RECENT BLOG NEWS
cURL Up Canceled
The cURL Project and wolfSSL are sorry to inform you that Daniel Stenberg tested positive for COVID-19 this morning, and is unable to fly to the US for the cURL Up event. We have decided to cancel the cURL Up event happening June 6th. We are planning on rescheduling cURL Up for sometime in September.
Thank you for your understanding. Stay tuned for more news.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Secure boot and glitching attacks
In general, a “glitch” is a momentary fault that may happen on a system, preventing it from working properly, for a brief amount of time. The effects of a single glitch on proper software execution may be multiple, including catastrophic consequences that may prevent the system from continuing the execution.
Glitching attacks are complex and expensive to execute, but can be a real issue for secure boot mechanisms, and often very hard to prevent or mitigate. They aim at exploiting predictable consequences of single glitches in order to take control of the execution or the data contained in the system. The glitch can be injected using different techniques, which often rely on well known weaknesses of the specific microcontroller or CPU. The most common glitch injection consists in varying the voltage supplied to the chip at a specific time, or modifying the profile of the clock signal to mangle the timing of the execution of the instructions. More advanced attacks can rely on irradiating the device with strong electromagnetic interference.
In the specific context of secure boot, the goal for an attacker is to circumvent the security checks in those critical sections of the code, e.g. the code that performs verifications on the firmware authenticity, integrity or versioning. These attacks could eventually defeat the security checks, and take control of the system by uploading an unauthorized firmware image. While they require an accurate synchronization and several attempts, these attacks will eventually succeed in injecting a fault in the hardware at the required time in order to skip the verification.
Our secure bootloader, wolfBoot, follows the indication of RFC9019 to provide a secure, public key based verification of the integrity and authenticity of the firmware and its updates. It runs on several different architectures, from small microcontrollers up to x86_64 systems. wolfBoot is OS-agnostic and provides best-in-class security thanks to the FIPS 140-2 certified algorithms implemented in the wolfCrypt security engine.
wolfBoot already comes with plenty of unique features. Now it is also the first open source secure bootloader to implement mitigations against glitching attacks. Our development team has recently added an optional feature that can be activated at compile time, to reinforce the security of the critical variables and decision points in the code. This has required an evaluation of the code flow of wolfBoot from a point of view that includes the possibility for an attacker to skip single specific instructions. Introducing these mitigations has been tricky, because redundant code written in C is usually discarded by the compiler. For this reason the countermeasures must be programmed in assembly, which makes this code architecture specific.
Our latest release of wolfBoot contains these countermeasures. Glitching support mitigation can be freely compiled and used in GPL projects for evaluation and auditing purposes.
To compile wolfBoot with glitching and side-channel attack mitigations turned on, it is sufficient to add ARMORED=1 to the configuration options (i.e. via command line when invoking make, or through the .config file). The ARMORED option is currently supported on ARM Cortex-M architecture. Support for other architectures will be added in the future.
You can download wolfBoot today from our download page or from our github repository
What is the next feature that you want to see implemented in wolfBoot? Is there any architecture or platform that we don’t yet support that could benefit from our glitch-resistant secure boot mechanism? Let us know!
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSentry preview release 0.4.0 — the wolfSSL Embedded IDPS
Today wolfSSL Inc. releases the 4th preview release of wolfSentry, wolfSSL’s IDPS (Intrusion Detection and Prevention System) for embedded and IoT systems. wolfSentry is address- and bus-agnostic, and brings static and dynamic firewalls, event-driven notification and logging support, and unlimited extensibility, to deeply embedded and realtime systems.
This release has several new features of note:
- The JSON configuration format now allows user-defined key-value pairs. The JSON configuration can then be used as a unified configuration package for both the wolfSentry core and user-installed plugin logic. Binary objects can be supplied in the configuration using base64 encoding, and user plugins can then access it in the decoded raw binary form. The key-value facility also supports a custom validator callback to enforce constraints on user-defined config params in the JSON.
- User-defined address families are now available, allowing idiomatic formats for non-Internet addresses in the JSON config. This allows plugin support for various buses and device namespaces beyond the core builtin IP and MAC address support.
- A generic JSON DOM (random access) facility is now included, for use as a helper in user plugins and applications.
- This release also introduces substantial improvements in infrastructure to support default policies, statistics, notification, and logging.
Because this is a preview release, some capabilities are only partially implemented. In particular, dynamic defenses and thread safety are only partially implemented.
Follow this blog and our GitHub for the latest — the first production-ready release of wolfSentry is coming soon!
