This post introduces how one can start reverse engineering UEFI-based BIOS modules. Taking Absolute as an example, this post serves as a tutorial of BIOS module reverse engineering with free tools and approachable steps for beginners.
This post is not to explain how to disable or discover issues in Absolute.
With all the talk of using Rust to reduce memory unsafety bugs, such as Android using Rust in the Android Open Source Project, there’s a lot of extremely reasonable concern about the high cost of “rewriting it all in Rust” (or any other safer language), as it’s often phrased. Operating systems, web browsers, complex online services, and so on can be implemented with tens of millions of lines of C/C++ code. (Sometimes more.) Rewriting all that seems prohibitively expensive, and exacerbates what Alex Gaynor aptly calls grief — people stay in the denial stage longer when struck by the enormity of the memory unsafety problem.
Thankfully, replacing C/C++ with code in a safer language is not an all-or-nothing task. We can do it gradually; some parts we might never need to replace. Most safer languages can link in the same address space as C and/or C++, and call into and be called by C/C++. You can also normalize data structures such that the safe code handles arbitrary inputs, and the C/C++ code can focus on a single, simpler grammar.
People appear to enjoy the blog posts about me porting different compilers to OpenBSD. What I would like to do for the next couple of posts beginning with this one is to take a step back and de-complexify these programs. Both the D compiler and the GNU Modula-2 compiler are highly complex pieces of software. But at their core they are the exact same thing: a program that can create programs. We need not explore something so complex in order to learn how to create a program of our own that creates programs. In this series of blog posts, we will create two programs that will help us demystify programs that create programs: first, in this blog post, we will create a disassembler, or a program that reads a program and produces a higher-level representation (assembly); second, in a couple of subsequent blog posts, we will create an assembler, a program that understands that higher-level assembly language and produces a program from it.
Abuse of collaboration applications is not a new phenomenon and dates back to the early days of the internet. As new platforms and applications gain in popularity, attackers often develop ways to use them to achieve their mission objectives. Communications platforms like Telegram, Signal, WhatsApp and others have been abused over the past several years to spread malware, used for command and control communications, and otherwise leveraged for nefarious purposes.
CVE-2021-26708 is assigned to five race condition bugs in the virtual socket implementation of the Linux kernel. I discovered and fixed them in January 2021. In this article I describe how to exploit them for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP. Today I gave a talk at Zer0Con 2021 on this topic (slides).
I like this exploit. The race condition can be leveraged for very limited memory corruption, which I gradually turn into arbitrary read/write of kernel memory, and ultimately full power over the system. That’s why I titled this article “Four Bytes of Power.”
Given that the app is blowing up, I figure it’s a good time to roll out my periodic public service announcement: Signal was created and funded by a CIA spinoff. Yes, a CIA spinoff. Signal is not your friend.
Here are the cold hard facts.
Signal was developed by Open Whisper Systems, a for-profit corporation run by “Moxie Marlinspike,” a tall, lanky cryptographer who has a head full of dreadlocks and likes to surf and sail his boat. Moxie was an old friend of Tor’s now-banished chief radical promotor Jacob Appelbaum, and he’s played a similar fake-radical game — although he’s never been able to match Jake’s raw talent and dedication to the art of the con. Still, Moxie wraps himself in air of danger and mystery and hassles reporters about not divulging any personal information, not even his age. He constantly talks up his fear of Big Brother and tells stories about his FBI file.
So how big a threat is Moxie to the federal government?
I found and reported this vulnerability with @ginkoid.
This was actually the first report that paid out for me on HackerOne. At $35,000, it’s also the highest bounty I’ve received so far from HackerOne (and I believe the highest GitHub has paid out to date).
A lot of bugs seem to be a mix of both luck and intuition. In this blog post, I’ll illustrate my thought processes in approaching such a target.
A user in a low level hacking forum has published the phone numbers and personal data of hundreds of millions of Facebook users for free online.
The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.
Mandarin Chinese is the first foreign language I’m learning by myself, and I’m surprised there are so few universal best practices. Resources with hacks and tricks(like http://hackingchinese.com for Chinese) are a great starting point, but they still leave room for delusions.
Here are some of mine.
Once upon a time, a government auditor insisted to me that keystroke loggers had to run as root, otherwise they would not function properly. So, I wrote a keystroke logger that ran as a normal user and showed it to him.
He wasn’t amused. He said that I was violating government IT policy by demonstrating the program to him.
Some time later, another auditor was adamant that I would not be able to copy files from his secure enclave computers onto the Internet. He said that he had strong network security measures in place. So, I wrote another small program to copy files from his enclave computers onto the Internet.
He wasn’t amused either, but was far more appreciative when I showed him how it worked.
