Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
- The document discusses Linux network stack monitoring and configuration. It begins with definitions of key concepts like RSS, RPS, RFS, LRO, GRO, DCA, XDP and BPF.
- It then provides an overview of how the network stack works from the hardware interrupts and driver level up through routing, TCP/IP and to the socket level.
- Monitoring tools like ethtool, ftrace and /proc/interrupts are described for viewing hardware statistics, software stack traces and interrupt information.
The New Smart Video Door Entry System
The document introduces the IpDoor smart video door entry system, a new product from the XM World Group. IpDoor uses IP technology to enable features like remote access and control via a smartphone app. It provides safety, comfort and convenience for customers. The system includes external door stations, internal monitors, licenses for additional features, and can integrate with other smart home and access control systems. IpDoor aims to simplify daily life through innovative, user-friendly technology.
Android 10 includes several new features and improvements including enhanced privacy and security features, expanded digital wellbeing tools, better support for new hardware, and under-the-hood optimizations. Key changes involve moving the root file system to the system image partition, adding new kernel utilities to help with ABI compatibility, and introducing services like SystemSuspend HIDL to leverage benefits of the Android HIDL infrastructure.
The document provides an overview of techniques for hunting rootkits with Windbg. It discusses how to find SSDT and Shadow SSDT hooks, including examples from the Runtime2, Rustock.B, and Alipop rootkits. It also covers finding hidden registry entries and IDT hooks in Rustock.B, GDT callgates in Alipop, ATAPI IRP hooks in TDL3, shared memory structures between kernel and user mode in TDL3, TDL3's mini file system, traces of TDL3 in system worker threads, how TDL4 hooks the ATAPI driver's DriverStartIO, and how Stuxnet uses IoFsRegistrationChange. The document is intended to
Linux uses /proc/iomem as a "Rosetta Stone" to establish relationships between software and hardware. /proc/iomem maps physical memory addresses to devices, similar to how the Rosetta Stone helped map Egyptian hieroglyphs to Greek and decode ancient Egyptian texts. This virtual file allows the kernel to interface with devices by providing address translations between physical and virtual memory spaces.
This document discusses the Android system server. It provides an overview of the bootup sequence where the system server is started. It then describes some of the key services run by the system server, such as the activity manager, package manager, window manager, and others. It also discusses how to observe the system server in action using logcat and how applications interface with system services via Binder.
RDMA programming design and case studies – for better performance distributed...
The document discusses applying RDMA (Remote Direct Memory Access) to improve performance in distributed deep learning frameworks. It describes implementing RDMA in MXNet, a distributed deep learning framework that uses a parameter server model. The implementation reduces memory copies and network overhead. Initial results showed a 1.5x speedup over the initial RDMA implementation, but the existing implementation using ZeroMQ was still faster. Further optimizations to RDMA are needed to fully realize its performance benefits.
SFO15-200: Linux kernel generic TEE driver
Speaker: Jens Wiklander
Date: September 22, 2015
★ Session Description ★
At this session we will get more knowledge about the TEE driver that Linaro has been working on for the last couple of months. Questions to be answered are for example: What are the API’s? How does the TEE driver work as a communication channel. What will a developer need to think of when adding support for another TEE solution?
★ Resources ★
Video: https://www.youtube.com/watch?v=BhLndLUQamM
Presentation: http://www.slideshare.net/linaroorg/sfo15200-linux-kernel-generic-tee-driver
Etherpad: pad.linaro.org/p/sfo15-200
Pathable: https://sfo15.pathable.com/meetings/302831
★ Event Details ★
Linaro Connect San Francisco 2015 - #SFO15
September 21-25, 2015
Hyatt Regency Hotel
http://www.linaro.org
http://connect.linaro.org
Let's turn the table. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++.
A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks
Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677
Enjoy!
This document discusses tools and techniques for debugging the Linux kernel, including debuggers like gdb, built-in debugging facilities, system logs, and crash dump analysis tools like LKCD. It outlines common issues like kernel crashes and hangs, and provides an example of analyzing an "oops" crash dump to identify the failing line of code through tools like ksymoops. It also covers generating a full system memory dump using LKCD for thorough crash investigation.
The document discusses tools and techniques related to analyzing Android applications. It provides an overview of the Android operating system architecture and outlines various static and dynamic analysis methods. These include decompiling applications with Apktool and Dex2jar, reviewing manifest files, monitoring network traffic with Wireshark, and using tools like Burp Suite and Mallory. The document also highlights common mobile security issues discovered through analysis and provides recommendations for securing Android devices and applications.
Vold is the volume daemon in Android that manages storage volumes like external SD cards. It communicates with the Linux kernel via Netlink sockets to receive storage events and with the MountService via a local socket. When a new storage device is inserted, Vold receives the kernel event, mounts the volume if FAT format according to its configuration file, and notifies MountService to make the volume available to the user.
The document discusses Linux networking architecture and covers several key topics in 3 paragraphs or less:
It first describes the basic structure and layers of the Linux networking stack including the network device interface, network layer protocols like IP, transport layer, and sockets. It then discusses how network packets are managed in Linux through the use of socket buffers and associated functions. The document also provides an overview of the data link layer and protocols like Ethernet, PPP, and how they are implemented in Linux.
LCU14-107: OP-TEE on ARMv8
---------------------------------------------------
Speaker: Jens Wiklander
Date: September 15, 2014
---------------------------------------------------
★ Session Summary ★
SWG is porting OP-TEE to ARMv8 using Fixed Virtual Platform. Initially OP-TEE is running secure world in aarch32 mode, but with the normal world code running in aarch64 mode. Since ARMv8 uses ARM Trusted Firmware we have patched it with an OP-TEE dispatcher to be able to communicate between secure and normal world.
---------------------------------------------------
★ Resources ★
Zerista: http://lcu14.zerista.com/event/member/137710
Google Event: https://plus.google.com/u/0/events/c0ef114n77bhgbns9vb85g9n6ak
Presentation: http://www.slideshare.net/linaroorg/lcu14-107-optee-on-ar-mv8
Video: https://www.youtube.com/watch?v=JViplz-ah9M&list=UUIVqQKxCyQLJS6xvSmfndLA
Etherpad: http://pad.linaro.org/p/lcu14-107
---------------------------------------------------
★ Event Details ★
Linaro Connect USA - #LCU14
September 15-19th, 2014
Hyatt Regency San Francisco Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
This presentation covers the working model about Process, Thread, system call, Memory operations, Binder IPC, and interactions with Android frameworks.
Universal Flash Storage (UFS) is a NAND flash storage specification developed by JEDEC that improves on eMMC. UFS uses a serial interface for faster read/write speeds compared to eMMC's parallel interface. It has a layered architecture including a device manager layer, UFS command set layer, UFS transport protocol layer, and UFS interconnect layer. The document discusses these layers and covers UFS features like logical units, command formats like UPIU, and SCSI commands supported in UFS including MODE SELECT, MODE SENSE, and READ/WRITE commands.
