SDL 2.0 compiled QEMU binaries, the UI slowdowns (unbearable before at high resolutions) are totally gone. It's *FAST*.

— Alex Ionescu (@aionescu) October 2, 2017

https://github.com/ionescu007/VisualUefi

Windows UEFI & ACPI Development

Microsoft seeks senior embedded Linux firmware engineer

September 25, 2017 ~ hucktech ~ Leave a comment

The Cloud Server Infrastructure Firmware Development (CSI-FW) team is responsible for server hardware definition, design and development of Server and Rack Infrastructure engineering for Microsoft’s online services.
This role will be for a highly-motivated Firmware Engineer with a solid background in embedded system design using embedded Linux.
* 5+ years professional experience in one or many of: designing, developing embedded solutions using ARM SoCs and Linux, extensive u-boot customization, Linux kernel internals and adding new hardware drivers.
* 2+ years proven and demonstrable programming skill in C/C++ for resource constrained embedded platforms.
* Experience with debugging tools such as JTAG, oscilloscopes and bus analyzers.

https://careers.microsoft.com/jobdetails.aspx?jid=321602&job_id=1070761

Ecosystem momentum positions Microsoft’s Project Olympus as de facto open compute standard

Microsoft Azure seeks senior UEFI engineer

September 18, 2017 ~ hucktech ~ Leave a comment

Senior UEFI / FW Development Engineer – CSI / Azure – Cloud Server Infrastructure

The Azure Cloud Server Infrastructure development team (CSI) is seeking a talented FW development engineer with UEFI based BIOS/FW development experience. Candidate will be a member of the MSFT Azure CSI/UEFI FW team and will be responsible for design and development of UEFI FW solutions for MSFT Cloud Platforms. The Senior BIOS/Firmware Developer candidate must have relevant industry experience in the development of UEFI firmware solutions. Candidate must demonstrate skills and experiences from early planning/concept architecture, platform bring-up, UEFI FW features development, board manufacturing support and field issues debug/servicing support.[…]

https://careers.microsoft.com/jobdetails.aspx?jid=320991&job_id=1070474&utm_source=Indeed&show_desc=0

Ecosystem momentum positions Microsoft’s Project Olympus as de facto open compute standard

UEFI-CheckScript: PowerShell script for SCCM/WinPE

September 18, 2017 ~ hucktech ~ Leave a comment

“This Windows PowerShell script can be used in an SCCM task sequence to see if WinPE was booted in UEFI or BIOS mode.”

https://github.com/diablolot53/uefi-checkscript

Microsoft Azure introduces confidential computing

September 15, 2017 ~ hucktech ~ Leave a comment

Hardware (#SGX) and software enclaves available in Microsoft Azure https://t.co/JQ8LjLhBBE

— Felix Schuster (@flxflx) September 14, 2017

Introducing Azure confidential computing https://t.co/l2fyv3QJPY

— vincent zimmer (@vincentzimmer) September 14, 2017

[…]With Azure confidential computing, we’re developing a platform that enable developers to take advantage of different TEEs without having to change their code. Initially we support two TEEs, Virtual Secure Mode and Intel SGX. Virtual Secure Mode (VSM) is a software-based TEE that’s implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code running on the computer or server, as well as local administrators and cloud service administrators from viewing the contents of the VSM enclave or modifying its execution. We’re also offering hardware-based Intel SGX TEE with the first SGX-capable servers in the public cloud. Customers that want their trust model to not include Azure or Microsoft at all can leverage SGX TEEs. We’re working with Intel and other hardware and software partners to develop additional TEEs and will support them as they become available.[…]

Introducing Azure confidential computing

Clarification of new Windows UEFI/SMM security feature

September 7, 2017 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2017/09/05/new-windows-uefi-security-protections-deciphered/

Here’s authoritative information from Jeremiah Cox of Microsoft:

Supporting Yuriy's comment, "SMM Security Mitigations 1.0" is the WSMT bit attesting SMM buffer validation is an allow list rather than deny

— Jay (Jeremiah) Cox (@int0x6) September 5, 2017

Supporting Dmytro's comment "UEFI Code Readonly" -> "VBS enablement of NX protection for UEFI runtime services" https://t.co/kcnzhX51ME

