RESEARCH

CHIPSEC Platform Security Assessment Framework  [ Github ]

CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X and UEFI shell.

For more details regarding CHIPSEC capabilities, please refer to the "Exploring your system deeper is not naughty" presentation from CanSecWest 2017.

Examples:
Using CHIPSEC to find vulnerabilities in SMM firmware

Tianocore security advisories  [ Tianocore security advisories ]

Modern system firmware is often based on the open source implementation of UEFI known as Tianocore.

I've contributed quite a few security advisories in Tianocore.

BERSerk Vulnerability  [ part 1 part 2 ]

Details of the BERSerk vulnerability are provided here.


PUBLICATIONS

Discovering vulnerable UEFI BIOS firmware at scale  [ slides ]

Yuriy Bulygin, Oleksandr Bazhaniuk
44CON 2017

Vulnerabilities in system firmware allow adversaries to bypass almost any protection used in the operating system, virtual machine manager and other software. System firmware attacks bypass Secure Boot, software based full-disk encryption and virtualization-based security. Threats exploiting such vulnerabilities can extract secrets from operating system memory, subvert secure/trusted VMs and even hypervisors, install stealthy and persistent implants and even brick physical systems.

We've discovered a number of such vulnerabilities in the past and developed an open source framework to automate analysis. Despite these risks there are still many modern systems which do not protect their main BIOS/UEFI firmware. We decided to analyze thousands of UEFI firmware updates from multiple platform vendors and discovered hundreds of vulnerabilities, indicating that corresponding systems lack any basic firmware protections in ROM or signed firmware updates. We'll present the process, findings and limitations of such offline analysis of vendor firmware update images.

FRACTURED BACKBONE: BREAKING MODERN OS DEFENSES WITH FIRMWARE ATTACKS  [ slides ]

Yuriy Bulygin, Mikhail Gorobets, Oleksandr Bazhaniuk, Andrew Furtak
Black Hat USA 2017

In this work we analyzed two recent trends. The first trend is the growing threat of firmware attacks, which include the recent disclosures of Vault7 Mac EFI implants. We will detail vulnerabilities and attacks we discovered recently in system firmware including UEFI, Mac EFI and Coreboot which could lead to stealthy and persistent firmware implants. We have also developed multiple techniques that can be used to detect that something wrong is going on with the firmware using the open source CHIPSEC framework.

The second trend is that modern operating systems have started adopting stronger software defenses based on virtualization technology. Windows 10 introduced Virtualization Based Security (VBS) to provide a hypervisor-based isolated execution environment to critical OS components and to protect sensitive data such as domain credentials. Previously, we discovered multiple ways adversaries could leverage firmware in attacks against hypervisors. We also demonstrated the first proof-of-concept attack on Windows 10 VBS exposing domain credentials protected by Credential Guard technology. We will apply this knowledge to analyze the security of modern hypervisor based OS defenses from the perspective of firmware and hardware attacks. We will detail firmware assisted attack vectors which can be used to compromise Windows 10 VBS. We will also describe changes made by platform vendors and Windows to improve mitigation against these attacks.

Blue Pill for Your Phone  [ slides ]

Oleksandr Bazhaniuk, Yuriy Bulygin
Black Hat USA 2017

In this research, we've explored the attack surface of hypervisors and the TrustZone monitor in modern ARM based phones, using Google Nexus 5X, Nexus 6P, and Pixel as primary targets. We will explain different attack scenarios using SMC and other interfaces, as well as interaction methods between TrustZone and hypervisor privilege levels.

We will explore attack vectors which could allow a malicious operating system (EL1) level to escalate privileges to the hypervisor (EL2) level and potentially install a virtualization rootkit in the hypervisor. We will also explore attack vectors through SMC and other low level interfaces, and interactions between TrustZone and hypervisor (EL2) privilege levels. To help with further low level ARM security research, we will release ARM support for the CHIPSEC framework and new modules to test issues in ARM based hypervisors and TrustZone implementations, including an SMC fuzzer.

