bios in 2015
play

BIOS in 2015 Oleksandr Bazhaniuk, Yuriy Bulygin (presenting) , Andrew - PowerPoint PPT Presentation

Apr 28, 2023 •209 likes •1.21k views

Attacking and Defending BIOS in 2015 Oleksandr Bazhaniuk, Yuriy Bulygin (presenting) , Andrew Furtak , Mikhail Gorobets, John Loucaides , Alex Matrosov, Mickey Shkatov Advanced Threat Research Agenda State of BIOS/EFI Firmware Security Recent

  1. Attacking and Defending BIOS in 2015 Oleksandr Bazhaniuk, Yuriy Bulygin (presenting) , Andrew Furtak , Mikhail Gorobets, John Loucaides , Alex Matrosov, Mickey Shkatov Advanced Threat Research

  2. Agenda State of BIOS/EFI Firmware Security Recent Classes of Vulnerabilities S3 Resume Boot Script Firmware Configuration (UEFI Variables) Input Pointers in SMI Handlers Call-Outs in SMI Handlers Detecting and Mitigating These Vulnerabilities Conclusions

  3. Plain Ordinary Art of Breaking BIOS... * Quotes are from or based on novels by Strugatsky brothers

  4. We seem to have a bit of a problem 37 unique publicly disclosed issues in the last ~2 years • (by only a handful of researchers) Multi tiple ple of these are really classes ses of issues with many • instances in affected firmware products (SMI input pointers, SMI call-outs, indiscriminate use of UEFI vars..) Many same issues aff ffect ct multi tiple le vendors rs at once (S3 • boot script, UEFI variables, SMI call-outs, SMI input pointers, missing basic BIOS write protections…) Issues in open source EDK reference implementation • may find their way in multiple UEFI firmware products And updating system firmware is not an easy thing •

  5. Jolly Ghosts (2013-2014) Vulnerability Ref Affected Discoverer EFI firmware is not write protected (attack on Full-Disk Encryption with CSW2013, Intel ATR, TPM aka “Angry Evil Maid”, subverting TPM measured boot). In 2009, NoSuchCon MITRE, Sacco & Ortega discovered legacy BIOS were not write protected 2013 LegbaCore Secure Boot bypass due to SPI flash protections are not used BH2013 Secure Boot bypass due to PE/TE Header confusion CSW2014 Multiple Secure Boot bypass due to CSM default enabled or CSM CSW2014 Intel ATR enable/disable stored in Setup (2 issues) Secure Boot bypass due to “Clear keys ” and “Restore default keys” CSW2014 stored in Setup Secure Boot bypass due to ignoring SecureConfig integrity mismatch CSW2014 Secure Boot bypass via on/off switch stored in Setup variable CSW2014 Multiple Intel ATR, LegbaCore Unauthorized modification of UEFI variables in UEFI systems (Secure VU#758382 Multiple LegbaCore, Boot policies stored in Setup, corrupting Setup contents) – 2 issues Tianocore Intel ATR SMM Cache attack protections (SMRR) not enabled (“The Sicilian”) VU#255726 Multiple Dell BIOS in some Latitude laptops and Precision Mobile Workstations VU#912156 Dell vulnerable to buffer overflow (“ Ruy Lopez”) LegbaCore SMI Suppression if SMM BIOS protection is not used (“ Charizard ”) VU#291102 Multiple Intel BIOS locking mechanism contains race condition that enables VU#766164 AMI, write protection bypass (“Speed Racer”) Phoenix

  6. Exploding Rainbows (2014) Vulnerability Ref Affected Discoverer UEFI EDK2 Capsule Update vulnerabilities a.k.a. “King and Queen’s VU#552286 Multiple, LegbaCore Gambit” (2 issues) Tianocore EDK2 UEFI Variable “Reinstallation” (bypassing Boot -Service only variables) Tianocore Multiple, Intel ATR EDK2 Insecure Default Secure Boot Policy for Option ROMs Incorrect PKCS#1v1.5 Padding Verification for RSA Signature Check Overwrite from PerformanceData Variable CommBuffer SMM Overwrite/Exposure (3 issues) TOCTOU (race condition) Issue with CommBuffer (2 issues) SMRAM Overwrite in Fault Tolerant Write SMI Handler (2 issues) Tianocore EDK2 Intel ATR SMRAM Overwrite in SmmVariableHandler (2 issues) Integer/Heap Overflow in SetVariable Heap Overflow in UpdateVariable Overwrite from FirmwarePerformance Variable Integer/Buffer Overflow in TpmDxe Driver Protection of PhysicalPresence Variable