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
As the name would suggest, a Non-Maskable Interrupt (NMI) is an interrupt-like feature that is unaffected by the disabling of classic interrupts. In Linux, NMIs are involved in some features such as performance event monitoring, hard-lockup detector, on demand state dumping, etc… Their potential to fire when least expected can fill the most seasoned kernel hackers with dread.
AArch64 (aka arm64 in the Linux tree) does not provide architected NMIs, a consequence being that features benefiting from NMIs see their use limited on AArch64. However, the Arm Generic Interrupt Controller (GIC) supports interrupt prioritization and masking, which, among other things, provides a way to control whether or not a set of interrupts can be signaled to a CPU.
This talk will cover how, using the GIC interrupt priorities, we provide a way to configure some interrupts to behave in an NMI-like manner on AArch64. We’ll discuss the implementation, some of the complications that ensued and also some of the benefits obtained from it.
Julien Thierry
This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
This talk has been presented at Microsoft BlueHat IL 2019 security conference, by Niek Timmers, Albert Spruyt and Cristofaro Mune.
Secure boot is the fundamental building block of the security implemented in a large variety of devices. From mobile phones, to Internet of Things (IoT) or Electronic Control Units (ECUs) found in modern cars.
In this talk we focus on software and hardware attacks that may be carried on against Secure Boot implementations. We leverage our decade long experience in reviewing and attacking secure boot on embedded devices from different industries
After a brief introduction, an overview of common attack patterns is provided, by discussing real vulnerabilities, exploits and attacks as case studies.
We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights.
The first one, takes place before CPU is even started, showing that a larger attack surface than usually explored is available.
This also shows that FI can affect pure HW implementations, with no SW involved.
The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed by using Fault Injection only and with a single glitch.
Contrary to common beliefs, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key.
This shows that the need of reconsidering FI attacks impact and that encrypting boot stages alone is not a sufficient FI countermeasure.
We also discuss countermeasures and possible mitigations throughout the whole presentation.
With this talk, we hope to bring innovative and fresh material to a topic, which is a cornerstone of modern Product Security.
The presentation at BlueHat IL 2019 featured the live demo of an Encrypted Secure Boot bypass attack.
Chipsec is an open source framework for assessing platform security. It can be used to find vulnerabilities in system firmware like BIOS, UEFI and Mac EFI. Some examples shown include exploiting S3 resume boot script vulnerabilities to gain persistence, attacking hypervisors via SMM pointers, and checking for issues with MMIO BAR registers. The tool can also detect "problems" like unlocked firmware, missing hardware protections, and analyze real-world malware implants targeting firmware like DerStarke and HackingTeam UEFI rootkits.
The document discusses techniques for subverting the Windows Vista kernel protection mechanisms and loading unsigned code. It describes:
1) Forcing kernel drivers to page out to the pagefile by allocating large amounts of memory, then modifying the paged out code in the pagefile to inject shellcode without requiring a signature.
2) The concept of an undetectable "Blue Pill" malware that could install itself on-the-fly by exploiting AMD64 SVM virtualization extensions to move the operating system into a virtual machine controlled by a thin hypervisor.
3) Challenges of handling nested virtual machines to prevent detection when the system is already compromised by "Blue Pill" malware.
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...
Part 1 of the first session of the newly formed Christchurch Embedded .NET User Group.
Introduces the range of embedded platforms and technologies offered by Microsoft. Covers the .NET Micro and Compact Frameworks as well as operating systems such as Windows Embedded CE and Windows Mobile.
Presented by Andrew Leckie, Bryn Lewis and myself.
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
This document discusses Secure Boot and its implementation for Linux distributions. It begins by introducing UEFI firmware and Secure Boot, which verifies that only signed operating systems load. It then outlines the solution used by SUSE, which involves expanding the shim loader to give users freedom and flexibility by supporting enrollment of user-generated keys. The document concludes by detailing the various components like the kernel, bootloaders, build systems, and user tools that would need to be adapted to fully implement Secure Boot support for a Linux distribution.
Hardware backdooring by state actors is practical according to the speaker. The speaker demonstrates a proof of concept called Rakshasa that can backdoor computer firmware like BIOS and network cards to achieve persistent remote access. Rakshasa leverages existing free and open source software like Coreboot and iPXE to make the backdoor stealthy and hard to detect. It also discusses challenges with attribution and detection of such backdoors, and argues that strong protections are not currently possible given vulnerabilities in computer hardware and supply chains.
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
This document discusses the history and evolution of bootkits from legacy BIOS to UEFI environments. It describes various bootkit techniques used in BIOS and UEFI, including MBR/VBR modification, hidden file systems, and replacing bootloaders. It also covers attacks against secure boot and forensic tools for analyzing firmware like HiddenFsReader and CHIPSEC.
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
Pre-boot authentication software, in particular full hard disk encryption software, play a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high value pre-boot authentication software, including the latest Microsoft disk encryption technology : Microsoft Vista's Bitlocker, with TPM chip enabled. Because Pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interruptions responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input including plain text passwords remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer can lead to computer reboot without console access and full security bypass of the pre-boot authentication pin if an attacker has enough privileges to modify the bootloader. Other related work include information leakage from CPU caches, reading physical memory thanks to firewire and switching CPU modes.
The document discusses how modern Intel CPUs contain debugging features like JTAG that could enable hardware trojans if activated. It describes how the Intel Direct Connect Interface allows activating JTAG-like debugging over USB, potentially allowing full system control. It demonstrates activating DCI on a laptop through the UEFI and explains how to detect if DCI is enabled. The document warns that DCI could lead to a "new age of BadUSB" if used maliciously.
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docx
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 0 3
a v a i l a b l e a t w w w . s c i e n c e d i r e c t . c o m
j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / d i i n
Using a software exploit to image RAM on an
embedded system
J.R. Rabaiotti*, C.J. Hargreaves
Centre for Forensic Computing and Security, Cranfield University, Shrivenham, UK
a r t i c l e i n f o
Article history:
Received 15 December 2009
Received in revised form
8 January 2010
Accepted 19 January 2010
Keywords:
Memory imaging
Live forensics
Exploits
Games consoles
Xbox
* Corresponding author.
E-mail addresses: [email protected]
1 Microsoft did eventually supply some
completed. None of the information provide
1742-2876/$ – see front matter ª 2010 Elsevi
doi:10.1016/j.diin.2010.01.005
a b s t r a c t
The research in this paper is the result of a court case involving copyright infringement,
specifically, a request for expert evidence regarding the proportion of copyrighted data
present in the RAM of a games console. This paper presents a novel method to image the
memory of an embedded device (a games console) where normal software and hardware
memory imaging techniques are not possible. The paper describes how a buffer overflow
exploit can be used in order to execute custom code written to create an image of the
console’s memory. While this work is concerned with the Microsoft Xbox, the principles of
vulnerability enabled data acquisition could be extended to other embedded devices,
including other consoles, smart phones and PDAs.
