Uncategorized

Attacking Hypervisors Again!

There’s another version of this talk’s presentation, a PowerPoint file with animations not in the previous PDF.

Attacking Hypervisors Using Firmware and Hardware
Yuriy Bulygin, Mikhail Gorobets, Alexander Matrosov, Oleksandr Bazhaniuk, Andrew Furtak

Strangely, WordPress doesn’t show the ‘friendly’ URL for things today, just the numeric ones:
https://firmwaresecurity.com/2015/08/08/689/

Standard
Uncategorized

Intel ATR research on hypervisor vulnerability

As mentioned earlier, one of the interesting firmware talks at DC/BHB was on hypervisor vulnerabilities. The slides from the talk are now available:

Attacking Hypervisors Using Firmware and Hardware
Yuriy Bulygin, Mikhail Gorobets, Alexander Matrosov, Oleksandr Bazhaniuk, Andrew Furtak

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

http://www.intelsecurity.com/advanced-threat-research/content/AttackingHypervisorsViaFirmware_bhusa15_dc23.pdf

http://www.intelsecurity.com/advanced-threat-research/index.html

Standard
Uncategorized

DEF CON 23

In DEF CON is happening shortly, or maybe it’s cancelled, I’m not sure. 🙂 Two talks immediately jump out:

ThunderStrike 2: Sith Strike

Trammel Hudson Vice President, Two Sigma Investments
Xeno Kovah Co-founder, LegbaCore, LLC
Corey Kallenberg Co-Founder, LegbaCore, LLC

The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Mac’s are in fact vulnerable to many of the software only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.

and:

 
Attacking Hypervisors Using Firmware and Hardware

Yuriy Bulygin Advanced Threat Research, Intel Security
Mikhail Gorobets Advanced Threat Research, Intel Security
Alexander Matrosov Advanced Threat Research, Intel Security
Oleksandr Bazhaniuk Advanced Threat Research, Intel Security
Andrew Furtak Security Researcher

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

And that’s just the ‘tip of the iceberg, for talks… Teddy Reed (author of UEFI Firmware Parser) has a talk. Joe FitzPatrick (of SecuringHardware.com) has a talk. There’s a talk on hardware side-channel attacks, one on BadUSB-like security, one on hardware trust, on medical device security, and a few other firmware-related talks, around 31 hits to ‘firmware’ in the schedule! Amongst the Workshops, there are some fun ones, including: ARM for pentesters, and Embedded System Design. In the Villages, the Hardware Hacking Village and the IoT Village sound interesting.

More Information:
https://www.defcon.org/html/defcon-23/dc-23-schedule.html
https://twitter.com/_defcon_
https://plus.google.com/+DefconOrgplus/posts
https://www.defcon.org/html/links/dc-goons.html

Standard
Uncategorized

Recon 2015 presentation on firmware security available

At Recon 2015 this talk happened:

Attacking and Defending BIOS in 2015

In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using “S3 resume boot script” vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more. We’ll also describe how to extract contents of SMRAM using above vulnerabilities and advanced methods such as Graphics aperture DMA to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail “SMI input pointer” and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules to CHIPSEC framework to test systems for these types of issues.

Speakers: Yuriy Bulygin, Mikhail Gorobets, Andrew Furtak, Oleksandr Bazhaniuk, Alexander Matrosov, Mickey Shkatov

Check out this Twitter post for an URL to the newly-available presentation:

 

Standard