Secret of Intel Management Engine by Igor Skochinsky

- The document discusses Linux network stack monitoring and configuration. It begins with definitions of key concepts like RSS, RPS, RFS, LRO, GRO, DCA, XDP and BPF. - It then provides an overview of how the network stack works from the hardware interrupts and driver level up through routing, TCP/IP and to the socket level. - Monitoring tools like ethtool, ftrace and /proc/interrupts are described for viewing hardware statistics, software stack traces and interrupt information.

The New Smart Video Door Entry System The document introduces the IpDoor smart video door entry system, a new product from the XM World Group. IpDoor uses IP technology to enable features like remote access and control via a smartphone app. It provides safety, comfort and convenience for customers. The system includes external door stations, internal monitors, licenses for additional features, and can integrate with other smart home and access control systems. IpDoor aims to simplify daily life through innovative, user-friendly technology.

Android 10 includes several new features and improvements including enhanced privacy and security features, expanded digital wellbeing tools, better support for new hardware, and under-the-hood optimizations. Key changes involve moving the root file system to the system image partition, adding new kernel utilities to help with ABI compatibility, and introducing services like SystemSuspend HIDL to leverage benefits of the Android HIDL infrastructure.

The document provides an overview of techniques for hunting rootkits with Windbg. It discusses how to find SSDT and Shadow SSDT hooks, including examples from the Runtime2, Rustock.B, and Alipop rootkits. It also covers finding hidden registry entries and IDT hooks in Rustock.B, GDT callgates in Alipop, ATAPI IRP hooks in TDL3, shared memory structures between kernel and user mode in TDL3, TDL3's mini file system, traces of TDL3 in system worker threads, how TDL4 hooks the ATAPI driver's DriverStartIO, and how Stuxnet uses IoFsRegistrationChange. The document is intended to

Linux uses /proc/iomem as a "Rosetta Stone" to establish relationships between software and hardware. /proc/iomem maps physical memory addresses to devices, similar to how the Rosetta Stone helped map Egyptian hieroglyphs to Greek and decode ancient Egyptian texts. This virtual file allows the kernel to interface with devices by providing address translations between physical and virtual memory spaces.

This document discusses the Android system server. It provides an overview of the bootup sequence where the system server is started. It then describes some of the key services run by the system server, such as the activity manager, package manager, window manager, and others. It also discusses how to observe the system server in action using logcat and how applications interface with system services via Binder.

The document discusses applying RDMA (Remote Direct Memory Access) to improve performance in distributed deep learning frameworks. It describes implementing RDMA in MXNet, a distributed deep learning framework that uses a parameter server model. The implementation reduces memory copies and network overhead. Initial results showed a 1.5x speedup over the initial RDMA implementation, but the existing implementation using ZeroMQ was still faster. Further optimizations to RDMA are needed to fully realize its performance benefits.

SFO15-200: Linux kernel generic TEE driver Speaker: Jens Wiklander Date: September 22, 2015 ★ Session Description ★ At this session we will get more knowledge about the TEE driver that Linaro has been working on for the last couple of months. Questions to be answered are for example: What are the API’s? How does the TEE driver work as a communication channel. What will a developer need to think of when adding support for another TEE solution? ★ Resources ★ Video: https://www.youtube.com/watch?v=BhLndLUQamM Presentation: http://www.slideshare.net/linaroorg/sfo15200-linux-kernel-generic-tee-driver Etherpad: pad.linaro.org/p/sfo15-200 Pathable: https://sfo15.pathable.com/meetings/302831 ★ Event Details ★ Linaro Connect San Francisco 2015 - #SFO15 September 21-25, 2015 Hyatt Regency Hotel http://www.linaro.org http://connect.linaro.org

Let's turn the table. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++. A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677 Enjoy!

This document discusses tools and techniques for debugging the Linux kernel, including debuggers like gdb, built-in debugging facilities, system logs, and crash dump analysis tools like LKCD. It outlines common issues like kernel crashes and hangs, and provides an example of analyzing an "oops" crash dump to identify the failing line of code through tools like ksymoops. It also covers generating a full system memory dump using LKCD for thorough crash investigation.