  7. Spitting Devil's Cabbage (2014-2015) Vulnerability Ref Affected Discoverer Boot Failure Related to UEFI Variable Usage (36 issues) Tianocore EDK2 Intel ATR, TianoCore dev, LegbaCore Boot Failure Related to TPM Measurements Tianocore EDK2 TianoCore dev Tianocore UEFI implementation reclaim function vulnerable to VU#533140 EDK2, Rafal Wojtczuk, buffer overflow (2 issues) Tianocore Insyde LegbaCore Overflow in Processing of AuthVarKeyDatabase Tianocore EDK2 Rafal Wojtczuk, LegbaCore Counter Based Authenticated Variable Issue Tianocore EDK2 TianoCore dev Some UEFI systems do not properly secure the EFI S3 VU#976132 Multiple Rafal Wojtszuk, Intel Resume Boot Path boot script (“ Venamis ”) ATR, LegbaCore Some BIOS protections are unlocked on resume (“ Snorlax ”) VU#577140 LegbaCore Loading unsigned Option ROMs (“ Thunderstrike ”) based on trmm.net Apple Trammell Hudson earlier work by @snare SMI input pointer validation vulnerabilities (multiple issues) CSW2015 Multiple Intel ATR SMI handler call-out vulnerabilities (multiple issues) LegbaCore Multiple LegbaCore Earlier by Filip Wecherowski & ITL (bugtraq, ITL) SPI flash configuration lock (FLOCKDN) is lost after resume reverse.put.as Apple Pedro Vilaça from S3 sleep ( Update: Apple advisory) Update: Trammell Hudson, LegbaCore The list may be incomplete

  8. Your BIOS is definitely maybe vulnerable

  9. This is one way to handle the problem http://sovietart.me/

  10. Calm silence ends the history of mankind...

  11. So let’s talk what needs to be done But, t, first st, , wh why we we ne need any changes es Attacks via S3 Resume Boot Script #S3SleepResumeBootScript Attacks via UEFI Variables #BadBIOSVariableContents Attacks via Bad SMI Handlers Input Pointers #SMIHandlerBadInputPointers Attacks via SMI Handlers Call-Outs #ThisVulnSeriouslyHadToBeGoneLongAgo

  12. Attacking Firmware via S3 Resume Boot Script Image source

  13. VU# 976132 (CVE-2014-8274) • Freddy Krueger vulnerabilities (S3 Resume Boot Script) were independently discovered by us and other security researchers • Rafal Wojtczuk of Bromium and Corey Kallenberg (@coreykal) of LegbaCore first published Attacks on UEFI Security (paper) • Details of PoC exploit were described by Dmytro Oleksiuk (@d_olex) in Exploiting UEFI boot script table vulnerability • Pedro Vilaça (@osxreverser) disclosed a related vulnerability in Mac EFI firmware (SPI Flash Configuration HW lock bit FLOCKDN is gone after waking from sleep)

  14. Searching for ACPI global structure… AcpiGlobalVariable UEFI variable points to a structure in memory ( ACPI_VARIABLE_SET_COMPATIBILITY ) [ CHIPSEC ] Reading EFI variable Name=‘ AcpiGlobalVariable ’.. [ uefi ] EFI variable AF9FFD67-EC10-488A-9DFC- 6CBF5EE22C2E:AcpiGlobalVariable: 18 be 89 da

  15. Searching for “S3 Boot Script”… Pointer AcpiBootScriptTable at offset 0x18 in the structure ACPI_VARIABLE_SET_COMPATIBILITY points to the script table typedef struct { // // Acpi Related variables // EFI_PHYSICAL_ADDRESS AcpiReservedMemoryBase ; UINT32 AcpiReservedMemorySize ; EFI_PHYSICAL_ADDRESS S3ReservedLowMemoryBase ; EFI_PHYSICAL_ADDRESS AcpiBootScriptTable; .. } ACPI_VARIABLE_SET_COMPATIBILITY ;

