For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS?
In this presentation, I'll explain UEFI security from the competing perspectives of attacker and defender. I'll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.
This talk is a revisited version of the Black Hat Vegas 2017 research with new details about Intel BIOS Guard and Intel ACM’s including new vulnerabilities.
Alex Matrosov is leading embedded security at NVIDIA. He has over two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Before joining NVIDIA, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE) where he leads BIOS security. Before this role, Alex spent over six years at Intel Advanced Threat Research team and ESET as Senior Security Researcher. He is also author and co-author of the numerous research papers and the book “Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats”. Alex is frequently invited to speak at security conferences, such as REcon, Zeronigths, Black Hat, DEFCON and many others. Also, he is awarded by Hex-Rays for open-source plugin HexRaysCodeXplorer which is developed and supported since 2013 by REhint’s team.
