blog

REsearch Blog

Innovative Technology Would Not Be Possible Without In-depth REsearch

ARM-based Firmware Support in New efiXplorer v5.0 [LABScon Edition]
September 30, 2022
EFIXPLORER
Binarly efiXplorer Team

We promised to release the new version of efiXplorer with ARM-based firmware support last week at the inaugural LABScon event. This is one of the most important releases since the project began in February of 2020. In the beginning, efiXplorer focused primarily on x86-based firmware analysis, but after seeing the growth of ARM-based servers and laptops, we are now adding support for ARM.

Read more
Binarly Discovers Multiple High-Severity Vulnerabilities in AMI-based Devices
September 12, 2022
AMI
Binarly efiXplorer Team

The Binarly security research team continues to find evidence of repeatable failures in the firmware development ecosystem, exposing critical vulnerabilities related to the ecosystem that impact the entire industry rather than just a single vendor.

Read more
Binarly Finds Six High Severity Firmware Vulnerabilities in HP Enterprise Devices
September 8, 2022
Responsible Disclosure
Binarly efiXplorer Team

The Binarly security research team has had a busy year finding, documenting and helping to fix high-impact vulnerabilities affecting multiple enterprise vendors. In this blog, we provide an in-depth look at some of the vulnerabilities we discussed at the Black Hat 2022 conference affecting HP EliteBook devices.

Read more
Using Symbolic Execution to Detect UEFI Firmware Vulnerabilities
September 07, 2022
Binarly Platform
Binarly efiXplorer Team

The Binarly team is constantly researching ways to automate our proprietary deep code inspection technology to improve the discovery of different classes of bugs within system firmware. The Binarly efiXplorer team has decades of experience in program analysis and automation, enabling us to develop unique binary analysis techniques and technologies internally.

Read more
Black Hat 2022: Blasting Event-Driven Cornucopia - WMI edition
August 23, 2022
Black Hat
Binarly Research Team

In our previous blog, we discussed post-exploitation impact from firmware vulnerabilities which can lead to long-time persistence on the device. A firmware implant is the ultimate goal for an attacker to obtain persistence. An attacker can install the malicious implant on different levels of the firmware, either as a modified legitimate module or a standalone driver. The impact of targeting unprivileged non-SMM DXE runtime drivers or applications by a threat actor is often underestimated. This kind of malicious DXE driver can bypass Secure Boot and influence further boot stages. All these firmware threats have been discovered only after many years of being deployed in the wild.

Read more
Black Hat 2022: The Intel PPAM attack story
August 16, 2022
Black Hat
Binarly efiXplorer Team

The increasingly large number of firmware vulnerabilities gives attackers a lot of options for persistence and the means to bypass traditional endpoint solutions. At least two recently discovered firmware implants -- MoonBounce and CosmicStrand -- have persisted for more than seven years by using basic firmware bootkit techniques. In general, the UEFI system firmware grows in complexity every year and constantly introduces new attack surfaces.

Read more
FirmwareBleed: The industry fails to adopt Return Stack Buffer mitigations in SMM
July 18, 2022
FirmwareBleed
Binarly Team

Speculative execution mitigations have been discussed for some time, but most of the focus has been at the operating system level in order to adopt them in software stacks. What is happening at the firmware level? When it comes to applying these mitigations, how does the industry take advantage of them, and who coordinates their adoption specifically into the firmware? These are all good questions, but unfortunately no positive news can be shared.

Read more
Firmware Supply Chain Company Binarly Raises $3.6 Million from Westwave Capital, Acrobator Ventures
June 22, 2022
Binarly
Binarly Team

Every startup, like a story, has its own beginning. Binarly started with a simple idea to gain more visibility into firmware through binary code analysis and change the cybersecurity industry’s approach to managing the firmware threat landscape.

Read more
FwHunt The Next Chapter: Firmware Threat Detection at Scale
June 2, 2022
Binarly Platform
Binarly Team

Almost a year ago, while describing our company mission and the limitations of available solutions for detecting firmware threats, we discussed our initial vision around binary code inspection for detecting firmware threats and vulnerabilities (See: Why Firmware Integrity Is Insufficient For Effective Threat Detection And Hunting).

Read more
Repeatable Failures: AMI UsbRt - Six years later, firmware attack vector still affect millions of enterprise devices
March 21, 2022
Vulnerability Research
efiXplorer Team

A month ago, Binarly’s security research team managed the coordinated disclosure of 16 high impact vulnerabilities in HP devices and 23 additional security defects impacting major enterprise vendors. In less than a year, Binarly disclosed 42 high severity vulnerabilities haunting the UEFI firmware ecosystem, all serious enough to cause arbitrary code execution in System Management Mode (SMM).

Read more
Repeatable Firmware Security Failures: 16 High Impact Vulnerabilities Discovered in HP Devices
March 8, 2022
Vulnerability Research
efiXplorer Team

Today, Binarly’s security research lab announced the discovery and coordinated disclosure of 16 high-severity vulnerabilities in various implementations of UEFI firmware affecting multiple enterprise products from HP, including laptops, desktops, point-of-sale systems, and edge computing nodes.