Exploring your system deeper is not naughty  [ slides ]

Oleksandr Bazhaniuk, Mikhail Gorobets, Andrew Furtak, Yuriy Bulygin
CanSecWest 2017

You wanted to explore deep corners of your system but didn't know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover if any of these have known vulnerabilities or are configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify the security state of the platform components of your system and how effective the platform security defenses are: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation... Or maybe you just want to explore the hardware and firmware components your system has.

CHIPSEC framework can help you with all of that. Since releasing it three years ago at CanSecWest 2014 significant improvements have been made in the framework - from making it easy to install and use to adding lots of new security capabilities. We'll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images and more.

BARing the system: New vulnerabilities in SMM of Coreboot and UEFI based systems  [ slides ]

Yuriy Bulygin, Oleksandr Bazhaniuk
RECon Brussels 2017

Previously, we discovered a number of vulnerabilities in UEFI based firmware including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen and Hyper-V, and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential and Device Guard. These issues led to changes in the way the OS communicates with SMM on UEFI based systems and to the new Windows SMM Security Mitigations ACPI Table (WSMT).

This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot and UEFI based firmware. These issues are caused by incorrect trust assumptions between the firmware and underlying hardware, which makes them applicable to any type of system firmware. We will describe the impact and various mitigation techniques. We will also release a module for the open source CHIPSEC framework to automatically detect this type of issue on a running system.

ASN.1 Parsing Issues in Crypto Libraries: What Could Go Wrong?  [ slides ]

Andrew Furtak, Yuriy Bulygin, Oleksandr Bazhaniuk
Latincrypt 2015

This presentation will focus on a number of problems the authors found in a number of crypto libraries related to ASN.1 parsing functionality. Some of these issues, such as the 'BERserk' RSA signature forgery vulnerability in the Mozilla NSS library (VU#772676), have already been studied publicly while others, such as ASN.1 parser issues in Oracle Java (CVE-2015-0410) and other crypto/SSL libraries, are largely unknown. Besides detailing specific issues, we will discuss the general set of potential issues with ASN.1 parsers used by crypto implementations, ways to avoid introducing such issues, and how to test crypto libraries for issues in ASN.1 parsers.

Breaking Bad BIOS - The Art of BIOS Attacks

Oleksandr Bazhaniuk, Yuriy Bulygin
McAfee FOCUS 2015

Recent attacks against system firmware, including Basic Input/Output System (BIOS) and UEFI, have attracted attention due to their ability to enable stealthy and highly persistent malware. Such malware may be able to bypass secure OS boot, enabling attacks on encrypted disks and allowing installation of additional malware.

Reaching Far Corners of Matrix: Generic VMM Fingerprinting  [ slides ]

Oleksandr Bazhaniuk, Yuriy Bulygin, Andrew Furtak, Mikhail Gorobets, John Loucaides, Mickey Shkatov
SOURCE Seattle 2015

In recent years there have not been many studies on fingerprinting the virtualized environment. This talk aims to fill the gap and provide a generalized approach for VMM fingerprinting and detection. The approach exploits the handling of ISA corner cases by VMMs. The results for the most popular modern VMMs will be presented. They show that all the popular modern VMMs can be reliably identified with just several instructions from user mode.

Attacking Hypervisors Through Firmware and Hardware  [ slides slides ]

Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin
Black Hat USA 2015
DEF CON 23

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware, such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines.

We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

Demo videos:
UEFI firmware rootkit steals secrets from virtual machines
Xen exploit from Dom0 via vulnerable firmware implementation
Hyper-V exploit from root partition through SMM firmware

Technical Details of the S3 Resume Boot Script Vulnerability  [ paper ]

Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak, John Loucaides, Mikhail Gorobets

The examination of commercial malware developed by Hacking Team has revealed much to the security community. Of particular interest to platform security researchers at Intel's Advanced Threat Research team (ATR) is the presence of what appears to be a UEFI-based persistent infection mechanism. ATR has been researching vulnerabilities related to system firmware and working with a community of firmware developers and platform manufacturers to mitigate these threats. Others have also posted good information about this issue. Here, we will provide some preliminary analysis of the firmware threat.

