GCC Global Cybersecurity Camp

GCC 2022 Taiwan Lecture 4

UEFI BIOS Security

Abstract

This training offers in-depth knowledge of Unified Extensible Firmware Interface (UEFI) BIOS, its security threats, and countermeasures.

In recent years, firmware has become one of the common attack targets due to its lower visibility for defenders and lesser security levels, as indicated by the Microsoft report in 2021 revealing that 80% of organizations experienced firmware attacks in the past 2 years. Among many types of firmware, UEFI BIOS is one of the most attractive targets because of its wide adoption as well as its high privilege level, which even exceeds that of hypervisors and operating systems. In fact, real-world adversaries have abused UEFI and exploited relevant vulnerabilities to install backdoors and establish persistence that remained undetected for years. LoJax (2018), MosaicRegressor (2020), and FinSpy (2021) are some of the recent examples.

Despite this emerging threat, the industry is yet to be better equipped. Does security software detect exploitation? Are incident response teams able to consider and analyze attacks through UEFI? How many defenders can reverse engineer them? Even worse, how well are the UEFI architecture and its security mechanisms understood in the first place?

This training will help students familiarize themselves with UEFI and different types of threats through hands-on exercises using real-world samples, following a 4-hour lecture and discussions. This includes, but is not limited to, code analysis of a UEFI runtime driver used for game cheating, reverse engineering of Windows malware that infects UEFI, and System Management Mode (SMM) vulnerabilities, along with relevant detection and protection technologies such as Boot Guard, Secure Boot, Trusted Platform Module (TPM) and CHIPSEC.

Trainer

Name: Satoshi Tanda
Bio:

Satoshi Tanda (@standa_t) is a system software engineer and a security researcher with over a decade of experience. His experience spans the areas of UEFI and Windows kernel-module programming and reverse engineering, vulnerability discovery and exploitation, malware analysis, virtualization technologies, and teaching them to professionals and school students. He works at CrowdStrike, where he analyzes UEFI security threats at scale, and has discovered multiple vulnerabilities in UEFI BIOS.