SYNCSRC Verifiably Insecure

Micro-Renovator, a microcode updater

With more microcode patches expected in response to another Spectre variant, the difficult process of acquiring and applying firmware updates is starting again. While microcode updates for these vulnerabilities can be delivered through either updates to UEFI firmware or Operating System packages, not all vendors have proven to be timely and thorough in distributing these updates.

Operating systems like Windows that do not permit users to manually apply microcode updates sourced directly from CPU vendors are particularly impacted. Because these microcode patches need to be applied early in the boot flow for the kernel to detect and enable the new capabilities they provide, existing drivers aren’t sufficient to ensure the new protections are enabled. Earlier this year, millions of users were without a way to apply security updates to their systems while waiting for either Microsoft or their motherboard vendor to issue an update containing the new microcode (a new UEFI firmware was released for one of my systems in May).

Fortunately, there’s an alternative to waiting for vendors to release microcode updates. Micro-Renovator replaces the bootloader on an EFI partition with an application that applies a microcode update before launching the OS bootloader. This gives end-users the ability to load a microcode patch directly from the their processor vendor in a manner that enables the operating system to detect and enable Spectre mitigations.

MicroRenovator on Github

New Website

After years of inactivity, the site has been moved from the old host to github.io, improving both the appearance and usability. Unfortunately, this also means I can’t use the terrible UI provided by the previous host as an excuse not to post anymore.

Securing BareMetal at Shmoocon 2018

Defending against firmware implants requires a different approach than what hardware vendors have traditionally provided. Firmware signatures and secure boot implementations are designed to prevent exploits, but don’t enable detection or recovery of firmware when they inevitably fail.

Fortunately, nearly every device has an existing mechanism to force it into a state which can be used to restore the writable firmware components.

Shmoocon presentation of Securing BareMetal Hardware At Scale

Slides

Jtagsploitation at 44con 2015

An overview of five methods for how to turn JTAG access into privileged software access on a system. Each method is general enough to be broadly applicable across different hardware architectures and implementations.

44con presentation of Jtagsploitation

Jtagsploitation at Github

JTAG Implants at DEFCON 23

Inspired by the NSA ANT catalog, the NSA Playset project aims to make cutting edge security tools more accessible. SAVIORBURST and SOLDERPEEK are an implementation of a JTAG-based device and payload that can be used to persistently compromise an implanted target system.

DEFCON 23 presentation of NSA Playset: JTAG Implants

SAVIORBURST at nsaplayset.org