Sorry, you need to enable JavaScript to visit this website.

Developing Best-In-Class Security Principles with Open Source Firmware

vzimmer's picture

Background

I had the opportunity to speak with the industry at the Intel Developer Forum (IDF) at the Moscone in San Fransciso last month. My session "Developing Best-In-Class Security Principles with Open Source Firmware" [1] treated a few topics, including the rationale for EDKII security features, System Management Mode (SMM), and open platforms for which these features are reduced to practice.

I began with a summary of the class of attacks, and then went into the three elements motivating the security feature, namely the need to protect the platform, detect unexpected changes, and recover or repair from malware. For this triple of properties I then graded where features like UEFI Secure Boot, TPM Measured Boot, and other elements in the EDK II Security Package mapped. 

From the generic features, I provided a discussion a particular element of the platform firmware that has been receiving attention, namely privilege escalations into System Management Mode (SMM). CanSecWest [2], BlackHat, and several other venues spoke to platforms attacks, including SMM.

After providing a background on SMM, I provided an introduction to a reference monitor that employs Intel Virtualization Technology called the peer/dual monitor in SMM. This monitor is refered to as an SMI Transfer Monitor (STM). In addition to the interface specification for the STM at [3], we also posted several software projects, including an STM itself, a small VMM to launch the STM (called the FRM), and code for integrating the STM into MinnowBoard Max [4].

Beyond the STM specification [6] and the code [5], we also posted white papers at [3] treating the internal design of the STM [7] and the FRM [8], respectively.  As part of the SMM discussion I also reviewed some research in using Symbolic Execution to evaluation SMM handlers [9].  

I finished up the IDF talk with a mapping of the EDK II security features, the STM, and the MinnowBoard Max and the Quark-based Galileo board. And it is with the EDK II code, platforms, and STM all publically available, there is an opportunity for security researchers and firmware practitioners to collaborate on the strength of function and evolution of protection, detection, and recovery.

References

[1] V. Zimmer, "STTS003 - Developing Best-in-Class Security Principles with Open Source Firmware," Intel Developer Forum, August 2015 http://myeventagenda.com/sessions/0B9F4191-1C29-408A-8B61-65D7520025A8/7/5

https://firmware.intel.com/sites/default/files/STTS003%20-%20SF15_STTS003_100f.pdf

[2] V. Zimmer, “UEFI, Open Platforms, and the Defender’s Dilemma,” CanSecWest 2015, March 18, 2015 

https://cansecwest.com/slides/2015/UEFI%20open%20platforms_Vincent.pptx

[3] SMI Transfer Monitor (STM)  https://firmware.intel.com/content/smi-transfer-monitor-stm

[4] "Security Technologies and the MinnowBoard Max", February 2015 blog  https://firmware.intel.com/blog/security-technologies-and-minnowboard-max

[5] "STM Release 1.0" - STM reference implementation, FRM, and MinnowBoard Max integration https://firmware.intel.com/sites/default/files/STM_Release_1.0.zip

[6] "STM User Guide 1.0", August 2015  https://firmware.intel.com/sites/default/files/STM_User_Guide-001.pdf

[7] Yao, Zimmer, "A Tour Beyond BIOS Launching an STM to Monitor SMM", August 2015 https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Launching_STM_to_Monitor_SMM_in_EFI_Developer_Kit_II.pdf

[8] Yao, Zimmer, "A Tour Beyond BIOS Launching a VMM in the EFI Developer Kit II", September 2015, https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Launching_VMM_in_EFI_Developer_Kit_II.pdf

[9] Oleksandr Bazhaniuk, John Loucaides, Lee Rosenbaum, Mark R. Tuttle, Vincent Zimmer, "Symbolic Execution for BIOS Security," 9th Usenix Workshop on Offensive Technologies (WOOT) '15, August 10, 2015 https://www.usenix.org/system/files/conference/woot15/woot15-paper-bazhaniuk.pdf