[Presentation] Analytics, and Scalability, and UEFI Exploitation! Oh my! (Infiltrate 2014)
[Video] Infiltrate 2014 demonstration of a subzero exploitation workflow
[Github] Subzero firmware (UEFI) analysis platform
[Github] UEFI Firmware Parser, a general UEFI-focused firmware manipulation python module
Subzero is term for environments, protocols, architectures, and code running below the traditional ring 0 concept of an operating system kernel. This firmware-like code is traditionally thought to be difficult to analyze, exploit, or defend. There are epic researchers and research projects creating security around this world! This research attempts to augment the area by exploring the heterogenious environments and platforms from big data perspective. Subzero analytics includes proof of concept exploitation workflows, analysis platforms for vulnerability discovery, and open source defensive services.
[Presentation] DIY: Using Trust to Secure Embedded Projects (Shmoocon 2013)
[Video] DIY: Using Trust to Secure Embedded Projects (Shmoocon 2013)
[Github] U-Boot Secure Boot using TPM
[Github] AT97SC3204T TPM Driver for Linux (U-Boot and UEFI also)
This set of interests/projects focuses on trust relationships in embedded devices. It begins with a series of embedded development curiosities and extends into trusted computing and chip security APIs, specifications, and implementations.
SkyNET - UAV Mobile Botmaster
The SkyNET project originated as a research idea for the impact of physical devices on botnet command and control. Could physical locality affect C2, more importantly, could it enhance botnet C2. The project used a proof-of-concept UAV as a proxy botmaster as an attempt to shield the real botmaster's interaction with the botnet. We were able to prove several of our hypothesises: (1) a malicious UAV can be a cost-effective tool for criminals, (2) the power consumption for a malicious UAV allows for sufficient time to perform both network and host based attacks, (3) in a metropolitan area, enough networks exist to conduct a statistically feasible attack for botnet recruitment.
The original paper was accepted to Usenix's Workshop on Offensive Technology (WOOT) in 2011. Minor work continued to enhance the UAV's performance and investigate the potential of using more cost and power efficient hardware. Of course, there are many more questions and investigations to be done with respect to hypothetically-malicious UAV platforms.
RTFn (Rock The Flag network)
RTFn is a project created to assist a new cyber Capture the Flag (CTF) teams organize their players and understand their strengths and weaknesses. When it was created RTFn was a modded netgear router that ran a VPN to connect to an Etherpad server. RTFn included Etherpad to allow collaborative editing per-CTF challenge. Finally, it included a set of lessons for used to bring the club up to speed, largely based on previous CTF challenge write-ups.
The project grew as we started asking more from it: what are our best types CTF challenges, how can we improve our performance, and are we learning anything. We wanted features to extract and report on this data so we proposed this as a research project. We created the idea and an proof-of-concept client and mined data from test-challenges to help prove that CTF-type challenges might be used in an educational setting to promote learning, and provide an assessment tool.
The proof-of-concept code, with some developmental changes, can be found on the project's SourceForge page. But more recently, we've moved from providing a tool for assessment, to a tool for collaboration. We want to now leverage the power of project management systems and Etherpad (with some GUI flavoring) to provide a simple CTF team whiteboard. This version of the tool, RTFn-lite, is still in conceptual development.