Attacking and Defending BIOS in 2015  [ slides ]

Oleksandr Bazhaniuk, Yuriy Bulygin, Andrew Furtak, Mikhail Gorobets, John Loucaides, Alex Matrosov, Mickey Shkatov
RECon 2015

In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using "S3 resume boot script" vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more. We'll also describe how to extract the contents of SMRAM using the above vulnerabilities and advanced methods such as Graphics aperture DMA to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail "SMI input pointer" and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules to the CHIPSEC framework to test systems for these types of issues.

Demo videos:
Exploit for the S3 boot script vulnerability in UEFI firmware (VU#976132)

A New Class of Vulnerabilities in SMI Handlers  [ slides ]

Oleksandr Bazhaniuk, Yuriy Bulygin, Andrew Furtak, Mikhail Gorobets, John Loucaides, Alexander Matrosov, Mickey Shkatov
CanSecWest 2015

This presentation will discuss security of SMI handler components of system firmware including the nature of a new class of vulnerabilities within the SMI handlers of BIOS/UEFI based firmware on various systems. It will also discuss how systems can be tested for these vulnerabilities and what can be done in firmware implementations to mitigate them.

Additionally, the presentation will discuss how S3 resume affects the security of the system and the problems with the S3 resume boot script in some BIOS implementations that were recently discovered and presented at 31C3.

Demo videos:
SMM unchecked pointer exploit demo

You Can't Recover a Brick: Hardware Security in the Enterprise

Yuriy Bulygin, Steve Grobman
McAfee FOCUS 2014

Vulnerabilities in BIOS, firmware, or hardware can lead to complete system compromise, including permanent damage. This talk will describe vulnerable areas in low level components on devices that are deployed in an enterprise. We'll show you how to reduce risk through a demonstration of how Intel Security tools validate systems during a typical denial of service attack scenario.

Summary of Attacks Against BIOS and Secure Boot  [ slides ]

Yuriy Bulygin, John Loucaides, Andrew Furtak, Oleksandr Bazhaniuk, Alexander Matrosov
DEF CON 22

A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as secure boot, OS loaders, and SMM. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component.

This talk will detail and organize some of the attacks and how they work. We will demonstrate a full software bypass of secure boot. In addition, we will describe underlying vulnerabilities and how to assess systems for these issues using an open source framework for platform security assessment. We will cover BIOS write protection, forensics on platform firmware, attacks against SMM, attacks against secure boot, and various other issues. After watching, you should understand how these attacks work, how they are mitigated, and how to test a system for the vulnerability.

Platform Security Assessment With CHIPSEC  [ slides ]

John Loucaides, Yuriy Bulygin
CanSecWest 2014

All Your Boot Are Belong To Us

[ slides (Intel)  slides (MITRE) ]

Yuriy Bulygin, Andrew Furtak, Oleksandr Bazhaniuk, John Loucaides from Intel
Corey Kallenberg, Xeno Kovah, John Butterworth, Sam Cornwell from MITRE
CanSecWest 2014



Demo videos:
Windows 8 Secure Boot bypass via "Setup" variable in vulnerable UEFI firmware
Windows 8 Secure Boot bypass via unchecked TE executable in vulnerable UEFI firmware

A Tale of One Software Bypass of Windows 8 Secure Boot  [ slides ]

Yuriy Bulygin, Andrew Furtak, Oleksandr Bazhaniuk
Black Hat USA 2013

Windows 8 Secure Boot, based on UEFI 2.3.1 Secure Boot, is an important step towards securing platforms from malware compromising the boot sequence before the OS. However, there are certain mistakes platform vendors shouldn't make which can completely undermine the protections offered by Secure Boot. We will demonstrate an example of a full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.

