
Why'd You Only Call Me When You're in SMM? Exploiting UEFI SMM Vulnerabilities for Persistent Firmware Implants

Wednesday, August 20, 2025
01:00 PM
TRACK 1

About This Talk

A BIOS (Basic Input-Output System) is a critical piece of firmware, shrouded in mystery and understood by few. In the hands of an attacker with the right skillset, it offers an unparalleled wellspring of power. A BIOS is platform firmware responsible for configuring hardware and preparing a system before loading an operating system. UEFI is a specification that defines a platform-agnostic implementation for platform-firmware initialization. As the replacement for *the artist formerly known as Legacy BIOS*, UEFI firmware now encompasses a rich ecosystem of functionality, from networking stacks to the Graphics Output Protocol (GOP). A UEFI BIOS firmware image can be considered an operating system in and of itself: a pre-OS OS with a rich and expansive attack surface.


This talk is a reverse-engineering and exploit development deep dive into one specific class of UEFI vulnerabilities for x86-64 processors: SMM (System Management Mode) vulnerabilities. SMM is the most-privileged processor execution mode on x86 systems. Running in ring -2 with god-tier control, it is a prime target for attackers looking to install low-level platform firmware exploits that are undetectable by a system and can maintain persistence on a device for months or years. While SMM vulnerabilities are not new, they continue to plague an industry with a well-documented, deeply broken platform firmware supply chain. For an exploit developer, SMM vulnerabilities can be the keys to the kingdom: why bother bypassing OS-level protections when you can exploit an SMM callout in a UEFI firmware to install an SMM backdoor directly to the SPI flash of a device?


This talk is divided into 3 parts:


In Part 1, I will provide an overview of UEFI and SMM, including SMI invocation calling conventions, existing UEFI protection technologies and SMM exploit mitigations.


In Part 2, I will cover several types of SMM vulnerabilities: SMM callouts, SMM confused deputy attacks/SMRAM memory corruption vulnerabilities (via unchecked register values and nested pointers), and SMM TOCTOU vulnerabilities.


In Part 3, I will walk through several real-world examples, using my own UEFI SMM exploits to demonstrate my UEFI xdev process: moving from reverse engineering UEFI drivers, to identifying SMM vulnerabilities, to developing PoCs for SMM callouts and SMRAM memory corruption vulnerabilities using techniques for bypassing common SMM exploit mitigations with ROP/JOP.


Applicable to reverse engineers, exploit developers, and researchers focused on low-level platform firmware attacks.
