Glad to see the forensic community realizing that there is more under the hood than it has been paying attention to. A new PDF in the SANS Digital Forensics reading room:
Analysis of the building blocks and attack vectors associated with the Unified Extensible Firmware Interface (UEFI)
Author: Jean-François Agneessens (firstname.lastname@example.org)
Advisor: Manuel Humberto Santander Pelaez
While operating systems have seen tremendous and very visible developments, driven by the evolution of hardware components, there are still some remnants from the 8086 era, one of which is the BIOS. Led by a consortium of vendors, the industry is now implementing a new style of BIOS which, by design, appears to overcome all the issues introduced by the Intel 8086 engineering decisions back in 1978. The Unified Extensible Firmware Interface (UEFI), the replacement for the legacy BIOS, is a blank-sheet design based on modular pieces of code following the well-known Portable Executable/Common Object File Format (PE/COFF), found in all Microsoft OS-based executable code. The UEFI code can therefore be reverse-engineered using similar techniques learned during GREM. The concepts of UEFI, and some of its VMware implementation, are presented here, as well as an insight into the possible paths open for further exploitation of the extended capabilities offered by UEFI.
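The practical consequence of the abstract's PE/COFF point is that the first step of triaging a UEFI module is the same as for a Windows binary: walk the DOS stub to the PE header, read the COFF and optional headers, and look at the Subsystem field, which the PE/COFF specification reserves as 10 (EFI application), 11 (EFI boot service driver), 12 (EFI runtime driver) and 13 (EFI ROM) for firmware images. The following is an added example written for this post, not code from the paper or from any UEFI toolchain; the parser, the helper names and the 200-byte sample image it builds in memory are all constructed for illustration, and every offset is bounds-checked because a firmware volume carved from a flash dump is untrusted input to a forensic tool.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_SUBSYSTEM_* values defined by the PE/COFF specification. */
#define SUBSYS_EFI_APPLICATION         10
#define SUBSYS_EFI_BOOT_SERVICE_DRIVER 11
#define SUBSYS_EFI_RUNTIME_DRIVER      12
#define SUBSYS_EFI_ROM                 13

#define PE32_MAGIC     0x10b   /* optional header magic, 32-bit image  */
#define PE32PLUS_MAGIC 0x20b   /* optional header magic, 64-bit image  */

struct pe_info {
    uint16_t machine;      /* IMAGE_FILE_MACHINE_*: 0x14c i386, 0x8664 x64, 0xaa64 ARM64 */
    uint16_t nsections;
    uint16_t magic;
    uint32_t entry_rva;    /* AddressOfEntryPoint: where DXE/boot loader jumps */
    uint16_t subsystem;
};

/* Little-endian field readers/writers; PE headers are always little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the DOS, PE and COFF/optional headers of a PE/COFF image in memory.
   Returns 0 on success, a negative code on a malformed or truncated image. */
int pe_parse(const uint8_t *buf, size_t len, struct pe_info *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;      /* no DOS header */
    uint32_t pe_off = rd32(buf + 0x3c);                                /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20) return -2;              /* signature + COFF header */
    const uint8_t *pe = buf + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -3;
    const uint8_t *coff = pe + 4;
    uint16_t opt_size = rd16(coff + 16);                               /* SizeOfOptionalHeader */
    if (opt_size < 70 || len - pe_off - 24 < opt_size) return -4;      /* must reach Subsystem */
    const uint8_t *opt = coff + 20;
    out->machine   = rd16(coff);
    out->nsections = rd16(coff + 2);
    out->magic     = rd16(opt);
    if (out->magic != PE32_MAGIC && out->magic != PE32PLUS_MAGIC) return -5;
    out->entry_rva = rd32(opt + 16);
    out->subsystem = rd16(opt + 68);   /* same offset in PE32 and PE32+ */
    return 0;
}

const char *efi_module_kind(uint16_t subsystem) {
    switch (subsystem) {
    case SUBSYS_EFI_APPLICATION:         return "EFI application";
    case SUBSYS_EFI_BOOT_SERVICE_DRIVER: return "EFI boot service driver";
    case SUBSYS_EFI_RUNTIME_DRIVER:      return "EFI runtime driver";
    case SUBSYS_EFI_ROM:                 return "EFI ROM image";
    default:                             return "not a UEFI image";
    }
}

/* Constructed sample: a minimal x64 PE32+ header shaped like an EFI application.
   DOS header (64 bytes) + "PE\0\0" (4) + COFF header (20) + optional header (112) = 200 bytes.
   It has no sections or code; it exists only to exercise the parser. */
#define SAMPLE_LEN 200
void build_sample_efi_app(uint8_t *buf) {
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                 /* e_lfanew -> PE signature at 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff, 0x8664);                     /* Machine: x64 */
    wr16(coff + 2, 1);                      /* NumberOfSections */
    wr16(coff + 16, 112);                   /* SizeOfOptionalHeader (PE32+, no data directories) */
    wr16(coff + 18, 0x0022);                /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE */
    uint8_t *opt = coff + 20;
    wr16(opt, PE32PLUS_MAGIC);
    wr32(opt + 16, 0x1000);                 /* AddressOfEntryPoint */
    wr16(opt + 68, SUBSYS_EFI_APPLICATION); /* Subsystem */
}

/* Subsystem of the constructed sample, or -1 if parsing fails. */
int sample_subsystem(void) {
    uint8_t img[SAMPLE_LEN]; struct pe_info info;
    build_sample_efi_app(img);
    return pe_parse(img, SAMPLE_LEN, &info) == 0 ? (int)info.subsystem : -1;
}

/* 1 if a sample cut off inside the COFF header is rejected rather than read out of bounds. */
int truncated_sample_rejected(void) {
    uint8_t img[SAMPLE_LEN]; struct pe_info info;
    build_sample_efi_app(img);
    return pe_parse(img, 0x50, &info) != 0;
}

int main(void) {
    uint8_t img[SAMPLE_LEN]; struct pe_info info;
    build_sample_efi_app(img);
    if (pe_parse(img, SAMPLE_LEN, &info) != 0) { puts("parse failed"); return 1; }
    printf("machine=0x%04x magic=0x%03x entry=0x%x subsystem=%u (%s)\n",
           info.machine, info.magic, info.entry_rva, info.subsystem, efi_module_kind(info.subsystem));
    return 0;
}
```

To apply this to a real module, replace the constructed buffer with a PE/COFF file carved from a firmware volume (the abstract's point is that the format is identical, so standard PE tooling works too); a Subsystem outside 10 to 13 in a file that came out of a UEFI firmware volume is itself worth a second look.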