Read more
An In-Depth Look at the 23 High-Impact Vulnerabilities
February 1, 2022
Vulnerability Research
efiXplorer Team

In our previous blog “The Firmware Supply Chain Security is broken Can we fix it”, we delved deep into the challenges of the firmware ecosystem by introducing the supply chain "race condition" paradigm.

Read more
A deeper UEFI dive into MoonBounce
January 21, 2022
MoonBounce
Binarly Team

After uncovering FinSpy several months ago, an APT threat targeting UEFI bootloaders, in the morning of January 20th 2022, Kaspersky Lab has released a new report on their latest discovery, a very interesting UEFI firmware threat dubbed MoonBounce.

Read more
The Firmware Supply-Chain Security is broken: Can we fix it?
December 27, 2021
Binarly Platform
Binarly Team

At the beginning of December, Binarly was very active in spreading the word about the problems in the firmware supply chain ecosystem at multiple security conferences. Alex Matrosov, the Binarly CEO, gave a keynote entitled “The Evolution of Threat Actors: Firmware is the Next Frontier” at AVAR conference in which he focused on the evolving threats coming from historically overlooked places below the operating system.

Read more
Design issues of modern EDRs: bypassing ETW-based solutions
November 15, 2021
Black Hat
Binarly Team

As experts in firmware security, the Binarly team is frequently asked why endpoint solutions can’t detect threats originating below the operating system such as firmware implant payloads. Unfortunately, the problem requires a more complex approach and the modern architecture of Endpoint Detection & Response (EDR) solutions are weak against generic attack patterns.

Read more
Design issues of modern EDRs: bypassing ETW-based solutions
November 15, 2021
Black Hat
Binarly Team

As experts in firmware security, the Binarly team is frequently asked why endpoint solutions can’t detect threats originating below the operating system such as firmware implant payloads. Unfortunately, the problem requires a more complex approach and the modern architecture of Endpoint Detection & Response (EDR) solutions are weak against generic attack patterns.

Read more
Detecting Firmware vulnerabilities at scale: Intel BSSA DFT case study
September 14, 2021
FwHunt
Binarly Team

In our previous two blogs, Firmware Supply Chain is Hard(coded) and Attacking (pre)EFI Ecosystem, we described in detail four high severity vulnerabilities that impacted the UEFI system firmware and put a large number of enterprise devices at high risk.

Read more
Attacking (pre)EFI Ecosystem
September 10, 2021
Black Hat
Binarly Team

At Black Hat USA 2021, Binarly CEO Alex Matrosov jointly presented with Nvidia security researchers Alex Tereshkin and Adam 'pi3' Zabrocki their findings in the “Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)” talk, highlighting five high severity vulnerabilities that affected the whole UEFI ecosystem.

Read more
Firmware Supply Chain is Hard(coded)
August 20, 2021
Black Hat
Binarly Team

At Black Hat USA 2021, Binarly CEO Alex Matrosov jointly presented with Nvidia security researchers Alex Tereshkin and Adam 'pi3' Zabrocki their findings in the “Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)” talk, highlighting five high severity vulnerabilities that affected the whole UEFI ecosystem.

Read more
The list of highest-rated books for Malware Analysts features “Rootkits and Bootkits”
August 12, 2021
Rootkits and Bootkits
Binarly Team

Today we are pleased to announce that "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" book by Alex Matrosov, Eugene Rodionov and Sergey Bratus has been featured in the Highest-Rated Books for Malware Analysts Available on Amazon.

Read more
The list of highest-rated books for Malware Analysts features “Rootkits and Bootkits”
August 12, 2021
Rootkits and Bootkits
Binarly Team

Today we are pleased to announce that "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" book by Alex Matrosov, Eugene Rodionov and Sergey Bratus has been featured in the Highest-Rated Books for Malware Analysts Available on Amazon.

Read more
Why Firmware Integrity is Insufficient for Effective Threat Detection and Hunting
August 02, 2021
Threat Hunting
Binarly Team

Currently, integrity checking is the standard methodology for firmware security validation and threat detection. This article details the different scenarios where firmware integrity is necessary, but insufficient from the threat analysis and incident response perspective.

Read more
Breaking through another Side: Bypassing Firmware Security Boundaries
July 14, 2021
UEFI
Alex Matrosov

This blog post describes my joint research with Alexandre Gazet that culminated with us presenting the “Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller” (slides) talk at BlackHat 2019 Conference in Las Vegas. Our REsearch focused on the Embedded Controller security and Intel BIOS Guard technology implementation in Lenovo Thinkpad BIOS and took around 5 month of our spare time.

Read more
Who Watches BIOS Watchers?
July 12, 2021
UEFI
Alex Matrosov

At the last Black Hat event in Vegas, I presented the first publicly known concept of an attack on a specific implementation of Intel Boot Guard technology - technology that is mostly undocumented. While I was working on this research one thought bothered me: the specification of a technology can be almost perfect, but after all, the implementation part is done by third-parties and it is challenging to maintain proper level security in this case. Intel Boot Guard is an excellent example of a complex technology where there are places where making a small mistake allows an attacker to bypass the security of the entire technology.

Read more