presented by



# **An Introduction to Platform Security**

Spring 2018 UEFI Seminar and Plugfest March 26-30, 2018 Presented by Brent Holtsclaw and John Loucaides (Intel)



## **Legal Notice**

No computer system can be absolutely secure.

Intel, the Intel logo are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

\*Other names and brands may be claimed as the property of others

© Intel Corporation.



## **Building a Threat Model...**

Note: Contents are meant as examples. This does not represent an exhaustive analysis.



## Why Attack Firmware?

- Persistent Compromise
  - Update firmware image with malicious content
- Stealthy Compromise
  - System Management Mode (SMM) code injection
- Bypass of Security Features
  - Hypervisor / Virtual Machine Monitor (VMM) Bypass
- Denial of Service
  - Corrupt/Delete critical configuration settings



NS

National Institute of Standards and Technology Information Technology Laboratory

SEARCH:

## Computer Security Division **Computer Security Resource Center**

| SP 800-147B | August 2014 | BIOS Protection Guidelines for Servers<br>SP 800-147B FAQ<br>doi:10.6028/NIST.SP.800-147B [Direct Link] |
|-------------|-------------|---------------------------------------------------------------------------------------------------------|
| SP 800-147  | April 2011  | BIOS Protection Guidelines<br>SP 800-147 FAQ<br>doi:10.6028/NIST.SP.800-147 [Direct Link]               |

"These draft guidelines promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and secure recovery from attacks."

May 30, 2017

SP 800-193

### **DRAFT Platform Firmware Resiliency Guidelines**

NIST announces the public comment release of Draft Special Publication 800-193, Platform Firmware Resiliency Guidelines. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a computer system. This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. These draft guidelines promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and secure recovery from attacks. This document is intended to guide implementers, including system manufacturers and and component suppliers, on how to use these mechanisms to build a strong security foundation into platforms.

The public comment period closed on July 14, 2017 Questions? Send email to : sp800-193comments@nist.gov

Draft SP 800-193 Comment Template

### Search

### CONTACT SITE MAP



# Standards for a highly secure Windows 10 device

I 11/05/2017 • <sup>①</sup> 2 minutes to read

These standards are for general purpose desktops, laptops, tablets, 2-in-1's, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. Windows security features are enabled when you meet or exceed these standards and your device is able to provide a highly secure experience.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

### **Firmware-related features**

Systems must have firmware that implements Unified Extension Firmware Interface (UEFI) version 2.4+

Systems must have firmware that implements UEFI Class 2 or UEFI Class 3

System's firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default

System's firmware must implement Secure MOR revision 2

Systems must support the Windows\* UEFI Firmware Capsule Update specification

## **Attacks and Platform Assets**



These are examples. Not an exhaustive list.



## **Classes of Attacker**





## Unprivileged

## **Resilient Defense**





## Attack Surface (Interfaces to access/attack assets)



Note: Contents are meant as examples. This does not represent an exhaustive analysis.

### **UEFI** Variables

### **Device Drivers**

### Unprivileged



## **Do Firmware Attacks Require Kernel Privileges?**



A matter of finding legitimate signed kernel driver which can be used on behalf of user-mode exploit as a *confused* deputy.

*RWEverything* driver signed for Windows 64bit versions (co-discovered with researchers from MITRE)



Securing the Platform

## **Defending the Boot Media Asset**



## **Boot Media Resiliency**

| Attack                          | Protect Mechanism | Detect Mechanism                                           | Recover Mecha                    |
|---------------------------------|-------------------|------------------------------------------------------------|----------------------------------|
| Direct Write to Boot            | Config            | <ul> <li>UEFI Secure</li></ul>                             | <ul> <li>Capsule Upd</li></ul>   |
| Media (eg. unlocked             |                   | (Verified) Boot <li>Measured Boot</li> <li>HW Root of</li> | and Recover <li>Independent</li> |
| SPI, <u>Speed Racer</u> , etc.) |                   | Trust                                                      | hardware                         |

These are examples. Not an exhaustive list.



