Evil Maid Just Got Angrier - Why Full-Disk Encryption ... - CanSecWest

More documents

Recommendations

Info

The Solution is Simple <strong>Just</strong> let BitLocker rely on all platform manufacturers to protect the UEFI BIOS from programmable SPI writes by malware, allow only signed UEFI BIOS updates, protect authorized update software, update the boot block (SEC/PEI code) securely, correctly program and protect SPI Flash descriptor, lock the SPI controller configuration, and not introduce a single bug in all of this, of course.
Outline 1 UEFI BIOS 2 Measured/Trusted Boot 3 The Real World: Bypassing Measured/Trusted Boot 4 Windows BitLocker with TPM 5 Secure Boot 6 What Else? 7 Anything We Can Do?
Page 1:
Evil Maid Just Got Angrier Why Full
Page 4 and 5:
Outline 1 UEFI BIOS 2 Measured/Trus
Page 6 and 7:
Page 8 and 9:
Page 10 and 11:
Page 12 and 13:
Legacy BIOS CPU Reset vector in ROM
Page 14 and 15:
Legacy BIOS CPU Reset vector in ROM
Page 16 and 17: Security of Legacy BIOS Huh?
Page 18 and 19: Unified Extensible Firmware Interfa
Page 20 and 21: So is UEFI BIOS secure? UEFI specif
Page 22 and 23: Outline 1 UEFI BIOS 2 Measured/Trus
Page 24 and 25: Windows BitLocker http://technet.mi
Page 26 and 27: Typical Chain of Measurements
Page 28 and 29: Typical Chain of Measurements ⊗ I
Page 44 and 45: The Problem Startup UEFI BIOS firmw
Page 46 and 47: The Solution is Simple Just let Bit
Page 54 and 55: SPI Flash / BIOS Protections 1 Writ
Page 56 and 57: SPI Protected Range Registers http:
Page 60 and 61: Hey! We’ve Succeeded!
Page 62 and 63: NIST BIOS Protection Guidelines Rec
Page 64 and 65: UEFI Updates Aren’t Exactly Signe
Page 69 and 70: Angry Evil Maid Attack Outline Agai
Page 71 and 72: The Original Boot Block
Page 73 and 74: Writing Payload to Early BIOS in SP
Page 75 and 76: But That P67 Board Is Just Too Old
Page 77 and 78: ASUS P8Z77-V PRO Yes! UEFI BIOS upd
Page 79 and 80: Demo The problem applies to any Ful
Page 81 and 82: What About Secure Boot? UEFI 2.3.1
Page 85 and 86: BIOS Rootkits BIOS Rootkit [5,6,7,1
Page 87 and 88: Anything We Can Do? If you care abo
Page 89 and 90: Further Reading 1 Evil Maid goes af
show all

Evil Maid Just Got Angrier - Why Full-Disk Encryption ... - CanSecWest

Create successful ePaper yourself

Delete template?

Save as template?