Demo videos:
UEFI bootkit bypasses Windows 8 Secure Boot on vulnerable firmware implementations
User-mode Secure Boot bypass

Evil Maid Just Got Angrier: Why Full-Disk Encryption With TPM is Insecure on Many Systems  [ slides  demo ]

Yuriy Bulygin
CanSecWest 2013

Security features like Full-Disk Encryption solutions rely on protections of the underlying firmware and hardware. Often system firmware (BIOS) doesn't use or incorrectly configures protections offered by hardware. This work demonstrates that software Full-Disk Encryption solutions are still subject to Evil Maid attacks when firmware fails to correctly utilize hardware protections, even when they rely on Trusted Platform Module to protect contents on the system drive from attacks that tamper with system firmware.

Enhanced Detection of Malware  [ paper  ]

Carlos Rozas, Hormuzd Khosravi, Divya Kolar Sunder, Yuriy Bulygin
Intel Technology Journal, Volume 13 Issue 02, 2009 (Advances in Internet Security)

Researchers and industry have found novel uses for cloud computing to detect malware. We present a cloud-computing-based architecture that improves the resiliency of the existing solutions, and we describe our prototype that is based on existing Intel platforms.

Insane Detection of Insane Rootkits: Chipset Based Detection and Removal of Virtualization Malware  [ slides demo ]

Yuriy Bulygin, David Samyde
Black Hat USA 2008

This work introduces an approach to detect hardware-assisted virtualization malware different from currently developed techniques. It uses hardware capabilities of an embedded microcontroller inside chipset's north-bridge to detect virtualization malware, and to go beyond detection and remove it from the system. We will discuss advantages and other potential applications of the approach, possible attacks evading detection and solutions.

It also includes a demo of DeepWatch, a proof of concept detector of VT-x based virtualization rootkits implemented in north-bridge firmware.

CPU side-channels vs. virtualization rootkits: the good, the bad, or the ugly  [ slides ]

Yuriy Bulygin
ToorCon Seattle 2008

Side-channels that use CPU resources are bad. Everyone knows that. Rootkits that use CPU virtualization aren't any better. Security researchers have mentioned the theoretical possibility of using new developments in CPU side-channel cryptanalysis to detect virtualization rootkits. The purpose of this talk is to demonstrate an actual implementation of a detector that uses a recently discovered RSB based micro-architectural side-channel to detect CPU virtualization rootkits. We will also describe the essentials of the RSB-based side-channel analysis used by our detector.

Additional materials:
Detecting virtualization using CPU Return Stack Buffer
Hyper-channel PoC source code

Remote and Local Exploitation of Network Drivers  [ paper slides demo (55MB) ]

Yuriy Bulygin
Black Hat USA 2007

During 2006, vulnerabilities in wireless LAN drivers gained increasing attention in the security community. One can explain this by the fact that any hacker can take control over every vulnerable laptop without having any "visible" connection with those laptops and execute malicious code in the kernel.

This work describes the process behind hunting remote and local vulnerabilities in wireless LAN drivers as well as in other types of network drivers. The first part of the work describes simple and much more advanced examples of remote execution vulnerabilities in wireless device drivers that should be considered during a vulnerability search. We demonstrate an example design of a kernel-mode payload and construct a simple wireless frames fuzzer. The second part of the work explains local privilege escalation vulnerabilities in the I/O Control device driver interface on Microsoft® Windows® and introduces a technique to uncover them. The third part of the work describes specific examples of local vulnerabilities in network drivers that can be exploited remotely and an exploitation technique. In the last part of the work we present case studies of remote and local vulnerabilities mitigated in Intel® Centrino® wireless LAN device drivers.

Epidemics of Mobile Worms  [ paper  ]

IEEE IPCCC Malware 2007

A Spread Model of Flash Worms  [ paper  ]

IEEE IPCCC Malware 2006
© 2008-2017 c7zero