Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software
Alex Matrosov | Offensive Security Lead, NVIDIA
Many hardware vendors are armoring modern Secure Boot by moving Root of Trust to the hardware. While it is definitely the right direction to create more difficulties for the attacker, many layers of code exist between hardware and firmware. Also, hardware vendors are always fighting for boot performance, which creates interesting security issues in actual implementations. In this presentation, I’ll explain new security issues to bypass a specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I’ll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries.
BlackHat Asia 2019 presentation:
The complexity of x86-based systems has become so great that not even specialists can know everything. The recently discovered Meltdown/Spectre vulnerabilities, as well as numerous issues in Intel Management Engine, underscore the platform’s mindboggling intricacies. So, the chips manufacturer has to actively use of various means for manufacturing verification and post-silicon debugging. We found that modern Platform Controller Hub (PCH) and CPU contain a full-fledged logic signal analyzer, which allows monitoring the state of internal lines and buses in real time—a gold mine for researchers. A vulnerability previously discovered by us, INTEL-SA-00086, enabled studying this technology, which is called Intel Visualization of Internal Signals Architecture (VISA). We believe it is used for manufacturing line verification of chips. With an enormous number of settings, VISA allows for the creating of custom rules for capturing and analyzing signals. VISA documentation is subject to an NDA and not available to ordinary users. However, we will show how, with the help of publicly available methods, one can access all the might of this technology WITHOUT ANY HARDWARE MODIFICATIONS on publicly available motherboards. With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user yet are able to access certain critical data. In our talk, we will demonstrate how to read signals from PCH internal buses (for example, IOSF Primary and Side Band buses and Intel ME Front Side Bus) and other security-sensitive internal devices.
The UEFI Firmware Rootkits: Myths and Reality
Alex Matrosov | Principal Research Scientist, Cylance
Eugene Rodionov | Senior Specialized Software Engineer, ESET
In recent days, the topic of UEFI firmware security is very hot. There is a long list of publications that have appeared over the last few years discussing disclosed vulnerabilities in UEFI firmware. These vulnerabilities allows an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim’s system. In this presentation, authors will take a look at the state of the art attacks against UEFI firmware from practical point of view and analyze applicability of disclosed attacks in real life scenarios: whether these vulnerabilities can be easily used in real-world rootkits (OS->SMM->SPI Flash).
In the first part of the presentation, the authors will dive into different types of vulnerabilities and attacks against UEFI firmware to summarize and systematize known attacks: whether the vulnerability targets one specific firmware vendor, whether an attacker needs physical access to the victims platform and so on. Such a classification is useful to understand possibilities of an attacker. The authors will also look at the attacks and determine whether it can be converted into a real-world rootkit or the possibilities of the attacker are very limited and the attack vector cannot make it beyond the PoC.
In the second part of the presentation, the authors will look at defensive technologies and how can one reduce severity of some attacks. In modern Intel-based platforms implemented different methods and mitigation technologies against firmware and boot process attacks. The Boot Guard – hardware-based integrity protection technology that provided new levels of configurable boot: Measured Boot and Verified Boot (supported from MS Windows 8). The technologies responsible for platform flash memory protection from malicious modifications not a new trend. As example BIOS Write Enable bit (BIOSWE) has been introduced long time ago for made read-only access of flash memory. Another protection technology is BIOS Lock Enable bit (BLE) which is control every privileged code execution from System Management Mode (SMM) on each attempt to change BIOSWE bit. Also SMM based write protection (SMM_BWP) protects an entire BIOS region from unprivileged code (non-SMM) modifications attempts. One of the latest security technologies is SPI Protected Ranges (PRx) which can be configured to protect memory ranges of flash memory on the BIOS/platform developers side. The BIOS Guard (delivered since Skylake CPU) – is the most recent technology for platform armoring protection from firmware flash storage malicious modifications. Even if an attacker has access for modifying flash memory BIOS Guard can prevent execution of malicious code and protect flash memory from malicious modifications. Authors will analyse how these technologies can counteract existing firmware vulnerabilities and attacks.
Black Hat Asia 2016:
March 29 – 30
Harvard Architecture Embedded Systems Reverse Engineering and Exploitation
IoT and embedded systems became ubiquitous. However, security analysis and exploitation of its firmware could be painful. The world of embedded systems isn’t limited to just ARM and MIPS but includes many other microcontroller architectures with Harvard architecture being one of the prevalent. Such MCUs are found in the cars and airplanes, ICS and smart devices, home automation systems, armature electronic projects — almost everywhere. During the workshop the attendees will learn basic and advanced methods of reverse-engineering and exploitation of firmware in microcontrollers. The course is focused on memory corruption vulnerabilities, but some other bugs will be also covered. Main reviewed architectures are: AVR (8-bit), STM8 and PIC. However, presented principles could be used against other architectures. We will also talk about how to use radare2 and IDA Pro for reversing and exploiting MCU firmware as well as how to develop own tools that help you with your tasks. […]
Alexander Bolshev is an information security researcher. He holds a Ph.D. in computer security and also works as assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocols security. He is the author of several whitepapers in topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He spoke at the following conferences: Black Hat USA/EU/UK, ZeroNights, t2.fi, CONFIdence, S4.