
Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases

Conference:  Black Hat USA 2022

2022-08-10

Summary

The presentation discusses vulnerabilities in firmware and device security, emphasizing the need for increased attention to and awareness of the problem.
  • Firmware and device security is complex and has dangerous attack surfaces with few mitigations available
  • Automation and tooling can help with vulnerability research and detection
  • There is a need for increased attention and awareness to device security
The presenter discusses the efiXplorer plugin, which can find vulnerabilities in DXE drivers and platform initialization drivers, but vendors are not using it. They also created the FwHunt approach for detecting known vulnerabilities at the semantic level and made it available to the community for free. They reported nine high-severity vulnerabilities to Lenovo and developed tooling and automation for Arm. The presenter emphasizes the need for more attention to and awareness of device security.

Abstract

Vulnerabilities in System Management Mode (SMM) and more general UEFI applications/drivers (DXE) are receiving increased attention from security researchers. Over the last 9 months, the Binarly efiXplorer team disclosed 42 high-impact vulnerabilities related to SMM and DXE firmware components. But newer platforms have significantly increased the runtime mitigations in the UEFI firmware execution environment (including SMM). The new Intel platform firmware runtime mitigations reshaped the attack surface for SMM/DXE with new Intel Hardware Shield technologies applied below-the-OS. The complexity of the modern platform security features is growing every year. The general security promises of the platform consist of many different layers defining their own security boundaries. Unfortunately, in many cases, these layers may introduce inconsistencies in mitigation technologies and create room for breaking general security promises, allowing for successful attacks.

In this presentation, we will share our work exploring recent changes in the UEFI firmware security runtime using one of the most recent Intel CPUs as an example. The presentation will cover the evolution of firmware mitigations in SMM/DXE on x86-based CPUs and a discussion about the new attacks on Intel Platform Properties Assessment Module (PPAM), which are often used in tandem with Intel SMI Transfer Monitor (STM). These topics have never been publicly discussed from the offensive security research perspective.
