
Architecture 4001: x86-64 Reset Vector Firmware


About This Course

PC BIOS/UEFI firmware is usually “out of sight, out of mind”. But this just means it’s a place where sophisticated attackers can live unseen and unfettered. This class shares information about PC firmware security that was hard-won over years of focused research into firmware vulnerabilities.

We will cover why the BIOS is critical to the security of the platform. This course will also show you what capabilities and opportunities are provided to an attacker when BIOSes are not properly secured. We will also provide you with tools for performing vulnerability analysis on firmware, as well as firmware forensics. This class will take people with existing reverse engineering skills and teach them to analyze UEFI firmware. This can be used either for vulnerability hunting or to analyze suspected implants found in a BIOS, without having to rely on anyone else.

Learning Objectives
* Understand the similarities and differences between the UEFI and legacy BIOS
* Understand the BIOS/UEFI boot environments and how they interact with the platform architecture
* How the BIOS/UEFI should configure the system to maximize platform security, and how attackers have bypassed these security mechanisms
* How System Management Mode (SMM) is instantiated and must be protected
* How SMM may be used to provide added layers of platform security
* How the BIOS flash chip should be locked down, and what kind of attacks can be done when it is not
* How to Reverse Engineer UEFI modules
* To teach you “how to fish” so you can take your newly-acquired knowledge to perform further security research in this area


Prerequisites

Architecture 1001: x86-64 Assembly and Architecture 2001: x86-64 OS Internals

Frequently Asked Questions

What learning paths is this class used in?

Exploits, Reverse Engineering, System Security

Does the instructor teach this class in person?

Yes, but only occasionally. Xeno's preferred in-person delivery method is a hybrid structure where we get everyone in the same room, and students proceed through the class at their own pace by watching videos. Xeno is then available in person and chat to answer questions immediately when they occur. He only does live-lecture classes for companies that have sponsored OST2, if they insist that they want this anachronistic and arguably suboptimal delivery method.

To be or not to be?

That is the question...

Course Staff


Xeno Kovah

Xeno founded OpenSecurityTraining in 2011 to share his and others' trainings more widely. He relaunched OST2 in 2021.

Xeno's from Minnesota and has a BS in CS from UMN. He received an MS in computer security from Carnegie Mellon through the National Science Foundation "CyberCorps Scholarship for Service". But the US government didn't really yet know what to do with "cyber" people in 2007, so he ended up going to work for a Federally Funded Research and Development Center - MITRE. Xeno worked exclusively on internally-funded research projects, first as a participant and later as a leader on Windows kernel malware detection and trusted computing projects. Towards the end, other cool researchers inspired him to dig into BIOS and firmware level threats.

Xeno left MITRE to start an independent consultancy, LegbaCore, with Corey Kallenberg in 2015. Less than a year later, under mysterious circumstances that he's legally prevented from stating, he started working for Apple. While at Apple he helped get SecureBoot on Macs with the addition of the T2 chip. He also led the SecureBoot design and implementation project for the ARM-based M1 Macs. But between those big, visible, multi-year projects, he was silently improving the security of a bunch of the 3rd party peripheral processors' hardware and firmware. He liked working at Apple because he had a bully pulpit where he could force 3rd parties to do the right thing or lose their business. But he likes OST better, so he left in 2020 to work on this full time.

Xeno has a touch of the illness known as being a "collector" (it's not quite to the level of being a "hoarder", so he can't get on TV for it or anything...) Consequently he has presented at IEEE S&P, ACM CCS, BlackHat USA/EUR, Defcon, CanSecWest, PacSec, Hack in the Box KUL/AMS/GSEC, Microsoft BlueHat, Shmoocon,, NoSuchCon, SummerCon, RSA, ToorCon, DeepSec, VirusBulletin, MIRCon, AusCERT, Trusted Infrastructure Workshop, NIST NICE Workshop, and the DOD Information Assurance Symposium. And yet he still says "MORE!"