Trammell: eficheck finds Thunderstrike 2

Trammell Hudson tests Apple macOS’s eficheck against Thunderstrike2:

https://trmm.net/Thunderstrike
https://trmm.net/Thunderstrike_2
https://support.apple.com/en-us/HT207475

Thunderstrike 2

Purism and Trammell Hudson partnership

It looks like Purism is going to use Heads now! I hope other OEMs consider some of the features Heads offers.

http://www.marketwired.com/press-release/security-researcher-trammell-hudson-device-maker-purism-join-forces-set-new-standard-2209477.htm

http://finance.yahoo.com/news/security-researcher-trammell-hudson-device-160000558.html

https://puri.sm/posts/purism-collaborates-with-heads-project-to-co-develop-security-focused-laptops/

Heads!

I’ve made one brief post on Heads. Earlier I thought it was a new Linux distribution, which is not the case; it is more of a coreboot payload.

Heads looks great! I am currently looking for a used Thinkpad to test one out. I hope others add support for other systems.

If you have not watched the CCC video, check it out, it is very informative.

https://trmm.net/Installing_Heads

https://trmm.net/Category:Heads

33C3: If You Can’t Trust Your Computer, Who Can You Trust?

33rd CCC

The 33rd Chaos Communication Congress (CCC) takes place in December in Germany. There are MANY great presentations, and CCC is great at making video archives available. Here’s a sample of a few of the presentations, starting with Trammell’s lecture on Heads:

Bootstraping a slightly more secure laptop
Trammell Hudson
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8314.html

What could possibly go wrong with <insert x86 instruction here>?: Side effects include side-channel attacks and bypassing kernel ASLR
Clémentine Maurice and Moritz Lipp
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8044.html

Untrusting the CPU: A proposal for secure computing in an age where we cannot trust our CPUs anymore
jaseg
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8014.html

Virtual Secure Boot: Secure Boot support in qemu, kvm and ovmf
Gerd Hoffmann
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8142.html

Full schedule:
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/schedule.html
https://events.ccc.de/congress/2016/wiki/Main_Page

Heads

Heads is a very interesting new distro by Trammell Hudson. If you like Qubes or Subgraph or Tails, read about this new distro.

“The threat model that Heads proposes to address is very different from that of Tails. Tails’s goal is to allow users to do computation on a machine in a way that doesn’t leave a trace on that system. This requires that the hardware in the system is trusted, which unfortunately is not the case for many users. Additionally many users need a way to keep state in a permanent way and don’t want to expose this state to random machines. Their machines might be subject to physical attacks that might install untrusted firmware or other devices into the system.[1][2] For these reasons, Tails is not sufficient for many users who want a laptop that they can travel with and want to have some assurances that most adversaries won’t be able to modify the hardware underneath them. Complicating this goal is that modern x86 hardware is full of modifiable state[3] and it is full of dusty corners that can hide malware or unauthorized code. Additionally there is unverifiable code running in the Intel Management Engine, which has access to memory, to the network and various other peripherals. As a result we must trust certain entities more than others and this does affect our threat model. This document discusses some of the threats that make building slightly more secure mobile systems very difficult. There is a separate guide on installing Heads on the Thinkpad x230, which covers the practical issues of hardening a laptop against some of the threats described here. […]”

https://trmm.net/Heads

https://trmm.net/Installing_Heads

tool: ReadPhysMem

Found on the Twitter feed of The EFI Monster (@osxreverser):

ReadPhysMem is a small utility to read and write Macs’ physical memory using the default AppleHWAccess.kext. Quoting the readme:

(c) fG! – 2015 – reverser@put.as
https://reverse.put.as
A small utility to read and write to Macs’ physical memory using default AppleHWAccess.kext.

This kext is loaded by default on Mavericks and Yosemite. It has (finally) been disabled on El Capitan since the beta 7 release, since it was an obvious way to bypass and disable the new rootless protection 😉

Trammell Hudson wrote a similar utility using DirectHW.kext (also blacklisted on El Capitan B7). Available at https://github.com/osresearch/rwmem.

The same warning as rwmem applies here. Use with caution, it can easily kernel panic your machine both on reads and writes (particularly on device-mapped areas, SMM RAM, etc.). If you already know PCI BAR addresses you need to use a 4-byte read size instead of the default 8.

It works great to read kernel and other memory, and also BIOS (since it’s mapped/shadowed in physical memory). See also https://github.com/gdbinit/diagnostic_service2 for a real world rootkit application.

DirectHW.kext is a bit more powerful since it allows reading port info. AppleHWAccess.kext only implements memory reads and not ports. For example, it can’t be used to read PCI configuration.

Have fun,

fG!

https://github.com/gdbinit/readphysmem

quiz: define ‘firmworm’

The pre-conference preview videos are coming out… 🙂 One firmware-related video that caught my attention:

Thunderstrike 2 “firmworm” for MacBooks Preview Video
