Closing Keynote: Betraying the BIOS: Where are the limits of AV for modern UEFI Firmware?
For UEFI firmware, the barbarians are at the gate — and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants — by HackingTeam and state-sponsored actors alike — hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS? In this presentation, I’ll explain UEFI security from the competing perspectives of attacker and defender. I’ll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.
“My @offensive_con slides released! Include all 010 templates for Intel ACM and Boot Guard (KM + IBBM). All these details been REconstructed from AMI FW. Discovered few Intel Boot Guard bypasses: 2 SW + 1 HW. Never underestimate RE in your Threat Model!!”
Betraying the BIOS: Where the Guardians of the BIOS are Failing
For UEFI firmware, the barbarians are at the gate — and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants — by HackingTeam and state-sponsored actors alike — hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS? In this presentation, I’ll explain UEFI security from the competing perspectives of attacker and defender. I’ll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering. This talk is a revisited version of the Black Hat Vegas 2017 research with new details about Intel BIOS Guard and Intel ACM’s including new vulnerabilities.
010 editor templates:
NE Alpha 44:
+ support of MS Surface implementation of Intel Boot Guard
+ optional disabling Intel Boot Guard marking
This is great news for NVIDIA security!!
Also anyone from ARM Ltd must be quite excited to see recent career paths of ex-CHIPSEC Project members. Alex and Yuriy of Eclypsium has an ARM port of CHIPSEC, which they says they they’re going to release (when!?!). Now Alex is joining Nvidia and will also be focusing on ARM. Note to the Linaro team working on the AArch64 port of LUV-live, once CHIPSEC works on ARM, you really need to get this project active again.
I hope the CHIPSEC team, and or (ARM Ltd, Linaro, Eclypsium, or now NVIDIA) helps update the CHIPSEC Project’s release of CPython. Today it is a binary-only release for x86 and x64, in the Github source tree. It’ll need ARM versions of CPython, and hopefully make CPython build for CHIPSEC transparent, or at least sign the blobs. Actually, this points out an upstream problem to Tianocore: CHIPSEC is an example of an ISV with a UEFI app that needs CPython, and has to ship it themselves. Tianocore should consider shipping CPython binaries along with ShellPkgBin binaries.
PS: I also just noticed that their book has a nice (new?) domain name: http://bootkits.io/ (no HTTPS).
Double entry for Alex: he’s got a new blog post on Intel Boot Guard, plus he’s updated UEFITool!
“[…]Today I released a new build of UEFITool with visual validation of Intel Boot Guard coverage. The code pushed to the github repository. A standalone binary of UEFITool can be downloaded here.[…]”
View story at Medium.com
Black Hat Vegas: Where the Guardians of the BIOS Are Failing
By Alex Matrosov
In our upcoming Black Hat Vegas talk, we will summarize our research about the UEFI firmware protections and our newly-discovered security problems. This talk raises awareness of these security challenges for hardware vendors, BIOS-level security researchers and defenders, and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious but, with the right tools and knowledge, we can prevail.[…]
Table of Contents
Chapter 1: Observing Rootkit Infections
Chapter 2: What’s in a Rootkit: The TDL3 Case Study (NOW AVAILABLE)
Chapter 3: Festi Rootkit: The Most Advanced Spam Bot (NOW AVAILABLE)
Chapter 4: Bootkit Background and History (NOW AVAILABLE)
Chapter 5: Operating System Boot Process Essentials (NOW AVAILABLE)
Chapter 6: Boot Process Security (NOW AVAILABLE)
Chapter 7: Bootkit Infection Techniques (NOW AVAILABLE)
Chapter 8: Static Analysis of a Bootkit Using IDA Pro (NOW AVAILABLE)
Chapter 9: Bootkit Dynamic Analysis: Emulation and Virtualization (NOW AVAILABLE)
Chapter 10: Evolving from MBR to VBR Bootkits: Olmasco (NOW AVAILABLE)
Chapter 11: IPL Bootkits: Rovnix & Carberp (NOW AVAILABLE)
Chapter 12: Gapz: Advanced VBR Infection (NOW AVAILABLE)
Chapter 13: Rise of MBR Ransomware (NOW AVAILABLE)
Chapter 14: UEFI Boot vs. the MBR/VBR Boot Process (NOW AVAILABLE)
Chapter 15: Contemporary UEFI Bootkits
Chapter 16: UEFI Firmware Vulnerabilities
Chapter 17: How Secure Boot Works
Chapter 18: HiddenFsReader: Bootkits Forensic Approaches
Chapter 19: CHIPsec: BIOS/UEFI Forensics
The UEFI Firmware Rootkits: Myths and Reality
Alex Matrosov | Principal Research Scientist, Cylance
Eugene Rodionov | Senior Specialized Software Engineer, ESET
In recent days, the topic of UEFI firmware security is very hot. There is a long list of publications that have appeared over the last few years discussing disclosed vulnerabilities in UEFI firmware. These vulnerabilities allows an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim’s system. In this presentation, authors will take a look at the state of the art attacks against UEFI firmware from practical point of view and analyze applicability of disclosed attacks in real life scenarios: whether these vulnerabilities can be easily used in real-world rootkits (OS->SMM->SPI Flash).
In the first part of the presentation, the authors will dive into different types of vulnerabilities and attacks against UEFI firmware to summarize and systematize known attacks: whether the vulnerability targets one specific firmware vendor, whether an attacker needs physical access to the victims platform and so on. Such a classification is useful to understand possibilities of an attacker. The authors will also look at the attacks and determine whether it can be converted into a real-world rootkit or the possibilities of the attacker are very limited and the attack vector cannot make it beyond the PoC.
In the second part of the presentation, the authors will look at defensive technologies and how can one reduce severity of some attacks. In modern Intel-based platforms implemented different methods and mitigation technologies against firmware and boot process attacks. The Boot Guard – hardware-based integrity protection technology that provided new levels of configurable boot: Measured Boot and Verified Boot (supported from MS Windows 8). The technologies responsible for platform flash memory protection from malicious modifications not a new trend. As example BIOS Write Enable bit (BIOSWE) has been introduced long time ago for made read-only access of flash memory. Another protection technology is BIOS Lock Enable bit (BLE) which is control every privileged code execution from System Management Mode (SMM) on each attempt to change BIOSWE bit. Also SMM based write protection (SMM_BWP) protects an entire BIOS region from unprivileged code (non-SMM) modifications attempts. One of the latest security technologies is SPI Protected Ranges (PRx) which can be configured to protect memory ranges of flash memory on the BIOS/platform developers side. The BIOS Guard (delivered since Skylake CPU) – is the most recent technology for platform armoring protection from firmware flash storage malicious modifications. Even if an attacker has access for modifying flash memory BIOS Guard can prevent execution of malicious code and protect flash memory from malicious modifications. Authors will analyse how these technologies can counteract existing firmware vulnerabilities and attacks.
If you haven’t heard of this book yet, see the Nostarch tags for a few older posts.
Wow, Alex Matrosov is leaving Intel Advanced Threat Research (ATR).
As I understand it, he is one of the CHIPSEC team. I hope the project can handle his loss.
It is unclear what he’ll be doing next. Maybe he’ll be joining Apple? They are hiring all the great researchers…)
WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!
As well, UEFITool has new maintainers, Alex and Dmytro!!
An update on this book, the early-access ebook edition has a new chapter on UEFI BIOS vulnerablities — and NoStarch has a 30% off earlybird discount:
Alex Matrosov’s presentations — one of which is on attacking hypervisors — from Zero Nights are now online!