As firmware threats become more prevalent, security companies have started to provide UEFI firmware scanners that detect malicious firmware implants. These scanners first acquire the firmware image from the SPI flash memory on the hardware, then parse the image and scan it against known signatures.
Every software-based firmware acquisition on Intel platforms carries the risk of being intercepted by an SMM rootkit. Security researchers have pointed out this risk for years, but there has been no publicly available implementation and no one has demonstrated the concept in practice.
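The practical consequence of that risk is that a dump obtained through software on the running machine cannot be trusted on its own: if the read path has been intercepted, the scanner sees whatever the interceptor chooses to return. The defensive cross-check is to compare the software-acquired image against a reference obtained out of band (for instance read from the flash chip with an external SPI programmer, or a vendor-published image for the same board and version) and to localise any regions that disagree. The following script is an added example written for this page, not code from the talk or its PoC; the images are constructed sample bytes, and `diff_regions` / `compare_images` are names chosen here.

```python
import hashlib


def diff_regions(reference: bytes, acquired: bytes, granularity: int = 256):
    """Return [(offset, length), ...] for byte ranges where `acquired`
    differs from `reference`. Comparison is done in `granularity`-byte
    blocks and adjacent differing blocks are merged into one run. A size
    mismatch is reported as a region covering the tail of the longer image.
    """
    if granularity <= 0:
        raise ValueError("granularity must be positive")
    total = max(len(reference), len(acquired))
    regions = []
    run_start = None
    for off in range(0, total, granularity):
        ref_block = reference[off:off + granularity]
        acq_block = acquired[off:off + granularity]
        if ref_block != acq_block:
            if run_start is None:
                run_start = off          # open a new differing run
        elif run_start is not None:
            regions.append((run_start, off - run_start))
            run_start = None             # close the run at a matching block
    if run_start is not None:
        regions.append((run_start, total - run_start))
    return regions


def compare_images(reference: bytes, acquired: bytes, granularity: int = 256):
    """Summarise an out-of-band reference against a software-acquired dump:
    hashes of both, whether they are identical, and the differing regions.
    An empty `regions` list means the software read path returned the same
    bytes as the trusted reference."""
    regions = diff_regions(reference, acquired, granularity)
    return {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "acquired_sha256": hashlib.sha256(acquired).hexdigest(),
        "identical": not regions,
        "size_mismatch": len(reference) != len(acquired),
        "regions": regions,
    }


# Constructed sample (not a real firmware image): a 4 KiB reference whose
# 1 KiB at offset 2048 comes back different through the software read path.
REFERENCE_IMAGE = bytes(range(256)) * 16                     # 4096 bytes
ACQUIRED_IMAGE = (REFERENCE_IMAGE[:2048]
                  + b"\xff" * 1024
                  + REFERENCE_IMAGE[3072:])

if __name__ == "__main__":
    result = compare_images(REFERENCE_IMAGE, ACQUIRED_IMAGE)
    print("identical:", result["identical"])
    for offset, length in result["regions"]:
        print(f"mismatch at 0x{offset:08x}, {length} bytes")
```

Run it with the two images read from files instead of the constructed constants; the offsets it reports are the ranges to examine in a firmware parser, and a clean comparison on a board whose reference was read with an external programmer is the only strong evidence that the in-system acquisition was not tampered with.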
In this presentation, I'll explain the firmware acquisition MitM attack PoC that I implemented to assess the risk correctly. I'll also show that the PoC can hide known bootkit components from both open and closed source firmware security tools. I believe that the findings from this research will be helpful for better firmware scanner implementations in the future.
The PoC will be published after the presentation.