Intel firmware security research at WOOT

Usenix WOOT 2015 is happening in Washington D.C. later this month. It has a very interesting UEFI security talk:

Symbolic execution for BIOS security
Oleksandr Bazhaniuk, John Loucaides, Lee Rosenbaum, Mark R. Tuttle, Vincent Zimmer, Intel Corporation
May 25, 2015

We are building a tool that uses symbolic execution to search for BIOS security vulnerabilities including dangerous memory references (call outs) by SMM interrupt handlers in UEFI-compliant implementations of BIOS. Our tool currently applies only to interrupt handlers for SMM variables. Given a snapshot of SMRAM, the base address of SMRAM, and the address of the variable interrupt handler in SMRAM, the tool uses S2E to run the KLEE symbolic execution engine to search for concrete examples of a call to the interrupt handler that causes the handler to read memory outside of SMRAM. This is a work in progress. We discuss our approach, our current status, our plans for the tool, and the obstacles we face.

There might be other interesting talks happening there, but none have BIOS/UEFI/firmware in their title/abstract, so I missed them. 🙂

https://www.usenix.org/node/191950
https://www.usenix.org/conference/woot15/workshop-program/presentation/bazhaniuk

https://www.usenix.org/conference/woot15/workshop-program

Lua for UEFI

Lua is a scripting language, small and simple, easy to ‘embed’ into an application. I just noticed, Lua is in the EDK-II trunk! The UEFI port is based on Lua 5.2.3, released in November 2013. The UEFI copyrights are dated 2013-2014, so I missed this Lua change for a long time! 😦 Emulex Corporation did the initial UEFI port, and Intel Corporation did some final build/file packaging changes. So, thanks Emulex and Intel!

Here’s the mandatory hello-world in Lua, “ported to UEFI”:

    print("Hello UEFI World")

To install Lua on UEFI: On your UEFI System Partition (ESP), create \Efi\Tools directory, and copy Lua.efi there.  That is the standalone Lua interpreter. Also create the directory \Efi\Stdlib\lib\Lua on your ESP, this is the default location Lua will look for scripts. There are a few sample scripts in the Lua source tree’s AppPkg/Applications/Lua/scripts directory, or you can ignore these and just add your own scripts in this directory.

One known issue: EOF characters, ^D or ^Z, are not properly recognized by the console and can’t be used to terminate an application. Use os.exit() to exit Lua.

This means you can write UEFI scripts in UEFI Shell script, Python, or Lua, given the language options on TianoCore. (There’s also a Ruby port outside TianoCore.org, more on that in an upcoming blog.)

From a security perspective, you also need to worry about Lua language issues, too. The ESP is FAT-based on most vendors’ systems (except for Mac OS X, which uses HFS+, and Linaro mentions using Ext2/Ext3 on their AArch64 port, but I haven’t confirmed this in code yet), so there is little ACL security to protect the global Lua binary and the scripts in \Efi\Stdlib\lib\Lua. (Similar concerns apply to the Python for UEFI implementation.)
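Since the FAT ESP offers no ACLs, one defensive option is to record hashes of the Lua interpreter and script directory from the OS side and re-check them later. The following is an added example, not code from the post or from EDK-II; it assumes the ESP is mounted at a path you pass in (for example /boot/efi on Linux) and uses the \Efi\Tools\Lua.efi and \Efi\Stdlib\lib\Lua locations described above.

```python
"""Record and verify SHA-256 hashes of the Lua-on-UEFI files on the ESP.

Added example (not from the post or EDK-II). Assumes the ESP is mounted
read-write at the path passed to the functions below.
"""
import hashlib
import json
import sys
from pathlib import Path

# Locations from the post, relative to the ESP root (FAT is case-insensitive,
# so the capitalisation here only has to match how the OS mounts it).
WATCHED = ["Efi/Tools/Lua.efi", "Efi/Stdlib/lib/Lua"]


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(esp_root: str) -> dict:
    """Map each watched file (relative POSIX path) to its SHA-256 digest."""
    root = Path(esp_root)
    manifest = {}
    for rel in WATCHED:
        target = root / rel
        if target.is_file():
            files = [target]
        elif target.is_dir():
            files = sorted(p for p in target.rglob("*") if p.is_file())
        else:
            files = []  # watched location absent: Lua not installed on this ESP
        for p in files:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(esp_root: str, saved: dict) -> dict:
    """Compare the current ESP against a previously saved manifest."""
    now = build_manifest(esp_root)
    return {
        "added": sorted(set(now) - set(saved)),
        "removed": sorted(set(saved) - set(now)),
        "modified": sorted(k for k in now.keys() & saved.keys() if now[k] != saved[k]),
    }


if __name__ == "__main__":  # usage: script.py record|check <esp-mount> <manifest.json>
    mode, esp, out = sys.argv[1:4]
    if mode == "record":
        Path(out).write_text(json.dumps(build_manifest(esp), indent=2))
    else:
        print(json.dumps(verify(esp, json.loads(Path(out).read_text())), indent=2))
```

Store the manifest somewhere other than the ESP itself, otherwise whatever can rewrite the scripts can rewrite the manifest too.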

For more information, from the EDK-II trunk, see:

/AppPkg/Applications/Lua