### ani<u>sm</u>

date ery nt

## **Boot Media Protections**

- SPI Controller
  - Descriptor regions and permissions
  - Protected Range Registers
- SMM-Based BIOS Write Protection
  - -SMI when enabling write access
  - Enable write access from SMM
- Reducing the TCB









Securing the Platform

## **Defending the Runtime Firmware Assets**



## **Runtime Firmware Resiliency**

| Attack          | Protect Mechanism                                                                                   | Detect Mechanism                               | Recover Mecha                                      |
|-----------------|-----------------------------------------------------------------------------------------------------|------------------------------------------------|----------------------------------------------------|
| Call-Outs       | <ul> <li>Limited Page Table<br/>Access</li> <li>No Execute Pages</li> <li>Hardware Check</li> </ul> | <ul><li>Debugger</li><li>Fuzzing</li></ul>     | • Firmware Upda                                    |
| Confused Deputy | <ul> <li>Limited Page Table<br/>Access</li> </ul>                                                   | <ul> <li>Fuzzing (e.g.<br/>CHIPSEC)</li> </ul> | Firmware Upda                                      |
| Malicious DMA   | <ul><li>TSEG</li><li>IOMMU</li></ul>                                                                |                                                | <ul><li> Reboot</li><li> Firmware Update</li></ul> |

These are examples. Not an exhaustive list.

### System Management Mode (SMM)

- CPU enters System Management Mode (SMM) upon receiving System Management Interrupt (SMI#) from the chipset or other logical CPU
- CPU (OS) state is saved in SMRAM upon entry to SMM and restored upon exit from SMM. SMRAM is a range
  of DRAM reserved by BIOS and protected from other runtime code.
- CPU exits SMM to the interrupted OS when SMI handler executes RSM instruction ("Resume from SMM")





## SMI "Confused Deputy" Attacks



Attacker can target SMM itself or bypass VMM protections, writing to VMM or other Guest VM memory





# (SMBASE + 8000h)

## **SMI Handler Memory Map Restriction**





## **Finding SMM "Pointer" Vulnerabilities**

[x] [ Module: Testing SMI handlers for pointer validation vulnerabilities . . . [\*] >>> Testing SMI handlers defined in 'smm config.ini'... . . . [\*] testing SMI# 0x1F (data: 0x00) SW SMI 0x1F [\*] writing 0x500 bytes at 0x0000000DAAC3000 > SMI 1F (data: 00) RAX: 0x5A5A5A5A5A5A5A5A5A RBX: 0x0000000DAAC3000 RCX: 0x0000000000000000 RDX: 0x5A5A5A5A5A5A5A5A5A RSI: 0x5A5A5A5A5A5A5A5A5A RDI: 0x5A5A5A5A5A5A5A5A5A [!] DETECTED: SMI# 1F data 0 (rax=5A5A5A5A5A5A5A5A5A rbx=DAAC3000 rcx=0 rdx=...) [-] <<< Done: found 2 potential occurrences of unchecked input pointers

https://www.youtube.com/watch?v=z2Qf45nUeaA



## Software/DMA Access to SMRAM









## **Preboot DMA Protection**



This paper presents the idea of using an input-output memory management unit (IOMMU) to resist Direct Memory Access (DMA) attacks in firmware. The example presented uses Intel® Virtualization Technology (Intel® VT) for Directed I/O (Intel® VT-d), and the concept can be applied to other IOMMU engines.



https://firmware.intel.com/sites/default/files/Intel\_WhitePaper\_Using\_IOMMU\_for\_DMA\_Protection\_in\_UEFI.pd



