UEFI security presentation at Seattle DC206 Meeting

If you missed the Intel presentation from BlackHat Briefings this summer, and if you are in the Seattle area this Sunday, Vincent Zimmer of Intel will be reprising this presentation at the DC206 Meeting at the Black Lodge Research hackerspace.


What: Oct DC206 Meeting: Firmware is the New Black
When: October 15th, 1-3pm
Who: Vincent Zimmer
Where: Black Lodge Research

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).





Intel Whitepaper updated: Using IOMMU for DMA Protection in UEFI Firmware

We recommend firmware developers review this docment to understand threats from unauthorized internal DMA, as well as DMA from non-PCI devices that platform firmware may configure. Using an IOMMU such as Intel VT-d allows fine-grain control of memory protection without broadly disabling bus-mastering capabilities in the pre-boot space.

Note: this whitepaper was originally published under the title “A Tour beyond BIOS Using Intel® VT-d for DMA Protection in UEFI BIOS” in January 2015.




Security updates for Intel NUC firmware (INTEL-SA-00084)

Intel ID: INTEL-SA-00084
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Oct 06, 2017

This update improves protection against mitigates multiple vulnerabilities related to security features in Intel® NUC system firmware (BIOS). BIOS Administrator and User password bypass: Insufficient protection of password storage in system firmware for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attacker to bypass Administrator and User passwords via access to password storage. SPI Write Protection Bypass: Insecure platform configuration in system firmare for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows an attacker with physical presence to run arbitrary code via unauthorized firmware modification during BIOS Recovery. SMM Privilege Elevation: Insufficient input validation in system firmware for Intel® NUC systems allows local attacker to execute arbitrary code via manipulation of memory. Boot Guard Bypass: Incorrect policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to bypass enforcement of integrity protections via manipulation of firmware storage. Dangerous SPI Opcode Protections: Insufficient policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to violate integrity or availability of nonvolatile storage for firmware via specially crafted accesses to nonvolatile storage. Intel highly recommends that users update to the latest version. Intel would like to thank Nikolaj Schlaj for reporting CVE-2017-5700 and CVE-2017-5701 and working with us on coordinated disclosure. Intel would like to thank Embedi for reporting CVE-2017-5721 and CVE-2017-5722 and working with us on coordinated disclosure.[…]





Embedi: Bypassing Intel Boot Guard

In recent years, there is an increasing attention to the UEFI BIOS security. As a result, there are more advanced technologies created to protect UEFI BIOS from illegal modifications. One of such technologies is Intel Boot Guard (BG) – a hardware-assisted BIOS integrity verification mechanism available since Haswell microarchitecture (2013). So-called «UEFI rootkits killer» this technology is designed to create a trusted boot chain (where a current boot component cryptographically measures/verifies the integrity of the next one) with Root-of-Trust locked into hardware.[…]



Intel seeks senior security researcher

Job ID: JR0037962
Senior Security Researcher

The Platform Engineering Group (PEG) is responsible for the design, development, and production of system-on-a-chip (SoC) products that go into Intel’s next generation client and mobile platforms. PEG strives to lead the industry moving forward through product innovation and world class engineering. Intel Security Center of Excellence’s goal is to be a prominent leader in the industry to assure security in computing platforms by conducting advanced security research. If you are a seasoned threat, vulnerability and exploit research expert who craves for tons of fun and pride in raising the security bar for ubiquitous computing systems, we would like you to join us as a proud member of Intel’s Advanced Security Research Team. Through your deep vulnerability analysis and mitigation development expertise, you will influence the security of a variety of Hardware, Firmware, Software & Systems spanning a range of products including Devices, Cloud, Auto, IOT, AI, VR, Drones, and Networks. Responsibilities include the following: Own emerging threat analysis, gain insights & know-how of evolving attack techniques, predict and extrapolate attack trends ahead of its occurrence, develop robust counter measures and mitigation. This role requires maintaining substantial knowledge of state-of-the-art security principles, theories, attacks etc. and contribute those insights to internal and external stakeholders. Participation in development or intellectual property is also a responsibility.

* Applicants should possess at least 10 years of experience in the field of system security research and excel in exploring software and hardware techniques as a method of attack against targets within the computing systems.
* Ability to span security expertise over HW, SW and Firmware domains. Passion for the latest gadgets and building security into these gadgets.
* Knowledge of computer architecture CPU, SoC, chipsets, BIOS, Firmware, Drivers, and others






Intel Platform Armoring and Resiliency team seeks BIOS intern

Interesting: Intel SSG has a “Platform Armoring and Resiliency (PAR)” team! Wish I had more details on what they do (besides inferring from job postings). If you’re on the PAR team and you have a home page or more public info, please leave a Comment.

Security BIOS Engineering Intern Hillsboro, OR
Job ID: JR0034895
Job Category: Intern/Student

Intel Corporation’s Software and Services Group (SSG) is looking for an intern to work in the area of platform firmware resiliency. The Platform Armoring and Resiliency PAR team within SSG is responsible for creating a secure firmware capability within Intel and the ecosystem to proactively ensure the standard boot and recovery infrastructure of IA platforms is both usable and secure[…]

* Utilizing fuzzing and symbolic execution tools to explore target binaries
* Prototyping new functionality in UEFI/BIOS
* Developing/supporting software tools in C and Python
* Gathering and analyzing execution traces to identify patterns of interest
* Utilizing QEMU or virtualization environments to analyze target binaries

* 3 months experience with Intel Model-Specific Registers (MSRs) or Configuration Space Registers (CSRs)
* 3 months experience with developing kernel modules or kernel code


A bit less interesting: Intel HR webmaster posts URLs with spaces in them. 😦