grarpamp
2017-Mar-25 03:28 UTC
Filtering Against Persistent Firmware Rootkits - BadUSB, HDDHack, UEFI
Over two years ago this "trojans in the firmware" issue was mentioned here. These attacks are real and are in the wild. They are created and used by various hats, from adversary to researcher to miscreant... and ultimately can end up passing unwittingly through degrees of separation to and among you and your peers via daily sharing and other physical transactions, use of unaudited application and systems code, dual booting, parking lot attacks, computer labs, libraries, component swapping, etc.

Some mitigation may be possible through kernel filtering modes...

- Filter and log all known firmware / BIOS writing opcodes.
- Filter and log all opcodes except those required for daily use, such as: read, write, erase unit, inquiry, reset, etc.
- Filter and log all opcodes except those in some user-defined rulesets.

Default permit / deny, the usual schemes.

In a securelevel, this may provide some resistance and extra steps of defense in depth against attacks that presume they have direct access to firmware without needing to smash the kernel further beyond root (also, root access is foolishly yet often available to users).

FreeBSD should consider addressing any opportunities to further inhibit these attack vectors. Details via links below.

(CC'd to a few lists to promote general awareness. Replies are perhaps best made only to freebsd-security@ . This post is what people were replying to but never made it.)
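To make the three filtering modes above concrete, here is an added example (not code from the original post, and not a CAM or FreeBSD interface) of a user-space model of such a CDB policy check in C. It assumes a hypothetical `struct cdb_policy` holding a default verdict plus explicit allow/deny bitmaps, and it keys firmware detection on the standard SCSI WRITE BUFFER "download microcode" modes and on ATA DOWNLOAD MICROCODE tunnelled through ATA PASS-THROUGH, using the field offsets documented in SPC-4 and SAT. The sample CDBs at the bottom are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SCSI operation codes (SPC/SBC) and the ATA command that carries firmware. */
#define SCSI_TEST_UNIT_READY     0x00
#define SCSI_READ_6              0x08
#define SCSI_WRITE_6             0x0A
#define SCSI_INQUIRY             0x12
#define SCSI_MODE_SENSE_6        0x1A
#define SCSI_READ_10             0x28
#define SCSI_WRITE_10            0x2A
#define SCSI_SYNCHRONIZE_CACHE   0x35
#define SCSI_WRITE_BUFFER        0x3B
#define SCSI_ATA_PASS_THROUGH_16 0x85
#define SCSI_READ_16             0x88
#define SCSI_WRITE_16            0x8A
#define SCSI_ATA_PASS_THROUGH_12 0xA1
#define ATA_DOWNLOAD_MICROCODE   0x92

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/* Hypothetical ruleset: a default verdict plus explicit allow/deny bitmaps
 * over the 256 possible SCSI opcodes.  Not a CAM structure. */
struct cdb_policy {
    enum verdict dflt;
    uint8_t allow[32];
    uint8_t deny[32];
};

static void bitmap_set(uint8_t *bm, uint8_t op) { bm[op >> 3] |= (uint8_t)(1u << (op & 7)); }
static bool bitmap_test(const uint8_t *bm, uint8_t op) { return ((bm[op >> 3] >> (op & 7)) & 1u) != 0; }

void policy_allow(struct cdb_policy *p, uint8_t op) { bitmap_set(p->allow, op); }
void policy_deny(struct cdb_policy *p, uint8_t op)  { bitmap_set(p->deny, op); }

/* Mode 2 from the post: default deny, permit only everyday I/O. */
void policy_init_daily_use(struct cdb_policy *p)
{
    static const uint8_t daily[] = { SCSI_TEST_UNIT_READY, SCSI_INQUIRY, SCSI_READ_6, SCSI_WRITE_6,
                                     SCSI_READ_10, SCSI_WRITE_10, SCSI_READ_16, SCSI_WRITE_16,
                                     SCSI_SYNCHRONIZE_CACHE };
    memset(p, 0, sizeof(*p));
    p->dflt = VERDICT_DENY;
    for (size_t i = 0; i < sizeof daily; i++) policy_allow(p, daily[i]);
}

/* Mode 1 from the post, applied before any ruleset: true when the CDB is a
 * standard firmware-download path.  WRITE BUFFER modes 04h-07h and 0Dh-0Fh are
 * the "download microcode" variants (SPC-4); ATA PASS-THROUGH(16) carries the
 * ATA command in byte 14, ATA PASS-THROUGH(12) in byte 9 (SAT). */
static bool cdb_is_firmware_write(const uint8_t *cdb, size_t len)
{
    switch (cdb[0]) {
    case SCSI_WRITE_BUFFER: {
        if (len < 10) return true;                 /* truncated CDB: treat as hostile */
        uint8_t mode = cdb[1] & 0x1F;
        return (mode >= 0x04 && mode <= 0x07) || (mode >= 0x0D && mode <= 0x0F);
    }
    case SCSI_ATA_PASS_THROUGH_16:
        return len < 16 || cdb[14] == ATA_DOWNLOAD_MICROCODE;
    case SCSI_ATA_PASS_THROUGH_12:
        return len < 12 || cdb[9] == ATA_DOWNLOAD_MICROCODE;
    default:
        return false;
    }
}

/* Evaluate one CDB.  *reason receives a static string for the log line. */
enum verdict cdb_check(const struct cdb_policy *p, const uint8_t *cdb, size_t len, const char **reason)
{
    if (cdb == NULL || len == 0) { *reason = "empty CDB"; return VERDICT_DENY; }
    if (cdb_is_firmware_write(cdb, len)) { *reason = "firmware download opcode"; return VERDICT_DENY; }
    if (bitmap_test(p->deny, cdb[0]))  { *reason = "explicit deny rule";  return VERDICT_DENY; }
    if (bitmap_test(p->allow, cdb[0])) { *reason = "explicit allow rule"; return VERDICT_ALLOW; }
    *reason = (p->dflt == VERDICT_DENY) ? "default deny" : "default permit";
    return p->dflt;
}

/* Convenience wrappers: daily-use (default deny) and permissive (default permit,
 * firmware writes still blocked by the always-on check). */
enum verdict check_daily(const uint8_t *cdb, size_t len)
{
    struct cdb_policy p; const char *r;
    policy_init_daily_use(&p);
    return cdb_check(&p, cdb, len, &r);
}
enum verdict check_permissive(const uint8_t *cdb, size_t len)
{
    struct cdb_policy p = { VERDICT_ALLOW, {0}, {0} }; const char *r;
    return cdb_check(&p, cdb, len, &r);
}

int main(void)
{
    /* Constructed sample CDBs: READ(10), WRITE BUFFER download-and-save (mode 05h),
       WRITE BUFFER plain data write (mode 02h), ATA PASS-THROUGH(16) + DOWNLOAD MICROCODE. */
    const uint8_t read10[10] = { SCSI_READ_10, 0, 0, 0, 0, 0, 0, 0, 8, 0 };
    const uint8_t wb_fw[10]  = { SCSI_WRITE_BUFFER, 0x05, 0 };
    const uint8_t wb_dat[10] = { SCSI_WRITE_BUFFER, 0x02, 0 };
    uint8_t apt16[16] = { SCSI_ATA_PASS_THROUGH_16 }; apt16[14] = ATA_DOWNLOAD_MICROCODE;
    struct cdb_policy pol; const char *why;
    policy_init_daily_use(&pol);
    const uint8_t *samples[] = { read10, wb_fw, wb_dat, apt16 };
    const size_t lens[] = { 10, 10, 10, 16 };
    for (size_t i = 0; i < 4; i++) {
        enum verdict v = cdb_check(&pol, samples[i], lens[i], &why);
        printf("opcode 0x%02X: %s (%s)\n", samples[i][0], v == VERDICT_DENY ? "DENY" : "ALLOW", why);
    }
    return 0;
}
```

The firmware check runs before the ruleset so that even a default-permit profile cannot accidentally let a microcode download through, and truncated pass-through CDBs are treated as hostile rather than ignored; in a real kernel the `reason` string is what you would want in the log entry for each filtered command.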
# CAM - hdd, tape, optical, etc
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://spritesmods.com/?art=hddhack
http://s3.eurecom.fr/~zaddach/
https://www.ibr.cs.tu-bs.de/users/kurmus/
https://www.malwaretech.com/2015/04/hard-disk-firmware-hacking-part-1.html
https://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html
http://web.archive.org/web/20150615181236/http://malwaretech.net/MTSBK.pdf
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
http://web.archive.org/web/20130228090611/http://www.recover.co.il/SA-cover/SA-cover.pdf
http://www.spiegel.de/media/media-35661.pdf

# USB
https://opensource.srlabs.de/projects/badusb
https://github.com/robertfisk/USG/wiki

# BIOS, UEFI
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

# CPU
http://inertiawar.com/microcode/
https://wiki.archlinux.org/index.php/microcode
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3a-part-1-manual.pdf
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

# FreeBSD, UFS - supported
https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-iratemonk.jpg
https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html
http://leaksource.files.wordpress.com/2013/12/nsa-ant-swap.jpg
http://leaksource.files.wordpress.com/2013/12/nsa-ant-sierramontana.jpg

# various
https://en.wikipedia.org/wiki/NSA_ANT_catalog
https://firmwaresecurity.com/