This is a great story about hacking a BIOS-level locked Toshiba laptop. There will be plenty of hardware hacking, reverse engineering and perseverance. And some crypto as well.[…] The whole process took 3 years – but the actual work took about 2 weeks, the rest was Michał waiting for Sergiusz to dump the chips. They reported their findings to Toshiba, which promised to deliver updates and change the encryption scheme.[…]
Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace, the exploitation of the classic BIOS boot process is still very much a threat to enterprises around the world. Furthermore, since malware that tampers with the boot process (aka bootkits) execute before the operating system, such compromises often persist even after incident responders think the incident has been remediated. This post details the challenges FireEye faced examining boot records at scale and our solution to find evil boot records in large enterprise networks.[…]
In the olde days of the early Personal Computer, the BIOS-based firmware’s default bootloader would be a resident BASIC interpreter REPL. Companies made money licensing that BASIC interpreter to vendors!
So a built-in default BASIC interpreter bootloader app was one feature that BIOS had which UEFI did not. ….until now (and this one is not closed-source):
A BASIC interpreter for UEFI.
Nice, another online source to this classic document. There are a few other sources online, if you search. If you’ve never read this book, it is a great read, with the source to the PC BIOS listed, a great way to learn assembly language.
There’s also a nyan for BIOS, not only the above UEFI one!
NYAN ALL THE MBRs!
A 16 bit Nyan cat demo small enough to fit in the master boot record of a disk.
BEFORE YOU CONTINUE: USE ON YOUR OWN RISK, PLAYING WITH MBRs IS LIKE PLAYING WITH FIRE. DO NOT BE ON FIRE!
Step by step guide for how to build your own PXE boot server supporting both legacy BIOS and EFI hardare
Build your own PXE boot server
This article is a step by step guide for building your own PXE boot infrastructure which can be used to boot both legacy BIOS and EFI based hardware from network. There are many articles on the Internet for building PXE boot infrastructure however I found most of them does not work for EFI based hardware. I use iPXE as the boot image and dnsmasq as DHCP & TFTP server and I found it’s dead simple to setup those two software.
This is a Win32 console application for Windows Preinstall Environment system. The gaol is checking PC uses UEFI BIOS (or with CSM) must ensures the disk type is GPT format, otherwise the legacy BIOS must using MBR format for disk layout. C++ code only does windows executing diskpart and reg commands and checks results to improve function, because requester is lazy and having lack knowledge on his job to design commands flow.
PS: Another tool by author:
UEFI BIOS and Intel Management Engine Attack Vectors and Vulnerabilities
Alexander Ogolyuk, Andrey Sheglov, Konstantin Sheglov
Saint Petersburg National Research University of Information Technologies, Mechanics and Optics
St. Petersburg, Russia
We describe principles and implementation details of UEFI BIOS attacks and vulnerabilities, suggesting the possible security enhancement approaches. We describe the hidden Intel Management Engine implementation details and possible consequences of its security possible discredit. Described breaches in UEFI and Intel Management Engine could possibly lead to the invention of “invulnerable” malicious applications. We highlight the base principles and actual state of Management Engine (which is a part of UEFI BIOS firmware) and its attack vectors using reverse engineering techniques.
* Disable all SMM code (if possible by patching or other methods)
* Disable any external firmware components (PCI boot)
* Disable S3 Bootscript (after sleep mode)
* SMI transaction Monitor extensive usage (to find malicious SMI calls)
* Enable Secure Boot mode
* Enable BIOS password
* Extensive reverse engineering of vendor’s firmware samples to find and report vulnerabilities
* Code reviews (of open sourced UEFI based systems like Tiano-Core)
BIOS-UEFI Firmware Tools Engineer
As BIOS-UEFI Firmware Tools Engineer you will develop tools and scripts needed for build and test automation infrastructure that is the backbone of the the Continuous Integration process in Intel’s Data Center UEFI firmware BIOS team.[…]
PS: I need to figure out a way to get some swag/etc from jobs that’re filled via this blog. ;-(
PS: Intel HR: spaces in URLs is generally frowned upon.
UPDATE: adding URL, which I forgot in original post:
DiskImageCreator : A python utility to process the input raw disk image and sign MBR/partitions with given corresponding keys.
Signing Tool for boot security validation.
This python utility is designed to provide a baseline for people who may be interested in attaching the machine with secure boot process built-in. The secure boot process is a customized chain-of-trust boot flow in UEFI BIOS. It will exam the target disk image(in MBR) and see if it is properly signed by the root key controlled by owner. This utility is to help owner to create a signed image with owner keys.