The document discusses tools and techniques related to analyzing Android applications. It provides an overview of the Android operating system architecture and outlines various static and dynamic analysis methods. These include decompiling applications with Apktool and Dex2jar, reviewing manifest files, monitoring network traffic with Wireshark, and using tools like Burp Suite and Mallory. The document also highlights common mobile security issues discovered through analysis and provides recommendations for securing Android devices and applications.

Vold is the volume daemon in Android that manages storage volumes like external SD cards. It communicates with the Linux kernel via Netlink sockets to receive storage events and with the MountService via a local socket. When a new storage device is inserted, Vold receives the kernel event, mounts the volume if FAT format according to its configuration file, and notifies MountService to make the volume available to the user.

The document discusses Linux networking architecture and covers several key topics in 3 paragraphs or less: It first describes the basic structure and layers of the Linux networking stack including the network device interface, network layer protocols like IP, transport layer, and sockets. It then discusses how network packets are managed in Linux through the use of socket buffers and associated functions. The document also provides an overview of the data link layer and protocols like Ethernet, PPP, and how they are implemented in Linux.

LCU14-107: OP-TEE on ARMv8 --------------------------------------------------- Speaker: Jens Wiklander Date: September 15, 2014 --------------------------------------------------- ★ Session Summary ★ SWG is porting OP-TEE to ARMv8 using Fixed Virtual Platform. Initially OP-TEE is running secure world in aarch32 mode, but with the normal world code running in aarch64 mode. Since ARMv8 uses ARM Trusted Firmware we have patched it with an OP-TEE dispatcher to be able to communicate between secure and normal world. --------------------------------------------------- ★ Resources ★ Zerista: http://lcu14.zerista.com/event/member/137710 Google Event: https://plus.google.com/u/0/events/c0ef114n77bhgbns9vb85g9n6ak Presentation: http://www.slideshare.net/linaroorg/lcu14-107-optee-on-ar-mv8 Video: https://www.youtube.com/watch?v=JViplz-ah9M&list=UUIVqQKxCyQLJS6xvSmfndLA Etherpad: http://pad.linaro.org/p/lcu14-107 --------------------------------------------------- ★ Event Details ★ Linaro Connect USA - #LCU14 September 15-19th, 2014 Hyatt Regency San Francisco Airport --------------------------------------------------- http://www.linaro.org http://connect.linaro.org

This presentation covers the working model about Process, Thread, system call, Memory operations, Binder IPC, and interactions with Android frameworks.

Universal Flash Storage (UFS) is a NAND flash storage specification developed by JEDEC that improves on eMMC. UFS uses a serial interface for faster read/write speeds compared to eMMC's parallel interface. It has a layered architecture including a device manager layer, UFS command set layer, UFS transport protocol layer, and UFS interconnect layer. The document discusses these layers and covers UFS features like logical units, command formats like UPIU, and SCSI commands supported in UFS including MODE SELECT, MODE SENSE, and READ/WRITE commands.

As the name would suggest, a Non-Maskable Interrupt (NMI) is an interrupt-like feature that is unaffected by the disabling of classic interrupts. In Linux, NMIs are involved in some features such as performance event monitoring, hard-lockup detector, on demand state dumping, etc… Their potential to fire when least expected can fill the most seasoned kernel hackers with dread. AArch64 (aka arm64 in the Linux tree) does not provide architected NMIs, a consequence being that features benefiting from NMIs see their use limited on AArch64. However, the Arm Generic Interrupt Controller (GIC) supports interrupt prioritization and masking, which, among other things, provides a way to control whether or not a set of interrupts can be signaled to a CPU. This talk will cover how, using the GIC interrupt priorities, we provide a way to configure some interrupts to behave in an NMI-like manner on AArch64. We’ll discuss the implementation, some of the complications that ensued and also some of the benefits obtained from it. Julien Thierry

This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.

