Fwd: [Dailydave] Understanding BIOS & SMM
---------- Forwarded message ---------- From: Xeno Kovah <xsk.dailydave@gmail.com> Date: Sun, Jan 26, 2014 at 7:45 AM Subject: [Dailydave] Understanding BIOS & SMM Our research team at MITRE has been looking into BIOS security for the past couple years and starting to publish our results in the last year. We described BIOS exploits and an in-BIOS defensive system called BIOS Chronomancy at venues like BlackHat and ACM CCS. We also released a free tool called Copernicus[1] which lets you detect if a BIOS is writable, and dump the contents of the BIOS from a Windows system (which makes enterprise-wide configuration and integrity checking possible.) But the question is, let's say you have a BIOS dump and it shows differences. How are you going to interpret those differences? How do you distinguish natural changes from malicious ones? We wanted to get a basic inspection capability out there, but we recognized that people were going to need to know a lot more about system internals, hardware quirks, and UEFI before they'd be able to make full use of it. So we made a class to help bootstrap people faster. Currently the class is scheduled for CanSecWest[2] and Syscan[3] (and the prices are going up starting Feb 1). It would be nice if people wanted to understand how the deep system architecture worked for it's own sake, because we of course think it's super interesting and fulfilling to know things others don't. But hopefully the news of the past couple months has made people realize that "out of sight, out of mind" isn't a great strategy for BIOS security. First there was #badBIOS (which was kicked off by Dragos experimenting with Copernicus[4]). Then there was NSA's defensive side saying they had caught the Chinese making BIOS bricking attacks[5]. Then there was NSA's offensive side being caught having their own BIOS backdoor capabilities[6]. And of course there were a whole lot of people letting their FUD flags fly around all of it. So if you'd like to get a more technical and quantitative view of what the BIOS/SMM security landscape looks like, you should check out our classes and watch for talks by Corey Kallenberg, John Butterworth, and myself over the next 6 months where we'll be describing 2 new BIOS memory-corruption-to-reflash exploits, 2 new SecureBoot-breaking tricks, and trustworthy computing extensions to Copernicus that will counter many classes of attacks against BIOS dumping software that would let an attacker hide his BIOS presence. Xeno [1]http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/... [2]https://cansecwest.com/dojo.html [3]http://syscan.org/index.php/sg/training [4]https://plus.google.com/103470457057356043365/posts/exuXRz5C3L3 [5]http://www.cbsnews.com/news/nsa-speaks-out-on-snowden-spying/ [6]http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors...
So if you'd like to get a more technical and quantitative view of what> the BIOS/SMM security landscape looks like, you should check out our classes and watch for talks by Corey Kallenberg, John Butterworth, and myself over the next 6 months where we'll be describing 2 new BIOS memory-corruption-to-reflash exploits, 2 new SecureBoot-breaking tricks, and trustworthy computing extensions to Copernicus that will counter many classes of attacks against BIOS dumping software that would let an attacker hide his BIOS presence.
Sounds interesting. Intel has a 3-day UEFI training course for employes/partners. They put their courseware and labs online, and recent builds work with Linux and not just Windows/VisualStudio. Targets IHV audience, not security-centric. http://sourceforge.net/projects/edk2/files/Training/TrainingMaterial/ The above-mentioned Butterworth recently spoke at Perdue on BIOS security: http://www.cerias.purdue.edu/news_and_events/events/security_seminar/details... If you're in the Seatle area I'll be doing another half-day dev intro to UEFI at the local univerisity capture-the-flag team in March, and I think non-students are welcome to attend.
participants (2)
-
Blibbet
-
coderman