LegbaCore Research

 
 
  1. *BIOS Necromancy: Utilizing “Dead Code” for BIOS Attacks.

   First publication date: 10/14/2015

    Synopsis: During our work towards trying to help secure firmware, we have begun to discover a trend. There are situations where unused “dead code” can creep into firmware codebases. This can lead to situations where the developers correctly believe that they are not intentionally using the code in question. However, if that code has vulnerabilities that are still attacker-invokable, it leads to a situation where the vendor has increased attack surface. Apple’s vulnerability to CERT VU#552286, which we determined by black box binary analysis, is an example of this. But we have also seen examples of this in private engagements that we cannot speak to publicly. This document is meant to serve as a warning to BIOS developers that they need to check very carefully that no known-vulnerable code somehow ends up on their flash chip, when they dismiss a vulnerability as “not applicable” to their codebase. They could be wrong, and without careful scrutiny, low level vulnerabilities like this can and will fester for years.

    Made public in conjunction with: Hack in the Box GSEC

    Materials: Whitepaper (pdf)


* Thunderstrike 2: Sith Strike

    First publication date: 8/6/2015

    Synopsis: In this work we teamed up with Trammell Hudson to improve upon his previous Thunderstrike proof of concept. Previously it required physical access to rewrite the flash chip. We suspected that Macs were vulnerable to the same remotely-exploitable vulnerabilities we had shown in the past. And indeed, they were vulnerable to 5/6 issues we had seen previously. This helps show that just because you don’t hear about a vulnerability affecting a particular vendor, doesn’t mean they’re not affected.

To show the consequences of these vulnerabilities, Thunderstrike 2 uses CERT VU#976132 (Darth Venamis) to break into the BIOS from an Apple Thunderbolt Ethernet adapter. Once resident in the BIOS, it infects all new ethernet adapters that it comes in contact with. As such it represents a novel type of “firmworm” that only ever lives in firmware. Because it does not touch the OS or filesystem it will not be detected by traditional security products or forensics professionals.

    Co-authored with: Trammell Hudson, Trmm.net

    Appeared in: BlackHat USA 2015, Defcon 2015, Hack in the Box GSEC (Singapore)

    Materials: TS2-HITB_GSEC.pdf (pdf, updated to discuss Macs’ confirmed vulnerability to CERT VU#552286) Original Slides (pdf), Original Slides (pptx), Original Slides (keynote) Thunderstrike 2 ‘firmworm’ video (YouTube), Bricking the latest Mac Mini with no exploit needed video (YouTube)



* Are You Giving Firmware Attackers a Free Pass?

    First publication date: 4/24/2015

    Synopsis: Yes. Yes you are. Because you’re not patching away the vulnerabilities we and others have found and disclosed, and you’re not inspecting whether anyone has infected your firmware. This talk provides an introduction to firmware threats & capabilities. But because it is longer than previous talks like “Betting BIOS Bugs Won’t Bite Y’er Butt?”, a special emphasis is placed on including actions organizations can take immediately to mitigating firmware vulnerabilities and infections, above and beyond patching.

    Appeared in: RSA 2015

    Materials: Slides (pdf), Slides (pptx), LightEater Demo Video 1 (YouTube) (infecting ASUS), LightEater Demo Video 2 (YouTube) (infecting HP)


* How Many Million BIOSes Would you Like to Infect?

    First publication date: 3/20/2015

    Synopsis: Because people don’t every patch their BIOSes, it is extremely likely that the vast majority of systems in the wild are vulnerable to at least one known exploit. We made public the details of the new SMM “Incursion” vulnerabilities (CERT VU# 631788, reported Oct 29th), that can be found automatically from SMM dumps. We showed the “LightEater” SMM implant stealing GPG keys/passwords/decrypted messages from Tails on an MSI system. We also showed how an unskilled attacker can infect a BIOS with an off-the-shelf Dediprog programmer, by just pressing the start button. This was done against an HP system, from which LightEater subsequently used Intel Serial-Over-LAN to exfiltrate data over the network in a NIC-agnostic way. We also showed infecting an Asus system, with LightEater installing kernel-mode rootkit style hooks into Windows 10 preview, to get notified every time a process loads. We then provided data analysis evidence that indicated that UEFI systems are mostly homogeneous as far as an attacker is concerned, and consequently thousands of BIOSes could easily be hooked for the insertion of implants in an automated fashion.

