UEFI security presentation at Seattle DC206 Meeting

If you missed the Intel presentation from BlackHat Briefings this summer, and if you are in the Seattle area this Sunday, Vincent Zimmer of Intel will be reprising this presentation at the DC206 Meeting at the Black Lodge Research hackerspace.


What: Oct DC206 Meeting: Firmware is the New Black
When: October 15th, 1-3pm
Who: Vincent Zimmer
Where: Black Lodge Research

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).


Click to access BlackHat2017-BlackBIOS-v0.13-Published.pdf



VZ CanSecWest slides and July PNWFWH follow-up

In case you missed Vincent Zimmer of Intel speaking at CanSecWest  back in March 2015, it gives a good overview of UEFI security technologies.

“UEFI, Open Platforms and the Defender’s Dillema”

I am reminded of this talk, since we just got Vincent to reprise this talk today at BlackLodgeResearch.org, at the monthly DC206 Meeting, which was also the meeting of the Pacific NorthWest FirmWare Hackers (PNWFWH). Vincent was a guest speaker and spoke on UEFI security for a while, mostly QA w/o slides.

I also gave a talk, on UEFI security tools (CHIPSEC, UEFItool, UEFI Firmware Parser, BIOS Diff, BIOS Extract, LUV-live, FWTS, etc.). I’ll cleanup the slides and post them on this blog shortly. Our scheduled lab was a bit flat, due to 2x the presentations, and a BLR-hosted BBQ, and the interest in listening to the QA with Vincent, and the miserable heat. But some of the attendees had already gotten LUV-live working on their systems, and had learned to dump ROMs, which is the first step.

Vincent also helped me understand the UEFI 2.5 feature list, I’ll be working on more blog posts with spec/source and other info on these ~63 items in some upcoming blog posts.

Reminder: firmware talk/lab at July DC206 Meeting

This Sunday we’re having a class on using CHIPSEC and related firmware security tools:

One change of plans for the lab: I’ve been having problems getting LUV-live to boot on various machines, so don’t want to tie the lab to booting thumbdrives to use CHIPSEC.

So let’s use CHIPSEC installed natively on your laptop. So please bring a Intel UEFI-based laptop running Windows or Linux, where you can install CHIPSEC on it. (The CHIPSEC kernel driver is not a safe thing to keep loaded, see their warning.txt. Only load it when you are using CHIPSEC.) I’ll bring some scripts to make it easier to use CHIPSEC on Linux systems. Watch the Youtube video of DEFCON22 talk on CHIPSEC to see when/why to use some of it’s commands.

Or, instead of running CHIPSEC from w/i your installed OS, make your own LUV-live thumbdrive and see if it works on your system: if so, use CHIPSEC there.

Regardless, please don’t use your primary laptop, backup anything important, in case you brick the box.

The lab will be fairly free-form, people trying to use CHIPSEC on their system, hopefully to save a ROM and share with others, and to some analysis of the ROM using CHIPSEC, UEFITool, UEFI Firmware Parser. If you are willing to share some ROMs with the rest of the lab attendees, please try to bring a system with a CD-R/DVD-R burner. I’ll bring some blank discs. CHIPSEC and most of the below tools are Python-based, so install CPython 2.7x on your system. Install any of the below tools if you want to use these to examine ROMs:


UEFI Firmware Parser:

Copernicus’ BIOS Diff:

Most of these tools are Python-based, but UEFITool is a C++-based Qt GUI app. You need to get Qt Creator installed, open Qt Creator, open the UEFI Tools’s .pro file, then Build it. UEFITool builds on most platforms pretty painlessly. If you don’t want to install Qt on your system, you can download pre-built binaries of UEFITool for Windows and Mac OSX. For Linux, no binaries provided, you must build from source.

One potential direction for the lab is to look at Intel’s analysis of the Hacking Team’s UEFI malware, and how to use CHIPSEC and UEFITool, using the GUIDs and strings from the below analysis to see if you have Hacking Team bootkit.

Unfortunately, it looks like the PNWFHW (Pacific NorthWest FirmWare Hackers) stickers likely won’t arrive in time, probably next week, so no stickers this time, sorry.