Prior Work

Because people don’t ever patch their BIOSes, it is extremely likely that the vast majority of systems in the wild are vulnerable to at least one known exploit. We made public the details of the new SMM “Incursion” vulnerabilities (CERT VU# 631788, reported Oct 29th), that can be found automatically from SMM dumps. We showed the “LightEater” SMM implant stealing GPG keys/passwords/decrypted messages from Tails on an MSI system. We also showed how an unskilled attacker can infect a BIOS with an off-the-shelf Dediprog programmer, by just pressing the start button. This was done against an HP system, from which LightEater subsequently used Intel Serial-Over-LAN to exfiltrate data over the network in a NIC-agnostic way. We also showed infecting an Asus system, with LightEater installing kernel-mode rootkit style hooks into Windows 10 preview, to get notified every time a process loads. We then provided data analysis evidence that indicated that UEFI systems are mostly homogeneous as far as an attacker is concerned, and consequently thousands of BIOSes could easily be hooked for the insertion of implants in an automated fashion.

Survey of some of the many BIOS level vulnerabilities that have come out in the past few years, for those who were not following the area.

In 2013, MITRE released Copernicus 1, a best-effort system to capture a raw dump of the BIOS and whether it appears to be possible for an attacker to write to it. In 2014, we released Copernicus 2 to combat the ability of an attacker to subvert not just Copernicus 1, but all other BIOS capture systems. While these free tools are a good way to get a copy of your BIOS, analyzing it to detect malicious changes is still an open problem in need of further investigation before defenders can feel confident that they have un-infected BIOS. You can’t just compare the MD5s from two BIOS dumps and get a valid comparison. This is a problem that leads to firmware-level malware going under-reported and under-analyzed due to not enough people with the background to jump into this area.

In this presentation, we will assume that you have a suspected badBIOS dumped by Copernicus that you’d like to determine the integrity and authenticity of. We will perform a breadth-first discussion of the topics such as port IO, memory-mapped IO, PCI, SMM, UEFI, and others that you need to become more familiar with in order to effectively analyze modern BIOSes. We will especially focus on how UEFI’s removal of security through obscurity is a double edged sword which helps both attackers and defenders analyze BIOSes for attacks or integrity checks. This talk will serve as a gateway for people with existing reverse engineering knowledge to start analyzing modern PC firmware.

A Microsoft-targeted discussion of what they could do to improve the state of firmware security, e.g. by performing vulnerability and integrity checking within their customer base. Unfortunately neither Microsoft nor MITRE ever published this presentation. (And of course Microsoft never implemented the idea.)

Talks targeted at encouraging Anti-Virus vendors to start checking for malware at the BIOS level, and to encourage Mandiant customers attending MIRCon to encourage Mandiant to start checking for malware at the BIOS level.

Public disclosure of two vulnerabilities (VU#552286) that allow a ring 3 attacker to feed a UEFI system a fake BIOS update, cause a memory corruption while it’s being parsed, and execute arbitrary code in the context of SMM, before signature checks or any other protection mechanisms are in play. These vulnerabilities affected hundreds of PC models. This talk also introduced “The Watcher”, a PoC SMM agent that can perform arbitrary code execution on behalf of an attacker.

A description of how Intel TXT’s SMI suppression behavior can be used to subvert a BIOS protection mechanism. Also a discussion of on what hardware SMIs aren’t suppressed, and the implications for the trustworthiness if Copernicus 2.

Disclosure of a vulnerability (VU#758382) with the “Setup” UEFI non-volatile variable on some systems. Manipulation of this variable can lead to bypassing secure boot, or even bricking the system. Versions after CanSecWest also included discussion of the “Charizard” vulnerability (VU#291102 - not yet public). This is a way to suppress SMIs to subvert a BIOS protection mechanism, and therefore subvert secure boot. Co-authored (CanSecWest only) with: Bulygin, Furtak, Bazhaniuk & Loucaides, Intel Security

While there had been previous attacks, against BIOS, they often relied on having a BIOS that was wide open. Only a single previous publication had successfully attacked a BIOS and altered its contents, even though the BIOS should ostensibly be un-alterable except in the presence of a signed BIOS update. This talk presented the second ever BIOS exploit (VU#912156), and a third way to also bypass the signed update requirement (VU#255726-not-yet-published).

Discussing some of the limitations of the NIST NICE framework, as determined by trying to map the OpenSecurityTraining.info classes to it.

Discussion of how Copernicus could be used for enterprise-wide assessment of BIOS vulnerabilities, and integrity checking BIOSes to look for the presence of malicious implants. (In the ToorCon form, it was part of an extended 90 minute talk, including some BIOS Chronomancy material.)

Explaining how Timing-Based Attestation (or Software-Based Attestation as it’s known when you don’t use special hardware) is an extremely sexy defensive technique. It has all the elements that make hacking in general so fun: digging through low level code, victory going to the superior understanding of the architecture/code, etc. This talk is a survey of other work in the area, while going into a little bit more depth about how we’ve used it at the kernel and BIOS level.

In this talk we coined the term Timing-Based Attestation (TBA) to refer to what was previously called “software-based attestation”, to emphasize its reliance of detection of timing side-channel information. Showed the feasibility of using TBA 1) from the Windows kernel driver 2) across a real enterprise network and 3) with the TPM instead of just network round trip time. Also laid out the 3 necessary conditions for TOCTOU attacks to subvert TBA.

Outlining the case that in order to train the necessary number of security experts currently needed, we must use both open source and open access classes, like those found on OpenSecurityTraining.info (now known as “OST1”).