Betraying the BIOS: Where the Guardians of the BIOS are Failing

Black Hat USA 2017

Presented by: Alexander Matrosov
Date: Thursday July 27, 2017
Time: 17:00 - 18:00
Location: South Seas ABE

For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS?

In this presentation, I'll explain UEFI security from the competing perspectives of attacker and defender. I'll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.

Alexander Matrosov

Alex Matrosov is a Principal REsearch Scientist at Cylance. He has over a decade of experience with reverse engineering, advanced malware analysis, firmware security, and advanced exploitation techniques. Before joining Cylance, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE) where he lead BIOS security for Client Platforms. Before this role, Alex spent over six years at Intel Advanced Threat Research team and ESET as Senior Security Researcher. He is also author and co-author of the numerous research papers and the book "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats". Alex is frequently invited to speak at security conferences, such as REcon, Ekoparty, Zeronigths, Black Hat and DEF CON. Also, he is awarded by Hex-Rays for open-source plugin HexRaysCodeXplorer which is developed and supported since 2013 by REhint's team.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats