UEFI Forum Spring 2018 plugfest agenda

The UEFI Plugfest is in Seattle later this month.

I guess I missed the CFP, as the agenda is now available… 😦

* Intel: An Introduction to Platform Security
* Phoenix: TBD
* Arm:UEFI Updates, Secure Firmware and Secure Services on Arm
* Intel: The State of ASL Programming
* Intel: Implementing MicroPython in UEFI
* Insyde Software: UEFI and the Security Development Lifecycle
* Intel: Attacking and Defending the Platform
* Microsoft: Microsoft Security Features and Firmware Configurations
* Arm: Dynamic Tables Framework: A Step Towards Automatic Generation of ACPI & SMBIOS Tables
* Microsoft: Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates and WU
* Linaro: Edk2-Platforms Overview
* AMI: Enabling Advanced NVMe Features Through UEFI

http://uefi.org/SpringPlugfest2018

Defensive firmware talks in Seattle: SASAG and BSides Seattle

There are two presentations in Seattle area on firmware security in January and February, in case you’re in the area.

1) On January 11th, PreOS Security CEO Paul English speaking on enterprise firmware defensive tools and techniques, for a SysAdmin target audience, at SASAG, the Seattle Area SysAdmin Guild (monthly user group).

SASAG: Firmware Security Defense

Thursday, Jan 11, 2018, 7:00 PM

Brian’s office
1111 3rd Ave #2500, Seattle, WA 98101 Seattle, WA

17 Systems Administrators Went

Paul English & Lee Fisher of PreOS Security will talk about firmware security. For attackers, platform firmware is the new Software. Most systems include hundreds of firmwares – UEFI or BIOS, PCIe expansion ROMs, USB controller drivers, storage controller host and disk/SSD drivers. Firmware-level hosted malware, bare-metal or virtualized, is nearly…

Check out this Meetup →

 

2) On February 3rd, I’ll be speaking at BSides Seattle, on similar topic, but for a target audience of DFIR/blue teams.

http://www.securitybsides.com/w/page/121128486/BsidesSeattle2018#2018Presentations

Disclaimer: Paul and I both work at PreOS Securty.

http://preossec.com/

 

PreOS presentation from SeaGL online

Last week Paul English of PreOS Security gave a presentation at SeaGL Conference (spelled with the RMS-preferred prefix, “Seattle GNU/Linux Conference”, pronounced like the bird “Seagull”). The presentation was about about firmware defensive skills. Whereas my previous presentation presumed an audience of enterprise (SysAdmins, SREs, Blue Teams, or DFIR), Paul’s talk presumed an audience of end-users, with no enterprise to back them up.

Alas, with most SeaGL presentations, this presentation was not video/audio-taped. His blog post has pointer to his slides.

His blog post also mentions brief status update on the sysadmin ebook that Paul is driving, he’s nearly ready, it’ll be nice to have this resource available.

Also, note that the PreOS Security web site has been revamped. All known HTTP/HTTPS problems have been resolved, and the blog backlog is getting flushed.

https://preossec.com/SeaGL-2017/

 

UEFI security presentation at Seattle DC206 Meeting

If you missed the Intel presentation from BlackHat Briefings this summer, and if you are in the Seattle area this Sunday, Vincent Zimmer of Intel will be reprising this presentation at the DC206 Meeting at the Black Lodge Research hackerspace.

https://www.dc206.org/?p=216

What: Oct DC206 Meeting: Firmware is the New Black
When: October 15th, 1-3pm
Who: Vincent Zimmer
Where: Black Lodge Research

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).

https://www.blackhat.com/us-17/briefings.html#firmware-is-the-new-black-analyzing-past-three-years-of-bios-uefi-security-vulnerabilities
http://vzimmer.blogspot.com/2017/08/black-hat-usa-2017-firmware-is-new-black.html
https://github.com/rrbranco/BlackHat2017/blob/master/BlackHat2017-BlackBIOS-v0.13-Published.pdf

https://blacklodgeresearch.org/

https://www.facebook.com/events/1611758852222280/

UEFI slides from SOURCE Seattle uploaded

Last week I gave a presentation at SOURCE Seattle Conference, on defensive UEFI tools/guidance, mostly talking about NIST 147’s lifecycle, and how to use tools like (CHIPSEC, acpidump, FWTS) to look for signs of firmware attacks.

As I understand it, SOURCE Conference will have video of this presentation online sometime in the near future.

https://www.sourceconference.com/copy-of-seattle-2016-agenda-details

Slides have been uploaded to this blog, and are available here:.srcsea17. (PreOS Security will have an archive of all of our post-conference materials on Github shortly.)

At the conference, Bryan of the Brakeing Security podcast interviewed PreOS Security co-founder Paul English and myself, along with some other SOURCE Seattle speakers. I am not sure when that podcast is queued up for. I hate public speaking in general, but I cringe at completely unprepared interviews like this podcast. Sorry I didn’t have better concise answers to the questions put to me. I think the normal podcast drinking game is to drink whenever you hear ‘um’ or ‘I mean’. Be careful if you’re playing that game during my brief audio clips. 😦

http://www.brakeingsecurity.com/

http://brakeingsecurity.com/rss

@bryanbrake

 

A slide in the presentation pre-announces an upcoming tool we’re working on. That tool should be ready in a few weeks, more details soon.

SyScan360 Seattle

https://www.syscan360.org/

UEFI lab at Cascadia IT Conference in Seattle March 10th

[DISCLAIMER: FirmwareSecurity is my personal blog. I work at PreOS Security.]

PreOs Security is offering a half-day training lab for System Administrators, SRE/DevOps in the Seattle area at Cascadia IT Conference, for those interested in learning about UEFI/ACPI/BIOS/SMM/etc security. Here’s the text for the training:

Defending System Firmware

Target audience: System administrators, SRE, DevOps who work with Intel UEFI-based server hardware

Most enterprises only defend operating system and application software; system and peripheral firmware (eg., BIOS, UEFI, PCIe, Thunderbolt, USB, etc) has many attack vectors. This workshop targets enterprise system administrators responsible for maintaining the security of their systems. The workshop is: an introduction to UEFI system firmware, an overview of the NIST secure BIOS platform lifecycle model of SP-(147,147b,155) and how to integrate that into normal enterprise hardware lifecycle management, and an introduction to the available open source firmware security tools created by security researchers and others, and how to integrate UEFI-based systems into the NIST lifecycle using available tools, to help protect your enterprise. It will be a 3.5 hour presentation, and at the end, you can optionally can run some tests on your laptop: Intel CHIPSEC, Linux UEFI Validation distribution (LUV-live), FirmWare Test Suite live boot distribution (FWTS-live), and a few other tools. Attendees trying to participate in the lab will need to have a modern Intel x86 or x64-based (not AMD), UEFI-based firmware, running Windows or Linux OS software. That means no AMD systems, no Apple Macbooks, no ARM systems. Any system used in the lab must have all data backed up, in case some tool bricks the device. Attendees should understand the basics of system hardware/firmware, be able to use a shell (eg, bash, cmd.exe, UEFI Shell), and able to use Python-based scripts.

https://www.casitconf.org/casitconf17/tutorials/

Seattle firmware presentation at DC206 Meeting this Sunday

Many cities have “DC<areacode>” groups, the local DEF CON community. The Seattle-area DC206 group is having it’s monthly meeting this Sunday, and is firmware-centric, in case you are in the Seattle-area.

An Introduction To Pulling Software From Flash via I2C, SPI and JTAG
by Matt DuHarte

This beginners talk is as jargon free as possible and a great introduction to the world inside all those little devices that make up our world.  Not every device we have makes it easy to see the software they run.  How do you analyze the firmware of a device that does not have a display or even a serial port?  Simple – pull the software directly from the flash on the device.  A new generation of simple and inexpensive hardware devices make it fast and easy.  This talk will introduce just enough of the protocols involved, the devices used to pull a firmware image and the software we use to modify the images and put them back. Following the talk there will be a hands on area for watching demonstrations and you to try your hand at pulling images off various devices.

Matt DuHarte is the Security Lead at a major networking hardware manufacturer but is still a software guy.  Matt is an avid BSides presenter in hardware topics like USB hacking and embedded electronics. He started doing electronics as a kid, later for a UGA and now does it because it is fun.  He is a firm believer that password brute forcing is for wimps and that it is easier to open the case, attach a few wires and ask hardware nicely in their own language to spill their secrets. Hardware likes him, except FPGAs, they say his timing is off.

http://blacklodgeresearch.org/
http://dc206.org/

What: October DC206 Meeting
When: October 16, 1pm-3pm
Where: Black Lodge Research (17725 NE 65th St, A-155; Evans Business Park, Building A); Redmond, WA 98052 USA

UEFI Forum plugfest videos online

The PDFs of the presentations were uploaded earlier, now the videos are online on YouTube.

The presentations are all very interesting. The Microsoft talk gives more background on clarifying the “Secure Boot” golden keys being leaked. Style points go to that speaker with his ‘golden key’ necklace. 🙂

https://www.youtube.com/user/UEFIForum

http://uefi.org/events/past

http://uefi.org/learning_center/presentationsandvideos

UEFI Fall plugfest schedule announced

More details for this:
https://firmwaresecurity.com/2016/06/13/fall-uefi-forum-plugfest-is-in-september-in-seattle/

The details for the Fall UEFI Forum plugfest have been announced:

Out of Band BIOS Remote Management – AMI
This session will provide an overview of Out of Band BIOS remote management. The REST protocol, which allows for operations with server processes staging Out Of Band requests, can be layered on the platform interface with an integrated baseboard management controller (BMC) or with remote servers. UEFI provides extensive networking support for the pre-boot environment, including secure communication protocols like HTTPS. Checking for staged Out Of Band requests provides a highly manageable solution applicable to a variety of platform with or without a BMC.

Innovative Software Tools & Methods to Profile, Test and Optimize UEFI Firmware Improving Test Coverage and Debug Results – Kevin Davis, VP of Kernel Engineering, Insyde Software
How effective are your test tools for analyzing UEFI firmware applications? Learn how using key x86 processor capabilities and UEFI executable analysis, like Insyde’s tools can report exactly which lines of code were executed during boot.

Microsoft Security Built on UEFI Security 2.n (P1 and P2)
Attend this interactive session to learn about: The Hardware Security Test Interface (HSTI) v2, Customized Deployment of UEFI Secure Boot, including user mode, audit mode and deployment mode, Device Guard  and Credential Guard, VSM (Virtualization enabled by default), WSMT (Windows SMM Security Mitigations Table)

UEFI Network and Security Update – Vincent Zimmer, Sr. PE, Intel Corporation
How does the UEFI Forum evolve new capabilities for networking and security?  From business requirements to use-cases, threat models, and adjacent industry efforts, the Forum has evolved the footprint of capabilities in this area. This session will provide a brief history of features for networking and security, future areas of application and a depiction of how these technologies are evolving.

Update on TPM 2.0 Firmware Requirements – Dick Wilkins, Ph.D.  Phoenix Technologies Ltd.
As a follow-up to the last session at the UEFI Plugfest in Taipei, “The TPM 2.0 Specs Are Here, Now What?” the Trusted Computing Group (TCG) PC Client Working Group has incorporated several changes in their specifications, requiring updates to the functionality and the addition of new features. The updated TCG specifications will be ready for public review soon. Join this session to learn more about the upcoming enhancements and new requirements for these specifications.

More info:
http://uefi.org/events/upcoming

Hardware security at Security B-Sides Seattle

This month is B-Sides Seattle, and there are 3 hardware workshops (Attacking USB, JTAG, and Arduino) one by Joe (SecurelyFitz) and two by Matt (CryptoMonkey):

http://www.securitybsides.com/w/page/103147483/BsidesSeattle2015
https://www.eventbrite.com/e/bsides-seattle-2016-tickets-19822367234

I think I heard Matt say this was the last time he was offering this  Attacking USB training…

Note that Joe also has training at CanSecWest and Black Hat, in addition to B-Sides Seattle..
https://www.blackhat.com/us-16/training/applied-physical-attacks-on-x86-systems.html
https://cansecwest.com/dojos/2016/advanced_hardware.html

U-Boot and UEFI at Seattle Hardware Startups event

The January 2016 Seattle Hardware Startups event will be firmware focused, hosted by our local group, the Pacific NorthWest FirmWare Hackers (PNWFWH), topics will be on U-Boot and UEFI, Meetup announcement below. If you are in the Seattle area later this month, drop by!

Seattle Hardware Startup: Kirkland Edition @ Nytec

Thursday, Jan 28, 2016, 6:00 PM

Nytec Innovation Center
416 6th Street South Kirkland, WA

71 Members Went

Welcome to 2016!This month we are welcoming Pacific NorthWest FirmWare Hackers. PNWFHW meets randomly at various places, speaking on development and security topics of modern system firmware (UEFI, U-Boot, core boot, etc.). I am pleased to have them lead an event for us.Speakers: 1. The first speaker is Emergency Mexican (his DEF CON goon nym)….

