Low Level Attacks/Firmware/BIOS/UEFI
Timeline of Low level software and hardware attack papers
Building reliable SMM backdoor for UEFI based platforms
The Empire Strikes Back Apple – how your Mac firmware security is completely broken
- Writeup on compromise of UEFI on apple hardware.
- Some scripts for IDA Pro to assist with reverse engineering EFI binaries
Grab links for his papers
Talks & Presentations
- BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - BlackHat 2013
- Hacking Measured Boot and UEFI - Defcon20 - There's been a lot of buzz about UEFI Secure Booting, and the ability of hardware and software manufacturers to lock out third-party loaders (and rootkits). Even the NSA has been advocating the adoption of measured boot and hardware-based integrity checks. But what does this trend mean to the open source and hacker communities? In this talk I'll demonstrate measured boot in action. I'll also be releasing my new Measured Boot Tool which allows you to view Trusted Platform Module (TPM) boot data and identify risks such as unsigned early-boot drivers. And, I'll demonstrate how measured boot is used for remote device authentication. Finally, I'll discuss weaknesses in the system (hint: bootstrapping trust is still hard), what this technology means to the consumerization trend in IT, and what software and services gaps exist in this space for aspiring entrepreneurs.
- Hardware Backdooring is Practical - Jonathan Brossard
- Attacking “secure” chips
- Attacking the TPM part 2 - https://www.youtube.com/watch?v=h-hohCfo4LA
- Breaking Apple TouchID cheaply
- An Introduction to Firmware Analysis [30c3] - This talk gives an introduction to firmware analysis: It starts with how to retrieve the binary, e.g. get a plain file from manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation.
- Analyzing and Running binaries from Firmware Images - Part 1
- Binwalk - Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
- SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics
- hw0lat_detector: A system hardware latency detector - Linux Kernel Module - This patch introduces a new hardware latency detector module that can be used to detect high hardware-induced latencies within the system. It was originally written for use in the RT kernel, but has wider applications.
Reverse Engineering Router Firmware walk through
- WindSLIC SLIC injectors - includes UEFI, NTFS, bootmgr SLIC injectors and installers.
- UEFI Firmware Parser - The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials.
- Firmware Modification Kit - This kit is a collection of scripts and utilities to extract and rebuild Linux-based firmware images.
- Debug Agent Based UEFI Debugging - The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS; this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the debug methodology used by the Intel® System Debugger to use this method to supplement the pure JTAG-based UEFI debug method it also supports.
Papers & Writeups