Black Hat: System Firmware Attack and Defense for the Enterprise

January 25, 2018January 26, 2018 ~ hucktech ~ Leave a comment

Well, this should be fun… first time attending @BlackHatEvents as a trainer with @c7zero, @ABazhaniuk & @JohnLoucaides (Aug 4-7, 2018).

"SYSTEM FIRMWARE ATTACK AND DEFENSE FOR THE ENTERPRISE"https://t.co/CGYcjUybVD https://t.co/vKUjFVDVb8

— Brian Richardson (@Intel_Brian) January 25, 2018

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to interaction with system firmware components. This includes operating system loaders, secure boot mechanisms, runtime interfaces, and system management mode (SMM). This training will detail and organize objectives, attack vectors, vulnerabilities, and protection mechanisms in this fascinating environment. The training includes two parts.
1. Present a structured approach to system firmware security analysis and mitigations through lecture and hands-on exercises to test system firmware for vulnerabilities. After the training, students will have basic understanding of platform hardware components, system firmware components, attacks against system firmware, and available mitigations. Students can apply this knowledge to identify firmware vulnerabilities and perform forensic analysis.
2. Apply concepts to an enterprise environment. Using an understanding of security issues, students explore potential risks to operational environments including both supply chain and remote malware attacks. Students will perform assessments and basic forensic analysis of potential firmware attacks.

https://www.blackhat.com/us-18/training/schedule/index.html#system-firmware-attack-and-defense-for-the-enterprise-9792

chipsec/modules/common/cpu/spectre_v2.py

January 19, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/01/17/yuriy-working-on-new-hipsec-spectre-test/

New module for @CHIPSEC verifies that
system supports CPU based mitigations for #Spectre variant 2 (branch target injection): https://t.co/eA04N78QUD

— Yuriy Bulygin (@c7zero) January 18, 2018

Thanks @c7zero and @ABazhaniuk – new module for @CHIPSEC now added that checks if system includes hardware mitigation's for #Spectre (variant 2) https://t.co/h0Vnz9JyJY

— Raj Samani (@Raj_Samani) January 19, 2018

https://github.com/chipsec/chipsec/pull/330

Yuriy working on new CHIPSEC Spectre test

January 17, 2018January 18, 2018 ~ hucktech ~ 1 Comment

Working on this… https://t.co/w6GOLV0Ue9

— Yuriy Bulygin (@c7zero) January 17, 2018

Nice to see some recent CHIPSEC activity, given all the recent related CVEs…
…But this is not from the CHIPSEC team, it is from ex-CHIPSEC team member Yuriy of Eclypsium.

Added new module checking for Spectre variant 2
The module checks if system is affected by Speculative Execution Side Channel vulnerabilities. Specifically, the module verifies that the system supports hardware mitigations for Branch Target Injection a.k.a. Spectre Variant 2 (CVE-2017-5715)

See source comments for more info.

https://github.com/c7zero/chipsec/commit/b11bce8a0ed19cbe1d6319ef9928a297b9308840

Alex and Yuriy form Eclypsium, Inc.

July 29, 2017July 29, 2017 ~ hucktech ~ Leave a comment

WOW! I just heard that Alex and Yuriy have left Intel Advanced Threat Research (McAfee) and have started Eclypsium, Inc.

Alex Bazhaniuk is the “Founder and VP of Technology at Eclypsium, Inc.”

Yuriy Bulygin is the “Founder and CEO at Eclypsium, Inc.”

http://www.eclypsium.com/
Twitter: @ABazhaniuk
Twitter: @c7zero/
https://github.com/chipsec/chipsec/blob/master/AUTHORS

CHIPSEC for ARM: to be released at Black Hat

July 25, 2017 ~ hucktech ~ Leave a comment

I nearly missed this CHIPSEC announcement in the below Black Hat abstract. Exciting.

Patching hypervisor on ARM based phone to give user app R/W permissions to kernel memory #BHUSA with @ABazhaniuk https://t.co/utxFBTdbzR pic.twitter.com/9pM9aQqf2t

— Yuriy Bulygin (@c7zero) July 24, 2017

Blue Pill for Your Phone
By Oleksandr Bazhaniuk & Yuriy Bulygin

In this research, we’ve explored attack surface of hypervisors and TrustZone monitor in modern ARM based phones, using Google Nexus 5X, Nexus 6P, and Pixel as primary targets. We will explain different attack scenarios using SMC and other interfaces, as well as interaction methods between TrustZone and hypervisor privilege levels. We will explore attack vectors which could allow malicious operating system (EL1) level to escalate privileges to hypervisor (EL2) level and potentially install virtualization rootkit in the hypervisor. We will also explore attack vectors through SMC and other low level interfaces, interactions between TrustZone and hypervisor (EL2) privilege levels. To help with further low level ARM security research, we will release ARM support for CHIPSEC framework and new modules to test issues in ARM based hypervisors and TrustZone implementations, including SMC fuzzer.