ª 2010 Elsevier Ltd. All rights reserved.
1. Introduction (such as a pirated game) that would otherwise be prevented
This paper describes research conducted as a result of a case
at the Court of Appeal involving the sale of ‘modchips’ for
games consoles, specifically the original Microsoft Xbox, the
Sony PlayStation 2 and the Nintendo GameCube. One aspect
of the case was concerned with whether a modchip counted
as a ‘device for circumventing an Effective Technological
Measure’ (ETM) within the meaning of Section 296ZA of the
Copyright, Designs and Patents Act 1988 (as amended), which
makes it a criminal offence to sell such devices. This was not
clear-cut, since the modchips did not enable the production of
a physical copy of a console game from its original protected
optical disc onto another permanent storage medium.
However, the Crown argued at the original trial that the
modchip caused an infringing copy to be made in the
console’s RAM since it permitted the execution of a program
.uk (J.R. Rabaiotti), c.j.har
technical information ab
d is included in this pape
er Ltd. All rights reserved
from executing by the ETM. This point was disputed by the
appellant, and so the court asked for expert evidence, specif-
ically concerning the proportion of the contents of a game disc
that would typically be copied into RAM during the execution
of a game.
In many cases of t.
Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past, these low level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform:
GB-BSi7H-6500 – firmware version: vF6 (2016/05/18)
GB-BXi7-5775 – firmware version: vF2 (2016/07/19)
This document discusses bootloaders for embedded systems. It defines a bootloader as the first code executed after a system powers on or resets that is responsible for loading the operating system kernel. The document then describes the tasks of a bootloader like initializing hardware, loading binaries from storage, and providing a shell. It outlines the booting process differences between desktops and embedded systems. Finally, it focuses on the universal bootloader U-Boot, describing its directory structure, configuration, building process, and commands.
This talk was presented during European coreboot Conference 2017 in Bochum. In this talk we walk through procedures required for enabling TPM 2.0 using LPC interface. We implemented that support as part of our ongoing maintainances of PC Engines apu series (AMD G-series) platform.
Video is available here: https://youtu.be/Yjb9n5p3giI
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedAnne Nicolas
The document describes the ftrace function tracing tool in Linux kernels. It allows attaching to functions in the kernel to trace function calls. It works by having the GCC compiler insert indirect function entry calls. These calls are recorded during linking and replaced with nops at boot time for efficiency. This allows function tracing with low overhead by tracing the indirect function entry calls.
The Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor developed by the Trusted Computing Group to provide hardware-based security related features. It measures the boot process and software running on a device to ensure integrity and allows for remote attestation of the device's state. The TPM provides roots of trust for measurement, reporting, and storage and utilizes platform configuration registers, sealed storage, and keys to securely store and report information based on the device's configuration.
- The document discusses Linux network stack monitoring and configuration. It begins with definitions of key concepts like RSS, RPS, RFS, LRO, GRO, DCA, XDP and BPF.
- It then provides an overview of how the network stack works from the hardware interrupts and driver level up through routing, TCP/IP and to the socket level.
- Monitoring tools like ethtool, ftrace and /proc/interrupts are described for viewing hardware statistics, software stack traces and interrupt information.
The New Smart Video Door Entry System
The document introduces the IpDoor smart video door entry system, a new product from the XM World Group. IpDoor uses IP technology to enable features like remote access and control via a smartphone app. It provides safety, comfort and convenience for customers. The system includes external door stations, internal monitors, licenses for additional features, and can integrate with other smart home and access control systems. IpDoor aims to simplify daily life through innovative, user-friendly technology.
Android 10 includes several new features and improvements including enhanced privacy and security features, expanded digital wellbeing tools, better support for new hardware, and under-the-hood optimizations. Key changes involve moving the root file system to the system image partition, adding new kernel utilities to help with ABI compatibility, and introducing services like SystemSuspend HIDL to leverage benefits of the Android HIDL infrastructure.
The document provides an overview of techniques for hunting rootkits with Windbg. It discusses how to find SSDT and Shadow SSDT hooks, including examples from the Runtime2, Rustock.B, and Alipop rootkits. It also covers finding hidden registry entries and IDT hooks in Rustock.B, GDT callgates in Alipop, ATAPI IRP hooks in TDL3, shared memory structures between kernel and user mode in TDL3, TDL3's mini file system, traces of TDL3 in system worker threads, how TDL4 hooks the ATAPI driver's DriverStartIO, and how Stuxnet uses IoFsRegistrationChange. The document is intended to
Linux uses /proc/iomem as a "Rosetta Stone" to establish relationships between software and hardware. /proc/iomem maps physical memory addresses to devices, similar to how the Rosetta Stone helped map Egyptian hieroglyphs to Greek and decode ancient Egyptian texts. This virtual file allows the kernel to interface with devices by providing address translations between physical and virtual memory spaces.
Understanding the Android System ServerOpersys inc.
This document discusses the Android system server. It provides an overview of the bootup sequence where the system server is started. It then describes some of the key services run by the system server, such as the activity manager, package manager, window manager, and others. It also discusses how to observe the system server in action using logcat and how applications interface with system services via Binder.
The document discusses applying RDMA (Remote Direct Memory Access) to improve performance in distributed deep learning frameworks. It describes implementing RDMA in MXNet, a distributed deep learning framework that uses a parameter server model. The implementation reduces memory copies and network overhead. Initial results showed a 1.5x speedup over the initial RDMA implementation, but the existing implementation using ZeroMQ was still faster. Further optimizations to RDMA are needed to fully realize its performance benefits.
SFO15-200: Linux kernel generic TEE driver
Speaker: Jens Wiklander
Date: September 22, 2015
★ Session Description ★
At this session we will get more knowledge about the TEE driver that Linaro has been working on for the last couple of months. Questions to be answered are for example: What are the API’s? How does the TEE driver work as a communication channel. What will a developer need to think of when adding support for another TEE solution?
★ Resources ★
Video: https://www.youtube.com/watch?v=BhLndLUQamM
Presentation: http://www.slideshare.net/linaroorg/sfo15200-linux-kernel-generic-tee-driver
Etherpad: pad.linaro.org/p/sfo15-200
Pathable: https://sfo15.pathable.com/meetings/302831
★ Event Details ★
Linaro Connect San Francisco 2015 - #SFO15
September 21-25, 2015
Hyatt Regency Hotel
http://www.linaro.org
http://connect.linaro.org
Let's turn the table. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++.
A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks
Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677
Enjoy!
