Intel ATR posts RECon and CSW presentations

Yesterday, Intel Advanced Threat Research (ATR) released presentations of two recent talks they’ve given on BIOS/SMM/UEFI security.

1) Attacking and Defending BIOS in 2015
Advanced Threat Research, Intel Security
RECon 2015

In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using “S3 resume boot script” vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more. We’ll also describe how to extract contents of SMRAM using above vulnerabilities and advanced methods such as Graphics aperture DMA to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail “SMI input pointer” and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules to CHIPSEC framework to test systems for these types of issues

2) A New Class of Vulnerabilities in SMI Handlers
Advanced Threat Research, Intel Security
CanSecWest 2015

This presentation will discuss security of SMI handler components of system firmware including the nature of a new class of vulnerabilities within the SMI handlers of BIOS/UEFI based firmware on various systems. It will also discuss how systems can be tested for these vulnerabilities and what can be done in firmware implementations to mitigate them. Additionally, the presentation will also discuss how S3 resume affects security of the system and problems with S3 resume boot script in some BIOS implementations recently discovered and presented at 31C3.

More Information:

VZ CanSecWest slides and July PNWFWH follow-up

In case you missed Vincent Zimmer of Intel speaking at CanSecWest  back in March 2015, it gives a good overview of UEFI security technologies.

“UEFI, Open Platforms and the Defender’s Dillema”

I am reminded of this talk, since we just got Vincent to reprise this talk today at, at the monthly DC206 Meeting, which was also the meeting of the Pacific NorthWest FirmWare Hackers (PNWFWH). Vincent was a guest speaker and spoke on UEFI security for a while, mostly QA w/o slides.

I also gave a talk, on UEFI security tools (CHIPSEC, UEFItool, UEFI Firmware Parser, BIOS Diff, BIOS Extract, LUV-live, FWTS, etc.). I’ll cleanup the slides and post them on this blog shortly. Our scheduled lab was a bit flat, due to 2x the presentations, and a BLR-hosted BBQ, and the interest in listening to the QA with Vincent, and the miserable heat. But some of the attendees had already gotten LUV-live working on their systems, and had learned to dump ROMs, which is the first step.

Vincent also helped me understand the UEFI 2.5 feature list, I’ll be working on more blog posts with spec/source and other info on these ~63 items in some upcoming blog posts.