Advanced x86: BIOS and System Management Mode Internals Conclusion Xeno Kovah && Corey Kallenberg LegbaCore, LLC.

Slides:



Advertisements
Similar presentations
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:
Advertisements

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
CSUF Chapter CSUF Operating Systems Security 2.
10 Best Practices for Migrating Applications to the Public, Private or Hybrid Cloud.
Cosc 4765 Cleaning up.. So… The Windows machine has been infected/comprised or just “acting funny”. How to clean it up. Hope you have backups…
What you don’t know CAN hurt you!
Section 3.2: Operating Systems Security
What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.
CSCD 434 Spring 2011 Lecture 1 Course Overview. Contact Information Instructor Carol Taylor 315 CEB Phone: Office.
SM3121 Software Technology Mark Green School of Creative Media.
E-Safety Quiz Keeping safe online! A guide for parents & children.
Introduction To C++ Programming 1.0 Basic C++ Program Structure 2.0 Program Control 3.0 Array And Structures 4.0 Function 5.0 Pointer 6.0 Secure Programming.
Defeating public exploit protections (EMET v5.2 and more)
Cyber Patriot Training
Host and Application Security Lesson 4: The Win32 Boot Process.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Training Security Nerds: Computum deos ab hominibus Xeno Kovah.
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely presents:
Utility Programs Lesson Objective: Understanding the functions of an operating system. Learning Outcome: Answer some basic questions on operating systems.
Controlling Your Social Networking Privacy Settings Stay safe online!
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Scanner Run Jared Wilkin Chris Good. A Children’s Game.
Chapter 3.2: Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as.
1 What to do before class starts??? Download the sample database from the k: drive to the u: drive or to your flash drive. The database is named “FormBelmont.accdb”
Unit 1 – Improving Productivity Instructions ~ 100 words per box.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Linux Security. Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing.
Copyright 2006 by Timothy J. McGuire, Ph.D. 1 MIPS Assembly Language CS 333 Sam Houston State University Dr. Tim McGuire.
Operating Systems Lecture 14 Segments Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software Engineering.
Advanced x86: BIOS and System Management Mode Internals Tools
Advanced x86: BIOS and System Management Mode Internals SPI Flash Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Advanced x86: BIOS and System Management Mode Internals Input/Output
Xeno Kovah && Corey Kallenberg LegbaCore, LLC
Cover Letter YOUTH CENTRAL – Cover Letters & Templates
Advanced x86: BIOS and System Management Mode Internals System Management Mode (SMM) Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Advanced x86: BIOS and System Management Mode Internals SPI Flash Programming Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Advanced x86: BIOS and System Management Mode Internals Introduction
Advanced x86: BIOS and System Management Mode Internals SPI Flash Protection Mechanisms Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Advanced x86: BIOS and System Management Mode Internals Memory Map Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Advanced x86: BIOS and System Management Mode Internals More Fun with SMM Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Design time and Run time Chris, Andrea, Martina, Henry, Antonio, Ole, Philippe, Hartmut, Anne, Jeff, Felix, Sebastian, Kurt.
Advanced x86: BIOS and System Management Mode Internals Flash Descriptor Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Xeno Kovah && Corey Kallenberg
Lecture 2 Page 1 CS 236 Online Prolog to Lecture 2 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Advanced x86: BIOS and System Management Mode Internals SMM & Caching Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Copyright 2006 by Timothy J. McGuire, Ph.D. 1 MIPS Assembly Language CS 333 Sam Houston State University Dr. Tim McGuire.
Role Of Network IDS in Network Perimeter Defense.
n Taking Notes and Keeping a Journal n Listening Skills n Working Together n Managing Your Time.
Advanced x86: BIOS and System Management Mode Internals SMI Suppression Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Revising Research Papers. Intro Paragraphs ● Include a strong, memorable hook (1-2 sentences). ● Briefly introduce the career you’re writing about (2-3.
WELCOME. Skills and Techniques - Session 2 Skills and Techniques Booting from Windows 8.1 and Windows 10 devices.
John Samuels October, Why Now?  Vista Problems  New Features  >4GB Memory Support  Experience.
/Reimage-Repair-Tool/ /u/6/b/ /channel/UCo47kkB-idAA-IMJSp0p7tQ /alexwaston14/reimage-system-repair/
Comp1202: Conclusions Revision Session. Coming up Key Concepts - The Pillars HashMaps Exceptions The Exam Some Last Words.
DOWeR Detecting Outliers in Web Service Requests Master’s Presentation of Christian Blass.
Protecting Memory What is there to protect in memory?
Firewall Configuration and Administration
Lesson Objectives Aims You should be able to:
I Can Stay Safe Online! Read the title slide with the students or have the group read it aloud. Introduce the lesson by saying that we can use the computer.
Xeno Kovah && Corey Kallenberg LegbaCore, LLC
Star Math PreTest Instructions For iPad users with the STAR app
Introducing the Ideas One of Six Traits:
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Prolog to Lecture 2 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
TPM, UEFI, Trusted Boot, Secure Boot
Types of Software Testing Course. CONTENT  Black-box testing course  White-box software testing course  Automated software testing course  Regression.
Presentation transcript:

