
Architecture 4001: x86-64 Intel Firmware Attack & Defense


About This Course

PC BIOS/UEFI firmware is usually “out of sight, out of mind”. But this just means it’s a place where sophisticated attackers can live unseen and unfettered. This class shares information about PC firmware security that was hard-won over years of focused research into firmware vulnerabilities.

This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to read and understand the existing attack and defense research in the space, taking an explicit walk-through of the threat tree of attack and defense moves and counter-moves. And as always, this class teaches you to be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work, and to seek out new problems in new areas that no one's read yet with a security mindset.

Learning Objectives
- Understand the original 16-bit "Real Mode" which the x86 CPU reset vector executes in.
- Understand 16-bit segmentation & assembly.
- Understand the evolution of Intel chipsets, and how to find the manual which corresponds to any given hardware.
- Understand how firmware uses IO to configure Intel and 3rd party hardware at boot time.
- Understand how firmware interacts with PCIe devices at boot time, both within the CPU/chipset, and 3rd party peripherals.
- Understand the core purposes of PCIe Option ROMs, but also how they can be used by attackers.
- Be capable of manually reading/writing the firmware-storage SPI flash through the register interface.
- Understand the protection mechanisms for the SPI flash and how they can be bypassed.
- Understand the protection mechanisms for System Management Mode and how they can be bypassed.
- Understand how Chipsec can be used to assess the security posture of a firmware for both attack and defense.
- Understand how the ACPI S3 "sleep" power state can be used to attack systems.
- Be comfortable with Reading The Fun Manual(!) to go seek out the most accurate details of how things work.


Knowledge of x86-64 assembly, such as that provided by Architecture 1001: x86-64 Assembly

Knowledge of x86-64 MSRs, Control Registers, Segmentation, and Port IO, such as that provided by Architecture 2001: x86-64 OS Internals

And knowledge of the Intel Simics full system simulator, such as that provided by Debuggers 1015: Introductory Simics

Frequently Asked Questions

What learning paths is this class used in?

Exploits, Reverse Engineering, System Security

Course Staff


Xeno Kovah

Xeno founded OpenSecurityTraining(1) in 2011 to share his and others' trainings more widely. He relaunched OpenSecurityTraining2 in 2021.

Xeno's from Minnesota and has a BS in CS from UMN. He received an MS in computer security from Carnegie Mellon through the National Science Foundation "CyberCorps Scholarship for Service". But the US government didn't really yet know what to do with "cyber" people in 2007, so he ended up going to work for a Federally Funded Research and Development Center: MITRE. Xeno worked exclusively on internally-funded research projects, first as a participant and later as a leader on Windows kernel malware detection and trusted computing projects. Towards the end, other cool researchers inspired him to dig into BIOS and firmware level threats.

Xeno left MITRE to start an independent consultancy, LegbaCore, with Corey Kallenberg in 2015. Less than a year later, under mysterious circumstances that he's legally prevented from stating, he started working for Apple. While at Apple he helped get SecureBoot on Macs with the addition of the T2 chip. He also led the SecureBoot design and implementation project for the ARM-based M1 Macs. But between those big, visible, multi-year projects, he was silently improving the security of a bunch of the 3rd party peripheral processors' hardware and firmware. He liked working at Apple because he had a bully pulpit where he could force 3rd parties to do the right thing or lose their business. But he likes OST better, so he left in 2020 to work on this full time.

Xeno has a touch of the illness known as being a "collector" (it's not quite to the level of being a "hoarder", so he can't get on TV for it or anything...). Consequently he collects speaker badges and has presented at IEEE S&P, ACM CCS, BlackHat USA/EUR, Defcon, CanSecWest, PacSec, NL, Hack in the Box KUL/AMS/GSEC, H2HC, Microsoft BlueHat, Shmoocon, NoHat, Hacktivity, HackFest, NoSuchCon, SummerCon, RSA, ToorCon, DeepSec, VirusBulletin, MIRCon, AusCERT, Trusted Infrastructure Workshop, NIST NICE Workshop, and the DOD Information Assurance Symposium. And yet he still says "MORE!"