Intel firmware security research at WOOT

Usenix WOOT 2015 is happening in Washington D.C. later this month. It has a very interesting UEFI security talk:

Symbolic execution for BIOS security
Oleksandr Bazhaniuk, John Loucaides, Lee Rosenbaum, Mark R. Tuttle, Vincent Zimmer, Intel Corporation
May 25, 2015

We are building a tool that uses symbolic execution to search for BIOS security vulnerabilities including dangerous memory references (call outs) by SMM interrupt handlers in UEFI-compliant implementations of BIOS. Our tool currently applies only to interrupt handlers for SMM variables. Given a snapshot of SMRAM, the base address of SMRAM, and the address of the variable interrupt handler in SMRAM, the tool uses S2E to run the KLEE symbolic execution engine to search for concrete examples of a call to the interrupt handler that causes the handler to read memory outside of SMRAM. This is a work in progress. We discuss our approach, our current status, our plans for the tool, and the obstacles we face.

There might be other interesting talks happening there, but none have BIOS/UEFI/firmware in their title/abstract, so I missed them. 🙂

Click to access woot15-paper-bazhaniuk.pdf