https://www.blackhat.com/us-17/briefings.html#blue-pill-for-your-phone

Exploring Your System Deeper presentation uploaded

April 7, 2017 ~ hucktech ~ Leave a comment

Slides from our Exploring your system deeper @CanSecWest talk with @ABazhaniuk is a good source of @CHIPSEC how to's https://t.co/YRrwH79V9G pic.twitter.com/zhIGwlCHjw

— Yuriy Bulygin (@c7zero) April 6, 2017

Click to access csw2017_ExploringYourSystemDeeper_updated.pdf

http://www.c7zero.info/stuff/csw2017-chipsec.ppt

SyScan360 Seattle

April 5, 2017 ~ hucktech ~ Leave a comment

announcing the next 8 presentations at SyScan360 in Seattle 2017 #SyScan360 @SyScan360

— thomas lim (@thomas_coseinc) April 3, 2017

Oleksandr Bazhaniuk & Yuriy Bulygin will speak about "Exploring Your System Deeper is Not Naughty (Updated)" at SyScan360 Seattle #SyScan360

— thomas lim (@thomas_coseinc) April 3, 2017

Joe Fitzpatrick will speak about "Nation-State Capabilities, Lone Wolf Budget" at SyScan360 in Seattle #SyScan360 @SyScan360

— thomas lim (@thomas_coseinc) April 3, 2017

https://www.syscan360.org/

AMI and Gigabyte UEFI vulnerability

April 5, 2017 ~ hucktech ~ Leave a comment

Good work & thanks for using @CHIPSEC but you guys re-discovered some issues (https://t.co/gSIW1Zf6lE) we reported to AMI in June 2014 pic.twitter.com/X0LXR7iasN

— Yuriy Bulygin (@c7zero) April 1, 2017

That batch I reported ~ a dozen vulns including S3 boot script. Old vulns never die, fixed by BIOS vendor years ago, still in recent systems https://t.co/yosLuG2Apn

— Yuriy Bulygin (@c7zero) April 1, 2017

I wish more user-mode security researchers would study how OEM/IBV/OSV implementations of UEFI firmware update, from the OS-present appplication, looking for problems. For example: https://firmwaresecurity.com/2016/06/05/asus-liveupdate-of-uefi-sent-authenticated/

CHIPSEC REcon talk slides available

March 17, 2017 ~ hucktech ~ Leave a comment

BARing the System: New vulnerabilities in Coreboot & UEFI based systems

Slides from our "New vulnerabilities in Coreboot and UEFI based firmware" talk at @reconbrx : https://t.co/i4cmlqLNNt [pdf]

— Yuriy Bulygin (@c7zero) February 22, 2017

CHIPSEC gets new UEFI Whitelist command

March 12, 2017 ~ hucktech ~ Leave a comment

CHIPSEC already has a Blacklist command. Now there is a UEFI whitelist command.

I've added blacklisting module in chipsec long before, whitelisting module was logical next step in the works, so not just now

— Yuriy Bulygin (@c7zero) March 12, 2017

Added module to generate a white-list of firmware execs and check it against BIOS image to @chipsec run:chipsec_main -m tools.uefi.whitelist

— Alex Bazhaniuk (@ABazhaniuk) March 9, 2017

DerStarke/Darkmatter EFI firmware implant injects/patches PEI/DXE binaries in the firmware. With tools.uefi.whitelist you can find the mods

— Yuriy Bulygin (@c7zero) March 9, 2017

this is how it would look like on the original "clean" firmware image without rootkit's mods. 276 executables instead of 279 pic.twitter.com/DWDFV7bPEM

— Yuriy Bulygin (@c7zero) March 9, 2017

Run chipsec_main -m tools.uefi.whitelist on a clean system. It extracts firmware from flash & creates baseline list of EFI executables in it

— CHIPSEC (@CHIPSEC) March 9, 2017

Below example is detecting modifications to UEFI firmware done by HackingTeam's UEFI rootkit. original.json was generated from clean image pic.twitter.com/mBJXYanvLN

— Yuriy Bulygin (@c7zero) March 9, 2017

New module added to generate & check the "whitelist" of EFI executables: chipsec_main -m tools.uefi.whitelist https://t.co/OBagBMtyL4

— CHIPSEC (@CHIPSEC) March 9, 2017

more on CIA UEFI malware

March 8, 2017 ~ hucktech ~ Leave a comment

Some comments from Yuriy of the Intel ATR team:

DerStarke 2.0 appears to include darkmatter Mac EFI persistence implant with 8 DXE & PEI EFI binaries with heavy use of EFI vars for config pic.twitter.com/7kZxjYPS7J

— Yuriy Bulygin (@c7zero) March 8, 2017

So the first EFI malware that doesn't rely on fully unlocked flash or physical access like e.g. HackingTeam's UEFI rootkit?

