Alex Matrosov

Attacking Hardware Root of Trust from UEFI Firmware

Abstract

Many hardware vendors armoring modern Secure Boot by moving Root of Trust to the hardware. It is definitely the right direction to create more difficulties for the attacker. But usually, between hardware and firmware exist many layers of code. Also, hardware vendors always fighting for boot performance which creates interesting security issues in actual implementations.

In this presentation, I'll explain new security issues to bypass specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I'll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries.

BIO

Alex Matrosov is a leading offensive security research at NVIDIA. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Before joining NVIDIA, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE), and spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers and is a frequent speaker at security conferences, including REcon, Zeronigths, Black Hat, DEFCON, and others. Also, he is awarded by Hex-Rays for open-source plugin HexRaysCodeXplorer which is developed and supported since 2013 by REhint’s team.