Debugging linux kernel tools and techniquesSatpal Parmar
This document discusses tools and techniques for debugging the Linux kernel, including debuggers like gdb, built-in debugging facilities, system logs, and crash dump analysis tools like LKCD. It outlines common issues like kernel crashes and hangs, and provides an example of analyzing an "oops" crash dump to identify the failing line of code through tools like ksymoops. It also covers generating a full system memory dump using LKCD for thorough crash investigation.
The document discusses tools and techniques related to analyzing Android applications. It provides an overview of the Android operating system architecture and outlines various static and dynamic analysis methods. These include decompiling applications with Apktool and Dex2jar, reviewing manifest files, monitoring network traffic with Wireshark, and using tools like Burp Suite and Mallory. The document also highlights common mobile security issues discovered through analysis and provides recommendations for securing Android devices and applications.
Vold is the volume daemon in Android that manages storage volumes like external SD cards. It communicates with the Linux kernel via Netlink sockets to receive storage events and with the MountService via a local socket. When a new storage device is inserted, Vold receives the kernel event, mounts the volume if FAT format according to its configuration file, and notifies MountService to make the volume available to the user.
The document discusses Linux networking architecture and covers several key topics in 3 paragraphs or less:
It first describes the basic structure and layers of the Linux networking stack including the network device interface, network layer protocols like IP, transport layer, and sockets. It then discusses how network packets are managed in Linux through the use of socket buffers and associated functions. The document also provides an overview of the data link layer and protocols like Ethernet, PPP, and how they are implemented in Linux.
LCU14-107: OP-TEE on ARMv8
---------------------------------------------------
Speaker: Jens Wiklander
Date: September 15, 2014
---------------------------------------------------
★ Session Summary ★
SWG is porting OP-TEE to ARMv8 using Fixed Virtual Platform. Initially OP-TEE is running secure world in aarch32 mode, but with the normal world code running in aarch64 mode. Since ARMv8 uses ARM Trusted Firmware we have patched it with an OP-TEE dispatcher to be able to communicate between secure and normal world.
---------------------------------------------------
★ Resources ★
Zerista: http://lcu14.zerista.com/event/member/137710
Google Event: https://plus.google.com/u/0/events/c0ef114n77bhgbns9vb85g9n6ak
Presentation: http://www.slideshare.net/linaroorg/lcu14-107-optee-on-ar-mv8
Video: https://www.youtube.com/watch?v=JViplz-ah9M&list=UUIVqQKxCyQLJS6xvSmfndLA
Etherpad: http://pad.linaro.org/p/lcu14-107
---------------------------------------------------
★ Event Details ★
Linaro Connect USA - #LCU14
September 15-19th, 2014
Hyatt Regency San Francisco Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
This presentation covers the working model about Process, Thread, system call, Memory operations, Binder IPC, and interactions with Android frameworks.
Universal Flash Storage (UFS) is a NAND flash storage specification developed by JEDEC that improves on eMMC. UFS uses a serial interface for faster read/write speeds compared to eMMC's parallel interface. It has a layered architecture including a device manager layer, UFS command set layer, UFS transport protocol layer, and UFS interconnect layer. The document discusses these layers and covers UFS features like logical units, command formats like UPIU, and SCSI commands supported in UFS including MODE SELECT, MODE SENSE, and READ/WRITE commands.
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIAnne Nicolas
As the name would suggest, a Non-Maskable Interrupt (NMI) is an interrupt-like feature that is unaffected by the disabling of classic interrupts. In Linux, NMIs are involved in some features such as performance event monitoring, hard-lockup detector, on demand state dumping, etc… Their potential to fire when least expected can fill the most seasoned kernel hackers with dread.
AArch64 (aka arm64 in the Linux tree) does not provide architected NMIs, a consequence being that features benefiting from NMIs see their use limited on AArch64. However, the Arm Generic Interrupt Controller (GIC) supports interrupt prioritization and masking, which, among other things, provides a way to control whether or not a set of interrupts can be signaled to a CPU.
This talk will cover how, using the GIC interrupt priorities, we provide a way to configure some interrupts to behave in an NMI-like manner on AArch64. We’ll discuss the implementation, some of the complications that ensued and also some of the benefits obtained from it.
Julien Thierry
This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Cristofaro Mune
This talk has been presented at Microsoft BlueHat IL 2019 security conference, by Niek Timmers, Albert Spruyt and Cristofaro Mune.
Secure boot is the fundamental building block of the security implemented in a large variety of devices. From mobile phones, to Internet of Things (IoT) or Electronic Control Units (ECUs) found in modern cars.
In this talk we focus on software and hardware attacks that may be carried on against Secure Boot implementations. We leverage our decade long experience in reviewing and attacking secure boot on embedded devices from different industries
After a brief introduction, an overview of common attack patterns is provided, by discussing real vulnerabilities, exploits and attacks as case studies.
We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights.
The first one, takes place before CPU is even started, showing that a larger attack surface than usually explored is available.
This also shows that FI can affect pure HW implementations, with no SW involved.
The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed by using Fault Injection only and with a single glitch.
Contrary to common beliefs, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key.
This shows that the need of reconsidering FI attacks impact and that encrypting boot stages alone is not a sufficient FI countermeasure.
We also discuss countermeasures and possible mitigations throughout the whole presentation.
With this talk, we hope to bring innovative and fresh material to a topic, which is a cornerstone of modern Product Security.
The presentation at BlueHat IL 2019 featured the live demo of an Encrypted Secure Boot bypass attack.
Chipsec is an open source framework for assessing platform security. It can be used to find vulnerabilities in system firmware like BIOS, UEFI and Mac EFI. Some examples shown include exploiting S3 resume boot script vulnerabilities to gain persistence, attacking hypervisors via SMM pointers, and checking for issues with MMIO BAR registers. The tool can also detect "problems" like unlocked firmware, missing hardware protections, and analyze real-world malware implants targeting firmware like DerStarke and HackingTeam UEFI rootkits.
Joanna Rutkowska Subverting Vista Kernelguestf1a032
The document discusses techniques for subverting the Windows Vista kernel protection mechanisms and loading unsigned code. It describes:
1) Forcing kernel drivers to page out to the pagefile by allocating large amounts of memory, then modifying the paged out code in the pagefile to inject shellcode without requiring a signature.
2) The concept of an undetectable "Blue Pill" malware that could install itself on-the-fly by exploiting AMD64 SVM virtualization extensions to move the operating system into a virtual machine controlled by a thin hypervisor.
3) Challenges of handling nested virtual machines to prevent detection when the system is already compromised by "Blue Pill" malware.
Christchurch Embedded .NET User Group - Introduction to Microsoft Embedded pl...christopherfairbairn
Part 1 of the first session of the newly formed Christchurch Embedded .NET User Group.
Introduces the range of embedded platforms and technologies offered by Microsoft. Covers the .NET Micro and Compact Frameworks as well as operating systems such as Windows Embedded CE and Windows Mobile.