    Appeared in: CanSecWest 2015, Hack in the Box AMS 2015, SummerCon 2015

    Materials: Slides (pdf), Slides (pptx), Whitepaper (pdf), LightEater Demo Video 1 (YouTube) (infecting ASUS), LightEater Demo Video 2 (YouTube) (infecting a HP), LightEater Demo Video 3 (YouTube) (attacking Tails), Demo Video 4 (YouTube) (Bricking a Gigabyte motherboard with “DualUEFI” backup BIOS, which is supposed to prevent bricking)


* Betting BIOS Bugs Won’t Bite Y’er Butt?

    First publication date: 1/16/2015

    Synopsis: Survey of some of the many BIOS level vulnerabilities that have come out in the past few years, for those who were not following the area.

    Appeared in: ShmooCon 2015

    Materials: Slides (pdf), Video (mp4)


----------------------------------------------------------------------------------------


Work led & performed by founders prior to starting LegbaCore:


* Attacks on UEFI Security

    First publication date: 12/28/2014

    Synopsis: Public disclosure of prevalent firmware vulnerabilities. These include the “Speed Racer” Intel hardware race condition (VU#766164) that architecturally undercuts one SPI flash protection bit. The “Darth Venamis” vulnerability (VU#976132) in EFI S3 resume boot scripts, that reveals that a system could be secure when going to sleep, but vulnerable when waking back up. And some more UEFI open source reference vulnerabilities (VU#533140) that could allow bypassing firmware “protected range registers.” The combination of these vulnerabilities are believed to defeat all firmware protection mechanisms on all un-patched systems available today.

    Co-authored with: Rafal Wojtczuk, Bromium

    Appeared in: 31C3, CanSecWest 2015

    Materials: Slides (pdf), “Speed Racer” (VU#766164) Whitepaper (pdf), “Venamis” (VU#976132) Whitepaper (pdf), Video (YouTube)


* Analyzing UEFI BIOS from Attacker and Defender Viewpoints

    First publication date: 10/17/2014

    Synopsis: An analysis of what elements of UEFI help attackers, and which help defenders.

    Appeared in: BlackHat Europe 2014

    Materials: Slides (pdf)


* What Would it Take to Enable Global Firmware Vulnerability Checking & Integrity Checking?

    First publication date: 10/8/2014

    Synopsis: A Microsoft-targeted discussion of what they could do to improve the state of firmware security, e.g. by performing vulnerability and integrity checking within their customer base.

    Appeared in: Microsoft BlueHat 2014

    Materials: not yet available


* Into the Unknown: {How to Detect BIOS Attackers, Assessing your BIOS Vulnerabilities}

    First publication date: 9/26/2014

    Synopsis: Talks targeted at encouraging Anti-Virus vendors to start checking for malware at the BIOS level, and to encourage Mandiant customers attending MIRCon to encourage Mandiant to start checking for malware at the BIOS level.

    Appeared in: VirusBulletin 2014, MIRCon 2014

    Materials: VirusBulletin Slides (pdf), MIRCon Slides (pdf)


* Extreme Privilege Escalation of Windows 8/UEFI Systems

    First publication date: 8/8/2014

    Synopsis: Public disclosure of two vulnerabilities (VU#552286) that allow a ring 3 attacker to feed a UEFI system a fake BIOS update, cause a memory corruption while it’s being parsed, and execute arbitrary code in the context of SMM, before signature checks or any other protection mechanisms are in play. These vulnerabilities affected hundreds of PC models. This talk also introduced “The Watcher”, a PoC SMM agent that can perform arbitrary code execution on behalf of an attacker.