— Jay (Jeremiah) Cox (@int0x6) September 5, 2017

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/device-guard-and-credential-guard

Someone at Microsoft: please write a Technical Support KB article based on Jeremiah’s tweets.

new Windows UEFI security protections deciphered

September 5, 2017 ~ hucktech ~ Leave a comment

Microsoft added some new UEFI protections to Windows, but it is not well-documented, so the firmware security researcher community is guessing at what it does:

https://twitter.com/mattifestation/status/904849903934873600

I believe that "UEFI Code Readonly" means EPT enforced R-X permissions for code sections of runtime phase UEFI drivers

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) September 5, 2017

This is likely UEFI "protection flags" from WSMT. See here https://t.co/2iOoELk20G (slide 75) and WSMT spec https://t.co/aRs84cPjB2

— Yuriy Bulygin (@c7zero) September 5, 2017

"SMM security mitigations" prob indicates that UEFI fixed unprotected SMM comm buffer pointer vulns https://t.co/6Z9cyvIuVL (slides 53-76)

— Yuriy Bulygin (@c7zero) September 5, 2017

"Readonly UEFI code" probable indicates that UEFI has write protections enabled in SPI flash on that system (not sure abt NVRAM)

— Yuriy Bulygin (@c7zero) September 5, 2017

Microsoft Surface seeks UEFI engineer

September 2, 2017 ~ hucktech ~ Leave a comment

Senior Embedded Software Firmware Engineer- Surface

The Surface development team is seeking a talented software development engineer with a strong systems background and experience with hardware and firmware interaction. Job responsibilities will encompass designing and coding drivers, tools and firmware across various technologies in Surface devices within the Surface team as well as with partners to deliver high quality products to market.

A few of the Qualifications:

“High tolerance to ambiguity and ability make progress in the face of it.”

“Ability to quickly ramp-up on complex and unfamiliar code.”

https://careers.microsoft.com/jobdetails.aspx?jid=283564&job_id=1044422

PS: I recently briefly used a Surface Book, USB stopped working after 2 days of use, the only way to get it to work again was to disable UEFI Secure Boot and TPM support. I was expecting a lot more from the modern Microsoft w/r/t hardware QA. I hope the Microsoft OEM unit is also hiring STEs…

WinDbg updated

August 29, 2017 ~ hucktech ~ Leave a comment

New Blog post! New WinDbg! https://t.co/DeG0dzwhlD

— Andy Luhrs (@aluhrs13) August 28, 2017

The new WinDbgX is finally out! Enjoy it’s awesomeness. Integrated JS/LINQ, ribbons, modernized UI and runs in Centennial. Awesomesauce. https://t.co/I9Hi0juCo5

— Alex Ionescu (@aionescu) August 28, 2017

New WinDbg available in preview!
We are excited to announce a preview version of a brand new WinDbg. We’ve updated WinDbg to have more modern visuals, faster windows, a full-fledged scripting experience, built with the easily extensible debugger data model front and center. I’ll start this by saying that WinDbg Preview is using the same underlying engine as WinDbg today, so all the commands, extensions, and workflows you’re used to will still work just as they did before.

https://blogs.msdn.microsoft.com/windbg/2017/08/28/new-windbg-available-in-preview/

Windbg always had restrictions in what UI widgets it could use, since Windbg was used to debug those same UI widgets (OLE, COM, etc.) and had to work even those widgets did not work.

Microsoft Windows DMA Guard

August 6, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/aionescu/status/865955829177925632

The "DMA Guard" prototype is not a "feature" in RS3. Test hooks have bypasses by design, and it does, so don't depend on unpublished APIs.

— Jay (Jeremiah) Cox (@int0x6) August 6, 2017

https://twitter.com/aionescu/status/893975728957607936

Boot Guard, BIOS Guard, OS Guard… we're in a competition

— Jay (Jeremiah) Cox (@int0x6) August 5, 2017

[…] New Bitlocker features in Windows 10, version 1507:
* DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
[…]

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security
https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage
https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies

Intel Graphics Driver for Windows: DoS vulnerability

August 3, 2017 ~ hucktech ~ Leave a comment

Excerpt of advisory below, see full one for list of drivers impacted.