Presented by Andrew Leckie, Bryn Lewis and myself.
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
This document discusses Secure Boot and its implementation for Linux distributions. It begins by introducing UEFI firmware and Secure Boot, which verifies that only signed operating systems load. It then outlines the solution used by SUSE, which involves expanding the shim loader to give users freedom and flexibility by supporting enrollment of user-generated keys. The document concludes by detailing the various components like the kernel, bootloaders, build systems, and user tools that would need to be adapted to fully implement Secure Boot support for a Linux distribution.
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
Hardware backdooring by state actors is practical according to the speaker. The speaker demonstrates a proof of concept called Rakshasa that can backdoor computer firmware like BIOS and network cards to achieve persistent remote access. Rakshasa leverages existing free and open source software like Coreboot and iPXE to make the backdoor stealthy and hard to detect. It also discusses challenges with attribution and detection of such backdoors, and argues that strong protections are not currently possible given vulnerabilities in computer hardware and supply chains.
Hardware backdooring is practical : slidesMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
This document discusses the history and evolution of bootkits from legacy BIOS to UEFI environments. It describes various bootkit techniques used in BIOS and UEFI, including MBR/VBR modification, hidden file systems, and replacing bootloaders. It also covers attacks against secure boot and forensic tools for analyzing firmware like HiddenFsReader and CHIPSEC.
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...Moabi.com
Pre-boot authentication software, in particular full hard disk encryption software, play a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high value pre-boot authentication software, including the latest Microsoft disk encryption technology : Microsoft Vista's Bitlocker, with TPM chip enabled. Because Pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interruptions responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input including plain text passwords remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer can lead to computer reboot without console access and full security bypass of the pre-boot authentication pin if an attacker has enough privileges to modify the bootloader. Other related work include information leakage from CPU caches, reading physical memory thanks to firewire and switching CPU modes.
The document discusses how modern Intel CPUs contain debugging features like JTAG that could enable hardware trojans if activated. It describes how the Intel Direct Connect Interface allows activating JTAG-like debugging over USB, potentially allowing full system control. It demonstrates activating DCI on a laptop through the UEFI and explains how to detect if DCI is enabled. The document warns that DCI could lead to a "new age of BadUSB" if used maliciously.
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 .docxtheodorelove43763
d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 0 3
a v a i l a b l e a t w w w . s c i e n c e d i r e c t . c o m
j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / d i i n
Using a software exploit to image RAM on an
embedded system
J.R. Rabaiotti*, C.J. Hargreaves
Centre for Forensic Computing and Security, Cranfield University, Shrivenham, UK
a r t i c l e i n f o
Article history:
Received 15 December 2009
Received in revised form
8 January 2010
Accepted 19 January 2010
Keywords:
Memory imaging
Live forensics
Exploits
Games consoles
Xbox
* Corresponding author.
E-mail addresses: [email protected]
1 Microsoft did eventually supply some
completed. None of the information provide
1742-2876/$ – see front matter ª 2010 Elsevi
doi:10.1016/j.diin.2010.01.005
a b s t r a c t
The research in this paper is the result of a court case involving copyright infringement,
specifically, a request for expert evidence regarding the proportion of copyrighted data
present in the RAM of a games console. This paper presents a novel method to image the
memory of an embedded device (a games console) where normal software and hardware
memory imaging techniques are not possible. The paper describes how a buffer overflow
exploit can be used in order to execute custom code written to create an image of the
console’s memory. While this work is concerned with the Microsoft Xbox, the principles of
vulnerability enabled data acquisition could be extended to other embedded devices,
including other consoles, smart phones and PDAs.
ª 2010 Elsevier Ltd. All rights reserved.
1. Introduction (such as a pirated game) that would otherwise be prevented
This paper describes research conducted as a result of a case
at the Court of Appeal involving the sale of ‘modchips’ for
games consoles, specifically the original Microsoft Xbox, the
Sony PlayStation 2 and the Nintendo GameCube. One aspect
of the case was concerned with whether a modchip counted
as a ‘device for circumventing an Effective Technological
Measure’ (ETM) within the meaning of Section 296ZA of the
Copyright, Designs and Patents Act 1988 (as amended), which
makes it a criminal offence to sell such devices. This was not
clear-cut, since the modchips did not enable the production of
a physical copy of a console game from its original protected
optical disc onto another permanent storage medium.
However, the Crown argued at the original trial that the
modchip caused an infringing copy to be made in the
console’s RAM since it permitted the execution of a program
.uk (J.R. Rabaiotti), c.j.har
technical information ab
d is included in this pape
er Ltd. All rights reserved
from executing by the ETM. This point was disputed by the
appellant, and so the court asked for expert evidence, specif-
ically concerning the proportion of the contents of a game disc
that would typically be copied into RAM during the execution
of a game.
In many cases of t.
UEFI Firmware Rootkits: Myths and RealitySally Feller
Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past, these low level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform:
GB-BSi7H-6500 – firmware version: vF6 (2016/05/18)
GB-BXi7-5775 – firmware version: vF2 (2016/07/19)
This document discusses bootloaders for embedded systems. It defines a bootloader as the first code executed after a system powers on or resets that is responsible for loading the operating system kernel. The document then describes the tasks of a bootloader like initializing hardware, loading binaries from storage, and providing a shell. It outlines the booting process differences between desktops and embedded systems. Finally, it focuses on the universal bootloader U-Boot, describing its directory structure, configuration, building process, and commands.
Enabling TPM 2.0 on coreboot based devicesPiotr Król
This talk was presented during European coreboot Conference 2017 in Bochum. In this talk we walk through procedures required for enabling TPM 2.0 using LPC interface. We implemented that support as part of our ongoing maintainances of PC Engines apu series (AMD G-series) platform.
Video is available here: https://youtu.be/Yjb9n5p3giI
[Defcon] Hardware backdooring is practicalMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
Tony Chen
Every game console since the first Atari was more or less designed to prevent the piracy of games and yet every single game console has been successfully modified to enable piracy. However, this trend has come to an end. Both the Xbox One and the PS4 have now been on the market for close to 6 years, without hackers being able to crack the system to enable piracy or cheating. This is the first time in history that game consoles have lasted this long without being cracked. In this talk, we will discuss how we achieved this for the Xbox One. We will first describe the Xbox security design goals and why it needs to guard against physical attacks, followed by descriptions of the hardware and software architecture to keep the Xbox secure. This includes details about the custom SoC we built with AMD and how we addressed the fact that all data read from flash, the hard drive, and even DRAM cannot be trusted. We will also discuss the corresponding software changes needed with the custom hardware to keep the system and the games secure against physical attacks.
