From owner-freebsd-questions@freebsd.org Wed Mar 22 08:57:10 2017
From: grarpamp
Date: Wed, 22 Mar 2017 04:56:28 -0400
Subject: Filtering Against Persistent Firmware Rootkits - BadUSB, HDDHack, UEFI
To: freebsd-security@freebsd.org
Cc: freebsd-hardware@freebsd.org, freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org

Over two years ago this "trojans in the firmware" was mentioned.

These attacks are real and are in the wild. They are created and used by various hats from adversary to researcher to miscreant... and ultimately can end up passing unwittingly through degrees of separation to and among you and your peers over daily sharing and other physical transactions, use of unaudited application and systems code, dual booting, parking lot attacks, computer labs, libraries, component swapping, etc.

Some mitigation may be possible through kernel filtering modes...

- Filter and log all known firmware / bios writing opcodes.
- Filter and log all opcodes except those required for daily use, such as: read, write, erase unit, inquiry, reset, etc.
- Filter and log all opcodes except those in some user defined rulesets. Default permit / deny, the usual schemes.

In a securelevel, this may provide some resistance and extra steps of defense in depth to attacks that presume they have direct access to firmware without needing to smash the kernel further beyond root (also, root access is foolishly yet often available to users).

FreeBSD should consider addressing any opportunities to further inhibit these attack vectors. Details via links below.

(CC'd to a few lists to promote general awareness. Replies are perhaps best made only to freebsd-security@ .)

# CAM - hdd, tape, optical, etc
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://spritesmods.com/?art=hddhack
http://s3.eurecom.fr/~zaddach/
https://www.ibr.cs.tu-bs.de/users/kurmus/
https://www.malwaretech.com/2015/04/hard-disk-firmware-hacking-part-1.html
https://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html
http://web.archive.org/web/20150615181236/http://malwaretech.net/MTSBK.pdf
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
http://web.archive.org/web/20130228090611/http://www.recover.co.il/SA-cover/SA-cover.pdf
http://www.spiegel.de/media/media-35661.pdf

# USB
https://opensource.srlabs.de/projects/badusb
https://github.com/robertfisk/USG/wiki

# BIOS, UEFI
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

# CPU
http://inertiawar.com/microcode/
https://wiki.archlinux.org/index.php/microcode
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3a-part-1-manual.pdf
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

# FreeBSD, UFS - supported
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-iratemonk.jpg
https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-swap.jpg
http://leaksource.files.wordpress.com/2013/12/nsa-ant-sierramontana.jpg

# various
https://en.wikipedia.org/wiki/NSA_ANT_catalog
https://firmwaresecurity.com/
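A small model of the opcode filtering modes proposed in the post, written as an added example that is not code from the email or from FreeBSD's CAM layer: a ruleset is a default verdict plus an exception list, each SCSI CDB is judged by its opcode byte, and denials are logged. The opcode values are the standard SPC/SBC ones (WRITE BUFFER is the SCSI firmware-download command, DOWNLOAD MICROCODE its ATA counterpart); the policy struct, function names and log line are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard SCSI opcodes (SPC/SBC). WRITE BUFFER carries firmware downloads;
 * on ATA the equivalent would be DOWNLOAD MICROCODE (0x92). */
#define OP_TEST_UNIT_READY 0x00
#define OP_INQUIRY         0x12
#define OP_READ10          0x28
#define OP_WRITE10         0x2A
#define OP_SYNC_CACHE      0x35
#define OP_WRITE_BUFFER    0x3B

enum verdict { PERMIT = 0, DENY = 1 };

/* Hypothetical ruleset: a default verdict plus the opcodes that get the opposite one. */
struct opcode_policy { enum verdict deflt; const uint8_t *listed; size_t nlisted; };

/* Decide one CDB by its opcode byte. Denials are logged; an empty CDB fails closed. */
enum verdict filter_cdb(const struct opcode_policy *p, const uint8_t *cdb, size_t len)
{
    if (len == 0)
        return DENY;
    uint8_t op = cdb[0];
    int listed = 0;
    for (size_t i = 0; i < p->nlisted; i++)
        if (p->listed[i] == op) { listed = 1; break; }
    enum verdict v = listed ? (p->deflt == PERMIT ? DENY : PERMIT) : p->deflt;
    if (v == DENY)
        fprintf(stderr, "cam-filter: denied opcode 0x%02x (cdb len %zu)\n", op, len);
    return v;
}

/* Convenience: judge a constructed 10-byte CDB that carries only the opcode. */
enum verdict check_opcode(const struct opcode_policy *p, uint8_t op)
{
    uint8_t cdb[10];
    memset(cdb, 0, sizeof cdb);
    cdb[0] = op;
    return filter_cdb(p, cdb, sizeof cdb);
}

/* Mode 1 from the post: default permit, deny the known firmware-writing opcode. */
static const uint8_t fw_writers[] = { OP_WRITE_BUFFER };
const struct opcode_policy deny_fw_writes = { PERMIT, fw_writers, 1 };

/* Mode 2 from the post: default deny, permit only daily-use opcodes. */
static const uint8_t daily_use[] = { OP_TEST_UNIT_READY, OP_INQUIRY, OP_READ10,
                                     OP_WRITE10, OP_SYNC_CACHE };
const struct opcode_policy daily_use_only = { DENY, daily_use, 5 };
```

The third mode from the post (user-defined rulesets) is the same structure with a different list and default; note that mode 1 lets FORMAT UNIT (0x04) through while mode 2 blocks it, which is the trade-off between the two defaults.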