Platform Firmware Defense for Blue Teams, presented at SOURCE Seattle 2017

by Lee Fisher

Summary: For attackers, "firmware is the new software". Defenders, for the most part, have not yet started to audit the state of their platform firmware (UEFI, ACPI, etc.). Every time you say "wipe the system" or "golden image" as part of a security solution, remember that the OS image is only the easy one to wipe, and that you are ignoring the more important ones: you are wiping the rootkits but not the bootkits. Firmware-hosted malware, on bare metal or virtualized, is nearly invisible to normal security detection tools, has full control of your system, and can often keep running even when the system is "powered off". Bootkits are already weaponized: firms like Hacking Team and government agencies (e.g., the recent WikiLeaks Vault 7 release describing CIA EFI bootkits for Apple hardware) have had EFI/UEFI-based malware in use for the last few years.
In this presentation, we'll briefly cover existing best practices for firmware security (NIST SP 800-147, 800-147B, 800-155 and 800-193), then cover some known firmware malware, including the blacklisted UEFI modules (and keys). Finally, we'll cover how to use some open source tools (CHIPSEC, UEFITool, FWTS, etc.) to help detect UEFI/ACPI-based malware on your system. I'll also be announcing a new open source tool to help make it easier to check firmware for issues.
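The "blacklisted UEFI modules (and keys)" mentioned above live in the UEFI `dbx` variable, which is a concatenation of EFI_SIGNATURE_LIST structures. The following is an added example, not code from the talk or from any of the tools it names: a minimal `dbx` parser that extracts the SHA-256 entries and checks whether a given module hash is revoked. The dbx blob, the module byte strings and the placeholder certificate are constructed inline for the example; a real check would compare the Authenticode (PE image) hash of the module, not a plain hash of the file bytes, so the `hashlib.sha256` of raw bytes here stands in for that.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID used by Microsoft in the production dbx.
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# EFI_SIGNATURE_LIST header: SignatureType (16), SignatureListSize (4),
# SignatureHeaderSize (4), SignatureSize (4); GUIDs are little-endian.
SIGLIST_HDR = 28


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data)] for every entry in a
    concatenation of EFI_SIGNATURE_LISTs (the layout of db/dbx)."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HDR or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + SIGLIST_HDR + hdr_size:off + list_size]
        # Each EFI_SIGNATURE_DATA is SignatureOwner (16) + SignatureData.
        if sig_size < 16 or len(body) % sig_size != 0:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Build one EFI_SIGNATURE_LIST with a zero-length signature header."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size) + body


def blacklisted_hashes(dbx_blob):
    """SHA-256 entries only; X.509 entries revoke whole certificates and
    need a separate signer check."""
    return {data for t, _owner, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def audit_modules(modules, dbx_blob):
    """modules: {name: image_bytes}. Returns {name: True if revoked}."""
    revoked = blacklisted_hashes(dbx_blob)
    # Placeholder for the Authenticode hash of each PE image (assumption).
    return {name: hashlib.sha256(img).digest() in revoked for name, img in modules.items()}


# --- constructed sample data ---------------------------------------------
BAD_MODULE = b"constructed: revoked UEFI driver image bytes"
GOOD_MODULE = b"constructed: legitimate UEFI driver image bytes"
OTHER_REVOKED = hashlib.sha256(b"constructed: another revoked image").digest()
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 8  # not a real certificate

SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, MS_OWNER_GUID,
                         [hashlib.sha256(BAD_MODULE).digest(), OTHER_REVOKED])
    + build_signature_list(EFI_CERT_X509_GUID, MS_OWNER_GUID, [FAKE_CERT_DER])
)

if __name__ == "__main__":
    for name, revoked in audit_modules(
            {"bad.efi": BAD_MODULE, "good.efi": GOOD_MODULE}, SAMPLE_DBX).items():
        print(f"{name}: {'REVOKED' if revoked else 'ok'}")
```

On a live Linux system the blob to feed `parse_signature_lists` is the `dbx` variable under `/sys/firmware/efi/efivars/` (skip its 4-byte attribute prefix); on a dumped SPI image the same structure can be pulled out of the NVRAM region with UEFITool.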