Similar to Secret of Intel Management Engine by Igor Skochinsky (20)
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
An invited talk given by Mark Billinghurst on Research Directions for Cross Reality Interfaces. This was given on July 2nd 2024 as part of the 2024 Summer School on Cross Reality in Hagenberg, Austria (July 1st - 7th)
Implementations of Fused Deposition Modeling in real worldEmerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
INDIAN AIR FORCE FIGHTER PLANES LIST.pdfjackson110191
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...Toru Tamaki
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models" arXiv2023
https://arxiv.org/abs/2307.12980
Comparison Table of DiskWarrior Alternatives.pdfAndrey Yasko
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsMydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
Best Programming Language for Civil EngineersAwais Yaseen
The integration of programming into civil engineering is transforming the industry. We can design complex infrastructure projects and analyse large datasets. Imagine revolutionizing the way we build our cities and infrastructure, all by the power of coding. Programming skills are no longer just a bonus��they’re a game changer in this era.
Technology is revolutionizing civil engineering by integrating advanced tools and techniques. Programming allows for the automation of repetitive tasks, enhancing the accuracy of designs, simulations, and analyses. With the advent of artificial intelligence and machine learning, engineers can now predict structural behaviors under various conditions, optimize material usage, and improve project planning.
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfNeo4j
Presented at Gartner Data & Analytics, London Maty 2024. BT Group has used the Neo4j Graph Database to enable impressive digital transformation programs over the last 6 years. By re-imagining their operational support systems to adopt self-serve and data lead principles they have substantially reduced the number of applications and complexity of their operations. The result has been a substantial reduction in risk and costs while improving time to value, innovation, and process automation. Join this session to hear their story, the lessons they learned along the way and how their future innovation plans include the exploration of uses of EKG + Generative AI.
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
The Rise of Supernetwork Data Intensive ComputingLarry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
Secret of Intel Management Engine by Igor Skochinsky
1. Intel ME Secrets
Hidden code in your chipset and how to discover what exactly it does
Igor Skochinsky
Hex-Rays
CODE BLUE 2014
Tokyo
2. 2(c) 2014 Igor Skochinsky
OutlineOutline
High-level overview of the ME
Low-level details
ME security and attacks
Dynamic Application Loader
Results
Future work
3. 3(c) 2014 Igor Skochinsky
About myself
Was interested in software reverse engineering for around
15 years
Longtime IDA user
Working for Hex-Rays since 2008
Helping develop IDA and the decompiler (also doing
technical support, trainings etc.)
Have an interest in embedded hacking (e.g. Kindle, Sony
Reader)
Recently focusing on low-level PC research (BIOS, UEFI,
ME)
Moderator of reddit.com/r/ReverseEngineering/
4. 4(c) 2014 Igor Skochinsky
ME: High-level overview
Management Engine (or Manageability Engine) is a
dedicated microcontroller on all recent Intel platforms
In first versions it was included in the network card, later
moved into the chipset (GMCH, then PCH, then MCH)
Shares flash with the BIOS but is completely independent
from the main CPU
Can be active even when the system is hibernating or
turned off (but connected to mains)
Has a dedicated connection to the network interface; can
intercept or send any data without main CPU's knowledge
6. 6(c) 2014 Igor Skochinsky
ME: High-level overview
Communicating with the Host OS and network
HECI (MEI): Host Embedded Controller Interface;
communication using a PCI memory-mapped area
Network protocol is SOAP based; can be plain HTTP or
HTTPS
7. 7(c) 2014 Igor Skochinsky
ME: High-level overview
Some of the ME components
Active Management Technology (AMT): remote
configuration, administration, provisioning, repair, KVM
System Defense: lowest-level firewall/packet filter with
customizable rules
IDE Redirection (IDE-R) and Serial-Over-LAN (SOL): boot
from a remote CD/HDD image to fix non-bootable or
infected OS, and control the PC console
Identity Protection: embedded one-time password (OTP)
token for two-factor authentication
Protected Transaction Display: secure PIN entry not
visible to the host software
8. 8(c) 2014 Igor Skochinsky
ME: High-level overview
Intel Anti-Theft
PC can be locked or disabled if it fails to check-in with the
remote server at some predefined interval; if the server
signals that the PC is marked as stolen; or on delivery of a
"poison pill"
Poison pill can be sent as an SMS if a 3G connection is
available
Can notify disk encryption software to erase HDD
encryption keys
Reactivation is possible using previously set up recovery
password or by using one-time password
10. 10(c) 2014 Igor Skochinsky
ME: Low-level details
Sources of information
Intel's whitepapers and other publications (e.g. patents)
Intel's official drivers and software
HECI driver, management services, utilities
AMT SDK, code samples
Linux drivers and supporting software; coreboot
BIOS updates for boards on Intel chipsets
Even though ME firmware is usually not updateable
using normal means, it's commonly still included in
the BIOS image
Sometimes separate ME firmware updates are
available too
11. 11(c) 2014 Igor Skochinsky
ME firmware kits
Sources of information
Intel's ME Firmware kits are not supposed to be distributed
to end users
However, many vendors still put up the whole package
instead of just the drivers,
or forget to disable the
FTP listing
With a few picked keywords
you can find the good stuff :)
12. 12(c) 2014 Igor Skochinsky
Intel FSP
Intel Firmware Support Package was released in 2013
Low-level initialization code from Intel for firmware writers
Freely downloadable from Intel's site
The package for HM76/QM77 includes ME firmware, tools
and documentation
http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp-overview
Documentation still contains
"confidential" markings :)
13. 13(c) 2014 Igor Skochinsky
SPI flash layout
The SPI flash is shared between BIOS,
ME and GbE
For security, BIOS (and OS) should not
have access to ME region
The chipset enforces this using
information in the Descriptor region
The Descriptor region must be at the
lowest address of the flash and contain
addresses and sizes of other regions,
as well as their mutual access
permissions.
14. 14(c) 2014 Igor Skochinsky
ME region layout
ME region itself is not monolithic
It consists of several partitions, and the table at the start
describes them
15. 15(c) 2014 Igor Skochinsky
ME code partition
Code partitions have a header called "manifest"
It contains versioning info, number of code modules,
module header, and an RSA signature
16. 16(c) 2014 Igor Skochinsky
ME core evolution
It seems there have been two generations of the
microcontroller core, and corresponding changes in
firmware layout
Following discussion covers mostly Gen 2: Intel 5 Series
(aka Ibex Peak) and later chipsets
Gen 1 Gen 2
ME versions 1.x-5.x 6.x-9.x
Core ARCTangent-A4 ARC 600(?)