  16. “S3 Boot Script” table in memory

  17. Why “S3 Resume Boot Script”? To speed up S3 resume, required HW configuration actions are written to an “S3 Resume Boot Script” by DXE drivers instead of running all configuration actions normally performed during boot

  18. S3 Boot Script is a Sequence of Platform Dependent Opcodes 00 00 00 00 21 00 00 00 02 00 0f 01 00 00 00 00 00 00 c0 fe 00 00 00 00 01 00 00 00 00 00 00 00 00 01 00 00 00 24 00 00 00 02 02 0f 01 00 00 00 00 04 00 c0 fe 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 08 02 00 00 00 21 00 00 00 02 00 0f 01 00 00 00 00 00 00 c0 fe 00 00 00 00 01 00 00 00 00 00 00 00 10 03 00 00 00 24 00 00 00 02 02 .. 01 00 00 00 00 00 00 00 f0 00 02 00 67 01 00 00 20 00 00 00 01 02 30 04 00 00 00 00 21 00 00 00 00 00 00 00 de ff ff ff 00 00 00 00 68 01 00 00 .. d3 d1 4b 4a 7e ff

  19. Decoding Opcodes [ 000 ] Entry at offset 0x0000 ( length = 0x21 ): Data : 02 00 0f 01 00 00 00 00 00 00 c0 fe 00 00 00 00 01 00 00 00 00 00 00 00 00 Decoded : Opcode : S3_BOOTSCRIPT_MEM_WRITE ( 0x02 ) Width : 0x00 ( 1 bytes ) Address : 0xFEC00000 Count : 0x1 Values : 0x00 .. [ 359 ] Entry at offset 0x2F2C ( length = 0x20 ): Data : 01 02 30 04 00 00 00 00 21 00 00 00 00 00 00 00 de ff ff ff 00 00 00 00 Decoded : Opcode : S3_BOOTSCRIPT_IO_READ_WRITE ( 0x01 ) Width : 0x02 ( 4 bytes ) Address : 0x00000430 Value : 0x00000021 Mask : 0xFFFFFFDE # chipsec_util.py uefi s3bootscript

  20. S3 Boot Script Opcodes • I/O port write ( 0x00 ) • I/O port read-write ( 0x01 ) • Memory write ( 0x02 ) • Memory read-write ( 0x03 ) • PCIe configuration write ( 0x04 ) • PCIe configuration read-write ( 0x05 ) • SMBus execute ( 0x06 ) • Stall ( 0x07 ) • Dispatch ( 0x08 ) / Dispatch2 ( 0x09 ) • Information ( 0x0A ) • …

  21. Processor I/O Port Opcodes S3_BOOTSCRIPT_IO_WRITE/READ_WRITE opcodes in the S3 boot script write or RMW to processor I/O ports Opcode below sends SW SMI by writing value 0xBD port 0xB2

  22. “Dispatch” Opcodes S3_BOOTSCRIPT_DISPATCH/2 opcodes in the S3 boot script jumps to entry-point defined in the opcode

  23. Opcode Restoring BIOS Write Protection S3_BOOTSCRIPT_PCI_CONFIG_WRITE opcode in the S3 boot script restores BIOS hardware write-protection (value 0x2A indicates BIOS hardware write protection is ON)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BIOS AGM 2013 Apothecaries Hall, London Welcome 15 th June 2013 BIOS AGM Agenda Apologies

BIOS AGM 2013 Apothecaries Hall, London Welcome 15 th June 2013 BIOS AGM Agenda Apologies

BIOS AGM 2013 Apothecaries Hall, London Welcome 15 th June 2013 BIOS AGM Agenda Apologies Approve previous years AGM minutes To receive the Chairs report Receiving of accounts and auditors remuneration 2012 To receive officers for

743 views • 49 slides
Spring 2015 Final Exam and Presentation Schedule BSHE | BIOS | EH | EPI | GH | HPM | INFO | PUBH |

Spring 2015 Final Exam and Presentation Schedule BSHE | BIOS | EH | EPI | GH | HPM | INFO | PUBH |

Spring 2015 Final Exam and Presentation Schedule BSHE | BIOS | EH | EPI | GH | HPM | INFO | PUBH | E MPH BSHE Class# Course# Section Title Faculty Day(s) Time Location Capstone Seminar: Colin 1:00- 2617 590 000 TU 3:50pm GCR 115