We particularly seek to enable researchers with this release. We want wolfSentry to be fully vetted by the best in the OSS community. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Download wolfSentry now from https://github.com/wolfSSL/wolfsentry, and tell us what your IDPS priorities are!
wolfSSL Support for OpenSSH 9.0
wolfSSL has updated support for OpenSSH to version 9.0! The patch and instructions for applying and testing the patch are available here. OpenSSH 9.0 is the first exciting version to add support for the Streamlined NTRU Prime key encapsulation mechanism. It is a small lattice-based quantum-safe KEM. It is paired with the X25519 ECDH KEM to provide a fallback in the event of flaws being discovered in Streamlined NTRU Prime. This “quantum resistant” algorithm prevents adversaries from collecting and storing encrypted traffic now and decrypting it at a later date when quantum computers become a feasible attacking tool on current public key cryptographic algorithms. NTRU Prime makes use of the SHA-512 hashing algorithm. When compiling with wolfSSL, the SHA-512 algorithm is supplied by wolfSSL.
Read about all of the changes in OpenSSH 9.0 here.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Post-Quantum SSH v2.0 with wolfSSH
For a while now, wolfSSL has supported post-quantum algorithms in the TLS 1.3 protocol. Now, we also support it in the SSH v2.0 protocol as well!
Our wolfSSH library has long had support for SSH v2.0 both as a client and server. Recently, we integrated the SABER NIST Level 1 KEM into wolfSSH allowing you to start experimenting with a post-quantum algorithm with wolfSSH. For instruction on how to try it out on Linux, please see the Post-Quantum section of wolfSSH’s README.md file which can be found at https://github.com/wolfSSL/wolfssh#post-quantum . This is done via an integration with the OpenQuantumSafe project’s liboqs.
Want other post-quantum algorithms? Want other security levels? Want to us hybridize with other algorithms?
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Upcoming Webinar: Migrating from Mocana to wolfSSL
Join us Thursday, May 26th at 9AM Pacific Time.
wolfSSL Engineer, Eric, talks about the top reasons why people migrate from Mocana to wolfSSL as well as how to get started.
As always bring your questions for the live Q&A at the end of the presentation!
Watch the webinar here: Migrating from Mocana to wolfSSL
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfBoot has RISC-V Support
We have added support for RISC-V hardware in our wolfBoot library. The reference example uses the SiFive HiFive1 FE310 board to demonstrate a secure bootloader and firmware upgrade.
The HiFive1 is a 32-bit E31 RISC-V core capable of running at 320MHz. It includes 4MB of external flash and 16KB of internal RAM.
The wolfBoot library provides:
- Boot validation of the firmware image using hash and signature
- Reliable firmware update (power fail safe).
- Rollback support if application does not report “success”
- Version checking to prevent downgrade attack
- Support for external flash on updates
This adds support for:
- RV32 Hardware Access Layer (HAL) support for:
- PLL Clock configuration
- Flash eSPI
- UART
- RTC
- Firmware update example using the serial interface
Full setup and installation instructions can be found in “docs/Targets.md”.
These new features can be found on GitHub here:
https://github.com/wolfSSL/wolfBoot/pull/14
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSH release version 1.4.10
wolfSSH release version 1.4.10 is available! It includes many useful code additions including some fixes. To name a few the ESP–IDF use has been expanded on, small stack improvements made, some SFTP use fixes, fixes for warnings with older GCC compilers and more….
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
European Webinar Week
Welcome to European Webinar Week! Thank you to all our viewers who attended our first session today about DO-178 – check out the rest of this week’s schedule to learn more and register in advance!
- 5PM Central European Time, Tuesday, May 17th
- Watch the webinar: Looking Under the Hood – Everything you need to know about Automotive security
- Watch the webinar: How to Get Started with wolfSSL
We can’t wait to see you and answer all of your questions!
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfCrypt-py and wolfSSL-py 5.3.0 Released
wolfSSL has released version 5.3.0 of the Python wrappers for wolfCrypt and wolfSSL called wolfCrypt-py and wolfSSL-py.
This is a significant release because the build system has been completely refactored to make it easier to build and install the Python wrappers.
In addition, wolfCrypt-py now works in Windows and has several new APIs to support some of the newer features of wolfCrypt.
For more information the release notes for wolfCrypt-py can be found here, and wolfSSL-py can be found here. In addition the releases can be found on PyPi to be installed using `pip` here for wolfCrypt-py and here for wolfSSL-py.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Weekly updates
Archives
- December 2024 (19)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)