I’ve previously blogged about the possible backdoor threat to curl. This post might be a little repeat but also a refresh and renewed take on the subject several years later, in the shadow of the recent PHP backdoor commits of March 28, 2021. Nowadays, “supply chain attacks” is a hot topic.
Since you didn’t read that PHP link: an unknown project outsider managed to push a commit into the PHP master source code repository with a change (made to look as if done by two project regulars) that obviously inserted a backdoor that could execute custom code when a client tickled a modified server the right way.
The Wikipedia pages devoted to the Culture, a fictional civilization created by the Scottish writer Iain M. Banks, are fabulously extensive. The main article is about nine thousand words long, and contains links to more than thirty other pages that provide more detail on the various aspects of Banks’s imaginary world. (I would not be at all surprised if Banks himself, in the writing of Culture novels, consulted Wikipedia to ensure consistency with his previous work.) For purposes of comparison, it might be noted that the main page on Jane Austen is a little shorter and with fewer links to other Austen-related pages. Yet there are certainly far fewer readers of Iain M. Banks than of Jane Austen. How are we to account for this discrepancy?
The “eureka” or “aha” moment of insight is legendary in math and science, dating at least two millenniums back to the possibly apocryphal story of Archimedes rushing naked out of a bath, having hit upon the crucial idea for figuring out the composition of King Hiero’s crown. Many scientific discoveries have been credited to such moments, from Newton’s theory of gravity to Einstein’s. These “aha” insights often seem to emerge from a calm, Zen-like state, in which you’re not directly addressing the problem but it’s floating around in your mind.
But the problem needs to cooperate too. Many math and science problems require long, hard calculations, but some lend themselves to insight-given solutions. In these rare cases, a fresh perspective can suddenly provide clarity, reducing complexity to simplicity in a convincing and memorable way. Puzzles 1 and 3 from last month’s Insights column were of this type, while Puzzle 2 only seemed to be — a simple, clear resolution remained elusive. Let’s look at the easier pair first. In each case we will use a Zen-like aphorism which can be linked to a specific mathematical solving technique.
I have once stumbled upon an interesting article from 2018 published on retrocmp.de, discussing about provisions on connecting an 8″ floppy disk drive to a PC. You know, those huge “boat anchors” that accept flexible disks just four inches shy of an LP record, in exchange of a couple of hundred kilobytes data storage. That sort of type. The experiment there was to connect that big ol’ mainframe-era drive to a normal PC, as to be used under DOS as an archival tool. In 2019, the author got mixed results from his experiments: he was able to fool the system BIOS, tricking the 8″ drive to work with a geometry that of a 5 1/4″ 1,2MB DS HD drive. For the rest, he’d use a proprietary controller card paired with some paid software.
As a follow-up to his article, I’ve decided to tinker around on how to have fun with these clunkin’ beasts using a classic PC equipped with a vanilla floppy-disk controller (FDC); without any commercial hardware, software, or some USB controlled thing-a-magic with Windows 10 support. Besides, 8 inch drives predate PCs as we know them, and classic floppy drives with PCs were mostly used during the DOS/Win9x decades. Behold!
In the last days, I read the Qt Interest mailing list and was amazed about the very verbose discussion there about what is all bad with Qt in general and Qt 6. As for any mailing list discussion, that is not representative, but if you just read that, the world looks bleak.
A short (personal) digest could read like: Qt 5 => 6 is horrible, the Qt project (and company) doesn’t care for their (open source and other) users and the future is doomed for Qt.
One of the double-edged swords about having done some of this work for a while is that I have a bunch of random things that I take for granted. These are mostly just bits of data and other knowledge that I picked up a long time ago and don’t even talk about any more. This is actually a bad thing in certain situations, since everyone comes from a slightly different place in terms of what they know and do and their specialties.
To give an example, last month I wrote about some complaints I had about programs encountered in the real world. One of them was about garbage collection and how I didn’t like it. Some people wrote in seemingly unaware that their language of choice had it. This blew my mind since when I think of that language, “it uses GC” is right up there next to “it runs on a virtual machine”. It practically defines the thing for me, given that I’ve had to deal with it making my life interesting at times…
Three years ago, Spectre changed the way we think about security boundaries on the web. It quickly became clear that flaws in modern processors undermined the guarantees that web browsers could make about preventing data leaks between applications. As a result, web browser vendors have been continuously collaborating on approaches intended to harden the platform at scale. Nevertheless, this class of attacks still remains a concern and requires web developers to deploy application-level mitigations.
By sharing our findings with the security community, we aim to give web application owners a better understanding of the impact Spectre vulnerabilities can have on the security of their users’ data. Finally, this post describes the protections available to web authors and best practices for enabling them in web applications, based on our experience across Google.