199 views • 6 slides
BioS oSpecimen Exchange for Neurological Disorders (BioS oSEN END) MBPS Training Webinar

BioS oSpecimen Exchange for Neurological Disorders (BioS oSEN END) MBPS Training Webinar

BioS oSpecimen Exchange for Neurological Disorders (BioS oSEN END) MBPS Training Webinar BioSEND Training Webinar Overview 1. Study Reminders 2. Site Equipment 3. Biospecimen Collection Protocol 4. Study Visit Protocol 5. Kits &

1.12k views • 54 slides
Coach Bios Coach Bios Crispin Napolitano - Head Coach

Coach Bios Coach Bios Crispin Napolitano - Head Coach

Mission Statement To Build and Create a Culture of Excellence. We are dedicated to developing each young man with the core values of

665 views • 31 slides
BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S..

1.27k views • 100 slides
Quality assurance of biocontrol agents Rose Buitenhuis Can you recognize quality? The bios are

Quality assurance of biocontrol agents Rose Buitenhuis Can you recognize quality? The bios are

Quality assurance of biocontrol agents Rose Buitenhuis Can you recognize quality? The bios are @#&%$ !!! 1. Are your expectations too high? Preventative approach needed Bios cant perform miracles Patience is a virtue, results

538 views • 9 slides
BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S.. Leg egacy acy BI BIOS 1. CPU

1.36k views • 101 slides
IND INDUSTRY BIOS IOSECURITY STANDARDS Aquaculture Biosecure Systems by Francois Brenta BIOS

IND INDUSTRY BIOS IOSECURITY STANDARDS Aquaculture Biosecure Systems by Francois Brenta BIOS

Aquaculture Biosecure Systems IND INDUSTRY BIOS IOSECURITY STANDARDS Aquaculture Biosecure Systems by Francois Brenta BIOS IOSECURITY IN IN WORLD PRA RAWN FARM RMING Aquaculture Biosecure Systems by Francois Brenta CH CHAL ALLENGES S

595 views • 24 slides
Nandeeshwar.B CDAC Hyderabad 29.04.2020 Why Security ? " The olden phrase is always

Nandeeshwar.B CDAC Hyderabad 29.04.2020 Why Security ? " The olden phrase is always

Nandeeshwar.B CDAC Hyderabad 29.04.2020 Why Security ? " The olden phrase is always golden... Prevention is Better than Cure." Desktop Security BIOS Settings BIOS (Basic Input / Output System) Settings Computers BIOS is

842 views • 68 slides
TRACIE HEALTHCARE EMERGENCY PREPAREDNESS INFORMATION GATEWAY Establishing Medical Operations

TRACIE HEALTHCARE EMERGENCY PREPAREDNESS INFORMATION GATEWAY Establishing Medical Operations

Access the recorded webinar here: https:// attendee.gotowebinar.com/recording/256769356898835472 Access speaker bios here: https://files.asprtracie.hhs.gov/documents/establishing-mocc-for- covid-19-webinar-speaker-bios.pdf Access Q and A here:

1.13k views • 78 slides
Estimating the mean number of rows in Auditoriums on UNC- Chapel Hills Campus Bios 664 -

Estimating the mean number of rows in Auditoriums on UNC- Chapel Hills Campus Bios 664 -

Estimating the mean number of rows in Auditoriums on UNC- Chapel Hills Campus Bios 664 - Sample Survey Project Team 4: Cally Pfeiffer, Nathaniel Putnam, Preston Burns, Vasyl Zhabotynsky, Patrick Pasquariello Population We consider our

260 views • 13 slides
www.netelderassociates.com Culture as Operating System People as BIOS Departments as

www.netelderassociates.com Culture as Operating System People as BIOS Departments as

Lloyd Taylor www.netelderassociates.com Culture as Operating System People as BIOS Departments as Tribes Putting it Together A culture is a set of rules on how things are to be done. Some are explicit printf();

780 views • 26 slides
Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy Bulygin (@c7zero) CanSecWest 2013 Outline 1 UEFI BIOS Outline 1 UEFI BIOS 2 Measured/Trusted Boot Outline 1 UEFI BIOS 2 Measured/Trusted Boot 3 The