    Appeared in: BlackHat USA 2014, Defcon 2014, Hack in the Box KUL 2014 (pdf), Hack.lu 2014

    Materials: Slides (pdf), Whitepaper (pdf), Video


* SENTER Sandman: Using Intel TXT to Attack BIOSes

    First publication date: 6/6/2014

    Synopsis: A description of how Intel TXT’s SMI suppression behavior can be used to subvert a BIOS protection mechanism. Also a discussion of on what hardware SMIs aren’t suppressed, and the implications for the trustworthiness if Copernicus 2.

    Appeared in: SummerCon 2014, Hack in the Box KUL 2014, Hack.lu 2014, DeepSec 2014

    Materials: Slides (pdf), Whitepaper (pdf), SummerCon Video (Vimeo)


* Setup for Failure: Defeating UEFI Secure Boot

    First publication date (VU#758382): 3/12/2014

    First publication date (VU#291102): 4/3/2014

    Synopsis: Disclosure of a vulnerability (VU#758382) with the “Setup” UEFI non-volatile variable on some systems. Manipulation of this variable can lead to bypassing secure boot, or even bricking the system.

Versions after CanSecWest also included discussion of the “Charizard” vulnerability (VU#291102 - not yet public). This is a way to suppress SMIs to subvert a BIOS protection mechanism, and therefore subvert secure boot.

    Co-authored (CanSecWest only) with: Bulygin, Furtak, Bazhaniuk & Loucaides, Intel Security

    Appeared in: CanSecWest 2014, SyScan 2014, Hack in the Box AMS 2014, Hack in Paris 2014

    Materials: CanSecWest slides Intel(pdf) & MITRE (pdf), Slides & Whitepaper (zip of pptx & pdf), SyScan video (YouTube)


* Copernicus 2: SENTER the Dragon!

    First publication date: 3/12/2014

    Synopsis: Discussion of how a SMM MitM attacker (“Smite’em”) can subvert all software-based BIOS capture utilities (including our own Copernicus). Proposed the use of Intel Trusted Execution Technology (TXT) to improve the trustworthiness of the BIOS capture mechanism due to implicit SMI suppression & capability for remote attestation. (Later it was determine that newer hardware doesn’t suppress SMIs. See “SENTER Sandman”.)

    Appeared in: CanSecWest 2014

    Materials: Slides (pptx), PoC Code (Win 7 only)


* Defeating Signed BIOS Enforcement

    First publication date (VU#255726-not-yet-published): 9/25/2013

    First publication date: (VU#912156): 7/31/2013

    Synopsis: While there had been previous attacks, against BIOS, they often relied on having a BIOS that was wide open. Only a single previous publication had successfully attacked a BIOS and altered its contents, even though the BIOS should ostensibly be un-alterable except in the presence of a signed BIOS update. This talk presented the second ever BIOS exploit (VU#912156), and a third way to also bypass the signed update requirement (VU#255726-not-yet-published).

    Appeared in: EkoParty 2013, Hack in the Box KUL 2013, PacSec 2013, (BlackHat USA 2013)

    Materials: Slides (pdf), Whitepaper (pdf), Video


* Mapping Free & Open Source  Deep Technical Training to the NICE Framework

    First publication date: 9/17/2013

    Synopsis: Discussing some of the limitations of the NIST NICE framework, as determined by trying to map the OpenSecurityTraining.info classes to it.

    Appeared in: NIST NICE Workshop

    Materials: Slides (pdf), Video


* Copernicus: Question your assumptions about BIOS security

    First publication date: 7/17/2013

    Synopsis: Discussion of how Copernicus could be used for enterprise-wide assessment of BIOS vulnerabilities, and integrity checking BIOSes to look for the presence of malicious implants.

    Appeared in: MTEM 2013, DCISE TechEx 2013, ToorCon 2013 (part of 90 minutes including BIOS Chronomancy material.)

    Materials: Slides (no longer publicly available), Code (zip)


* Timing-Based Attestation: Sexy Defense, or the Sexiest?