Check out this Meetup →

What: Seattle Hardware Startup: Kirkland Edition
When: Thursday, January 28, 2016, 6:00 PM to 8:00 PM
Where: Nytec Innovation Center, 416 6th Street South, Kirkland, WA

This month we are welcoming Pacific NorthWest FirmWare Hackers. PNWFHW meets randomly at various places, speaking on development and security topics of modern system firmware (UEFI, U-Boot, core boot, etc.). I am pleased to have them lead an event for us.

Speakers:

1. The first speaker is Emergency Mexican (his DEF CON goon nym). He works at a local hardware startup working on ARM32 systems. He’ll be speaking on using building custom payloads with the U-Boot boot loader.

2. The second speaker is Vincent Zimmer, a senior principal engineer at Intel, working on UEFI. Vincent chairs the UEFI Forum network and security subteams. Vincent will talk about the latest updates in the UEFI specifications for security and networking. He’ll also discuss open source community updates.

Please RSVP early so we call the pizza man and make proper arrangements.

Adam
PS: Did you know that January 15th is Hardware Freedom Day?
http://www.hardwarefreedomday.org/main/about.html

Reminder: Seattle-area sysadmin firmware talk Thursday

This SASAG talk on firmware security for system administrators is this Thursday.

It will be an attempt to integrate NIST SP147’s firmware lifecycle model with the various hardware/software models sysadmins use (Hardware Lifecycle Model, ITIL, ITAM, etc.), to better represent firmware in that model, as well as recommend some open source tools to use.

It appears I had the location confused (correct address, incorrect name) in my initial post. The SASAG post has the proper name of and a Google Maps pointer to the event location:

Stamatatos Lab, 2211 Elliot Ave, 1st Floor, Seattle WA

http://www.sasag.org/2015/08/14/sept-10th-mtg-defending-intel-uefi-systems-from-firmware-attackers/

https://firmwaresecurity.com/2015/08/18/seattle-area-sysadmin-firmware-talk-910/

Seattle-area SysAdmin firmware talk 9/10

What: Seattle Area SysAdmin Guild (SASAG) September Meeting
When: September 10, 2015, 19:00-21:00
Where: WTC-E 1st floor conference room (2211 Elliott Avenue, 6th Floor, 6S139, Seattle, WA 98121)
Why: Defending Intel UEFI systems from firmware attackers

In this talk, we’ll give an overview of the open source firmware security tools you can use to help detect ‘bootkits’, ‘firmworms’, and other firmware-level malware (as well as other defects and system failures), as well as some ideas how you might integrate firmware security into your long-term maintenance plan. Tools include: CHIPSEC, UEFITool, UEFI Firmware Parser, and some others discussed in this blog. (I’m not sure about the location, I think it’s the Washington Trade Center.) Unlike most talks on this topic, this talk will target system administrators, not security researchers.

https://github.com/chipsec/chipsec
https://github.com/LongSoft/UEFITool
https://github.com/theopolis/uefi-firmware-parser
http://sasag.org/

LinuxCon North America this August in Seattle

LinuxCon North America is happening this August, in Seattle for the first time (I think). A quick look at their schedule shows a variety of interesting presentations related to firmware security:

* Extending the Secure Boot Certificate and Signature Chain of Trust in the OS – Fionnuala Gunter, Hypori
* Resurrecting Internet Booting – Boot Boot, Booting Over the Internet – John Hawley, Intel
* Demystifying ACPI and EFI via Python and BITS – Josh Triplett
* ACPI for Network Switches – Dustin Byford, Cumulus Networks
* Tying TPMs Throughout The Stack – Matthew Garrett, CoreOS
* Turtles All The Way: Running Linux on Open Hardware – Rob Landley
* ACPI 6 and Linux – Rafael J. Wysocki, Intel
* The Bare-Metal Hypervisor as a Platform for Innovation – Russell Pavlicek, Citrix
* Suspend/Resume at the Speed of Light – Len Brown, Intel

Josh Triplett on BIOS BITS sounds especially interesting. It’ll be interesting to see if the boot boot reboot will get integrated with UEFI HTTP Boot support.

More information:
http://events.linuxfoundation.org/events/linuxcon-north-america
http://events.linuxfoundation.org/events/linuxcon-north-america/program/schedule