A Compendium to UEFI Hacking

There are quite a few operating/execution environments running below or before an Operating System's kernel. Computer science calls protection domains "Rings" and an Operating system's kernel is called "Ring 0" or "Supervisor mode". Researchers have called the lower-level environments Ring -1 (Hypervisor mode), and Ring -3 ("system management mode"), and they are fairly apt-names. I like to bundle all of these into a scary-but-funny-and-fitting name subzero, dun dun dun!

bios.jpg

Intel and the UEFI (Universal Extensible Firmware Interface) forum embody a really awesome subzero concept highlighted in the UEFI acronym-expansion. That is, applying standards to highly-privileged protection domains allows software engineers and vendors to take advantage of each other's development and security improvements. Never-the-less, standards and their implementation-specific variations attract security researches too!

Over the last few years there have been various vulnerabilities, exploitation, malware proof-of-concepts, attach strategies, frameworks, and research topics related to the new subzero developments. Like a kid in a hobby shop, I've become enthused by this world and cannot stop reading about what these epic researchers have accomplished. This article pays homage to this community by trying to compile the related work.

This document/chrono-log is no where near complete. It would be very helpful if mistakes, discrepancies, and in-adequateness could be emailed to "teddy@prosauce.org". I'll try to apply changes and additions ASAP. Keep in mind I cite work very similar to hundreds of derived work and concepts. My goal is to capture seminal, influential and ground-breaking concepts. And to this goal I welcome any criticism.

This will include offensive research related to: BIOS (though only more-recent BIOS research) because BIOS and BIOS Plug and Play concepts are still used; virtualization concepts as they apply to Ring 0 subversion; rootkits and bootkits that take advances of subzero concepts and technologies; ACPI (Advanced Configuration and Power Interface(s)); PCI OptionROM; UEFI; System Management Mode, Intel TXT and VT-d; Intel AMT and the Intel Management Engine. I'll loosely try to create several categories listed below:

Firmware, BIOS, UEFI Rootkits, Malware, and Offensive Concepts:

ACPI BIOS Rootkit
by: John Heasman, NGS Software
published: 2006 at BlackHat Europe

BIOS Rootkit: Welcome home, my Lord! (Chinese blog)
by: Icelord

PCI OptionRom Rootkit
by: John Heasman, NGS Software
published: 2007 at BlackHat DC

Your computer is now stoned (...again!)
by: Kimmo Kasslin and Elia Florio, F-Secure and Symantec
published: 2008 as an analysis of the Mebroot-family (Mebromi) of MBR-based Rootkits

SMM Rootkits: A New Breed of OS Independent Malware
by: Shawn Embleton, Sherri Sparks, Cliff Zou
published: 2008 at SecureCom

BIOS-level Windows Rootkit, and Persistent BIOS Infection
by: Alfredo Ortega and Anibal Sacco, Core Security Technologies
published: 2009 at CanSecWest Conference
additional references: Persistent BIOS Infection on Phrack

Reactivate the Rootkit: Attacks on BIOS anti-theft technologies
by: Alfredo Ortega, Anibal Sacco, Core Security Technologies
published: 2009 at BlackHat USA

A Real SMM Rootkit
by: Filip Wecherowski
published: 2009 by Phrack Magizine

Hardware Backdooring is practical, and Rakshasa
by: Jonathan Brossard, Toucan System
published: 2012 BlackHat USA

De Mysteriis Dom Jobsivs: Mac EFI Rootkits
by: Loukas K (snare)
published: 2012 at SyScan Singapore
additional references: BlackHat 2012 USA Whitepaper

When Firmware Modifications Attack: Embedded Exploitation
by: Ang Cui, Michael Costello, and Salvatore Stolfo
published: 2013 at NDSS

Implementation and Implications of a Stealth Hard-Drive Backdoor
by: Jonas Zaddach, Anil Kurmus, Davide Balzarotti, Erik-Oliver Blass, Aurelien Francillon, Travis Goodspeed, Moitrayee Gupta, and Ioannis Koltsidas
published: 2013 at ACSAC

Virtualization-focused Exploits and Rootkits:

SubVert: Implementating malware with virtual machines
by: Samuel T. King and Peter M. Chen
published: 2006 at IEEE Security and Privacy (Oakland)

