Betraying the BIOS: Where the Guardians of the BIOS are Failing
This presentation is meant to serve as an alarm for hardware vendors; BIOS-level security researchers and defenders; and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious, but with the right tools and knowledge we can prevail. The state of UEFI firmware security has become more serious in the last few years. On one side, there has been an increase in activity from the security research community. On the other side, more and more information about UEFI implants has become available: for example, the HackingTeam implant and state-sponsored implants. Most often, though, this information becomes public only because of leaks: UEFI implants are typically used in targeted attacks, and no tools for detecting them are available.
UEFI’s place in the world has grown hugely in the last few years, from the desktop and laptop market to IoT, automotive, drones and more. Fortunately, UEFI security has advanced in many directions too. The level of security demonstrated by some modern enterprise hardware vendors has improved a lot. But not all hardware vendors are the same. Unfortunately, some vendors still don’t enable the protections offered by modern hardware, such as the simple SMM and SPI flash protection bits that Intel introduced years ago: BIOS Lock Enable (BLE), BIOS Write Enable (BWE) and the SPI Protected Range registers (PRx). This makes them easy targets for attackers, since the SPI flash has no active write protection at the hardware level. In my talk at Black Hat Asia this year, I demonstrated these kinds of weaknesses by installing a persistent rootkit into SPI flash from Microsoft Windows 10 with Secure Boot active. Hardware vendors such as Intel have since introduced new protection technologies: Intel Boot Guard (since Haswell) and Intel BIOS Guard (since Skylake). Boot Guard protects Secure Boot’s root of trust from firmware-based attacks by verifying that trusted UEFI firmware is booting the platform. When BIOS Guard is active, only guarded modules can modify SPI flash memory, which can protect against persistent implants. Both technologies run inside Intel-signed Authenticated Code Modules (ACMs), code that the CPU executes in an isolated environment rather than on a separate processor; this isolates them from attackers and also protects against race condition attacks. These “Guard” technologies are sometimes referred to as UEFI rootkit killers. Not many details about them are publicly available.
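To make the “simple protection bits” concrete, here is an added example (not code from the talk or its author) that decodes the write-protection state of the BIOS region from snapshots of the PCH registers: BIOS_CNTL (BIOSWE, BLE, SMM_BWP), HSFSTS (FLOCKDN) and the PRx Protected Range registers. The register values, the 8 MB flash layout and the two platform snapshots are constructed for illustration; on real hardware these registers are read over PCI configuration space and the SPIBAR MMIO window (for example with chipsec), and their offsets differ between PCH generations, so only the bit semantics are used here. The check looks for either of the two lockdown mechanisms: BLE together with SMM_BWP, or a locked-down Protected Range covering the whole BIOS region.

```c
/*
 * Decode Intel PCH SPI-flash write-protection state from register snapshots.
 * All register values below are constructed, not read from hardware.
 *
 * Bit layouts follow the public Series 8/9 PCH datasheets:
 *   BIOS_CNTL : LPC bridge, PCI config offset 0xDC
 *   HSFSTS    : SPIBAR + 0x04
 *   PR0..PR4  : SPIBAR + 0x74 .. 0x84
 * Offsets move on later PCHs (assumed out of scope); bit meanings are stable.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define BIOS_CNTL_BIOSWE  (1u << 0)  /* BIOS Write Enable: flash writes allowed now      */
#define BIOS_CNTL_BLE     (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI   */
#define BIOS_CNTL_SMM_BWP (1u << 5)  /* SMM BIOS Write Protect: writes only from SMM     */
#define HSFS_FLOCKDN      (1u << 15) /* Flash Configuration Lock-Down: PRx frozen        */
#define PR_WPE            (1u << 31) /* Protected Range: Write Protection Enable         */
#define PR_COUNT          5

/* Findings bitmask returned by audit_flash_protection(). */
#define F_BIOSWE_SET      0x01u  /* BIOS region is writable right now                  */
#define F_BLE_CLEAR       0x02u  /* no SMI on BIOSWE: OS code can simply set the bit   */
#define F_SMM_BWP_CLEAR   0x04u  /* BLE alone: a second core can race the SMI handler  */
#define F_PR_UNCOVERED    0x08u  /* no PRx write-protects the whole BIOS region        */
#define F_FLOCKDN_CLEAR   0x10u  /* PRx registers still programmable from the OS       */

struct pch_regs {
    uint32_t bios_cntl;
    uint16_t hsfs;
    uint32_t pr[PR_COUNT];
    uint32_t bios_base;   /* BIOS region in flash (from the flash descriptor) */
    uint32_t bios_limit;
};

/* PRx: bits 12:0 = base >> 12, bits 28:16 = limit >> 12, bit 31 = WPE. */
static uint32_t pr_base(uint32_t pr)  { return (pr & 0x1fffu) << 12; }
static uint32_t pr_limit(uint32_t pr) { return (((pr >> 16) & 0x1fffu) << 12) | 0xfffu; }

/* True if this PRx write-protects every byte of [base, limit]. */
bool pr_covers(uint32_t pr, uint32_t base, uint32_t limit)
{
    return (pr & PR_WPE) && pr_base(pr) <= base && pr_limit(pr) >= limit;
}

unsigned audit_flash_protection(const struct pch_regs *r)
{
    unsigned f = 0;
    if (r->bios_cntl & BIOS_CNTL_BIOSWE)     f |= F_BIOSWE_SET;
    if (!(r->bios_cntl & BIOS_CNTL_BLE))     f |= F_BLE_CLEAR;
    if (!(r->bios_cntl & BIOS_CNTL_SMM_BWP)) f |= F_SMM_BWP_CLEAR;

    bool covered = false;
    for (int i = 0; i < PR_COUNT; i++)
        if (pr_covers(r->pr[i], r->bios_base, r->bios_limit)) covered = true;
    if (!covered)                  f |= F_PR_UNCOVERED;
    if (!(r->hsfs & HSFS_FLOCKDN)) f |= F_FLOCKDN_CLEAR;
    return f;
}

/* Locked when either mechanism is fully in place: BLE+SMM_BWP with BIOSWE
 * clear, or a locked-down (FLOCKDN) PRx covering the entire BIOS region. */
bool bios_region_locked(const struct pch_regs *r)
{
    unsigned f = audit_flash_protection(r);
    bool cntl_ok = !(f & (F_BIOSWE_SET | F_BLE_CLEAR | F_SMM_BWP_CLEAR));
    bool pr_ok   = !(f & (F_PR_UNCOVERED | F_FLOCKDN_CLEAR));
    return cntl_ok || pr_ok;
}

/* Constructed snapshots: hypothetical 8 MB flash with a 2 MB BIOS region. */
static const struct pch_regs weak_platform = {
    .bios_cntl = 0x00, .hsfs = 0x0000, .pr = {0},
    .bios_base = 0x00600000, .bios_limit = 0x007fffff,
};
static const struct pch_regs locked_platform = {
    .bios_cntl = BIOS_CNTL_BLE | BIOS_CNTL_SMM_BWP,
    .hsfs = HSFS_FLOCKDN,
    .pr = { PR_WPE | (0x7ffu << 16) | 0x600u },   /* PR0: 0x600000-0x7fffff, WP */
    .bios_base = 0x00600000, .bios_limit = 0x007fffff,
};

static void report(const char *name, const struct pch_regs *r)
{
    unsigned f = audit_flash_protection(r);
    printf("%s: BIOS_CNTL=0x%02x HSFS=0x%04x -> %s\n", name, r->bios_cntl,
           r->hsfs, bios_region_locked(r) ? "LOCKED" : "WRITABLE FROM OS");
    if (f & F_BIOSWE_SET)    puts("  - BIOSWE set: flash writes currently enabled");
    if (f & F_BLE_CLEAR)     puts("  - BLE clear: BIOSWE can be set without an SMI");
    if (f & F_SMM_BWP_CLEAR) puts("  - SMM_BWP clear: BLE alone is raceable");
    if (f & F_PR_UNCOVERED)  puts("  - no PRx covers the BIOS region");
    if (f & F_FLOCKDN_CLEAR) puts("  - FLOCKDN clear: PRx can be reprogrammed");
}

int main(void)
{
    report("weak", &weak_platform);
    report("locked", &locked_platform);
    return 0;
}
```

The weak snapshot is what the talk is describing: with BLE, SMM_BWP and the Protected Ranges all clear, a kernel driver can set BIOSWE and write the SPI flash directly, which is exactly how a persistent implant survives Secure Boot. The locked snapshot shows both mechanisms together; a platform that relies on BLE alone still gets flagged, because the SMI that clears BIOSWE can be raced from another core.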
In this presentation, I will discuss particular implementations on hardware with the most recent Intel CPUs, such as Skylake and Kaby Lake. Most of the information has been extracted by reverse engineering UEFI firmware modules: the DXE and PEI modules that cooperate with the ACM code to enable, configure and initialize the guards. The talk will also cover some weaknesses of those guards. Where are the BIOS guardians failing? How difficult is it to bypass these protections and install a persistent rootkit from the operating system? Those questions will be answered during the talk.