Exploring Your System Deeper [with CHIPSEC] is Not Naughty

More documents

Recommendations

Info

Example: Attacking hypervisors via SMM pointers… Via ACPI table “UEFI” ACPI Phys Memory EDKII Comm Buffer SMI SMI Handlers in SMRAM Directly in registers RAX (code) OS Memory EDKI RBX (pointer) Fake SMM comm buffer VMM protected page Even though SMI handler check pointers for overlap with SMRAM, exploit can trick it to write to VMM protected page (Attacking Hypervisors via Firmware and Hardware)
Finding SMM “Pointer” vulnerabilities [x][ ======================================================================= [x][ Module: Testing SMI handlers for pointer validation vulnerabilities [x][ ======================================================================= ... [*] Allocated memory buffer (to pass to SMI handlers) : 0x00000000DAAC3000 [*] >>> Testing SMI handlers defined in 'smm_config.ini'.. ... [*] testing SMI# 0x1F (data: 0x00) SW SMI 0x1F [*] writing 0x500 bytes at 0x00000000DAAC3000 > SMI 1F (data: 00) RAX: 0x5A5A5A5A5A5A5A5A RBX: 0x00000000DAAC3000 RCX: 0x0000000000000000 RDX: 0x5A5A5A5A5A5A5A5A RSI: 0x5A5A5A5A5A5A5A5A RDI: 0x5A5A5A5A5A5A5A5A < checking buffers contents changed at 0x00000000DAAC3000 +[29,32,33,34,35] [!] DETECTED: SMI# 1F data 0 (rax=5A5A5A5A5A5A5A5A rbx=DAAC3000 rcx=0 rdx=...) [-]
Page 1 and 2: Exploring Your System Deeper [with
Page 3 and 4: Intro to firmware security
Page 5 and 6: Firmware Everywhere ‣ GBe NIC, Wi
Page 7 and 8: Some In-the-wild Firmware Attacks
Page 9 and 10: Finding Vulnerabilities in System F
Page 11 and 12: Example: exploiting flash protectio
Page 13 and 14: Testing S3 Vulnerabilities ‣ Vali
Page 15: Vulnerabilities in SMM of UEFI Firm
Page 20 and 21: Example: MMIO BAR Issues in Coreboo
Page 22 and 23: Monitoring changes in USB MMIO BAR
Page 24 and 25: Windows 10 Virtualization Based Sec
Page 26 and 27: Checking Hardware Protections
Page 28 and 29: Example: SMM Protections - Memory S
Page 30 and 31: Integrated Graphics Aperture Access
Page 32 and 33: Finding “Problems” With the Fir
Page 34 and 35: ]HackingTeam[ UEFI Rootkit
Page 36 and 37: ]HackingTeam[ UEFI Rootkit • The
Page 38 and 39: PoC SmmBackdoor by Dmytro Oleksiuk
Page 40: Where to Start From? Firmware Acqui
Page 43 and 44: Generating Whitelist… chipsec_mai
Page 45 and 46: Verifying Mac EFI whitelist on Mac
Page 47 and 48: Blacklist Example (in JSON format)
Page 49 and 50: Extracting EFI Executables from UEF
Page 51 and 52: Tools Other great tools to extract
Page 53 and 54: Firmware Artifacts 8. Settings stor
Page 55 and 56: Extracting EFI Configuration (on a
Page 57 and 58: Locating UEFI System Table & Runtim
Page 59 and 60: Locating ACPI Tables… chipsec_uti
Page 61 and 62: Fuzzing and exploring hypervisors
Page 63 and 64: Example: Crashing Xen Host by Unpri
Page 65 and 66: Issues in MSR Hypervisor Emulation
Page 67 and 68:
Example: VENOM Vulnerability VENOM
Page 69 and 70:
Example: Dom0 to Xen Exploit via S3
Page 71 and 72:
Extracting VMM Artifacts: Extended
Page 73:
Thank You!
show all

Exploring Your System Deeper [with CHIPSEC] is Not Naughty

Create successful ePaper yourself

Delete template?

Save as template?