This tool is designed to help people attack the machine with a secure chain-of-trust boot process in UEFI BIOS.
The UEFI Forum likes to frame UEFI -vs- BIOS, and has a 3-5 Class heirarchy of those systems, including having to deal with UEFI systems that also provide BIOS via Compatibility Support Module (CSM), referring to BIOS as Legacy Mode. If you look at BIOS outside of the framing of the UEFI Forum, it is usually based security, and UEFI has some security where BIOS has none. But there’s another ‘class’: non-UEFI coreboot, optionally secured with Verified Boot, with a BIOS payload. UEFI Forum doesn’t include this in their Class heirarchy… AFAICT, the mainstream IBVs have given up on BIOS and migrated to UEFI. The only places where BIOS will probably remain are in Purism boxes, where they will use TPM+Heads to secure BIOS, or on Chrome boxes, where they will use coreboot Verified Boot to secure BIOS, or in SeaBIOS-based VMs. When Intel stops offering Intel’s implementation of BIOS, maybe this means that the remaining BIOS users will switch to the open source SeaBIOS project, which is great news. Getting rid of the complex class of dual UEFI/BIOS systems will be a joy. 🙂
Kaspersky Security Bulletin: Threat Predictions for 2018
Juan Andrés Guerrero-Saade, Costin Raiu, Kurt Baumgartner
Sophisticated UEFI and BIOS attacks.
The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start. The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found, a fact that we attribute to the difficulty in detecting these in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.[…]
Current Purism Librem15 systems — based on Intel x64/coreboot/SeaBIOS tech — results in 3 FAILs and 1 WARNING from CHIPSEC:
The UEFI Forum recommends that OEMs pass CHIPSEC’s tests before shipping units to customers. I wish modern BIOS-based OEMs would also heed that advice… The default install is to use an MBR-based partition, so also be wary of all of the existing BIOS-centric, MBR-based rootkits. Adhere all ‘evil maid’ warning signs with this laptop. If you have corporate policies that require NIST 800-147/155/193 requirements, you might have to work hard to justify this device. I wish it were not true: configurable or secure, choose one.
In other computer review news: the trackpad did not work during initial install, had to be rebooted. I’m guessing trackpad drivers aren’t integrated? You’ll have to use external mouse if you need to click on something during install of Linux. Same with backlit key and display intensity features: only worked after OS setup. Firmware security pedantry aside, nice hardware. Fan rarely kicks in, unlike some OEMs. It is nice to see a Mac-style trackpad instead of a PC-style touchpad with 2 explicit button areas, I’ve grown to dislike those. Startup and poweroff are both very fast. Reminds me of what a modern non-UEFI system should be like. Great, except we’re no longer in a world where security can be ignored. If you want an insecure BIOS box, you’ll probably enjoy this system. If you care about security, this is a BIOS box….
Michał Kowalczyk has an interesting presentation on Intel BIOS reversing, focusing on a Toshiba system. Presentation is in Polish. If you have a Toshiba, see the excerpt below with advisory info.
Oficjalne stanowisko Toshiby
Toshiba is working on a temporary BIOS update that can be used to prevent the security issue that has been raised and expects to release this update on its website within the next 2 weeks.
Toshiba plans to start the release of a permanent fix for some models from January, 2018 and will complete the releases of permanent fix for all applicable models by the end of March 2018.
New in this release:
* Initial support for NVME drives
* Support for vga emulation over a serial port in SeaBIOS (sercon)
* Support for serial debugging using MMIO based serial ports
* Support for scsi devices with multiple LUNs
* Support for boot-to-boot persistent coreboot cbmem logs
* Improved coreboot vga (cbvga) mode setting compatibility
* Several bug fixes and code cleanups
For full announcement, see Kevin O’Connor’s posting to the SeaBIOS list.
Gabriel Majeri has created “biors”, a BIOS implementation written in Rust! It is only a few days old, does not appear to be ready for use yet.
biors – The Basic Input / Output Rust System
This repository contains an x86 platform firmware implementation – more commonly known as a BIOS. It is written in Rust, and is designed for modern x86_64 processors. Similarly to CoreBoot, it is designed to deliver a “payload” – this could be a PC-AT compatible BIOS, or a UEFI implementation. BIOS is pronounced “BY-oss”, this project is pronounced “BY-orss”.[…]
PS: Gabriel has also written C++ bindings for UEFI! 😉