Tag Archives: Open Source Software

NSA Firmware Anti-Tamper Tech Will Be Made Publicly Available

Photo: GettyImages

CYBERSCOOP

A years-long project from researchers at the National Security Agency that could better protect machines from firmware attacks will soon be available to the public.

The project will increase security in machines essentially by placing a machine’s firmware in a container to isolate it from would-be attackers. 

______________________________________________________________________________

“A layer of protection is being added to the System Management Interrupt (SMI) handler — code that allows a machine to make adjustments on the hardware level — as part of the open source firmware platform Coreboot.

Eugene Myers, who works in the National Security Agency’s Laboratory for Advanced Cybersecurity, told CyberScoop that the end product — known as an SMI Transfer Monitor with protected execution (STM-PE) — will work with x86 processors that run Coreboot. Attackers are increasingly targeting firmware in order to run malicious attacks. Just last year, the first-ever documented UEFI rootkit was deployed in the wild, according to ESET researchers.

These types of attacks are particularly concerning because if an attacker compromises an endpoint’s firmware, they could gain control of the entire system. Many security software products do not detect firmware attacks.

“[Firmware] runs in a very privileged mode which means it has access to everything in the computer, which makes that piece of software very dangerous in, say, that an attacker can … put his software down there and he can do whatever he wants,” Myers said.

Intel security researcher Maggie Jauregui says firmware attacks are attractive to malicious actors because of how easy it is to avoid detection. When a device goes into the x86 processor mode in question (system management mode), the operating system and other applications get interrupted, making malicious firmware code difficult to detect. 

“All processing is interrupted for a very small period of time. So small that the user doesn’t even notice anything happened,” Jauregui said. “Malware [can] interrupt your OS and bypass every protection on your system to do pretty much whatever they want with it. You want passwords or secrets on your system? You got them. You want to run nefarious code? You can do that.”

The implementation Myers is building is intended to function as an anti-tamper technology, preventing this kind of nefarious activity. The STM is a hypervisor, meaning it can isolate physical hardware from a computer’s operating system and can prevent meddling with low-level code, such as power management.

“When [STM-PE is] run, it takes this code and puts it in a box such that it can only access the device system that it needs to access,” Myers said. “[The STM-PE] by that nature will improve the security of the system.”

Jauregui told CyberScoop she is excited about the open source Coreboot project, and the NSA’s contributions, because she says it should affect firmware security writ large since it will be open source.

“The big picture is defense. I think they are significantly increasing the bar of entry for any attacks, not just for U.S. citizens but across the board … That’s what I find to be powerful about these contributions,” Jauregui said. “I think they’re incentivizing everybody to increase their defenses.”

Coming to Linux, too

Although attackers are just starting to utilize firmware hacks, this particular NSA project has been in the works for approximately seven years, Myers tells CyberScoop.

“We had been working the STM internally … on a project and I came to my boss and said, ‘We can do this in the STM, I could put protected execution capability down there.’ And he says, ‘Oh, I didn’t realize you could do that,’” Myers explained.

The project picked up momentum when Intel released STM firmware that runs on its x86 platform as open source in 2015. Making it open source let the NSA build out the protected execution service.

“The Intel STM open sourcing allowed us to open source STM-PE,” Myers said. “What’s happened in the past is we’ve done a lot of one offs. By the time we [would be] done with the project everything’s obsolete. This way we don’t have to worry about obsolescence and being behind the curve.”

Just in the last few days, Myers told CyberScoop, he built out a way for anyone, even Linux users, to build their own implementation if they don’t want to rely on the NSA’s version.

“STM and STM-PE [could] only be built on a Microsoft Windows build system,” Myers said. “However, a huge portion of the open source community is on Linux, and this will make it available for them to directly build the STM.”

The Linux build system version is now available on GitHub. Myers’ contributions to the open source Coreboot project are still pending approvals.

The NSA has long contributed projects for public benefit, such as a secure version of Linux, SE Linux, or Ghidra, the malware reverse-engineering open source tool, which the NSA unveiled to the public earlier this year at the RSA conference.

You can read more about Myers’ work here.”

NSA Makes Powerful Reverse Engineering Cyber Security Tool Open Source


Image: NSA – Ghidra, a Powerful Cybersecurity Tool, Open Source

“WIRED”

“Reverse engineering is a crucial process for malware threat intelligence researchers working backward from malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from.

Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.”

_____________________________________________________________________________

“THE NATIONAL SECURITY Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.

You can’t use Ghidra to hack devices; it’s instead a reverse-engineering platform used to take “compiled,” deployed software and “decompile” it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does.

“If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end,” Joyce said. “Ghidra is a software reverse-engineering tool built for our internal use at NSA. We’re not claiming that this is the one that’s going to be replacing everything out there—it’s not. But it helped us address some things in our workflow.

Similar reverse-engineering products exist on the market, including a popular disassembler and debugger called IDA. But Joyce emphasized that the NSA has been developing Ghidra for years, with its own real-world priorities and needs in mind, which makes it a powerful and particularly usable tool. Products like IDA also cost money, whereas making Ghidra open source marks the first time that a tool of its caliber will be available for free—a major contribution in training the next generation of cybersecurity defenders. (Like other open source code, though, expect it to have some bugs.) Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.

