BIOS and Secure Boot Attacks Uncovered presented at ekoparty 2014

by Alexander Matrosov, Yuriy Bulygin,

Summary : A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and OS loaders. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component. This talk will detail and organize some of the attacks and how they work. We will demonstrate some of these attacks including user-mode bypasses of secure boot. We will describe underlying vulnerabilities and how to assess systems for these issues using chipsec (https://github.com/chipsec/chipsec), an open source framework for platform security assessment. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. In addition, we will explain why exploits against systems firmware, which were supposed to require kernel mode privilege, in many cases could be done from user mode. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.