Advanced x86: BIOS and System Management Mode Internals Conclusion Xeno Kovah && Corey Kallenberg LegbaCore, LLC

All materials are licensed under a Creative Commons “Share Alike” license. 2 Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at

What did we learn? Chipsec architecture (and it’s evolution) PCI & the importance of port & memory-mapped IO to system configuration SMM & it’s protections/vulnerabilities SPI flash & its protections/vulnerabilities UEFI, SecureBoot, firmware integrity checking “Any sufficiently advanced {attack} is indistinguishable from {black} magic” Doesn’t seem like a lot does it? :) Gotta go deep, not broad, to find the land of the deep dark 3

What do I want you to know? Everyone Any child can break things The true measure of skill is being able to make things that neither child nor adult can break Those who value civilization only break things when it can make defenses stronger 4

What do I want you to know? Consultants/Everyone Make sure your customers know that they almost certainly have a ton of vulnerable BIOSes. Make sure they know that they can sometimes fix vulnerabilities through BIOS updates –More true for the top 3, Lenovo, HP, Dell than it is for all the other asian PC- makers :-/ And if there aren’t BIOS updates available for their machines that make them protected, if they’re a large purchaser from a particular vendor they can go push that vendor to secure their systems –And we can help, because we have a lot of experience talking to OEMs, explaining this stuff to them so they understand how to properly lock a BIOS And just in general I want you to know this sort of stuff so you can show off and make it clear you know stuff other people don’t know when you start your first job :) 5

What do I want you to know? Forensics How to integrity check a BIOS, so you can determine not just if an attacker *could* infect it, but if an attacker *did* infect it Know how to reverse engineer a BIOS, so that if you ever find a BIOS with a suspicious change Limits of the tools’ trustworthiness. There’s no real “forensically sound” way to capture BIOS contents other than physical SPI readers, and there’s no way to capture SMM contents other than to have an exploit to break in and see what’s there at runtime :-/ If you only ever do forensics on disk/memory, you will never find sophisticated adversaries who hide in SMM/BIOS. “Firmware forensics” is going to be the next evolution in forensics. (it went “disk” -> “memory” and should now go -> firmware.) But very few people know about firmware, and firmware is especially variable on embedded systems. So you’re positioned ahead of the curve, which means you could to research and make tools for others and become well-known within the forensics community. 6

What do I want you to know? Product Security/Penetration Testing Know how to evaluate BIOS security directly, and know what all the security bits mean, and how they fail If you’re pentesting a company, run Copernicus on every box you get on. Make it clear to the customer that a real attacker could have bricked all the unlocked computers (maybe demo it on one box with their permission using the manual flash writing we learned about on the start of day 4) And again, pentester reports need to include mitigation, which should be BIOS updates. So you need to let them know that they (and we) can push their vendor to improve their security posture for their BIOS/SMM 7

I’ve only talked about a small sampling of attacks (mostly ones that we found) But I’ve given you the knowledge to go out and understand the rest

Mad skillz: go get some! There’s a whole lot more material at OpenSecurityTraining.info for you to learn (because clearly some of you didn’t know it yet :P) If you already know a topic that’s there (like x86 assembly) try to go out and become a teacher for it. – There’s no better way to refine your skills than teaching them to other people (because you need to know how to answer, or lookup, any random question that a student thinks up :)) If you know a topic that’s not already there, contribute it! – Needs to be a full day’s worth of class material, which I judge to be >= 6 hours – Doesn’t need to be in English 9

Reminder: Optional overall homework for the class Find an integer overflow in the EDK2 code: We will have Corey evaluate it, and if he thinks it's exploitable we'll handle the disclosure and give you co- authorship for the disclosure, and give you the option to present with us if we are able to successfully turn it into a conference talk To pick your starting point for analysis, you'll want to think about what kind of information a BIOS might be processing that an attacker could potentially control – E.g. images, USB messages, firmware updates, PE executables, UEFI firmware filesystem, FAT filesystem, network packets, etc 10

I hope you have fun exploring and doing voodoo in the Deep Dark! 11