22 May 2018
With more microcode patches expected in response to another Spectre variant, the difficult process of acquiring and applying firmware updates is starting again. While microcode updates for these vulnerabilities can be delivered either through UEFI firmware updates or through operating system packages, not all vendors have proven to be timely and thorough in distributing them.
Operating systems like Windows that do not permit users to manually apply microcode updates sourced directly from CPU vendors are particularly impacted. Because these microcode patches need to be applied early in the boot flow for the kernel to detect and enable the new capabilities they provide, existing drivers aren’t sufficient to ensure the new protections are enabled. Earlier this year, millions of users were without a way to apply security updates to their systems while waiting for either Microsoft or their motherboard vendor to issue an update containing the new microcode (a new UEFI firmware was released for one of my systems in May).
Fortunately, there’s an alternative to waiting for vendors to release microcode updates. Micro-Renovator replaces the bootloader on an EFI partition with an application that applies a microcode update before launching the OS bootloader. This gives end users the ability to load a microcode patch sourced directly from their processor vendor in a manner that enables the operating system to detect and enable Spectre mitigations.
MicroRenovator on Github
05 Apr 2018
After years of inactivity, the site has been moved from the old host to github.io,
improving both the appearance and usability. Unfortunately, this also means I can’t
use the terrible UI provided by the previous host as an excuse not to post anymore.
10 Feb 2018
Defending against firmware implants requires a different approach than what hardware vendors have
traditionally provided. Firmware signatures and secure boot implementations are designed to prevent
exploits, but don’t enable detection or recovery of firmware when they inevitably fail.
Fortunately, nearly every device has an existing mechanism to force it into a state which can be
used to restore the writable firmware components.
Shmoocon presentation of Securing BareMetal Hardware At Scale
06 Nov 2015
An overview of five methods for turning JTAG access into privileged software access on a system. Each
method is general enough to be broadly applicable across different hardware architectures and implementations.
44con presentation of Jtagsploitation
Jtagsploitation at Github
12 Sep 2015
Inspired by the NSA ANT catalog, the NSA Playset project aims to make cutting edge security tools more
accessible. SAVIORBURST and SOLDERPEEK are an implementation of a JTAG-based device and payload that
can be used to persistently compromise an implanted target system.
DEFCON 23 presentation of NSA Playset: JTAG Implants
SAVIORBURST at nsaplayset.org