DoS in Kernel in multiple versions of the Intel Graphics Driver allows local attacker to perform a DoS via an Out of Bounds Read

Intel ID: INTEL-SA-00077
Product family: Mobile, Desktop, Server, Workstation, and Embedded processors based on Intel® Core™ and Atom™ Processors using an affected driver.
Impact of vulnerability: Denial of Service
Severity rating: Moderate
Original release: Jul 31, 2017
Last revised: Aug 01, 2017

Out-of-bounds read condition in older versions of some Intel® Graphics Driver for Windows code branches allows local users to perform a denial of service attack. Intel recommends that users download and upgrade to the latest supported driver. Intel would like to thank Enrique Nissim of IOActive for reporting this issue and working with us on a coordinated disclosure.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00077&languageid=en-fr

Microsoft launches Windows Bounty Program

July 26, 2017 ~ hucktech ~ Leave a comment

Microsoft bounties++! Hyper-V payouts increased up to $250k, WDAG focus area, & a baseline bounty for Windows 10 https://t.co/0ihNnP1xSl

— Matt Miller (@epakskape) July 26, 2017

Announcing the Windows Bounty Program:
Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection to harden entry points while ensuring the customer experience is seamless. In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.[…]

https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/

https://aka.ms/BugBounty

Hagfish: UEFI Bootloader for Barrelfish

July 24, 2017 ~ hucktech ~ Leave a comment

Barrelfish is a new research operating system being built from scratch and released by ETH Zurich in Switzerland, originally in collaboration with Microsoft Research and now partly supported by HP Enterprise Labs, Huawei, Cisco, Oracle, and VMware. […]

Hagfish is the Barrelfish/ARMv8 UEFI loader prototype: Hagfish (it’s a basal chordate i.e. something like the ancestor of all fishes). Hagfish is a second-stage bootloader for Barrelfish on UEFI platforms, most importantly the ARMv8 server platform. […]

http://www.barrelfish.org/

https://github.com/BarrelfishOS/hagfish

https://github.com/BarrelfishOS/uefi-sdk

Microsoft security conf presentation archive

July 9, 2017 ~ hucktech ~ Leave a comment

We've created a GitHub repo to host security research from @msftsecresponse and have posted some conf presentations: https://t.co/0uEQZpOdPV

— Matt Miller (@epakskape) July 7, 2017

https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations

Microsoft Windows Defender ATP

June 27, 2017 ~ hucktech ~ Leave a comment

If you're a fan of EMET you'll definitely want to check out Windows Defender Exploit Guard: https://t.co/vJ4hwp8uyk https://t.co/zT61vQEwaw

— Matt Miller (@epakskape) June 27, 2017

What’s new in Windows Defender ATP Fall Creators Update:
When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop attacks as they happen and before they have impact. This means that our service will expand beyond detection, investigation, and response, and will now allow companies to use the full power of the Windows security stack for preventative protection. The stack will be powered by our cloud-based security intelligence, which moves us from a world of isolated defenses to a smart, interconnected, and coordinated defense grid that is more intelligent, simple to manage, and ever-evolving. We will also provide a single pane of glass experience for security professionals. This means that security management (SecMgmt) teams can easily configure a broad set of Windows security stack technologies through an integrated configuration management experience. Security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console. This will not only give companies a full picture of what’s happening on their endpoints, but will also put them in the driver seat to quickly react to threats as they happen. Leveraging our cloud-based security intelligence gives the optics, context, and tools that companies need to quickly investigate and remediate incidents. Here are some highlights of the Windows Fall Creators Update:[…]

https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update/

https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

Adaptiva Secure 10: BIOS to UEFI

June 22, 2017 ~ hucktech ~ Leave a comment

EXTRA EXTRA! Adaptiva Releases BIOS to UEFI Solution Update to Speed #Windows10 Migrations https://t.co/bEPGoxe2Bq #ConfigMgr #SCCM pic.twitter.com/t7GURPBCGX

— Adaptiva (@adaptiva) June 22, 2017

New registration-required freeware from Adaptiva:

Adaptiva’s free Secure 10 is a complete automation solution for ConfigMgr admins to make the BIOS to UEFI conversion process simple and unattended. With Secure 10, migrations take much less time and no IT staff need to be on-site during the process. Now including support for new MBR2GPT.exe tool for retaining data while making the switch, as well as ConfigMgr 1610+ WinPE boot image pre-staging. Also new: two complete task sequences to save time integrating into your deployments! […] The open solution includes detailed documentation to help SCCM system administrators overcome the complexities of automating the conversion from:

* BIOS to UEFI – Secure 10 automates the conversion process from the legacy BIOS firmware typically used in Windows 7/8 systems to the more powerful Unified Extensible Firmware Interface (UEFI) technology. UEFI is required to enable key enterprise security features available in Windows 10.

* MBR to GPT – Secure 10 now includes support for the MBR2GPT.exe tool, which helps convert the disk layout on a PC from the legacy Master Boot Record (MBR) to GUID Partition Table (GPT). The new tool is the only Microsoft-supported tool to convert a production disk from MBR to GPT without data loss, greatly speeding in-place upgrades to Windows 10.

* WinPE Pre-staging – Microsoft recently introduced the capability to pre-stage a WinPE boot image to a partition from within an SCCM Task Sequence and have that image persist during the conversion from MBR to GPT. Secure 10 supports this capability for refresh/replace scenarios.

https://www.adaptiva.com/blog/2017/adaptiva-releases-bios-uefi-solution-update-speed-windows-10-migrations/

Hardware is the new software

June 15, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/binitamshah/status/875375226690863105

Hardware is the new software
Andrew Baumann, Microsoft Research

Moore’s Law may be slowing, but, perhaps as a result, other measures of processor complexity are only accelerating. In recent years, Intel’s architects have turned to an alphabet soup of instruction set extensions such as MPX, SGX, MPK, and CET as a way to sell CPUs through new security features. Unlike prior extensions, which mostly focused on accelerating user-mode data processing, these new features exhibit complex interactions and give system designers plenty to think about. This calls for a rethink of how we approach the instruction set. In this paper we highlight some of the challenges arising from recent security-focused extensions, and speculate about the longer-term implications.

Click to access baumann-hotos17.pdf

Mike on Windows Config Mgr and Secure Boot

June 12, 2017 ~ hucktech ~ Leave a comment

Mike Terrill has 2 blog posts on Windows Configuration Manager and UEFI Secure Boot:

BIOS and Secure Boot State Detection during a Task Sequence
With all of the security issues and malware lately, BIOS to UEFI for Windows 10 deployments is becoming a pretty hot topic (unless you have been living under a rock, UEFI is required for a lot of the advanced security functions in Windows 10). In addition, with the Windows 10 Creators Update, Microsoft has introduced a new utility called MBR2GPT that makes the move to UEFI a non-destructive process. If you have already started deploying Windows 10 UEFI devices, it can be tricky to determine what state these devices are in during a running Task Sequence. The Configuration Manager Team introduced a new class called SMS_Firmware and inventory property called UEFI that helps determine which computers are running in UEFI in Current Branch 1702. This can be used to build queries for targeting and reports, but it would be nice to handle this plus Secure Boot state (and CSM) during a running Task Sequence. We do have the Task Sequence variable called _SMSTSBootUEFI that we will use, but we need to determine the exact configuration in order to execute the correct steps.[…]

BIOS and Secure Boot State Detection during a Task Sequence Part 1

BIOS and Secure Boot State Detection during a Task Sequence Part 2

Microsoft on malware use of Intel AMT

June 7, 2017 ~ hucktech ~ Leave a comment

PLATINUM attackers can use Intel AMT SOL for stealthy C2 even with network cards disabled. Analysis and demo at https://t.co/Gx5MrfkGe9 pic.twitter.com/JhMJgDzQwE

— Microsoft Threat Intelligence (@MsftSecIntel) June 7, 2017

If you thought the recent Intel AMT security issues was just theoretical, here’s an example of malware using AMT.

https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?platform=hootsuite

Tag: Microsoft

Microsoft renames VBS