— Yuriy Bulygin (@c7zero) March 8, 2017

S3Sleep is most interesting. Launches DarkDream exploit which prob bypasses flash protections? on resume from S3 sleep to write PeiUnlocker

— Yuriy Bulygin (@c7zero) March 8, 2017

DxeInjector module seems to be used to "re-infect" EFI firmware updates (capsules) with implants already "installed" in the firmware

— Yuriy Bulygin (@c7zero) March 8, 2017

PeiUnlock is a temporary firmware flash unlocker dropped by DarkDream exploit then removed after permanently patching flash locking DXE drvr

— Yuriy Bulygin (@c7zero) March 8, 2017

Slides for coreboot/UEFI talk from REcon available

February 22, 2017 ~ hucktech ~ Leave a comment

Slides from our "New vulnerabilities in Coreboot and UEFI based firmware" talk at @reconbrx : https://t.co/i4cmlqLNNt [pdf]

— Yuriy Bulygin (@c7zero) February 22, 2017

Our slides from #reconbrx "Baring the system" (analysis of BAR overlapping vuln.) at https://t.co/BKTogCYPch // @c7zero @reconbrx @reconmtl

— Alex Bazhaniuk (@ABazhaniuk) February 22, 2017

Click to access REConBrussels2017_BARing_the_system.pdf

http://www.intelsecurity.com/advanced-threat-research/index.html

Yuriy and Oleksandr at REcon

January 18, 2017 ~ hucktech ~ Leave a comment

"Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems" @reconbrx by @ABazhaniuk & myself https://t.co/Yq1mO4fpl8

— Yuriy Bulygin (@c7zero) January 17, 2017

Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems
By: Yuriy Bulygin, Oleksandr Bazhaniuk

Previously, we discovered a number of vulnerabilities in UEFI based firmware including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen, Hyper-V and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential and Device Guard. These issues led to changes in the way OS communicates with SMM on UEFI based systems and new Windows SMM Security Mitigations ACPI Table (WSMT). This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot and UEFI based firmware. These issues are caused by incorrect trust assumptions between the firmware and underlying hardware which makes them applicable to any type of system firmware. We will describe impact and various mitigation techniques. We will also release a module for open source CHIPSEC framework to automatically detect this type of issues on a running system.

https://recon.cx/2017/brussels/talks/baring_the_system.html

https://firmwaresecurity.com/2017/01/05/yuriy-to-speak-at-recon-brussels/

Yuriy to speak at REcon Brussels

January 5, 2017 ~ hucktech ~ Leave a comment

We'll talk about a class of new vulnerabilities affecting systems with both (U)EFI & Coreboot based firmware @reconbrx

— Yuriy Bulygin (@c7zero) January 4, 2017

If you follow system firmware security, you may like our "Baring the system" talk at RECon Brussels @reconbrx

— Yuriy Bulygin (@c7zero) January 4, 2017

Recon Brussels 2017 talks list has been released https://t.co/5n6vgC4PA7

— REcon Brussels (@reconbrx) December 27, 2016

https://recon.cx/2017/brussels/

CHIPSEC updates

June 8, 2016 ~ hucktech ~ Leave a comment

The CHIPSEC team have tweeted about an upcoming 1.2.3 release with more Xen, Hyper-V, IOMMU, EPT support.

Also, Yuriy Bulygin of the Intel CHIPSEC team has posted some videos of their REcon training showing CHIPSEC usage:

Another PoC demo (from last @reconmtl) disables BIOS hardware protection via S3 vuln in UEFI BIOS impl (VU# 976132): https://t.co/ALTPqV5L2o

— Yuriy Bulygin (@c7zero) June 7, 2016

This shows PoC exploit for unchecked pointer vuln in SMI firmware presented at #csw15 (https://t.co/psZeKZAKQC): https://t.co/XnmFaW1F6R

— Yuriy Bulygin (@c7zero) June 6, 2016

Recorded a demo on how to find [unchecked pointer] vulns in SMI firmware on a system w/o reversing using @CHIPSEC: https://t.co/hK1bYrDfFa

— Yuriy Bulygin (@c7zero) June 6, 2016

https://github.com/chipsec/chipsec
It looks like their last checkin to the public git repo was in April:
https://github.com/chipsec/chipsec/commits/master

DarkReading article on firmware protection

May 21, 2016 ~ hucktech ~ Leave a comment

Yuriy and John of the Intel CHIPSEC team are quoted in a new Dark Reading article on firmware security.

