Date:      Fri, 24 Mar 2017 23:28:46 -0400
From:      grarpamp <grarpamp@gmail.com>
To:        freebsd-security@freebsd.org
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Filtering Against Persistent Firmware Rootkits - BadUSB, HDDHack, UEFI
Message-ID:  <CAD2Ti2-XTRTw1KXfVxqCyRASG6R95Zd6fyrt6jqnSucV0Ve=XA@mail.gmail.com>
In-Reply-To: <CAD2Ti28Lh7hr=kD0UbrDGm6rfCyNqd8%2BZvGJ=Do8etbU1gyTSQ@mail.gmail.com>
References:  <CAD2Ti28Lh7hr=kD0UbrDGm6rfCyNqd8%2BZvGJ=Do8etbU1gyTSQ@mail.gmail.com>

Over two years ago this "trojans in the firmware" was mentioned here.

These attacks are real and are in the wild. They are created and
used by various hats from adversary to researcher to miscreant...
and ultimately can end up passing unwittingly through degrees of
separation to and among you and your peers over daily sharing and
other physical transactions, use of unaudited application and systems
code, dual booting, parking lot attacks, computer labs, libraries,
component swapping, etc.

Some mitigation may be possible through kernel filtering modes...

- Filter and log all known firmware / bios writing opcodes.
- Filter and log all opcodes except those required for daily use,
 such as: read, write, erase unit, inquiry, reset, etc.
- Filter and log all opcodes except those in some user defined
 rulesets. Default permit / deny, the usual schemes.

In a securelevel, this may provide some resistance and extra steps
of defense in depth to attacks that presume they have direct access
to firmware without needing to smash the kernel further beyond root
(also, root access is foolishly yet often available to users).

FreeBSD should consider addressing any opportunities to further
inhibit these attack vectors. Details via links below.


(CC'd to a few lists to promote general awareness.
Replies are perhaps best made only to freebsd-security@ .
This post is what people were replying to but never made it.)


# CAM - hdd, tape, optical, etc
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://spritesmods.com/?art=hddhack
http://s3.eurecom.fr/~zaddach/
https://www.ibr.cs.tu-bs.de/users/kurmus/
https://www.malwaretech.com/2015/04/hard-disk-firmware-hacking-part-1.html
https://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html
http://web.archive.org/web/20150615181236/http://malwaretech.net/MTSBK.pdf
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
http://web.archive.org/web/20130228090611/http://www.recover.co.il/SA-cover/SA-cover.pdf
http://www.spiegel.de/media/media-35661.pdf

# USB
https://opensource.srlabs.de/projects/badusb
https://github.com/robertfisk/USG/wiki

# BIOS, UEFI
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

# CPU
http://inertiawar.com/microcode/
https://wiki.archlinux.org/index.php/microcode
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3a-part-1-manual.pdf
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

# FreeBSD, UFS - supported
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-iratemonk.jpg
https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-swap.jpg
http://leaksource.files.wordpress.com/2013/12/nsa-ant-sierramontana.jpg

# various
https://en.wikipedia.org/wiki/NSA_ANT_catalog
https://firmwaresecurity.com/
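A user-space model of the opcode filter proposed in the post, added here as an example; it is not code from the post, from FreeBSD or from CAM, and it assumes nothing about the in-kernel hook that would call it. The rule table holds one entry per SCSI opcode and one per ATA command, each either "no rule" (fall back to the default permit/deny) or an explicit action, and every decision produces a log line. SCSI opcode and ATA command values are the standard ones (WRITE BUFFER and ATA DOWNLOAD MICROCODE are the usual firmware-download paths; ATA PASS-THROUGH tunnels a raw ATA command that must be checked too). The sample CDBs in main() are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard SCSI opcodes (first CDB byte). */
#define SCSI_TEST_UNIT_READY 0x00
#define SCSI_REQUEST_SENSE   0x03
#define SCSI_INQUIRY         0x12
#define SCSI_READ_CAPACITY10 0x25
#define SCSI_READ10          0x28
#define SCSI_WRITE10         0x2A
#define SCSI_SYNC_CACHE10    0x35
#define SCSI_WRITE_BUFFER    0x3B  /* firmware (microcode) download on SCSI devices */
#define SCSI_ATA_PASSTHRU16  0x85  /* tunnels a raw ATA command; inner command at byte 14 */
#define SCSI_READ16          0x88
#define SCSI_WRITE16         0x8A
#define SCSI_ATA_PASSTHRU12  0xA1  /* tunnels a raw ATA command; inner command at byte 9 */

/* Standard ATA commands that may arrive inside a pass-through CDB. */
#define ATA_DOWNLOAD_MICROCODE 0x92
#define ATA_SMART              0xB0
#define ATA_IDENTIFY_DEVICE    0xEC

enum action { ACT_DENY = 0, ACT_PERMIT = 1 };

/* One rule table per command space: -1 = no explicit rule, else an enum action. */
struct ruleset {
    enum action default_action;
    int8_t scsi[256];
    int8_t ata[256];
};

void ruleset_init(struct ruleset *rs, enum action dflt)
{
    rs->default_action = dflt;
    memset(rs->scsi, -1, sizeof rs->scsi);   /* 0xFF bytes == -1 as int8_t */
    memset(rs->ata, -1, sizeof rs->ata);
}

void rule_scsi(struct ruleset *rs, uint8_t op, enum action a) { rs->scsi[op] = (int8_t)a; }
void rule_ata(struct ruleset *rs, uint8_t cmd, enum action a) { rs->ata[cmd] = (int8_t)a; }

static enum action lookup(const int8_t *table, uint8_t key, enum action dflt)
{
    return table[key] < 0 ? dflt : (enum action)table[key];
}

/* Decide whether a CDB may pass; every decision is written to logbuf as one line. */
enum action filter_cdb(const struct ruleset *rs, const uint8_t *cdb, size_t len,
                       char *logbuf, size_t logsz)
{
    if (len == 0) {
        snprintf(logbuf, logsz, "DENY empty CDB");
        return ACT_DENY;
    }
    uint8_t op = cdb[0];
    enum action a = lookup(rs->scsi, op, rs->default_action);

    /* Pass-through opcodes carry a second command: check it before permitting. */
    if (a == ACT_PERMIT && (op == SCSI_ATA_PASSTHRU16 || op == SCSI_ATA_PASSTHRU12)) {
        size_t idx = (op == SCSI_ATA_PASSTHRU16) ? 14 : 9;
        if (len <= idx) {   /* too short to contain the inner command: fail closed */
            snprintf(logbuf, logsz, "DENY scsi=0x%02X truncated pass-through CDB", op);
            return ACT_DENY;
        }
        uint8_t ata = cdb[idx];
        a = lookup(rs->ata, ata, rs->default_action);
        snprintf(logbuf, logsz, "%s scsi=0x%02X ata=0x%02X (%s)",
                 a == ACT_PERMIT ? "PERMIT" : "DENY", op, ata,
                 rs->ata[ata] < 0 ? "default" : "rule");
        return a;
    }
    snprintf(logbuf, logsz, "%s scsi=0x%02X (%s)",
             a == ACT_PERMIT ? "PERMIT" : "DENY", op,
             rs->scsi[op] < 0 ? "default" : "rule");
    return a;
}

/* The post's "daily use" mode: default deny, permit only basic I/O and identification. */
void ruleset_daily_use(struct ruleset *rs)
{
    static const uint8_t permit[] = { SCSI_TEST_UNIT_READY, SCSI_REQUEST_SENSE, SCSI_INQUIRY,
                                      SCSI_READ_CAPACITY10, SCSI_READ10, SCSI_WRITE10,
                                      SCSI_SYNC_CACHE10, SCSI_READ16, SCSI_WRITE16,
                                      SCSI_ATA_PASSTHRU16, SCSI_ATA_PASSTHRU12 };
    ruleset_init(rs, ACT_DENY);
    for (size_t i = 0; i < sizeof permit; i++)
        rule_scsi(rs, permit[i], ACT_PERMIT);
    /* Pass-through only for identify/health queries; microcode download is denied
       explicitly so that flipping the default to permit still cannot open it. */
    rule_ata(rs, ATA_IDENTIFY_DEVICE, ACT_PERMIT);
    rule_ata(rs, ATA_SMART, ACT_PERMIT);
    rule_ata(rs, ATA_DOWNLOAD_MICROCODE, ACT_DENY);
}

int main(void)
{
    struct ruleset rs;
    char line[96];
    ruleset_daily_use(&rs);
    /* Constructed sample CDBs: only the opcode and inner-command bytes matter here. */
    uint8_t read10[10] = { SCSI_READ10 };
    uint8_t wbuf[10]   = { SCSI_WRITE_BUFFER };
    uint8_t pt16[16]   = { SCSI_ATA_PASSTHRU16 };
    pt16[14] = ATA_DOWNLOAD_MICROCODE;
    filter_cdb(&rs, read10, sizeof read10, line, sizeof line); puts(line);
    filter_cdb(&rs, wbuf, sizeof wbuf, line, sizeof line);     puts(line);
    filter_cdb(&rs, pt16, sizeof pt16, line, sizeof line);     puts(line);
    return 0;
}
```

The log line records whether a decision came from an explicit rule or from the default, which is what an operator needs when tuning a default-deny ruleset on a system where some legitimate tool suddenly stops working.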