Instruction set ARC (32-bit) ARCompact (32/16)
Manifest tag $MAN $MN2
Module header tag $MOD $MME
Code compression None, LZMA None, LZMA, Huffman
17. 17(c) 2014 Igor Skochinsky
ME code modules
Module name Description
BUP Bringup (hardware initialization/configuration)
KERNEL Scheduler, low-level APIs for other modules
POLICY Secondary init tasks, some high-level APIs
HOSTCOMM Handles high-level protocols over HECI/MEI
CLS Capability Licensing Service – enable/disable
features depending on SKU, SKU upgrades
TDT Theft Deterrence Technology (Intel Anti-Theft)
Pavp Protected Audio-Video Path
JOM Dynamic Application Loader (DAL) – used to
implement Identity Protection Technology (IPT)
Some common modules found in recent firmwares
18. 18(c) 2014 Igor Skochinsky
ME: code in ROM
To save flash space, various common routines are stored
in the on-chip ROM and are not present in the firmware
They are used in the firmware modules by jumping to
hardcoded addresses
This complicates reverse-engineering somewhat because
a lot of code is missing
However, one of the ME images I found contained a new
partition I haven't seen before, named "ROMB"...
19. 19(c) 2014 Igor Skochinsky
ME: ROM Bypass
Apparently, the pre-release hardware allows to override
the on-chip ROM and boot using code in flash instead
This is used to work around bugs in early silicon
20. 20(c) 2014 Igor Skochinsky
ME: ROM Bypass
If this option is on, the first instruction of the ME region is
executed
It jumps to the code in ROMB partition
21. 21(c) 2014 Igor Skochinsky
ME: ROM Bypass
By looking at the code in the ROMB region, the inner
workings of the boot ROM were discovered
The boot ROM exposes for other modules:
common C functions (memcpy, memset, strcpy etc.)
ThreadX RTOS routines
Low-level hardware access APIs
It does basic hardware init
It verifies signature of the FTPR partition, loads the BUP
module and jumps to it
Unfortunately, BUP and KERNEL employ Huffman
compression with unknown dictionary, so their code is not
available for analysis :(
23. 23(c) 2014 Igor Skochinsky
ME: Security
ME includes numerous security features
Code signing: all code that is supposed to be running on the
ME is signed with RSA and is checked by the boot ROM
“During the design phase, a Firmware Signing Key (FWSK) public/private pair is
generated at a secure Intel Location, using the Intel Code Signing System. The
Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM
includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus
fixed. Each approved production firmware image is digitally signed by Intel with
the private FWSK. The public FWSK and the digital signature are appended to
the firmware image manifest.
At runtime, a secure boot sequence is accomplished by means of the boot ROM
verifying that the public FWSK on Flash is valid, based on the hash value in
ROM. The ROM validates the firmware image that corresponds to the manifest’s
digital signature through the use of the public FWSK, and if successful, the
system continues to boot from Flash code.”
From "Architecture Guide: Intel® Active Management Technology", 2009
24. 24(c) 2014 Igor Skochinsky
ME: Unified Memory Architecture (UMA) region
ME requires some RAM (UMA) to put unpacked code and
runtime variables (MCU's own memory is too limited and
slow)
This memory is reserved by BIOS on ME's request and
cannot be accessed by the host CPU once locked.
A memory remapping attack was demonstrated by
Invisible Things Lab in 2009, but it doesn't work on newer
chipsets
Cold boot attack might be possible, though...
25. 25(c) 2014 Igor Skochinsky
ME: attacking UMA
I decided to try and dump the UMA region since it
contains unpacked Huffman code and runtime data
Idea #1: simply disable the code which sets the MESEG
lock bit in the BIOS
[some time spent reversing memory init routines...]
Patched out the code which sets the lock bit
Updated necessary checksums in the UEFI volume
Reflashed the firmware and rebooted
Result: dead board
Good thing I had another board and could restore the old
firmware using hotswap flashing...
26. 26(c) 2014 Igor Skochinsky
ME: attacking UMA
Idea #2: cold boot attack
Quickly swap the DRAM sticks so that UMA content
remains in memory
Unfortunately, dumped memory contains only garbage...
First Boot: Let ME
unpack code into UMA
Second boot: after swapping,
Old UMA should be accessible
27. 27(c) 2014 Igor Skochinsky
ME: attacking UMA
Tried lower-speed memory – did not help
Bought professional grade freezing spray – did not help
Eventually discovered that DDR3 used in my board can
employ memory scrambling
“The memory controller incorporates a DDR3 Data
Scrambling feature to minimize the impact of excessive di/dt
on the platform DDR3 VRs due to successive 1s and 0s on
the data bus. [...] As a result the memory controller uses a
data scrambling feature to create pseudo-random patterns on
the DDR3 data bus to reduce the impact of any excessive
di/dt.”
(from Intel Corporation Desktop 3rd Generation Intel® Core™ Processor
Family, Desktop Intel® Pentium® Processor Family, and Desktop Intel®
Celeron® Processor Family Datasheet)
28. 28(c) 2014 Igor Skochinsky
ME: attacking UMA
Idea #3: use different UMA sizes across boots
The required UMA size is a field in the FPT
The FPT is protected only by checksum – not signature –
so it's easy to change
Idea:
1) Flash FPT that requests 32MB, reboot. BIOS will reserve top
32MB but ME will use only 16MB
2) Flash FPT that requests 16MB, reboot. BIOS will reserve top
16MB, so previously used 16MB will be accessible again
Unfortunately got garbage again. It seems that memory is
reinitialized with different scrambling seed between boots.
29. 29(c) 2014 Igor Skochinsky
ME: attacking UMA
Idea #4: disable memory scrambling
Scrambling can be turned off using a BIOS setting on
some boards
On my board the option is hidden but it's possible to
change it by editing the UEFI variable "Setup" direclty
(see my Breakpoint 2012 presentation)
However, it is not enough – the memory is still garbage
30. 30(c) 2014 Igor Skochinsky
ME: attacking UMA
Idea #5: ?
I still had some ideas to try but they require more time and
effort
So I started investigating code using other approaches
For example...
31. 31(c) 2014 Igor Skochinsky
Server Platform Services
On Intel's server boards, ME is present too
However, it runs a different kind of firmware
It's called Server Platform Services (SPS)
It has a reduced set of modules, however it does include
BUP and KERNEL
Good news #1: BUP module is not compressed!
KERNEL is Huffman "compressed", but...
Good news #2: all blocks use trivial compression (i.e. no
compression)
So I now can investigate how these two modules work
There are probably differences from desktop but it's a start
32. 32(c) 2014 Igor Skochinsky
JOM aka DAL
JOM is a module which appeared in ME 7.1
It implements what Intel calls "Dynamic Application Loader"
(DAL)
It allows to upload and run applications (applets) inside ME
dynamically
This feature is used to implement Intel Identity Protection
Technology (Intel IPT)
In theory, it allows a much easier way for running custom
code on the ME
Let's have a look at how it's implemented...
33. 33(c) 2014 Igor Skochinsky
JOM aka DAL
Some interesting strings from the binary:
Looks like Java!
Could not allocate an instance of
java.lang.OutOfMemoryError
linkerInternalCheckFile: JEFF format version not
supported
com.intel.crypto
com.trustedlogic.isdi
Starting VM Server...