[…] Yuriy Bulygin and John Loucaides, security researchers at Intel Security, point out that hackers attack firmware because they know many security and IT managers aren’t paying attention to it. They say security teams are so overwhelmed by the prevailing threat landscape, that they have their hands full just deploying the basics, like firewalls, intrusion prevention systems and sandboxes. […]

http://www.darkreading.com/iot/5-tips-for-protecting-firmware-from-attacks/d/d-id/1325604

CHIPSEC training at REcon

April 20, 2016 ~ hucktech ~ Leave a comment

The Intel CHIPSEC team doesn’t give training often, so when they do, it is worth mentioning.

Like last year, CHIPSEC will be offering training at REcon!

Once again this year we are teaching Security of System Firmware training at #reconmtl: https://t.co/uJhzhxka02

— Yuriy Bulygin (@c7zero) April 20, 2016

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

https://recon.cx/2016/training/trainingfirmware.html

BIOS analysis presentation at Analyze 2016

February 26, 2016 ~ hucktech ~ Leave a comment

Alex Bazhaniuk (@ABazhaniuk) and Yuriy Bulygin (@c7zero) will present "Different methods of BIOS analysis" at #AnalyzeCON '16

— Analyze Conference (@AnalyzeCON) February 25, 2016

Analyze 2016 takes place in March in San Francisco. It is a “Security community event for malware and exploit analysis research”. Amongst the presentations is one on BIOS analysis by two of the Intel Advanced Threat Research (ATR) team!

Talks:
Tom Bennett – Whose RAT Is It Anyways?
Aaron Shelmire – Sections, Segments, and Functions, oh my! Hashing your way to analytical shortcuts.
Edward Miles – Making sense of ProGuard’s mess
Oleksandr Bazhaniuk/Yuriy Bulygin – Different methods of BIOS analysis: Static, Dynamic and Symbolic execution
Darren Spruell – Malicious Traffic Distribution: Tactics and Response
Rick Wesson – Static Malware Analysis on GPUs
Chip McSweeney – DGA Antivenom: Stopping new configurations before analysis
Jing Xie – Risks of iOS Remote Hot-Patching
Alexander Matrosov – Distributing the reconstruction of IR for large scale malware analysis
http://www.analyze.cc/Waylon Grange – Wherefore by their crypto ye shall know them
Armin Buescher – Sanzoku APT

http://www.analyze.cc/

CHIPSEC training at TROOPERS

February 17, 2016 ~ hucktech ~ Leave a comment

Don't miss a out on a great 2 day #TR16 training wi/@ABazhaniuk & @c7zero https://t.co/Pt1kxLfW5N

— TROOPERS Conference (@WEareTROOPERS) February 17, 2016

The Intel CHIPSEC team doesn’t get out much to give training to the public often, so this upcoming 2-day of CHIPSEC training at TROOPERS is nice!

Security below the OS with CHIPSEC framework
Oleksandr Bazhaniuk, Yuriy Bulygin

A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and OS loaders. This workshop provides a hands-on opportunity to learn how to use an open source CHIPSEC framework https://github.com/chipsec/chipsec to test systems for vulnerabilities in low-level platform firmware components, problems with firmware security protections as well as develop your own modules in CHIPSEC which test for known issues or implement tools identifying new issues. Agenda:

* Introduction to platform hardware and access with CHIPSEC
* Introduction to platform firmware such as BIOS, UEFI firmware, SMI handlers
* Overview of main components of CHIPSEC framework
* Analyzing main firmware components and configuration
* Assessing systems for vulnerabilities in the BIOS and other firmware
* Developing vulnerability testing modules
* Developing fuzzers for firmware interfaces and other security tools
* BIOS forensics with CHIPSEC

https://www.troopers.de/events/troopers16/567_security_below_the_os_with_chipsec_framework/

CHIPSEC training at TROOPERS!

November 19, 2015 ~ hucktech ~ Leave a comment

It appears that two of the Intel CHIPSEC team — Oleksandr Bazhaniuk and Yuriy Bulygin — will be teaching CHIPSEC at TROOPERS next year in Germany!

"Security below the OS with CHIPSEC framework" sounds awesome https://t.co/dyKOTdwTWL https://t.co/HPCbUQVSYt

— Daniel Bilar (@daniel_bilar) November 19, 2015

https://www.troopers.de/events/troopers16/567_security_below_the_os_with_chipsec_framework/

CHIPSEC aside, there is other hardware security training going on at TROOPERS as well.

https://www.troopers.de/troopers16/trainings/