    First publication date: 6/2/2013

    Synopsis: Explaining how Timing-Based Attestation (or Software-Based Attestation as it’s known when you don’t use special hardware) is an extremely sexy defensive technique. It has all the elements that make hacking in general so fun: digging through low level code, victory going to the superior understanding of the architecture/code, etc. This talk is a survey of other work in the area, while going into a little bit more depth about how we’ve used it at the kernel and BIOS level.

    Appeared in: Trusted Infrastructure Workshop 2013, ShmooCon 2014

    Materials: Video


* BIOS Chronomancy: Fixing the Static Core Root of Trust for Measurement (S-CRTM)

    First publication date: 5/15/2013

    Synopsis: (The first appearance at NoSuchCon did not include a discussion of VU#912156, but subsequent talks did.) Discussed how the S-CRTM is supposed to provide trustworthy reporting to detect the presence of BIOS level attackers. First showed a way that an attacker could exploit their way into a BIOS, even if all security mechanisms were properly configured (VU#912156). Then showed “The Tick”, which is BIOS-resident malware that subverts the S-CRTM by lying to the TPM to replay or recalculate a clean measurement. Then showed “The Flea”, which was BIOS malware that could survive attempts to remove it through a reflash, by infecting the new BIOS as it is about to be written. To defense against such attacks, and build a stronger S-CRTM, we used our existing work on Timing-Based Attestation to create “BIOS Chronomancy”. This defensive technique allows for the customization of the BIOS to provide timing side-channel tamper-evidence to allow for the detection of BIOS malware. Also released “Copernicus”, a free Windows tool for inspecting the BIOS vulnerability/integrity state. This talk was effectively 3 talks crammed into one, so that we could guarantee we would get into BlackHat. ;)

    Appeared in: NoSuchCon 2013, BlackHat USA 2013, EkoParty 2013, Breakpoint/Ruxcon 2013, Sec-T 2013, SecTor 2013, Hack.lu 2013, ACM CCS 2013

    Materials: Slides (pdf), Whitepaper (BlackHat) (pdf), Whitepaper (ACM CCS) (pdf), Code (Copernicus) (zip), Code (BC TBA) (src), Video


* No More Hooks: Trustworthy Detection of Code Integrity Attacks

    First publication date: 7/29/2012

    Synopsis: Bringing the below “New Results for Timing-Based Attestation” paper content to a Defcon audience.

    Appeared in: Defcon 2012

    Materials: Slides (pdf)


* New Results for Timing-Based Attestation

    First publication date: 5/20/2012

    Synopsis: Showed the feasibility of using TBA 1) from the Windows kernel driver 2) across a real enterprise network and 3) with the TPM instead of just network round trip time. Also laid out the 3 necessary conditions for TOCTOU attacks to subvert TBA.

    Appeared in: IEEE Symposium on Security & Privacy 2012

    Materials: Whitepaper (pdf)


* Training Deep Technical Security Experts at Scale: Lessons Learned from Massive Online Classes

    First publication date: 1/16/2012

    Synopsis: Outlining the case that in order to train the necessary number of security experts currently needed, we must use both open source and open access classes, like those found on OpenSecurityTraining.info.

    Appeared in: Shmoocon 2012, DoD IA Symposium 2012

    Materials: Slides (ppt)


----------------------------------------------------------------------------------------


The LegbaCore founders were also the founders and first contributors to OpenSecurityTraining.info. They have created the following classes:


Xeno

http://opensecuritytraining.info/IntroX86.html

http://opensecuritytraining.info/IntroX86-64.html

http://opensecuritytraining.info/IntermediateX86.html

http://opensecuritytraining.info/LifeOfBinaries.html

http://opensecuritytraining.info/Rootkits.html


Corey

http://opensecuritytraining.info/Exploits1.html

http://opensecuritytraining.info/Exploits2.html


Xeno, Corey, & John Butterworth (MITRE)

http://opensecuritytraining.info/IntroBIOS.html

RESEARCH/PUBLICATIONS