Now You See It: TOCTOU Attacks Against Secure Boot and BootGuard

BootGuard’s Verified Boot mode on modern Intel CPUs is the core root of trust and measurement during the boot process, and preserves the chain of trust by only executing firmware with a valid vendor signature. These protections are supposed to be secure against physical attacks on the SPI flash, although we’ve found multiple errors in handling the firmware volumes as well as a new technique for changing the firmware after the signature check has been done. In this talk we’ll demonstrate how to build an inexpensive open source tool for investigating these TOCTOU techniques and how to use it to test the security of your own systems.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s