UEFI and PCI bootkits. Pierre Chifflier PacSec 2013
Slide 2: ANSSI
- Created on July 7th 2009, the ANSSI (French Network and Information Security Agency) is the national authority for the defense and the security of information systems
- Under the authority of the Prime Minister
- Main missions: prevention, defense of information systems
Slide 3: UEFI study
Motivations
- Study UEFI
- Raise awareness of pre-boot dangers
- Present and discuss countermeasures
Study
- Boot sequence
- UEFI functions: hooking the bootloader, ACPI tables, network functions
- PCI devices
- Countermeasures
Slide 4: Overview
1 UEFI
2 PCI
3 Description of the UEFI VGA bootkit
4 Demo
5 Countermeasures
Slide 5: UEFI (section title)
Slide 6: BIOS vs UEFI (1/2)
BIOS
- x86 architectures
- Real mode (16 bits)
- No support for large disks (> 2 TB), MBR sector
- Memory mapping limited to 1 MB
- No integrity check
- Old-school in 2013 :)
Slide 7: UEFI
UEFI: recent?
- 2000: EFI (Intel)
- UEFI (Unified EFI Forum), current version: UEFI 2.4
Objectives
- Overcome BIOS limitations
- Multi-architecture (x86, ARM, Itanium, ...)
- Standardization of drivers
- Modern design: modular, C language
Slide 8: UEFI: Specifications
Services
- IPv4/6, UDP/TCP 4/6, ARP, DHCP4/6, MTFTP4/6, FTP, PXE, iSCSI
- VLAN, EAP, IPsec (IKEv2)
- PCI, USB, SCSI, AHCI, removable media
- GPT, vfat
- Console, graphical mode, human interface, UTF-16
- User identification
- ACPI, SMRAM
- Debugger
- Compression
- EFI Byte Code virtual machine
- Firmware management
Slide 9: UEFI and Security
- EFI Development Kit (EDK) 2: 1,000,000+ SLOC
- No protection on memory pages, rwx everywhere
- All code running in ring 0
- Huge attack surface
- Most code written from scratch (including libc, IPv4/IPv6 stack, IPsec, PE parser)
- Lots of StrCat and StrCpy
Slide 10: UEFI and Security (2)
Services offered to malware
- Network functions (IPv4 and IPv6)
- Get drivers over PXE
- Use an IPsec tunnel
- Manipulate ACPI tables
- Add new drivers
Slide 11: UEFI Boot Sequence
[Diagram: the UEFI boot sequence from power on to shutdown. Phases: Security (SEC), Pre-EFI Initialization (PEI), Driver Execution Environment (DXE), Boot Device Select (BDS), Transient System Load (TSL), Run Time (RT), After Life (AL); SEC through BDS form Platform Initialization, TSL is the OS boot. Stages shown: Pre-Verifier, CPU Init, Chipset Init, Board Init, EFI Driver Dispatcher (device drivers, intrinsic services), Boot Manager, OS-absent applications, Transient OS Bootloader and Transient OS Environment, Final OS Bootloader, Final OS Environment, OS-present applications.]
Slide 12: PCI bootkits (section title)
Slide 13: Overview: PCI Expansion ROMs
- (Small) optional memory chip, present on PCI/PCIe/Thunderbolt/ExpressCard devices
- Provides some code, executed by the firmware
- Already exploited in the past, for the BIOS
- What about UEFI?
Slide 14: VGA Card [photo of the graphics card used]
Slide 15: Scenario and assumptions
Use case
- The attacker has already gained root/admin privileges
- She wants to install a persistent, stealthy rootkit
- Bootkit: bootloader rootkit
- Visible modifications
- Hard if a BIOS password is set
- Use the hardware? Without re-flashing the BIOS
Slide 16: Example: graphics card
- Objective: persistent privilege escalation
Problems
- OS? Not yet in memory
- No access to the hard disk (+ possible encryption)
- How to execute code? In a few kilobytes!
- And the graphics card must still work properly
Initial reactions
- All combined: nice story for Matrix fans
- Need I go on?
Slide 17: UEFI Boot Sequence / Scenario
[Diagram: the boot sequence diagram of slide 11, annotated with the scenario. Start: PCI card. Target: OS.]
Slide 18: UEFI Boot Sequence
[Diagram: simplified boot chain. Power on -> UEFI firmware (SEC, PEI, DXE; step 1: Load Option ROM, legacy code; BDS) -> Bootloader (Grub2) -> Operating System (Linux, App).]
Slide 19: Real world scenario
- Get the expansion ROM, using one of: extract the PCI device; add a new internal or external PCI device; boot on a USB stick; gain admin privileges on the OS
- New functionalities: add the UEFI code to create a hybrid ROM
- Flash the expansion ROM
- Backdoor installed
Slide 20: Dump ROM
- cat /sys/bus/pci/devices/0000\:00\:02.0/rom
- Manufacturer tools. Example: ATI
  E:\> atiflash.exe -unlockrom 0
  E:\> atiflash.exe -s 0 myrom.bin
Slide 21: Crafting the UEFI ROM (footnote: ROM wasn't built in a day)
Crafting a hybrid ROM
- Using the development kit (vim + gcc)
- Create a DXE driver: C code, 64 bits (make)
- Choose some PCI IDs
- Convert to ROM format (EfiRom)
- Patch the image (cat)
Slide 22: PCI Expansion ROM format
A ROM holds one or more images (image 0 ... image n), each < 64 kB. Each image starts with a PCI ROM Header whose pointer at offset 18h locates the image's PCI Data Structure.

PCI ROM Header
  Offset    Length  Value   Field
  00h-01h   2       55AAh   PCI Expansion ROM signature
  02h-17h   16h             Architecture-specific data
  18h-19h   2               Pointer to PCI Data Structure

PCI Data Structure
  Offset    Length  Field
  00h-03h   4       Signature, the "PCIR" string
  04h-05h   2       Vendor Identification
  06h-07h   2       Device Identification
  08h-09h   2       Device List Pointer
  0Ah-0Bh   2       PCI Data Structure Length
  0Ch       1       PCI Data Structure Revision
  0Dh-0Fh   3       Class Code
  10h-11h   2       Image Length
  12h-13h   2       Vendor ROM Revision Level
  14h       1       Code Type
  15h       1       Last Image Indicator
  16h-17h   2       Maximum Runtime Image Length
  18h-19h   2       Pointer to Configuration Utility Code Header
  1Ah-1Bh   2       Pointer to DMTF CLP Entry Point

Modification of the PCI Expansion ROM: image 0 is the vanilla ROM, and an additional image carrying the UEFI code is appended as image n.
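The image chain described on this slide is what a defender wants to walk when inventorying option ROMs: a dump (for instance the sysfs rom file of slide 20) is parsed image by image, and a ROM that carries both a legacy x86 image and an EFI image, the hybrid layout of this talk, is flagged for closer inspection. The parser below is an added example, not code from the talk; the EFI-specific fields (EfiSignature 0EF1h at offset 04h, machine type at 0Ah) follow the UEFI specification's expansion ROM header, and the sample ROM, the PCIR placement at 40h and the vendor/device IDs 1234:5678 are constructed for the example.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Optional

# Field offsets follow the PCI ROM Header and PCI Data Structure ("PCIR")
# of the slide above; EFI image fields follow EFI_PCI_EXPANSION_ROM_HEADER.
ROM_SIGNATURE = b"\x55\xAA"      # bytes 55h AAh at offset 00h of every image
PCIR_SIGNATURE = b"PCIR"
EFI_ROM_SIGNATURE = 0x0EF1       # EfiSignature at offset 04h of an EFI image
CODE_TYPE_LEGACY_X86 = 0
CODE_TYPE_EFI = 3
CODE_TYPES = {0: "x86 legacy (PC-AT)", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
EFI_MACHINE_TYPES = {0x014C: "IA32", 0x8664: "x64", 0x0EBC: "EBC", 0xAA64: "AArch64"}


@dataclass
class RomImage:
    offset: int                  # start of the image inside the ROM dump
    length: int                  # PCIR image length * 512, in bytes
    vendor_id: int
    device_id: int
    class_code: int              # 24-bit class code, base class in the top byte
    code_type: int
    last: bool                   # bit 7 of the Last Image Indicator
    efi_machine: Optional[int]   # PE machine type, EFI images only


def parse_rom(data: bytes) -> list:
    """Walk the image chain of a PCI expansion ROM dump and return its images."""
    images = []
    offset = 0
    while offset + 0x1A <= len(data):
        if data[offset:offset + 2] != ROM_SIGNATURE:
            raise ValueError(f"bad ROM signature at {offset:#x}")
        pcir = offset + struct.unpack_from("<H", data, offset + 0x18)[0]
        if pcir + 0x1C > len(data) or data[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"missing PCIR structure for image at {offset:#x}")
        vendor_id, device_id = struct.unpack_from("<HH", data, pcir + 0x04)
        class_code = int.from_bytes(data[pcir + 0x0D:pcir + 0x10], "little")
        length = struct.unpack_from("<H", data, pcir + 0x10)[0] * 512
        code_type = data[pcir + 0x14]
        last = bool(data[pcir + 0x15] & 0x80)
        if length == 0 or offset + length > len(data):
            raise ValueError(f"image at {offset:#x} claims {length} bytes, dump truncated")
        efi_machine = None
        if code_type == CODE_TYPE_EFI:
            if struct.unpack_from("<I", data, offset + 0x04)[0] != EFI_ROM_SIGNATURE:
                raise ValueError(f"EFI code type without EFI signature at {offset:#x}")
            efi_machine = struct.unpack_from("<H", data, offset + 0x0A)[0]
        images.append(RomImage(offset, length, vendor_id, device_id, class_code,
                               code_type, last, efi_machine))
        if last:
            return images
        offset += length
    raise ValueError("ROM ends without a last-image indicator")


def is_hybrid(images: list) -> bool:
    """True when one ROM carries both a legacy x86 image and an EFI image."""
    types = {img.code_type for img in images}
    return CODE_TYPE_LEGACY_X86 in types and CODE_TYPE_EFI in types


def describe(images: list) -> list:
    """One human-readable line per image, for an inventory report."""
    lines = []
    for i, img in enumerate(images):
        kind = CODE_TYPES.get(img.code_type, f"unknown ({img.code_type})")
        if img.efi_machine is not None:
            kind += " for " + EFI_MACHINE_TYPES.get(img.efi_machine, f"machine {img.efi_machine:#06x}")
        lines.append(f"image {i} @ {img.offset:#07x}: {img.length:6d} bytes, "
                     f"{img.vendor_id:04x}:{img.device_id:04x} class {img.class_code:06x}, {kind}")
    return lines


def build_image(vendor, device, code_type, last, units=1, machine=0) -> bytes:
    """Build a minimal image for the constructed sample below (not a real ROM)."""
    img = bytearray(units * 512)
    pcir = 0x40                                    # PCIR placement chosen for the sample
    img[0:2] = ROM_SIGNATURE
    struct.pack_into("<H", img, 0x18, pcir)
    if code_type == CODE_TYPE_EFI:                 # InitializationSize, EfiSignature,
        struct.pack_into("<HIHH", img, 0x02, units, EFI_ROM_SIGNATURE, 0x0B, machine)
    img[pcir:pcir + 4] = PCIR_SIGNATURE            # subsystem 0Bh = boot service driver
    struct.pack_into("<HH", img, pcir + 0x04, vendor, device)
    struct.pack_into("<H", img, pcir + 0x0A, 0x1C)   # PCI Data Structure length
    img[pcir + 0x0C] = 3                             # PCI Data Structure revision
    img[pcir + 0x0D:pcir + 0x10] = (0x030000).to_bytes(3, "little")  # VGA class code
    struct.pack_into("<H", img, pcir + 0x10, units)
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    return bytes(img)


# Constructed sample: a legacy VGA image followed by an x64 EFI image,
# with placeholder vendor/device IDs 1234:5678 (not a real device).
SAMPLE_ROM = (build_image(0x1234, 0x5678, CODE_TYPE_LEGACY_X86, last=False, units=1)
              + build_image(0x1234, 0x5678, CODE_TYPE_EFI, last=True, units=2, machine=0x8664))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ROM
    found = parse_rom(blob)
    print("\n".join(describe(found)))
    print("hybrid legacy+EFI ROM:", is_hybrid(found))
```

On Linux the sysfs rom file of slide 20 must be enabled by writing 1 to it before it can be read, and a parsed layout only tells you what the ROM declares: comparing the dump against the vendor's reference image is still the real integrity check.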
Slide 23: Writing ROM (1/2)
- Manufacturer tools. Example: ATI
  E:\> atiflash.exe -unlockrom 0
  E:\> atiflash.exe -p -f 0 myrom.bin
- Restart, and cross fingers
Slide 24: Writing ROM (2/2)
- Flash SPI: low-level tools
Slide 25: Execution in UEFI (footnote: All roads lead to ROM)
Malware execution
- The UEFI firmware enumerates PCI devices
- Expansion ROMs are loaded into memory: legacy: 0xc0000-0xfffff; UEFI: dynamic
- The legacy ROM is loaded by the CSM
- UEFI ROMs are loaded afterward
- The C entry point is called
- The ExitBootServices function is hooked
Slide 26: Load PCI Expansion ROM
[Diagram: the boot chain of slide 18 (Power on -> UEFI firmware: SEC, PEI, DXE, Load Option ROM, BDS -> Bootloader: Grub2 -> Operating System: Linux, App) with the added code marked. Step 1: Load Option ROM loads the ROM, which holds the legacy code header and the added Init Code. Later steps shown: Modified ExitBootServices, Interrupt Handler, Modified Fork.]
Slide 27: Intercepting the bootloader
Bootloader role
- Copies the kernel image into memory (address?)
- Calls ExitBootServices
- Problem: memory can be reused by the OS
- Tested on Grub2
Challenges
- Persistent memory allocation
- Reconstruction of the call stack
- Identification of the address
- Preparation of the next step
Slide 28: Next Step: bootloader
[Diagram: same boot chain; step 2: the Modified ExitBootServices added code intercepts the bootloader's ExitBS call.]
Slide 29: Intercepting the kernel (1/2)
- Memory image before decompression
- Physical addresses vs virtual addresses
- Kernel: initializes IDT, GDT, paging, etc.
- Mode change (32 -> 64 bits), CS and DS, ...
- Use a breakpoint? Not easy (IDT)
[Diagram: early kernel stages: Early Kernel (32 bits) -> Decompression Code (32 bits, resets GDT+IDT) -> Init Part 2 (64 bits, resets GDT+IDT) -> Uncompressed Image; load addresses not legible in the transcription.]
Slide 30: Intercepting the kernel (2/2)
- Use hardware breakpoints (hardware debug registers)
- Use the #DB interrupt (interrupt vector 1)
- Hardware BP 1: 0x
- Hardware BP 2: before the IDT reload, in Init Part 2
Slide 31: Next Step: early kernel
[Diagram: same boot chain; step 3: the Interrupt Handler added code catches #DB in the early kernel.]
Slide 32: Syscall Modification
Modification of a system call
- Patch code in memory
- Privilege escalation
- Chosen syscall: fork
- Address of the syscall? Addresses of internal functions?
Modified system call:
    xor %rdi,%rdi
    call *0xfffffffff     ; prepare_kernel_cred
    call *0xfffffffffdb6  ; commit_creds
    ret
Slide 33: Next Step: syscall
[Diagram: same boot chain; step 4: the Modified Fork added code replaces the kernel's fork syscall.]
Slide 34: Demo
[Diagram: the complete chain with all four steps: Load Option ROM -> Init Code; Modified ExitBootServices -> ExitBS; Interrupt Handler -> #DB; Modified Fork -> fork.]
Slide 35: EFI Byte Code
- EBC: EFI Byte Code
- EBC virtual machine defined in the specifications
- Assembly: Intel-like instructions, platform-independent
- Can be used in Option ROMs
Example of EFI Byte Code (listing garbled in the transcription):
    CC ADD64 R7, R6 0x4 B ,+48), R MOVnw 0,+48) CALL32 R7
Slide 36: EFI Byte Code and Security
EBC
- Hardware independent
- No memory restriction
- No types, can call / be called from C functions
This makes analysis complicated
- Tools not available, or EBC poorly supported
- For example, analyzing a file can lead to crashes
- Great way to obfuscate code
- Portable (including multiple payloads)
Slide 37: Consequences
UEFI PCI bootkits
- Stealthy: no disk or file modification, small memory footprint: almost invisible
- Portable
- Survives OS upgrades or reinstall
- Can also use DMA
- Independent of disk encryption
- BIOS password: does not prevent it
- Antivirus (even UEFI): useless
- grsec / randomization / ...: complicates the exploitation, but does not prevent the attack
Solutions?
Slide 38: Solution 1: TPM
- [Should be a] passive component
- Present on (almost) all PCs
- The firmware measures elements
- Measurements are used through atomic operations (e.g. unseal)
Limitations
- Lack of applications
- Not supported by all bootloaders
- Makes updates complicated
- Requires full disk encryption for integrity
- Not perfect (see the BIOS Chronomancy presentation)
Slide 39: Solution 2: Secure Boot
- Part of the UEFI specifications
- Verification of cryptographic signatures (RSA 2048) of all loaded elements (executables, drivers, expansion ROMs, etc.)
[Diagram of the Secure Boot verification flow. Source: Intel Developer Forum 2012]
Slide 40: Solution 2: Secure Boot: Limitations
- Optional (even if required for the Windows 8 Hardware Certification)
- Requires disabling the Compatibility Support Module (CSM)
- Usage restrictions (e.g. ARM tablets)
- Management of the certificate authorities: how to use another CA (not Microsoft's)? Need to re-sign or whitelist ROMs?
- Can also be vulnerable (e.g. to direct SPI flash writes, or NVRAM access)
Footnote: "A tale of one software bypass of Windows 8 Secure Boot", Black Hat 2013
Slide 41: Conclusion
- Hardware protections exist, but they are often poorly implemented or not used
- All firmware components must be protected from tampering
Suggestions for OEMs / software vendors
- Protect UEFI from SPI writes (except in reboot mode) or direct NVRAM access
- Allow only signed updates
- Protect the initial steps (SEC/PEI)
- Protect the root of trust (S-CRTM)
- ... and do all of this without bugs
Slide 42: Future work
Next
- Evaluate the (many) UEFI functions
- Analyze EFI Byte Code
- Virtualization a la Blue Pill
- Disassemble UEFI firmwares
- Look at (Secure Boot, IPsec) implementations
Questions?
presented by AMD Security and Server innovation UEFI PlugFest March 18-22, 2013 Roger Lai AMD TATS BIOS Development Group Updated 2011-06-01 UEFI Spring PlugFest March 2013 www.uefi.org 1 Agenda Exciting
More informationBackup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.
Glossary A Active Directory a directory service that inventories, secures and manages the users, computers, rules and other components of a Microsoft Windows network. This service is typically deployed
More informationThe Phantom Menace: Intel ME Manufacturing Mode. Mark Ermolov & Maxim Goryachy
The Phantom Menace: Intel ME Manufacturing Mode Mark Ermolov & Maxim Goryachy About us Mark Ermolov Security Researcher at Positive Technologies Twitter: @_markel e-mail: mermolov[at]ptsecurity[dot]com
More informationARM Trusted Firmware ARM UEFI SCT update
presented by ARM Trusted Firmware ARM UEFI SCT update UEFI US Fall Plugfest September 20-22, 2016 Presented by Charles García-Tobin (ARM) Updated 2011-06-01 Agenda ARM Trusted Firmware What and why UEFI
More information9/19/18. COS 318: Operating Systems. Overview. Important Times. Hardware of A Typical Computer. Today CPU. I/O bus. Network
Important Times COS 318: Operating Systems Overview Jaswinder Pal Singh and a Fabulous Course Staff Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) u Precepts:
More informationA Tour Beyond BIOS Using the Intel Firmware Support Package with the EFI Developer Kit II
White Paper A Tour Beyond BIOS Using the Intel Firmware Support Package with the EFI Developer Kit II Jiewen Yao Intel Corporation Vincent J. Zimmer Intel Corporation Ravi Rangarajan Intel Corporation
More informationMicrosoft UEFI Certification Authority
presented by Microsoft UEFI Certification Authority UEFI PlugFest September 19-20, 2013 Presented by Jeremiah Cox (Microsoft Corp.) Updated 2011-06-01 UEFI PlugFest September 2013 www.uefi.org 1 Agenda
More informationSecurity Issues Related to Pentium System Management Mode
Security Issues Related to Pentium System Management Mode Loïc Duflot Direction Centrale de la Sécurité des Systèmes d Information loic.duflot@sgdn.pm.gouv.fr SGDN/DCSSI 51 boulevard de la Tour Maubourg
More informationECE 471 Embedded Systems Lecture 16
ECE 471 Embedded Systems Lecture 16 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 6 October 2017 Midterm will be graded Don t forget HW#5 Announcements MEMSYS wrapup. Academia,
More informationConfiguring Server Boot
This chapter includes the following sections: Boot Policy, page 1 UEFI Boot Mode, page 2 UEFI Secure Boot, page 3 CIMC Secure Boot, page 3 Creating a Boot Policy, page 5 SAN Boot, page 6 iscsi Boot, page
More informationMonitoring Hypervisor Integrity at Runtime. Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015
Monitoring Hypervisor Integrity at Runtime Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015 Motivation - Server Virtualization Trend x86 servers were virtualized
More informationBIOS Update Release Notes
BIOS Update Release Notes PRODUCTS: NUC5i3RYH, NUC5i3RYHS, NUC5i3RYK, NUC5i5RYH, NUC5i5RYK, NUC5i7RYH (Standard BIOS) BIOS Version 0371 - RYBDWi35.86A.0371.2018.0709.1155 Date: July 9, 2018 MEBx Code:
More informationUsing the UEFI Shell. October 2010 UEFI Taipei Plugfest Insyde Software
Using the UEFI Shell October 2010 UEFI Taipei Plugfest 1 San Francisco Cable Car 2 Agenda Insyde UEFI Support UEFI Shell 2.0 What is it? UEFI Shell 2.0 Unique Features Network Browsing Example Application
More informationIntroduction to Embedded Bootloader. Intel SSG/SSD/UEFI
Introduction to Embedded Bootloader Intel SSG/SSD/UEFI Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE,
More informationAMIBIOS8 Check Point and Beep Code List
AMIBIOS8 Check Point and Beep Code List Version 1.5, Last Updated July 10, 2003 Copyright (c) 2003 American Megatrends, Inc. All Rights Reserved. American Megatrends, Inc. 6145-F, Northbelt Parkway Norcross,
More informationMark Tuttle, Lee Rosenbaum, Oleksandr Bazhaniuk, John Loucaides, Vincent Zimmer Intel Corporation. August 10, 2015
Mark Tuttle, Lee Rosenbaum, Oleksandr Bazhaniuk, John Loucaides, Vincent Zimmer Intel Corporation August 10, 2015 Overview Message: Symbolic execution is now a believable path to BIOS validation Outline:
More informationBIOS Update Release Notes
BIOS Update Release Notes PRODUCTS: NUC5i3RYH, NUC5i3RYK, NUC5i5RYH, NUC5i5RYK, NUC5i7RYH (Standard BIOS) BIOS Version 0366 - RYBDWi35.86A.0366.2017.0816.1026 Date: August 16, 2017 Memory Reference Code:
More informationKey Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge
Key Threats Internet was just growing Mail was on the verge Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering Key Threats Code Red and Nimda (2001), Blaster (2003), Slammer
More informationWindows 8 BIOS Boot settings
DE114 Windows 8 BIOS Boot settings The Windows 8 BIOS boot settings allow you to configure the new items of boot options for systems running in Windows 8 operating system. UEFI BIOS Utility - Advanced
More informationState of the Port to x86_64 July 2017
State of the Port to x86_64 July 2017 July 7, 2017 Update Topics Executive Summary Development Plan Release Plan Engineering Details Compilers Objects & Images Binary Translator Early Boot Path Boot Manager
More informationGeneral Firmware Overview of Recommendations for Window OS
presented by General Firmware Overview of Recommendations for Window OS Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Fei Zhou (Microsoft, Inc.) Updated 2011-06- 01 UEFI Plugfest
More informationCOS 318: Operating Systems. Overview. Andy Bavier Computer Science Department Princeton University
COS 318: Operating Systems Overview Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Logistics Precepts: Tue: 7:30pm-8:30pm, 105 CS
More informationAMI Product Catalog. A Leader in Storage and Computing Innovations Worldwide
AMI Product Catalog A Leader in Storage and Computing Innovations Worldwide American Megatrends Inc. 5555 Oakbrook Parkway, Suite 200 Norcross, GA 30093 Main: 770.246.8600 Sales: 800.828.9264 Tech Support:
More information3 November 2009 e09127r1 EDD-4 Hybrid MBR support
To: T13 Technical Committee From: Rob Elliott, HP (elliott@hp.com) Date: 3 November 2009 Subject: e09127r1 EDD-4 Hybrid support Revision history Revision 0 (24 July 2009) First revision Revision 1 (3 November
More informationUEFI TECHNICAL UPDATES & PLATFORM INNOVATIONS. Dong Wei - HP 魏东 Vincent Zimmer - Intel
UEFI TECHNICAL UPDATES & PLATFORM INNOVATIONS Dong Wei - HP 魏东 Vincent Zimmer - Intel Agenda Introduction Latest UEFI specs releases Intel UEFI Development Kit 2010 (Intel UDK 2010) Key features HP Experience
More informationUEFI Plugfest March
UEFI Plugfest March 2017 www.uefi.org 1 presented by The UEFI Forum State of UEFI Fall 2017 UEFI Seminar and Plugfest October 30 November 3, 2017 Presented by Mark Doran, UEFI Forum President www.uefi.org
More informationIntroduction to Configuration. Chapter 4
Introduction to Configuration Chapter 4 This presentation covers: > Qualities of a Good Technician > Configuration Overview > Motherboard Battery > Hardware Configuration Overview > Troubleshooting Configurations
More informationBIOS. Chapter The McGraw-Hill Companies, Inc. All rights reserved. Mike Meyers CompTIA A+ Guide to Managing and Troubleshooting PCs
BIOS Chapter 8 Overview In this chapter, you will learn how to Explain the function of BIOS Distinguish among various CMOS setup utility options Describe option ROM and device drivers Troubleshoot the
More informationBIOS User Guide RACING P1A
BIOS User Guide RACING P1A BIOS Update... 2 UEFI BIOS Setup... 6 1. Main Menu... 7 2. Advanced Menu... 8 3. Chipset Menu...14 4. Security Menu...20 5. Boot Menu...23 6. Exit Menu...25 BIOS Update The BIOS
More informationBIOS Update Release Notes
BIOS Update Release Notes PRODUCTS: NUC5i3RYH, NUC5i3RYK, NUC5i5RYH, NUC5i5RYK, NUC5i7RYH (Standard BIOS) BIOS Version 0359 RYBDWi35.86A.0359.2016.0906.1028 Date: September 06, 2016 Memory Reference Code:
More informationTrusted Computing and O/S Security
Computer Security Spring 2008 Trusted Computing and O/S Security Aggelos Kiayias University of Connecticut O/S Security Fundamental concept for O/S Security: separation. hardware kernel system user Each
More informationDepartment of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD
Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD THIS LECTURE... Today: Technology Lecture discusses basics in context of TPMs
More informationVerified Boot: Surviving in the Internet of Insecure Things. Randall Spangler Chrome OS Firmware Lead
Verified Boot: Surviving in the Internet of Insecure Things Randall Spangler Chrome OS Firmware Lead Introduction Who am I? Chrome OS firmware engineer since 2009 Co-architect of the Chrome OS verified
More informationHow to create a trust anchor with coreboot.
How to create a trust anchor with coreboot. Trusted Computing vs Authenticated Code Modules Philipp Deppenwiese About myself Member of a hackerspace in germany. 10 years of experience in it-security. Did
More information