This talk has been presented at Microsoft BlueHat IL 2019 security conference, by Niek Timmers, Albert Spruyt and Cristofaro Mune. Secure boot is the fundamental building block of the security implemented in a large variety of devices. From mobile phones, to Internet of Things (IoT) or Electronic Control Units (ECUs) found in modern cars. In this talk we focus on software and hardware attacks that may be carried on against Secure Boot implementations. We leverage our decade long experience in reviewing and attacking secure boot on embedded devices from different industries After a brief introduction, an overview of common attack patterns is provided, by discussing real vulnerabilities, exploits and attacks as case studies. We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights. The first one, takes place before CPU is even started, showing that a larger attack surface than usually explored is available. This also shows that FI can affect pure HW implementations, with no SW involved. The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed by using Fault Injection only and with a single glitch. Contrary to common beliefs, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key. This shows that the need of reconsidering FI attacks impact and that encrypting boot stages alone is not a sufficient FI countermeasure. We also discuss countermeasures and possible mitigations throughout the whole presentation. With this talk, we hope to bring innovative and fresh material to a topic, which is a cornerstone of modern Product Security. The presentation at BlueHat IL 2019 featured the live demo of an Encrypted Secure Boot bypass attack.

Chipsec is an open source framework for assessing platform security. It can be used to find vulnerabilities in system firmware like BIOS, UEFI and Mac EFI. Some examples shown include exploiting S3 resume boot script vulnerabilities to gain persistence, attacking hypervisors via SMM pointers, and checking for issues with MMIO BAR registers. The tool can also detect "problems" like unlocked firmware, missing hardware protections, and analyze real-world malware implants targeting firmware like DerStarke and HackingTeam UEFI rootkits.

The document discusses techniques for subverting the Windows Vista kernel protection mechanisms and loading unsigned code. It describes: 1) Forcing kernel drivers to page out to the pagefile by allocating large amounts of memory, then modifying the paged out code in the pagefile to inject shellcode without requiring a signature. 2) The concept of an undetectable "Blue Pill" malware that could install itself on-the-fly by exploiting AMD64 SVM virtualization extensions to move the operating system into a virtual machine controlled by a thin hypervisor. 3) Challenges of handling nested virtual machines to prevent detection when the system is already compromised by "Blue Pill" malware.

Part 1 of the first session of the newly formed Christchurch Embedded .NET User Group. Introduces the range of embedded platforms and technologies offered by Microsoft. Covers the .NET Micro and Compact Frameworks as well as operating systems such as Windows Embedded CE and Windows Mobile. Presented by Andrew Leckie, Bryn Lewis and myself.

Slides of the Hackito Ergo Sum 2012 presentation. Backdooring hardware. As in hundreads of different motherboards.

This document discusses Secure Boot and its implementation for Linux distributions. It begins by introducing UEFI firmware and Secure Boot, which verifies that only signed operating systems load. It then outlines the solution used by SUSE, which involves expanding the shim loader to give users freedom and flexibility by supporting enrollment of user-generated keys. The document concludes by detailing the various components like the kernel, bootloaders, build systems, and user tools that would need to be adapted to fully implement Secure Boot support for a Linux distribution.

Hardware backdooring by state actors is practical according to the speaker. The speaker demonstrates a proof of concept called Rakshasa that can backdoor computer firmware like BIOS and network cards to achieve persistent remote access. Rakshasa leverages existing free and open source software like Coreboot and iPXE to make the backdoor stealthy and hard to detect. It also discusses challenges with attribution and detection of such backdoors, and argues that strong protections are not currently possible given vulnerabilities in computer hardware and supply chains.

This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.

This document discusses the history and evolution of bootkits from legacy BIOS to UEFI environments. It describes various bootkit techniques used in BIOS and UEFI, including MBR/VBR modification, hidden file systems, and replacing bootloaders. It also covers attacks against secure boot and forensic tools for analyzing firmware like HiddenFsReader and CHIPSEC.

Pre-boot authentication software, in particular full hard disk encryption software, play a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high value pre-boot authentication software, including the latest Microsoft disk encryption technology : Microsoft Vista's Bitlocker, with TPM chip enabled. Because Pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interruptions responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input including plain text passwords remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer can lead to computer reboot without console access and full security bypass of the pre-boot authentication pin if an attacker has enough privileges to modify the bootloader. Other related work include information leakage from CPU caches, reading physical memory thanks to firewire and switching CPU modes.

