Security of BIOS/UEFI System Firmware from Attacker's and Defender's Perspective

Instructors: Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak and John Loucaides
Dates: 16-18 June 2015
Capacity: 20

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern OSes against bootkits.

The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

Agenda

• 1. BIOS and UEFI firmware fundamentals
• - PC platform architecture fundamentals
• - Legacy BIOS and PCI Option ROMs
• - UEFI firmware
• - Differences between UEFI firmware and legacy BIOS
• - Compatibility Support Module (CSM)
• - System Management Mode firmware (SMI handlers)
• 2. Bootkits
• - Legacy System Boot and Master Boot Record (MBR)
• - Legacy Bootkits
• - UEFI Boot, GUID Partition Table (GPT) and EFI System Partition (ESP)
• - UEFI Bootkits
• - Secure boot
• 3. Common attack vectors against BIOS and UEFI firmware
• - BIOS protection in SPI flash memory
• - BIOS update
• - System Management Mode Memory (SMRAM) protection
• - Platform hardware configuration
• - System Management Interrupt (SMI) handlers firmware
• - UEFI Secure Boot
• - BIOS settings/configuration (CMOS memory, UEFI variables, Pcd)
• - S3 "Sleep" State
• 4. Mitigations in firmware and hardware
• 5. Hands-on learning of platform hardware and firmware
• - Accessing platform hardware resources/configuration
• - Accessing system firmware in SPI flash memory
• - Software and hardware extraction of SPI flash contents
• - Building UDK and working in UEFI environment
• - BIOS and EFI debugging tools
• 6. Hands-on learning of platform hardware and firmware
• - Manual verification of the platform and firmware configuration
• - Automated verification with CHIPSEC framework
• - Developing modules in CHIPSEC
• - Developing fuzzers for the system firmware
• 7. Hands-on firmware forensics exercises
• - Extracting contents of SPI Flash memory
• - Parsing SPI flash images
• - Extracting and analyzing system firmware file system
• - Extracting and analyzing persistent configuration
• - Analyzing suspect BIOS images
• 8. Extra material
• - Introduction to Measured Boot and Trusted Platform Module (TPM)
• - SW Based Full-Disk Encryption with Measured Boot and Secure Boot

Who should attend?

IT security professionals or anyone interested in understanding and assessing security of system firmware including BIOS and UEFI based firmware.

Class Requirements

Prerequisites:

• Understanding of x86 platform hardware and firmware fundamentals is welcome but not required.

Required Hardware:

• - A laptop computer based on 2nd Generation Core Intel processor or later, preferably with UEFI based firmware, UEFI OS (such as Microsoft Windows 8 or higher).

Students will be provided with bootable Linux and UEFI shell USB thumb drives with all tools and materials used in the training.

Bio

Yuriy Bulygin is chief threat researcher at Intel Security where he is leading the Advanced Threat Research team in identifying and analyzing new threats impacting modern platforms and researching mitigations in hardware and software against these threats. He joined Intel's Security Center of Excellence in 2006, where he was responsible for conducting security analysis and penetration testing of microprocessors, chipsets, graphics, and various other components, firmware, and technologies on Intel PCs, servers, and mobile devices.

Oleksandr Bazhaniuk is a security researcher in the Advanced Threat Research team. His primary interests are low-level hardware security, bios/uefi security, and automation of binary vulnerability analysis. His work has been presented at conferences, including Black Hat USA, Hack In The Box, Hackito Ergo Sum, Positive Hack Days, Toorcon, CanSecWest. He is also a co-founder of DCUA, the first DefCon group in Ukraine.

Andrew Furtak is a security researcher focusing on security analysis of firmware and hardware of modern computing platforms. He was previously a security software engineer. Andrew holds a MS in applied mathematics and physics from the Moscow Institute of Physics and Technology.

John Loucaides is a security researcher who is currently focusing on responding to platform security issues. He has performed security analysis for a wide variety of targets from embedded systems to enterprise networks, developing repeatable methods for improving assurance.

To Register

Click here to register.