906 views • 90 slides
Bioinformatics: Network Analysis Evolution of Genes and Genomes COMP 572 (BIOS 572 / BIOE 564) -

Bioinformatics: Network Analysis Evolution of Genes and Genomes COMP 572 (BIOS 572 / BIOE 564) -

Bioinformatics: Network Analysis Evolution of Genes and Genomes COMP 572 (BIOS 572 / BIOE 564) - Fall 2013 Luay Nakhleh, Rice University 1 The Traditional Phylogeny Reconstruction Problem U V W X Y AGGGCAT TAGCCCA TAGACTT TGCACAA

784 views • 53 slides
Bioinformatics: Network Analysis Analyzing Stoichiometric Matrices COMP 572 (BIOS 572 / BIOE 564)

Bioinformatics: Network Analysis Analyzing Stoichiometric Matrices COMP 572 (BIOS 572 / BIOE 564)

Bioinformatics: Network Analysis Analyzing Stoichiometric Matrices COMP 572 (BIOS 572 / BIOE 564) - Fall 2013 Luay Nakhleh, Rice University 1 Biological Components Have a Finite Turnover Time Most metabolites turn over within a minute in a

976 views • 81 slides
El Elec ectr tron on Bea eam m Trea eatment tment of Was aste tewater ter an and Bios

El Elec ectr tron on Bea eam m Trea eatment tment of Was aste tewater ter an and Bios

El Elec ectr tron on Bea eam m Trea eatment tment of Was aste tewater ter an and Bios osol olids ids: : Cu Current ent St State te of th the e Sc Scien ence ce Suresh D. Pillai, Ph.D. Professor of Microbiology Director,

362 views • 24 slides
WEN ETA JB? A 2 million dollars problem Date: 05/06/2019 For: SSTIC Presenters: Eloi

WEN ETA JB? A 2 million dollars problem Date: 05/06/2019 For: SSTIC Presenters: Eloi

WEN ETA JB? A 2 million dollars problem Date: 05/06/2019 For: SSTIC Presenters: Eloi Benoist-Vanderbeken, Fabien Perigaud Who are we Eloi Benoist-Vanderbeken Fabien Perigaud @elvanderb @0xf4b Working for Synacktiv: Offensive

883 views • 40 slides
Ticagrelor vs Aspirin in Patients undergoing Coronary- Artery Bypass Grafting Herib eribert

Ticagrelor vs Aspirin in Patients undergoing Coronary- Artery Bypass Grafting Herib eribert

The TiCAB Trial Ticagrelor vs Aspirin in Patients undergoing Coronary- Artery Bypass Grafting Herib eribert Schun unker ert, M , MD on behalf of the e TiCAB Investigators TiCAB an investigator initiated trial Sponsor Deutsches

822 views • 26 slides
universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 .

universal composability from essentially any trusted setup Mike Rosulek | | CRYPTO 2012 . Example: Set intersection A B ( function evaluation ) Generate a fair coin toss ( randomized ) Online poker without a dealer ( reactive ) secure

882 views • 48 slides
for General Purpose Processors Zhengrong Wang Prof. Tony Nowatzki 1 Computation & Memory

for General Purpose Processors Zhengrong Wang Prof. Tony Nowatzki 1 Computation & Memory

Stream-based Memory Specialization for General Purpose Processors Zhengrong Wang Prof. Tony Nowatzki 1 Computation & Memory Specialization SIMD Dataflow + + + + + + New ISA abstraction for / certain computation pattern. Core

774 views • 32 slides
:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2 Nick Sullivan 3 George Tankersley 4 Filippo Valsorda 4 1 Royal Holloway, University of London 2 University of Waterloo 3 Cloudflare 4 Independent PETS

591 views • 55 slides
Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Spring 2015 :: CSE 502 Computer Architecture Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture Big Picture I-cache Instruction Branch FETCH Flow Predictor

381 views • 19 slides
Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter,

Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter,

Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter, Emmett Witchel, Thomas Anderson 1 Lets build a fast server NoSQL store, Database, File server, Mail server Requirements Small updates (1

1.07k views • 79 slides
4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip

4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip

4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip Fracture Results Onset Refer to Attached Ofirmev Brochure

84 views • 5 slides

More recommend