### PHMR.Limit

### EfiMemoryTop

PHMR.Base

### PLMR.Limit

### EfiFreeMemoryTop

### EfiFreeMemoryBottom

### EfiMemoryBottom

### PLMR.Base

Securing the Platform

## **Defending the HW Configuration Assets**



## **Hardware Configuration Resiliency**

| Attack                                                                                | Protect Mechanism                                                | Detect Mechanism | Recover Mecha                                   |
|---------------------------------------------------------------------------------------|------------------------------------------------------------------|------------------|-------------------------------------------------|
| Memory<br>Reconfiguration (e.g.<br><u>Remap</u> )                                     | <ul> <li>Configuration<br/>Guidance &amp;<br/>Locking</li> </ul> | CHIPSEC          | <ul><li>Reboot</li><li>Firmware Up</li></ul>    |
| Controller<br>Reconfiguration (e.g.<br>SPI)                                           | <ul> <li>Configuration<br/>Guidance &amp;<br/>Locking</li> </ul> | CHIPSEC          | <ul><li>Reboot</li><li>Firmware Up</li></ul>    |
| Feature<br>Enable/Disable or<br>Reconfiguration (e.g.<br>IOMMU, instructions,<br>etc) | <ul> <li>Configuration<br/>Guidance &amp;<br/>Locking</li> </ul> | • CHIPSEC        | <ul> <li>Reboot</li> <li>Firmware Up</li> </ul> |

These are examples. Not an exhaustive list.



### anism

### odate

### pdate

### odate



## **CHIPSEC: Platform Security Assessment Framework**

CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (e.g. BIOS/UEFI), and the configuration of platform components.

## Research $\rightarrow$ Testing $\rightarrow$ Risk Assessment

### Research

- Access to hardware from the OS
- Reusable Python based framework  $\bullet$

### **Testing/Validation**

- Implement test modules that support multiple platforms
- Ability to provide both positive and • negative test cases

### **Risk Assessment**

- Evaluate new systems for • vulnerabilities and mitigations
- Evaluate the state of existing systems •



# **CHIPSEC** Architecture



\*Other names and brands may be claimed as the property of others.



# **Testing Against Known Issues**

- CHIPSEC Framework for Platform Security Assessment
  - Tests for known security issues (ex: locking SPI ROM at runtime)
  - Runs under Microsoft Windows,
     Linux, Mac OS X, and the UEFI Shell
  - <u>chipsec@intel.com</u>
- Open Source (GPLv2 License)
  - <u>https://github.com/chipsec/chipsec</u>
  - Released in 2014
  - Part of Intel's Linux UEFI Validation (LUV) suite: <u>https://01.org/linux-uefi-validation</u>



| S releases 21 contribut<br>Create new file Upt<br>el module<br>le<br>SMI generation. (#255)<br>(#185)<br>le<br>ault. change root directory of chi |                     |                |               | P              |
|---------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|----------------|---------------|----------------|
| Create new file Uple   el module                                                                                                                  | ) 🔳 Wiki            | Insights 🗸     |               | h <del>•</del> |
| el module<br>le<br>SMI generation. (#255)<br>(#185)<br>le<br>ault. change root directory of chi<br>command (#238)                                 | ♥ <b>5</b> releases |                | <b>21</b> con | tribu          |
| le<br>SMI generation. (#255)<br>(#185)<br>le<br>ault. change root directory of chi<br>command (#238)                                              |                     | Create         | e new file    | Uple           |
| SMI generation. (#255)<br>(#185)<br>le<br>ault. change root directory of chi<br>command (#238)                                                    | er module           |                |               |                |
| (#185)<br>le<br>ault. change root directory of chi<br>command (#238)                                                                              | le                  |                |               |                |
| le<br>ault. change root directory of chi<br>command (#238)                                                                                        | SMI generation. (   | (#255)         |               |                |
| le<br>ault. change root directory of chi<br>command (#238)                                                                                        | (#105)              |                |               |                |
| ault. change root directory of chi<br>command (#238)                                                                                              |                     |                |               |                |
| command (#238)                                                                                                                                    |                     | directory of c | hi            |                |
| 5)                                                                                                                                                | command (#238)      |                |               |                |
|                                                                                                                                                   | ()                  |                |               |                |

# Examples: Checking Locks with CHIPSEC

| HW Configuration             | Test            |
|------------------------------|-----------------|
| Memory Controller            | memconfig       |
| SPI Descriptor               | spi_access      |
| SPI Controller               | spi_lock        |
| <b>BIOS Write Protection</b> | bios_wp         |
| Debug Enable/Disable         | debug_interface |
| Architectural Features       | ia32cfg         |

These are examples. Not an exhaustive list.







# Thanks for attending the Spring 2018 UEFI Plugfest

For more information on the UEFI Forum and UEFI Specifications, visit <u>http://www.uefi.org</u>

presented by