The document discusses how modern Intel CPUs contain debugging features like JTAG that could enable hardware trojans if activated. It describes how the Intel Direct Connect Interface allows activating JTAG-like debugging over USB, potentially allowing full system control. It demonstrates activating DCI on a laptop through the UEFI and explains how to detect if DCI is enabled. The document warns that DCI could lead to a "new age of BadUSB" if used maliciously.

d i g i t a l i n v e s t i g a t i o n 6 ( 2 0 1 0 ) 9 5 – 1 0 3 a v a i l a b l e a t w w w . s c i e n c e d i r e c t . c o m j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / d i i n Using a software exploit to image RAM on an embedded system J.R. Rabaiotti*, C.J. Hargreaves Centre for Forensic Computing and Security, Cranfield University, Shrivenham, UK a r t i c l e i n f o Article history: Received 15 December 2009 Received in revised form 8 January 2010 Accepted 19 January 2010 Keywords: Memory imaging Live forensics Exploits Games consoles Xbox * Corresponding author. E-mail addresses: [email protected] 1 Microsoft did eventually supply some completed. None of the information provide 1742-2876/$ – see front matter ª 2010 Elsevi doi:10.1016/j.diin.2010.01.005 a b s t r a c t The research in this paper is the result of a court case involving copyright infringement, specifically, a request for expert evidence regarding the proportion of copyrighted data present in the RAM of a games console. This paper presents a novel method to image the memory of an embedded device (a games console) where normal software and hardware memory imaging techniques are not possible. The paper describes how a buffer overflow exploit can be used in order to execute custom code written to create an image of the console’s memory. While this work is concerned with the Microsoft Xbox, the principles of vulnerability enabled data acquisition could be extended to other embedded devices, including other consoles, smart phones and PDAs. ª 2010 Elsevier Ltd. All rights reserved. 1. Introduction (such as a pirated game) that would otherwise be prevented This paper describes research conducted as a result of a case at the Court of Appeal involving the sale of ‘modchips’ for games consoles, specifically the original Microsoft Xbox, the Sony PlayStation 2 and the Nintendo GameCube. One aspect of the case was concerned with whether a modchip counted as a ‘device for circumventing an Effective Technological Measure’ (ETM) within the meaning of Section 296ZA of the Copyright, Designs and Patents Act 1988 (as amended), which makes it a criminal offence to sell such devices. This was not clear-cut, since the modchips did not enable the production of a physical copy of a console game from its original protected optical disc onto another permanent storage medium. However, the Crown argued at the original trial that the modchip caused an infringing copy to be made in the console’s RAM since it permitted the execution of a program .uk (J.R. Rabaiotti), c.j.har technical information ab d is included in this pape er Ltd. All rights reserved from executing by the ETM. This point was disputed by the appellant, and so the court asked for expert evidence, specif- ically concerning the proportion of the contents of a game disc that would typically be copied into RAM during the execution of a game. In many cases of t.

Uploaded as a courtesy by: Dave Sweigert

Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past, these low level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system. Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform: GB-BSi7H-6500 – firmware version: vF6 (2016/05/18) GB-BXi7-5775 – firmware version: vF2 (2016/07/19)

Presentation from ESET researchers Eugene Rodionov and David Harley, featured by Alex Matrosov about the history and evolution of bootkits.

This document discusses bootloaders for embedded systems. It defines a bootloader as the first code executed after a system powers on or resets that is responsible for loading the operating system kernel. The document then describes the tasks of a bootloader like initializing hardware, loading binaries from storage, and providing a shell. It outlines the booting process differences between desktops and embedded systems. Finally, it focuses on the universal bootloader U-Boot, describing its directory structure, configuration, building process, and commands.

This talk was presented during European coreboot Conference 2017 in Bochum. In this talk we walk through procedures required for enabling TPM 2.0 using LPC interface. We implemented that support as part of our ongoing maintainances of PC Engines apu series (AMD G-series) platform. Video is available here: https://youtu.be/Yjb9n5p3giI

This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.