The NSA announced Joyce’s RSA talk, and Ghidra’s imminent release, in early January. But knowledge of the tool was already public thanks to WikiLeaks’ March 2017 “Vault 7” disclosure, which discussed a number of hacking tools used by the CIA and repeatedly referenced Ghidra as a reverse-engineering tool created by the NSA. The actual code hadn’t seen the light of day, though, until Tuesday—all 1.2 million lines of it. Ghidra runs on Windows, MacOS, and Linux and has all the components security researchers would expect. But Joyce emphasized the tool’s customizability. It is also designed to facilitate collaborative work among multiple people on the same reversing project—a concept that isn’t as much of a priority in other platforms.

Ghidra also has user-interface touches and features meant to make reversing as easy as possible, given how tedious and generally challenging it can be. Joyce’s personal favorite? An undo/redo mechanism that allows users to try out theories about how the code they are analyzing may work, with an easy way to go back a few steps if the idea doesn’t pan out.

The NSA has made other code open source over the years, like its Security-Enhanced Linux and Security-Enhanced Android initiatives. But Ghidra seems to speak more directly to the discourse and tension at the heart of cybersecurity right now. By being free and readily available, it will likely proliferate and could inform both defense and offense in unforeseen ways. If it seems like releasing the tool could give malicious hackers an advantage in figuring out how to evade the NSA, though, Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, said that isn’t a concern.

“Malware authors already know how to make it annoying to reverse their code,” Aitel said. “There’s really no downside” to releasing Ghidra.

No matter what comes next for the NSA’s powerful reversing tool, Joyce emphasized on Tuesday that it is an earnest contribution to the community of cybersecurity defenders—and that conspiracy theorists can rest easy. “There’s no backdoor in Ghidra,” he said. “Come on, no backdoor. On the record. Scout’s honor.”

https://www.wired.com/story/nsa-ghidra-open-source-tool/

Open Source Software Went Nuclear This Year


Getty Images


“WIRED”

“2015 was the year open source software gained new significance, thanks to Apple and Google and Elon Musk.

Now more than ever, even the most powerful tech companies and entrepreneurs are freely sharing the code underlying their latest technologies.

They recognize this will accelerate not only the progress of technology as a whole, but their own progress as well. It’s altruism with self-interest. And it’s how the tech world now works.

“This is not just a turning point, but a tipping point,” says Brandon Keepers, the head of open source at GitHub, the online service that sits at the heart of the open source universe.

Apple Opens Up

This year, Apple open sourced the Swift programming language—a big departure from how it operated before. For the most part, Apple kept the code underpinning its previous language, Objective-C, to itself, ensuring that it ran only on Apple devices. By open sourcing Swift, Apple ensures the language can run on any device, including machines based on Linux, Android, and Microsoft Windows.

Yes, Apple is allowing its language to run on competing devices. But this is what it must do. Thanks in large part to the proliferation of open source software, the modern world no longer runs on a single computing platform the way it did in the ’90s, following the rise of Microsoft Windows. If Apple wants to keep pace, it must ensure that its coding tools run everywhere. That’s because the world’s software developers must build for all the platforms people around the world use. If Apple’s tools only work for Apple’s platform, developers will be less likely to use them.

Not convinced? Late in 2014, Microsoft came to the same conclusion when it open sourced .NET. For years, .NET was merely a way of building software that ran on Windows. Now that it’s open source, the wider software community can ensure that software built with Microsoft’s tools runs on Linux and Apple’s operating system, too.

Open Sourcing Intelligence

This also was the year Google open sourced TensorFlow, the software engine that drives its artificial intelligence services, including its image and speech recognition and language translation tools. Over the past 15 years, Google has built a wide range of data center technologies that have helped make it the most powerful company on the ‘net. These technologies allow all of the company’s online services to instantly handle requests from billions of people, no matter where in the world they may be. Typically, Google kept these technologies to itself, forcing others to engineer inferior imitations. With TensorFlow, Google has changed direction, freely sharing a creation that sits at the heart of its empire.

Why? Google realizes how important AI is to its future, and it knows that it can accelerate the progress of AI if it shares its software. Google employs many of the world’s smartest minds. But not all of them. Those beyond Google can help improve TensorFlow—improvements that Google can take advantage of. What’s more, it provides a means of identifying new talent. In a way, open sourcing TensorFlow helps the company train the smartest researchers for a career at Google.

Certainly, Google isn’t giving away all its secrets. It’s keeping parts of TensorFlow to itself. And it’s not sharing the mountains of data that are so essential to training its AI services. But it is sharing enough code to make a difference—both for others and for itself.

Elon for Everyone

Elon Musk went even further. In mid-December, he and Sam Altman, president of Y Combinator, unveiled OpenAI, a $1 billion nonprofit dedicated to the same breed of AI that Google is developing. They even snagged one of Google’s top researchers, Ilya Sutskever. And they’ve vowed to open source all their work. The idea is that by sharing the latest AI tech with everyone, they can ensure that no one AI operation becomes too powerful. That may sound counterintuitive. And we’re a long way from seeing how this plays out. But if there’s one thing we learned in 2015, it’s that we shouldn’t underestimate the power of open source.”

http://www.wired.com/2015/12/2015-the-year-that-open-source-software-went-nuclear/