[Dailydave] Understanding BIOS & SMM

Xeno Kovah xsk.dailydave at gmail.com
Sun Jan 26 10:45:26 EST 2014


Our research team at MITRE has been looking into BIOS security for the past
couple years and starting to publish our results in the last year. We
described BIOS exploits and an in-BIOS defensive system called BIOS
Chronomancy at venues like BlackHat and ACM CCS. We also released a free
tool called Copernicus[1] which lets you detect if a BIOS is writable, and
dump the contents of the BIOS from a Windows system (which makes
enterprise-wide configuration and integrity checking possible).

But the question is, let's say you have a BIOS dump and it shows
differences. How are you going to interpret those differences? How do you
distinguish natural changes from malicious ones? We wanted to get a basic
inspection capability out there, but we recognized that people were going
to need to know a lot more about system internals, hardware quirks, and
UEFI before they'd be able to make full use of it. So we made a class to
help bootstrap people faster. Currently the class is scheduled for
CanSecWest[2] and Syscan[3] (and the prices are going up starting Feb 1).

It would be nice if people wanted to understand how the deep system
architecture worked for its own sake, because we of course think it's
super interesting and fulfilling to know things others don't. But hopefully
the news of the past couple months has made people realize that "out of
sight, out of mind" isn't a great strategy for BIOS security. First there
was #badBIOS (which was kicked off by Dragos experimenting with
Copernicus[4]). Then there was NSA's defensive side saying they had caught
the Chinese making BIOS bricking attacks[5]. Then there was NSA's offensive
side being caught having their own BIOS backdoor capabilities[6]. And of
course there were a whole lot of people letting their FUD flags fly around
all of it.

So if you'd like to get a more technical and quantitative view of what the
BIOS/SMM security landscape looks like, you should check out our classes
and watch for talks by Corey Kallenberg, John Butterworth, and myself over
the next 6 months where we'll be describing 2 new BIOS
memory-corruption-to-reflash exploits, 2 new SecureBoot-breaking tricks,
and trustworthy computing extensions to Copernicus that will counter many
classes of attacks against BIOS dumping software that would let an attacker
hide his BIOS presence.

Xeno

[1] http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
[2] https://cansecwest.com/dojo.html
[3] http://syscan.org/index.php/sg/training
[4] https://plus.google.com/103470457057356043365/posts/exuXRz5C3L3
[5] http://www.cbsnews.com/news/nsa-speaks-out-on-snowden-spying/
[6] http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html