efiXplorer: Hunting for UEFI Firmware Vulnerabilities at Scale with Automated Static Analysis

Presented at Black Hat Europe 2020 Virtual, Dec. 9, 2020, 2:20 p.m. (40 minutes)

Existing UEFI analysis tools lack a systematic approach to firmware vulnerability research focused on the specifics of x86-based systems. No publicly known tools are available for UEFI firmware vulnerability research based on static analysis. Most common reversing tools focus on simplifying individual reconstruction routines rather than rebuilding the full picture from the firmware image. Previously, researchers have presented work on statically analyzing UEFI firmware images at scale, but it focused more on misconfiguration issues (such as Secure Boot not being enabled or firmware updates not being authenticated).

In our talk, we will introduce a vulnerability research approach with a unique static analysis sauce aimed at finding vulnerable code patterns. The efiXplorer plugin REconstructs key elements and data types (such as EFI protocols) together with cross-references (by analyzing the full firmware image), which are valuable for UEFI reverse engineering. Without reconstructed cross-references, it is hard to find classes of issues such as SMM (Intel System Management Mode) callouts, where a pointer references an unvalidated buffer in untrusted memory (NVRAM, ACPI, ...) controlled by the attacker, and others.

efiXplorer IDA plugin: the most comprehensive open-source IDA plugin for UEFI reverse engineering. The authors open-sourced this plugin recently and continue to work on it, focusing more on vulnerability research.

The presented IDA plugin discovered multiple previously unreported vulnerabilities in recent widespread hardware platforms from common vendors (including ASUS, ASRock, MSI, Gigabyte, Lenovo, and others). In this Briefing, we will push a new version of the plugin with functionality to flag all the classes of issues presented during the talk.
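The SMM issue described above, as an added illustration that is not code from the talk or the efiXplorer project: the range check an SMI handler must apply before using a pointer taken from its caller-supplied communication buffer, which is precisely what the vulnerable pattern lacks. The SMRAM base and size, the comm_buf_t layout and the function names are constructed for this example; production EDK2 code performs this check with SmmIsBufferOutsideSmmValid().

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed SMRAM window for the example; real firmware takes these from the
   platform's SMRAM descriptors (e.g. the TSEG range). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Shape of a communication buffer an SMI handler receives from non-SMM code.
   Everything in it, including the embedded pointer, is attacker-controllable. */
typedef struct {
    uint64_t data_ptr;   /* caller-supplied pointer the handler is asked to write through */
    uint64_t data_len;   /* caller-supplied length */
} comm_buf_t;

/* True only if [addr, addr + len) lies entirely outside SMRAM. Rejects empty
   ranges and ranges whose end wraps past the address space, and treats a
   range that merely touches an SMRAM boundary as outside it. A simplified
   stand-in for EDK2's SmmIsBufferOutsideSmmValid(). */
bool buffer_outside_smram(uint64_t addr, uint64_t len,
                          uint64_t smram_base, uint64_t smram_size)
{
    if (len == 0)
        return false;
    if (addr > UINT64_MAX - len)          /* addr + len would wrap around */
        return false;
    uint64_t end = addr + len;            /* exclusive end of the caller's range */
    uint64_t smram_end = smram_base + smram_size;
    /* Two half-open ranges are disjoint iff one ends before the other begins. */
    return end <= smram_base || addr >= smram_end;
}

/* The pattern the plugin hunts for is the absence of this check: an SMI
   handler that dereferences comm_buf_t::data_ptr directly lets the caller
   steer the handler's read or write into SMRAM itself. The hardened handler
   validates the caller's range first and refuses to proceed on overlap. */
bool smi_handler_accepts(const comm_buf_t *cb)
{
    return buffer_outside_smram(cb->data_ptr, cb->data_len, SMRAM_BASE, SMRAM_SIZE);
}
```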

Presenters:

  • Alex Matrosov - Chief Offensive Security Researcher, Nvidia
    Alex Matrosov is a well-recognized offensive security researcher. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Alex served as Senior Principal Security Researcher at Nvidia, Intel Security Center of Excellence (SeCoE), spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers, and is a frequent speaker at security conferences, including REcon, ZeroNights, Black Hat, DEF CON, and others. Additionally, he was awarded by Hex-Rays for the open-source plugin HexRaysCodeXplorer, which has been developed and supported since 2013 by REhint's team.
  • Andrey Labunets - Security Researcher, Binarly
    Andrey Labunets is a security researcher focused on firmware analysis and machine learning, uncovering emerging firmware attacks and developing new detection methods. He is a recognized expert with publications at IETF, conference talks, and open-source contributions. Previously, Andrey led investigations and performed incident response at global scale at Facebook as well as WhatsApp.
  • Philip Lebedev - Security Researcher, Binarly
    Philip Lebedev focuses on his PhD research on firmware vulnerability analysis at scale. He enjoys poking around real targets as well as CTF challenges with the LC↯BC/MSLC teams. Philip is a Binarly REsearch Team member, focusing on reverse engineering and finding binary exploitation techniques in embedded software. Philip also frequently presents at security research conferences such as PHDays, HITB and others.
  • Yegor Vasilenko - Security Researcher, Binarly
    Yegor Vasilenko is an experienced Security Researcher focused on reverse engineering and malware analysis through the prism of incident response routines. Yegor is the creator of one of the most popular plugins for UEFI firmware reverse engineering with IDA ("UEFI_RETool", https://github.com/yeggor/UEFI_RETool), a tool which preceded efiXplorer. Nowadays he enjoys firmware RE automation and finding vulnerabilities at scale.