Introductory BIOS and SMM Security

- Jon Butterworth

This course is designed for those who are interested in BIOS security and want to learn about its role in configuring platform security. Because BIOS is such a large subject, this course focuses on and explains specifically those aspects of BIOS that relate to platform security. However, this course will also explain the core concepts required to understand the security aspects of the presented material as well as de-abstract the subject as a whole.

We will cover the various system components that the BIOS is responsible for configuring and the security they can provide. This course will also show you what capabilities and opportunities are provided to an attacker when they are not properly configured. It will also provide you with tools which you can use to measure many of these configurations and, most importantly, show you how to understand and interpret the results.

This course covers both legacy BIOS and the new UEFI but will show you how many of the security configurations are agnostic with respect to the BIOS manufacturer and whether the BIOS is legacy or UEFI. UEFI-specific differences will be discussed on the second day.

You will also learn how to apply your existing reverse engineering skills to the analysis of UEFI firmware when changes to it have been detected.

Pre-requisite of Training Class

Student

Hardware

  • None
  • Since BIOS differs between machines, I will lend each student a laptop to ensure uniform results for all lab exercises

Software

  • None required. Same as Hardware Requirements

LEARNING OBJECTIVES:

  • Understand the BIOS/UEFI boot environments and how they interact with the platform architecture
  • How the BIOS/UEFI should configure the system to maximize platform security
  • How System Management Mode (SMM) is instantiated and must be protected
  • How SMM may be used to provide added layers of platform security
  • How CPU caching can actually undermine SMM security
  • How the BIOS flash chip should be locked down
  • How the BIOS interacts with the Trusted Platform Module (TPM) and the measured boot process
  • Understand what capabilities are provided to an attacker when the above components are not configured properly
  • Learn how to reverse engineer UEFI modules when it has been detected that “something has changed” in the firmware
  • Understand the similarities and differences between the UEFI and legacy BIOS
  • To teach you to fish so you can take your newly-acquired knowledge to further security research in this area

Daily Class Outline

Day 1

  • Introduction to BIOS concepts
  • Chipset architecture
  • Input/Output (including PCI) and how the BIOS uses it to configure the system
  • PCI Option ROMs
  • BIOS’ interaction with the TPM and the Measured Boot process
  • BIOS’ lockdown of the serial flash where the BIOS itself resides

Day 2

  • System Management Mode (SMM)
  • CPU caching
  • Introduction to UEFI BIOS
  • The UEFI phases and security parameters specific to UEFI
  • Reverse engineering UEFI modules
  • Useful tools and methods for analyzing potentially malicious UEFI drivers