Bluepill: Subverting Vista Kernel for Fun and Profit
by: Joanna Rutkowska, Advanced Malware Labs, COSEINC
published: 2006 SyScan Conference in Singapore
additional references: Cached version of the project page, Followup research, IsGameOver()

Hardware Virtualization Rootkits
by: Dino A. Dai Zovi
published: 2006 at BlackHat USA

VBoot Kit: Compromising Windows Vista Security
by: Nitin Kumar and Vipin Kumar, NVLabs
published: 2007 at BlackHat Europe

BIOS Boot Hijacking and VMware Vulnerabilities Digging
by: Sun Bing
published: 2007 at POC, Seoul Korea

Firmware, BIOS, and UEFI Vulnerabilities and Exploitation:

System Management Mode to Circumvent Operating System Security
by: Loic Duflot, Daniel Etiemble, and Olivier Grumelard
published: 2006 at CanSecWest Conference

Hacking the Extensible Firmware Interface
by: John Heasman, NGS Software
published: 2007 at BlackHat USA

Attacking Intel Trusted Execution Technology
by: Rafal Wojtczul and Joanna Rutkowska
published: 2009 at BlackHat DC

Attacking SMM Memory via Intel CPU Cache Poisoning
by: Rafal Wojtczuk and Joanna Rutkowska
published: 2009 by Invisible Things Labs

Attacking Intel BIOS
by: Rafal Wojtczuk and Alexander Tereshkin
published: 2009 at BlackHat USA

Introducing Ring -3 Rootkits
by: Alexander Tereshkin and Rafal Wojtczuk
published: 2009 at BlackHat USA
additional references: Code from IVLs

Another Way to Circumvent Intel Trusted Execution Technology
by: Rafal Wojtczuk, Joanna Rutkowska, and Alexander Tereshkin
published: 2009 by Invisible Things Labs

Following the White Rabbit: Software Attacks against Intel VT-d
by: Rafal Wojtczuk and Joanna Rutkowska
published: 2011 by Invisible Things Labs

Exploring new lands on Intel CPUs (SINIT code execution hijacking)
by: Rafal Wojtczuk and Joanna Rutkowska
published: 2011 by Invisible Things Labs

BIOS Chronomancy: Fixing the Core Root of Trust for Measurement
by: John Butterworth, Corey Kallenberg, Xeno Kovah, The MITRE Corporation
published: 2013 at BlackHat USA

(Coming Soon): All Your Boot are Belong to Us
by: Corey Kallenberg, Yuriy Bulygin, Andrew Furtak, Oleksandr Bazhaniuk, John Loucaides, Xeno Kovah, John Butterworth, Sam Cornwell, Intel and MITRE
published: 2014 at CanSecWest Conference

Related Vulnerability Advisories:

Intel-SA-00017: (2008) BIOS SMM Privilege Escalation
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00017&languageid=en-fr

Asus EEE PC: (2009) BIOS SMM Privilege Escalation Vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2009-08/0059.html

Intel-SA-00018: (2009) BIOS SMM Privilege Escalation
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00018&languageid=en-fr

Intel-SA-00019: (2009) Unauthorized Downgrading to a previous BIOS version
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00019&languageid=en-fr

Intel-SA-00020: (2009) Buffer Overflow Local Privilege Escalation
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00020&languageid=en-fr

Intel-SA-00021: (2009) SINIT Misconfiguration allows for Privilege Escalation
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00021&languageid=en-fr

Intel-SA-00022: (2010) BIOS SMM Privilege Escalation
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00022&languageid=en-fr

Intel-SA-20023: (2010) Intel AMT Software Development Kit Remote Code Execution
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00023&languageid=en-fr

Intel-SA-00030: (2011) SINIT Buffer Overflow Vulnerability (example)
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00030&languageid=en-fr

CVE-2011-1898: VT-d (PCI passthrough) MSI
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1898

VU#912156: (2013) Dell BIOS RBU Packet Buffer Overflow
http://www.kb.cert.org/vuls/id/912156

Postamble:

This list is a massive work in-progress. I hope to augment it with subzero defenses and related security tools very soon!