Black Hat Asia: The UEFI Firmware Rootkits: Myths and Reality

The UEFI Firmware Rootkits: Myths and Reality
Alex Matrosov  |  Principal Research Scientist, Cylance
Eugene Rodionov  |  Senior Specialized Software Engineer, ESET

In recent days, the topic of UEFI firmware security is very hot. There is a long list of publications that have appeared over the last few years discussing disclosed vulnerabilities in UEFI firmware. These vulnerabilities allow an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim’s system. In this presentation, the authors will take a look at the state-of-the-art attacks against UEFI firmware from a practical point of view and analyze the applicability of disclosed attacks in real-life scenarios: whether these vulnerabilities can be easily used in real-world rootkits (OS->SMM->SPI Flash).

In the first part of the presentation, the authors will dive into different types of vulnerabilities and attacks against UEFI firmware to summarize and systematize known attacks: whether the vulnerability targets one specific firmware vendor, whether an attacker needs physical access to the victim’s platform and so on. Such a classification is useful to understand the possibilities of an attacker. The authors will also look at the attacks and determine whether they can be converted into a real-world rootkit or whether the possibilities of the attacker are very limited and the attack vector cannot make it beyond the PoC.

In the second part of the presentation, the authors will look at defensive technologies and how one can reduce the severity of some attacks. Modern Intel-based platforms implement different methods and mitigation technologies against firmware and boot process attacks. Boot Guard is a hardware-based integrity protection technology that provides new levels of configurable boot: Measured Boot and Verified Boot (supported from MS Windows 8). The technologies responsible for protecting platform flash memory from malicious modifications are not a new trend. For example, the BIOS Write Enable bit (BIOSWE) was introduced a long time ago to make flash memory read-only. Another protection technology is the BIOS Lock Enable bit (BLE), which controls every privileged code execution from System Management Mode (SMM) on each attempt to change the BIOSWE bit. Also, SMM-based write protection (SMM_BWP) protects the entire BIOS region from modification attempts by unprivileged (non-SMM) code. One of the latest security technologies is SPI Protected Ranges (PRx), which can be configured on the BIOS/platform developer's side to protect ranges of flash memory. BIOS Guard (delivered since Skylake CPUs) is the most recent technology for armoring the platform against malicious modifications of firmware flash storage. Even if an attacker has access to modify flash memory, BIOS Guard can prevent execution of malicious code and protect flash memory from malicious modifications. The authors will analyse how these technologies can counteract existing firmware vulnerabilities and attacks.



Open Source Hardware Camp 2017 announced

Andrew Back announced the CfP for “Open Source Hardware Camp 2017”, taking place in September in the U.K. Note also ChipHack and ORConf! I wish O’Reilly’s Maker Faire would merge with this group, so that these OSH camps were worldwide, not just in the UK…

This year Open Source Hardware Camp will take place over the weekend of Saturday 2nd & Sunday 3rd September, hosted as part of the Wuthering Bytes festival in Hebden Bridge, which in 2017 will take place over the course of 10 days (again!). We will be returning to the Birchcliffe Centre in Hebden Bridge, which benefits from the convenience of adjoining, budget accommodation. Proposals for talks and workshops for OSHCamp 2017 are invited! The deadline for submitting titles and abstracts is Monday 1st May. There is no theme and topics may include, for example: Open source hardware projects, Open development practices and principles, Novel/interesting/fun projects built using open source hardware, Tools (hardware and software), Skills and techniques, e.g. PCB fab, DIY SMT assembly, Relevant technologies, e.g. SPI/I2C bus programming, …something else relevant to the community. Other events running as part of Wuthering Bytes 2017 and which may be of interest:
* Fri 1st: Wuthering Bytes Festival Day, http://wutheringbytes.com/
* Wed 6th & Thurs 7th: Chip Hack, http://chiphack.org/
* Thurs 7th PM & Fri 8th AM: EDSAC Challenge
* Fri 8th AM – Sunday 10th PM: GNU ORConf, http://orconf.org/



Denver coreboot Conference 2017

Denver coreboot conference
Monday June 5 – Tuesday June 6, 2017
Optional Hacking Day
Wednesday June 7, 2017







European coreboot conference 2017

OEMs: please note!

Carl-Daniel Hailfinger posted an announcement of the upcoming European coreboot conference 2017 to the coreboot-announce list:

We are currently planning to host a coreboot conference in Germany with 2 days of talks and an additional 2 days of hacking. The date will probably either be October 19-22 or October 26-29, i.e. directly before or after Embedded Linux Conference Europe and LinuxCon Europe. Ticket prices haven’t been decided yet and depend on the location and venue availability. The location will be either in Bonn or Bochum. Both Bochum and Bonn offer a variety of interesting activities for conference participants. Bochum is reachable by public transport from Frankfurt Airport within 120 minutes, from Dusseldorf Airport within 40 minutes and from Cologne Airport within 80 minutes. Bonn is reachable by public transport from Frankfurt Airport within 70 minutes, from Dusseldorf Airport within 70 minutes and from Cologne Airport within 30 minutes.
Please fill out the application and subscribe to the newsletter if you are planning to join us!



Hardware security training at Black Hat



Alexander on U-Boot+UEFI+GRUB on ARM

Here’s one interesting presentation for the upcoming OpenIoT and Embedded Linux Conference:

Marrying U-Boot, uEFI and grub2 – Alexander Graf, SUSE

Booting is hard. Booting in the ARM world is even harder. State of the art are a dozen different boot loaders that may or may not deserve that name. Each gets configured differently and each has its own pros and cons. As a distribution this is a nightmare. Configuring each and every one of them complicates code that really should be very simple. To solve the problem, we can just add another layer of abstraction (grub2) on top of another layer of abstraction (uEFI) on top of another layer of abstraction (u-boot). Follow me on a journey on how all those layers can make life easier for the distribution and how much fun uEFI really is. After this talk, you will know how ARM systems boot, what uEFI really means, how uEFI binaries interact with firmware and how this enables convergence of the Enterprise and Embedded markets.

Alexander Graf, KVM Wizard, SUSE
Alexander started working for SUSE about 8 years ago. Since then he worked on fancy things like SUSE Studio, QEMU, KVM and openSUSE on ARM. Whenever something really useful comes to his mind, he tends to implement it. Among others he did Mac OS X virtualization using KVM, nested SVM, KVM on PowerPC and a lot of work in QEMU for openSUSE on ARM. He is the upstream maintainer of KVM for PowerPC, QEMU for PowerPC and QEMU for S390x.





Brian speaking at BSides Huntsville

Brian Richardson of Intel will be speaking about firmware at a security conference, BSides Huntsville.