Kai Michaelis

Nowadays, it’s difficult to find any hardware vendor who develops all the components present in its products. Many of these components, including firmware, are outsourced to ODMs. As a result, this limits the ability of hardware vendors to have complete control over their hardware products. In addition to creating extra supply chain security risks, this also produces security gaps in the threat modeling process. Through this research, ​we wanted to raise awareness about the risks in the firmware supply chain and the complexity of fixing known vulnerabilities. The firmware patch cycles last typically around 6-9 months (sometimes even longer) due to the complexity of the firmware supply chain and the lack of a uniform patching process. The 1-day and n-day vulnerabilities in many cases have a large impact on enterprises since the latest firmware update wasn’t installed or the device vendor had not released a patch yet. Each vendor follows their own patch cycle. Even known issues may not be patched until the next firmware update is available. We decided to build an open-source framework to identify known vulnerabilities in the context of UEFI specifics, classify them based on their impact and detect across the firmware ecosystem with the help of the LVFS project. We will be sharing our approach as well as the tooling we have created to help industry identify the problems and get patched. Workshop outline: * Why it's important to get patched in time, and why your EDR won't help you with compromised firmware? * The uefi_r2 scanner details internals (https://github.com/binarly-io/uefi_r2) * How semantic code annotations work to bring UEFI codentext for code analysis * How to scale uefi_r2 scanner in enterprise infrastructure? * Deep dive into FwHunt rules format * What is the difference between detecting new and known issues? * How does the FwHunt detection work on different layers PEI/DXE/SMM? * LVFS integration of uefi_r2 and FwHunt * How patch the industry deal with the help of LVFS? * Future plans and upcoming updates for FwHunt technology

Other people: Richard Hughes Alex Matrosov Alex Ermolov

Nowadays, it’s difficult to find any hardware vendor who develops all the components present in its products. Many of these components, including firmware, are outsourced to ODMs. As a result, this limits the ability of hardware vendors to have complete control over their hardware products. In addition to creating extra supply chain security risks, this also produces security gaps in the threat modeling process. Through this research, ​we wanted to raise awareness about the risks in the firmware supply chain and the complexity of fixing known vulnerabilities. The firmware patch cycles last typically around 6-9 months (sometimes even longer) due to the complexity of the firmware supply chain and the lack of a uniform patching process. The 1-day and n-day vulnerabilities in many cases have a large impact on enterprises since the latest firmware update wasn’t installed or the device vendor had not released a patch yet. Each vendor follows their own patch cycle. Even known issues may not be patched until the next firmware update is available. We decided to build an open-source framework to identify known vulnerabilities in the context of UEFI specifics, classify them based on their impact and detect across the firmware ecosystem with the help of the LVFS project. We will be sharing our approach as well as the tooling we have created to help industry identify the problems and get patched.

Other people: Richard Hughes Alex Matrosov Alex Ermolov

Panopticon is a graphical disassembler written in Rust that runs on GNU/Linux, Windows and OS X. It aims to create a free replacement for tools like IDA Pro and BinDiff.

Analysis of closed source applications is necessary for security practitioners and FLOSS-developers. Roughly 1/3 of the FSF High Priority Projects will likely involve analysis of binary applications, on top of the dedicated reverse engineering projects. Yet, the majority of the tools to do this are closed source themselves. This problem extends to academia where the lack of stable and extensible binary analysis tools forces scientist to implement their prototypes on top of proprietary software. This further hampers adoption of the -- publicly funded -- research by practitioners.

The Panopticon project aims to develop a tool to end the dominance of proprietary software for reverse engineering. What sets Panopticon apart from other free disassembler is that we believe an intuitive GUI is paramount to aid human analysts to understand as much of the binary as possible. As such Panopticon comes with an Qt 5 UI written in QML that allows browsing and annotating control flow graphs. Panopticon implements semantic-based analysis to resolve dynamic jumps and calls. We believe that a disassembler that knows assembly code semantics allows automation of common reverse engineering tasks and provide aids for manual analysis.

The talk will touch on the vision and architecture of Panopticon. The target audience are reverse engineers interested in FLOSS tools and/or advanced static analysis as well as developers who want to contribute to the project.