From owner-freebsd-hackers@freebsd.org Sat Mar 25 03:29:27 2017
From: grarpamp
Date: Fri, 24 Mar 2017 23:28:46 -0400
Subject: Re: Filtering Against Persistent Firmware Rootkits - BadUSB, HDDHack, UEFI
To: freebsd-security@freebsd.org
Cc: freebsd-hackers@freebsd.org

Over two years ago this "trojans in the firmware" was mentioned here.

These attacks are real and are in the wild. They are created and used by
various hats from adversary to researcher to miscreant... and ultimately
can end up passing unwittingly through degrees of separation to and among
you and your peers over daily sharing and other physical transactions,
use of unaudited application and systems code, dual booting, parking lot
attacks, computer labs, libraries, component swapping, etc.

Some mitigation may be possible through kernel filtering modes...

- Filter and log all known firmware / bios writing opcodes.
- Filter and log all opcodes except those required for daily use, such as:
  read, write, erase unit, inquiry, reset, etc.
- Filter and log all opcodes except those in some user defined rulesets.

Default permit / deny, the usual schemes.

In a securelevel, this may provide some resistance and extra steps of
defense in depth to attacks that presume they have direct access to
firmware without needing to smash the kernel further beyond root (also,
root access is foolishly yet often available to users).
FreeBSD should consider addressing any opportunities to further inhibit
these attack vectors. Details via links below.

(CC'd to a few lists to promote general awareness. Replies are perhaps
best made only to freebsd-security@ . This post is what people were
replying to but never made it.)

# CAM - hdd, tape, optical, etc
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://spritesmods.com/?art=hddhack
http://s3.eurecom.fr/~zaddach/
https://www.ibr.cs.tu-bs.de/users/kurmus/
https://www.malwaretech.com/2015/04/hard-disk-firmware-hacking-part-1.html
https://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html
http://web.archive.org/web/20150615181236/http://malwaretech.net/MTSBK.pdf
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
http://web.archive.org/web/20130228090611/http://www.recover.co.il/SA-cover/SA-cover.pdf
http://www.spiegel.de/media/media-35661.pdf

# USB
https://opensource.srlabs.de/projects/badusb
https://github.com/robertfisk/USG/wiki

# BIOS, UEFI
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

# CPU
http://inertiawar.com/microcode/
https://wiki.archlinux.org/index.php/microcode
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3a-part-1-manual.pdf
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

# FreeBSD, UFS - supported
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-iratemonk.jpg
https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-swap.jpg
http://leaksource.files.wordpress.com/2013/12/nsa-ant-sierramontana.jpg

# various
https://en.wikipedia.org/wiki/NSA_ANT_catalog
https://firmwaresecurity.com/
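The kernel filtering modes proposed in the message (deny the known firmware-writing opcodes, or deny everything except a daily-use set, each with logging and a default permit/deny), modelled as an added example in C. This is not code from the post or from FreeBSD's CAM subsystem: the opcode values are the standard SCSI (SPC/SBC) and ATA (ACS) ones, while the rulesets, sample CDBs and log format are constructed for the example. It also covers the caveat a practitioner would want: a filter keyed only on the SCSI opcode byte has to look inside ATA PASS-THROUGH CDBs as well, because DOWNLOAD MICROCODE can be carried there, and a pass-through CDB too short to inspect is denied under every ruleset.

```c
/*
 * Added example, not from the post or from FreeBSD's CAM layer: a userland
 * model of the proposed opcode filtering modes. Opcode values are the
 * SPC/SBC/ACS ones; rulesets, sample CDBs and log format are constructed.
 */
#include <stdint.h>
#include <stdio.h>
enum policy { DENY = 0, PERMIT = 1 };
#define SCSI_INQUIRY             0x12   /* SCSI CDB opcodes (SPC/SBC) */
#define SCSI_READ_10             0x28
#define SCSI_WRITE_10            0x2A
#define SCSI_WRITE_BUFFER        0x3B   /* microcode download path in SPC */
#define SCSI_ATA_PASS_THROUGH_16 0x85   /* ATA command byte is CDB[14] */
#define SCSI_ATA_PASS_THROUGH_12 0xA1   /* ATA command byte is CDB[9] */
#define ATA_READ_DMA_EXT           0x25 /* ATA commands (ACS) */
#define ATA_DOWNLOAD_MICROCODE     0x92
#define ATA_DOWNLOAD_MICROCODE_DMA 0x93
#define NELEM(a) (sizeof (a) / sizeof (a)[0])

struct opcode_rule { uint8_t opcode; enum policy action; };
struct ruleset {
    const char *name;
    enum policy default_action;                    /* used when no rule matches */
    const struct opcode_rule *scsi; size_t nscsi;  /* keyed on CDB[0] */
    const struct opcode_rule *ata;  size_t nata;   /* keyed on the ATA command inside a pass-through */
};

/* Mode 1 of the post: permit by default, deny the known firmware writers. The ATA
 * rules stop DOWNLOAD MICROCODE from being tunnelled through ATA PASS-THROUGH. */
static const struct opcode_rule fw_scsi[] = { { SCSI_WRITE_BUFFER, DENY } };
static const struct opcode_rule fw_ata[]  = { { ATA_DOWNLOAD_MICROCODE, DENY },
                                              { ATA_DOWNLOAD_MICROCODE_DMA, DENY } };
const struct ruleset fw_blocklist = { "fw-blocklist", PERMIT,
                                      fw_scsi, NELEM(fw_scsi), fw_ata, NELEM(fw_ata) };

/* Mode 2 of the post: deny by default, permit only daily-use opcodes.
 * ATA PASS-THROUGH is deliberately unlisted and so falls to the default. */
static const struct opcode_rule daily_scsi[] = { { SCSI_INQUIRY, PERMIT },
    { SCSI_READ_10, PERMIT }, { SCSI_WRITE_10, PERMIT } };
const struct ruleset daily_allowlist = { "daily-allowlist", DENY,
                                         daily_scsi, NELEM(daily_scsi), NULL, 0 };

/* Constructed sample CDBs; only byte 0 and the encapsulated ATA command matter here. */
const uint8_t cdb_write10[10]      = { SCSI_WRITE_10, 0, 0, 0, 0, 0x10, 0, 0, 8, 0 };
const uint8_t cdb_write_buffer[10] = { SCSI_WRITE_BUFFER, 0x07, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t cdb_pt16_dlmc[16]    = { SCSI_ATA_PASS_THROUGH_16, 0x0A, 0x06, 0, 0, 0, 0, 0,
                                       0, 0, 0, 0, 0, 0, ATA_DOWNLOAD_MICROCODE, 0 };
const uint8_t cdb_pt12_read[12]    = { SCSI_ATA_PASS_THROUGH_12, 0x0C, 0x0E, 0, 1, 0, 0, 0,
                                       0, ATA_READ_DMA_EXT, 0, 0 };

static int lookup(const struct opcode_rule *r, size_t n, uint8_t op, enum policy *out)
{
    for (size_t i = 0; i < n; i++)
        if (r[i].opcode == op) { *out = r[i].action; return 1; }
    return 0;
}

/* ATA command byte in a pass-through CDB, or -1 if not a pass-through or too short. */
int ata_command_from_cdb(const uint8_t *cdb, size_t len)
{
    if (len >= 16 && cdb[0] == SCSI_ATA_PASS_THROUGH_16) return cdb[14];
    if (len >= 12 && cdb[0] == SCSI_ATA_PASS_THROUGH_12) return cdb[9];
    return -1;
}

/* Every decision, permit or deny, is logged with the rule that produced it. */
static enum policy logit(const struct ruleset *rs, uint8_t op, int ata, enum policy p, const char *why)
{
    if (ata >= 0) printf("[%s] opcode 0x%02x ata 0x%02x: ", rs->name, op, ata);
    else          printf("[%s] opcode 0x%02x: ", rs->name, op);
    printf("%s (%s)\n", p == PERMIT ? "PERMIT" : "DENY", why);
    return p;
}

enum policy filter_cdb(const struct ruleset *rs, const uint8_t *cdb, size_t len)
{
    enum policy p;
    if (len == 0) return logit(rs, 0, -1, DENY, "empty CDB");
    uint8_t op = cdb[0];
    if (op == SCSI_ATA_PASS_THROUGH_16 || op == SCSI_ATA_PASS_THROUGH_12) {
        int ata = ata_command_from_cdb(cdb, len);
        if (ata < 0) return logit(rs, op, -1, DENY, "truncated pass-through, fail closed");
        if (lookup(rs->ata, rs->nata, (uint8_t)ata, &p)) return logit(rs, op, ata, p, "ata rule");
    }
    if (lookup(rs->scsi, rs->nscsi, op, &p)) return logit(rs, op, -1, p, "scsi rule");
    return logit(rs, op, -1, rs->default_action, "ruleset default");
}

int main(void)
{
    const struct ruleset *sets[] = { &fw_blocklist, &daily_allowlist };
    for (size_t i = 0; i < NELEM(sets); i++) {
        filter_cdb(sets[i], cdb_write10, sizeof cdb_write10);
        filter_cdb(sets[i], cdb_write_buffer, sizeof cdb_write_buffer);
        filter_cdb(sets[i], cdb_pt16_dlmc, sizeof cdb_pt16_dlmc);
        filter_cdb(sets[i], cdb_pt12_read, sizeof cdb_pt12_read);
        filter_cdb(sets[i], cdb_pt16_dlmc, 12);   /* truncated pass-through */
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; each line of output is one logged decision under one of the two rulesets. In a real kernel implementation the decision would be taken where CAM hands a CCB to the SIM and the ruleset would be frozen under securelevel as the post suggests; that placement is an assumption of this example, not something the post specifies.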