TECH TRAINING 6 – Introductory BIOS & SMM Attack & Defense

Early Bird (< 30th June): SGD1499

Normal (> 1st July): SGD1999

REGISTER ONLINE NOW

---

PC BIOS/UEFI firmware is usually “out of sight, out of mind”. But this just means it’s a place where sophisticated attackers can live unseen and unfettered. This class shares information about PC firmware security that was hard-won over years of focused research into firmware vulnerabilities.

We will cover why the BIOS is critical to the security of the platform. This course will also show you what capabilities and opportunities are provided to an attacker when BIOSes are not properly secured. We will also provide you tools for performing vulnerability analysis on firmware, as well as firmware forensics. This class will take people with existing reverse engineering skills and teach them to analyze UEFI firmware. This can be used either for vulnerability hunting, or to analyze suspected implants found in a BIOS, without having to rely on anyone else.

Learning Objectives

• Understand the similarities and differences between the UEFI and legacy BIOS
• Understand the BIOS/UEFI boot environments and how they interact with the platform architecture
• How the BIOS/UEFI should configure the system to maximize platform security, and how attackers have bypassed these security mechanisms
• How System Management Mode (SMM) is instantiated and must be protected
• How SMM may be used to provide added layers of platform security
• How the BIOS flash chip should be locked down, and what kind of attacks can be done when it is not
• Learn how to Reverse Engineer UEFI modules
• To teach you “how to fish” so you can take your newly-acquired knowledge to perform further security research in this area

Target Audience

• Security researchers who wish to explore BIOS/SMM
• Firmware engineers wishing to better understand how to protect their firmware
• Operational defenders wishing to understand their exposure to BIOS level attacks
• Forensic analysts who may need to look for artifacts of possible BIOS attacks

Prerequisites

• Must have x86 assembly and architecture knowledge equal to or greater than what is provided here:
•    http://opensecuritytraining.info/IntroX86.html
•    http://opensecuritytraining.info/IntermediateX86.html
• Being familiar with IDA Pro is also helpful. A refresher is here:
•    http://opensecuritytraining.info/IntroductionToReverseEngineering.html

Hardware/Software Requirements

• Bring your own laptop
• IDA Pro (must have x64 capability, HexRays decompiler recommended, but not required)
• Windows >= 7 installed on hardware (preferred) or ability to run Windows in a VM (will not be able to do some labs)

Agenda

Day 1:

• Introduction to BIOS concepts
  • General system configuration responsibilities
  • Security-specific configuration responsibilities
• Hardware architecture
  • ICH/MCH/PCH
  • SPI flash chip
• Usage of PCI for x86 system internals
• Talking to hardware through the PCI configuration space
• PCI Option ROMs (and their use in attack)
• BIOS access control mechanisms
  • How they fail
  • Tools to detect their failure

Day 2:

• System Management Mode (SMM)
  • Why SMM is basically the best place for an attacker to live on an x86 system
  • Discussion of how the BIOS instantiates SMM from flash chip contents
  • Discussion of how attackers can break into SMM even without persisting on the flash chip
• Introduction to UEFI BIOS
  • The UEFI phases and security parameters specific to UEFI
  • UEFI Firmware Filesystem
• Reverse engineering UEFI modules
  • Applying UEFI structure definitions in IDA Pro
• How Secure Boot & Measured Boot work
  • Attacks against Secure Boot
  • Attacks against Measured Boot
• Specific tools useful for performing further firmware security research
  • RWEverything
  • ChipSec