One Bootloader to Load Them All

Presented at DEF CON 30 (2022), Aug. 12, 2022, noon (45 minutes)

Introduced in 2012, Secure Boot - the OG trust in boot - has become a foundational rock in modern computing and is used by millions of UEFI-enabled computers around the world due to its integration in their BIOS. The way Secure Boot works is simple and effective, by using tightly controlled code signing certificates, OEMs like Microsoft, Lenovo, Dell and others secure their boot process, blocking unsigned code from running during boot. But this model puts its trust in developers developing code without vulnerabilities or backdoors; in this presentation we will discuss past and current flaws in valid bootloaders, including some which misuse built-in features to inadvertently bypass Secure Boot. We will also discuss how in some cases malicious executables can hide from TPM measurements used by BitLocker and remote attestation mechanisms. Come join us as we dive deeper and explain how it all works, describe the vulnerabilities we found and walk you through how to use the new exploits and custom tools we created to allow for a consistent bypass for secure boot effective against every X86-64 UEFI platform.

Presenters:

• Mickey Shkatov - Hacker
  Mickey has been doing security research for almost a decade, one of specialties is simplifying complex concepts and finding security flaws in unlikely places. He has seen some crazy things and lived to tell about them at security conferences all over the world, his past talks range from web pentesting to black badges and from hacking cars to BIOS firmware.
• Jesse Michael / @jessemichael - Hacker   as Jesse Michael
  Jesse Michael - Jesse is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.

Links:

• https://forum.defcon.org/node/241827
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Mickey Shkatov, Jesse Michael - One Bootloader to Load Them All.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Mickey Shkatov, Jesse Michael - One Bootloader to Load Them All.srt (subtitles)
• https://www.youtube.com/watch?v=99t7wEYs8h0

Similar Presentations:

• ToorCon San Diego 15 (2013) / A Tale of One Software Bypass of Windows 8 Secure Boot
• Black Hat USA 2013 / A Tale of One Software Bypass of Windows 8 Secure Boot
• DEF CON 22 (2014) / Summary of Attacks Against BIOS and Secure Boot