Header bannerHeader banner

Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard (coded)

BlackHat USA 2021

Speakers

Alex Matrosov
Visit the event website
August 4, 2021

Summary

The UEFI ecosystem is very complicated in terms of supply chain security where we have multiple parties involved in the firmware code development like Intel/AMD with its reference code, or AMI, Phoenix and Insyde with its core frameworks for system firmware development. The hardware platform vendor contributes less than 10% to the UEFI system firmware code base from all the code shipped to the customers. The reality is vulnerabilities can be discovered not just in the platform vendor codebase, but inside the reference code. This impact can be worse reflecting on the whole ecosystem. The patch cycles are different across vendors and these vulnerabilities can stay unpatched to endpoints for 6-9 months. Moreover, they can be patched differently between vendors making fix verification difficult and expensive.

This research resulted from an internal security review for some of the NVIDIA hardware and few edge computing platforms provided by partners. We found several issues. Some issues related to Intel EDKII (reported to Intel in September 2020). Additional issues for legacy protocols like SmiFlash, which is sometimes still available even on relatively new hardware. These are subject to attacker influence through NVRAM or SPI flash, allowing attackers to gain persistence. One issue particularly exciting to us due to its sustainable path of exploitation and impact of arbitrary code execution in the PEI phase. Our researchers developed a PoC where arbitrary code execution on PEI phase transfers a payload to SMM and survives the DXE phase. This powerful exploit path can be used to install a persistent implant in the system firmware compromising all Secure Boots.

BlackHat USA 2021