34. 34(c) 2014 Igor Skochinsky
JOM aka DAL
Apparently it's a Java VM implementation
In Intel ME drivers, there is a file "oath.dalp" with a Base64
blob
After decoding, a familiar manifest header appears
It has a slightly different module header format, and a single
module named "Medal App"
The module contains a chunk with signature "JEFF", which
is mentioned in the strings of JOM
Strings in this JEFF chunk also point to it being Java code
However, the opcode values look different from normal Java
I was so sure it's a custom format, I spent quite a lot of time
reversing it from scratch
35. 35(c) 2014 Igor Skochinsky
JOM aka DAL
There was one string in the module...
There is no such instruction in standard Java. Let's try
Google...
.ascii "Invalid constant offset in the SLDC instruction"
36. 36(c) 2014 Igor Skochinsky
JEFF File Format
Turns out the JEFF format is a standard
Was proposed in 2001 by the now-defunct J Consortium
Has been adopted as an ISO standard (ISO/IEC 20970)
Draft specification is still available in a few places
Optimized for embedded applications
Combines several classes in one file, in a form which is
ready for execution
Shared constant pool also reduces size
Introduces several new opcodes
Supports native methods defined by the implementation
37. 37(c) 2014 Igor Skochinsky
JEFF File Format
I made a dumper/disassembler in Python based on the spec
Dumped code in oath.dalp and the internal JEFF in the
firmware
No obfuscation was used by Intel, which is nice
Most basic Java classes are implemented in bytecode, with
a few native helpers
There are classes for:
Cryptography
UI elements (dialogs, buttons, labels etc.)
Flash storage access
Implementing loadable applets
38. 38(c) 2014 Igor Skochinsky
JEFF File Format
Fragment of a class implementation (without bytecode)
Class com.intel.util.IntelApplet
private:
/* 0x0C */ boolean m_invokeCommandInProcess;
/* 0x00 */ OutputBufferView m_outputBuffer;
/* 0x0D */ boolean m_outputBufferTooSmall;
/* 0x04 */ OutputValueView m_outputValue;
/* 0x08 */ byte[] m_sessionId;
public:
void <init>();
final int getResponseBufferSize();
final int getSessionId(byte[], int);
final int getSessionIdLength();
final String getUUID();
final abstract int invokeCommand(int, byte[]);
int onClose();
final void onCloseSession();
final int onCommand(int, CommandParameters);
int onInit(byte[]);
final int onOpenSession(CommandParameters);
final void sendAsynchMessage(byte[], int, int);
final void setResponse(byte[], int, int);
final void setResponseCode(int);
39. 39(c) 2014 Igor Skochinsky
IPT applets
The applet interface seems to be rather simple
The OATH applet implementation looks like this:
package com.intel.dal.ipt.framework;
public class AppletImpl extends com.intel.util.IntelApplet
{
final int invokeCommand(int, byte[])
{
...
}
int onClose()
{
...
}
int onInit(byte[])
{
...
}
}
40. 40(c) 2014 Igor Skochinsky
IPT applets
Unfortunately, even if I create my own applets, I can't run
them inside ME
Applet binaries have a signed manifest header and are
verified before running
Still, there may be vulnerabilities in the protocol, which is
pretty complicated
Let's have a look at how it works...
41. 41(c) 2014 Igor Skochinsky
IPT communication
Intel provides several DLLs with high-level APIs which are
usable from C/C++, Java, or .NET applications
These DLLs send requests to the JHI service, using COM or
TCP/IP (depending on the driver version)
The service serializes requests and sends them over
HECI/MEI to the ME
ME dispatches the requests to JOM
JOM parses the requests and passes them to the applet
Reply undergoes the opposite conversion and is eventually
sent back to the application
Because arbitrary buffers can be sent and received, there is
a potential for out-of-bounds memory read or write
42. 42(c) 2014 Igor Skochinsky
Trusted Execution Environment
From the strings inside JOM, it's apparent that Intel is using
a Trusted Execution Environment (TEE) provided by Trusted
Logic Mobility (now Trustonic), called "Trusted Foundations"
Source:
Trusted Foundations flyer
43. 43(c) 2014 Igor Skochinsky
Trusted Execution Environment
Trusted Foundations is also used in several smartphones
Implemented there using ARM's TrustZone
Due to GPL, source code of drivers which communicate with
Trusted Foundations is made available
The protocol is not the same as what Intel uses
For example, TrustZone communications employ shared
memory, while ME/JOM only talks over HECI/MEI
Still, there are some common parts, so it helps in reverse
engineering
44. 44(c) 2014 Igor Skochinsky
Trusted Execution Environment
There is a TEE specification released by the GlobalPlatform
association (Trusted Logic Mobililty/Trustonic is a member)
Describes overall architecture, client API and internal API
(for services running inside TEE)
Again, it does not exactly match what runs in the ME but is
still a useful reference
http://www.globalplatform.org/specificationsdevice.asp
45. 45(c) 2014 Igor Skochinsky
Results
I still have not managed to run my own rootkit on the ME
But I'm getting a more complete picture of how ME works
The code of boot ROM, BUP and KERNEL modules has
been discovered
This allowed me to map many APIs used in other modules
JEFF dumper is a good starting point for investigating
DAL/IPT applets
ARC support was released with IDA 6.4 and improved in IDA
6.5
46. 46(c) 2014 Igor Skochinsky
Future work
Dynamic Application Loader
Make a JEFF to .class converter, or maybe a direct JEFF
decompiler
Reverse and document the host communication protocol
Linux IPT client?
EFFS parsing and modifying
Most of the ME state is stored there
If we can modify flash, we can modify EFFS
Critical variables are protected from tampering but the
majority isn't
Complicated format because of flash wear leveling
47. 47(c) 2014 Igor Skochinsky
Future work
Huffman compression
Used in newer firmwares for compressing the kernel and
some other modules
Apparently the dictionary is hardcoded in silicon
Dumping the UMA should help recover it
There is still some hope in that area
ME ↔ Host protocols
Most modules use different message format
A lot of undocumented messages; some modules seem to
be not mentioned anywhere
Some client software has very verbose debugging
messages in their binaries...
Anti-Theft is a good target
48. 48(c) 2014 Igor Skochinsky
Future work
BIOS RE
In early boot stages ME accepts some things which are
not possible later
Reversing BIOS modules that talk to ME is a good source
of info
Some messages can be sent only during BIOS boot
UEFITool by Nikolaj Schlej helps in editing UEFI images
https://github.com/NikolajSchlej/UEFITool
Coreboot has support for ME on some boards
Simulation and fuzzing
Open Virtual Platform (www.ovpworld.org) has modules
for ARC600 and ARC700 (ARCompact-based)
Supposedly easy to extend to emulate custom hardware
Debugging and fuzzing should be possible