Firmware Cartography: Charting the Course for Modern Server Compromise

Conference:  BlackHat USA 2019

2019-08-08

Summary

The talk presents a methodology for vulnerability hunting in undocumented server components and for mapping the code paths laid out in binary firmware images. It covers the attack surface of modern servers, which, when they are configured correctly, has been reduced to a smaller set of windows through which an attacker has to operate. It also examines why one would want to target particular components and what problems exist in them.
  • Modern servers have a reduced attack surface if they are configured correctly
  • The talk covers the attack surface of modern servers and the reasons why one would want to target different components
  • It presents a methodology for vulnerability hunting in undocumented server components and for mapping the paths laid out in binary firmware images
  • UEFI, the BMC and other components are constantly evolving and becoming more hardened
  • The attack surface is concentrated into fewer and fewer components
  • There are gating events where one component has to be compromised first to obtain the information needed to pivot into other components
Case studies are used to illustrate the attack surface of modern servers, the reasons for targeting different components, and the problems that exist in them. The talk emphasizes the importance of configuring newer servers in particular ways to reduce the attack surface, and the need to find interim fixes until the hardware catches up with the way threats are thought about today. It concludes by discussing the use of SMM as a strong enclave for securing components with the hardware available now, until we can design our perfect system.

Abstract

The modern server is the Matryoshka doll of computers, computers inside computers, a giant, undocumented mess. Undocumented devices have made homes at undocumented addresses, on buses, and in protocols most server owners don't know exist. With few exceptions, however, they and their secrets can't really stay hidden -- you just have to know how to look. In this talk, we'll cover our methodology for vulnerability hunting in undocumented server components, mapping the paths laid out in binary firmware images. Tracking the interactions between software, hardware, and everything in-between exposes the permeable (or missing!) security controls that attempt to block you from opening these new worlds to explore. Through PoC helper libraries and chaining useful primitives together, oh, the places you'll go. In addition to showing how to find new vulnerabilities, we'll use case studies of public vulns found by ourselves and others, explaining what makes them unique, or common, and other unreleased exploitation details. We'll release initial versions of Binary Ninja plugins we're working on at Atredis Partners, bringing UEFI coverage to the new platform and its hot MLIL. And who knows, we might disclose some new bugs or useful post exploitation details if we're able.