Awesome UEFI Security

This repository contains a collection of UEFI/BIOS security materials. Collected my own, not comprehensive. Feel free to PR.

• Awesome UEFI Security
  • CTF Challenges
  • Documentations 📖
  • Development 💻
  • Bootkits 💣
  • Tools 🔨
  • Vulnerabilities & Exploits 🔎
  • Talks 🔈
  • Blogs 📰
  • Papers 📃
  • Training & Courses 🔰

CTF-Challenges

• UIUCTF-2022 SMM Cow Say 1
• UIUCTF-2022 SMM Cow Say 2
• UIUCTF-2022 SMM Cow Say 3
• D^3CTF-2022-pwn-d3guard
• corCTF 2023 smm-diary
• Dubhe CTF 2024 ToySMM
• DVUEFI

Documentations 📖

• UEFI Forum
• UEFI Specification v2.10
• UEFI Platform Initialization Specification v1.7a
• UEFI Shell Specification V2.2
• UEFI Platform Initialization Distribution Packaging Specification v1.1
• ACPI Specification v6.5

Development 💻

• EDK II
• edk2-pytool-library
• edk2-libc
• uefi-rs
• UEFI-Lessons
• arch-secure-boot
• EDK II Module Write Guide

Some interesting projects

• uefi-paint
• mitnal

Bootkits 💣

ATT&CK Attack Vector

Time	Name
Oct. 2022	BlackLotus
Jul. 2022	CosmicStrand
Jan. 2022	MoonBounce
Oct. 2021	Especter
Sep. 2021	FinSpy
Dec. 2020	Trickbot
Oct. 2020	MosaicRegressor
2018	LoJax

Bootkits related repositories:

• LoJax
• umap
• UEFI-Bootkit
• SmmBackdoor
• PeiBackdoor
• bootlicker

Tools 🔨

• efiXplorer: IDA Pro plugin, the best plugin for analyzing UEFI binaries for now.
• UEFITool: Tool for parsing and extracting UEFI firmware images.
• brick: IDA Pro plugin, a static vulnerability scanner, support several types of vulnerabilities.
• fwhunt-scan
• FwHunt
• qiling: Qiling has an EFI mode, which can partially emulate UEFI binary files.
• efiSeek: A Ghidra plugin for UEFI binaries analyzing.
• efi_fuzz: A coverage-guided emulator-based NVRAM fuzzer for UEFI (based on qiling).
• efi_dxe_emulator: A simple emulator for UEFI DXE files.
• uefi-firmware-parser: Library for parsing UEFI firmware images.
• uefi-retool
• BIOSUtiities: A lot of scripts to parse and extract UEFI firmware images directly from exe files.
• innoextract: A tool to unpack installers created by Inno Setup
• Chipsec: The most commonly used tool for extracting UEFI firmware and exploiting UEFI vulnerabilities.
• LVFS
• EfiGuard
• ghidra-firmware-utils
• dropWPBT
• fwexpl
• fiano
• UefiVarMonitor
• VBiosFinder
• kraft_dinner
• Voyager
• efi-memory
• smram_parse
• ebvm
• UEFI-SecureBoot-SignTool
• PciLeech: PciLeech supports DMA attacks against UEFI, and it contains a mode can hook UEFI Runtime Services and print some chars.
• bob_efi_fuzzer
• uefi-rs: A rust wrapper for UEFI. You can built UEFI applications and vulnerabilities PoCs easily with this library.
• tsffs: A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS, released by Intel.
• efi-inspector: A Binary Ninja plugin for parsing UEFI firmware images.
• efi-resolver: Official UEFI plugin for Binary Ninja; it supports type propogation, which is really cool, and it starts supporting PEI files now.
• python-uefivars: A python tool to inspect UEFI variables (but it cannot take firmware images as input).

Vulnerabilities & Exploits 🔎

• PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.
• Vulnerability-REsearch: Vulnerabilities found by Binarly-IO, really a lot.
• vulnerability-disclosures: Vulnerabilities found by ESET, some of the vulnerabilities in the repo related to UEFI.
• vulnerabilities: Vulnerabilities found by 10TG, some of the vulnerabilities related to UEFI.
• CVE-2022-3430, CVE-2022-3431, CVE-2022-3432: These three vulnerabilities are found by ESET Research, all of which are NVRAM vulnerabilities in Lenovo devices that could disable Secure Boot.
• CVE-2022-4020: NVRAM vulnerability found by ESET Research, which exists in Acer devices and could disable Secure Boot by setting a UEFI Variable.
• ThinkPwn
• Aptiocalypsis
• UsbRt_ROP
• CVE-2022-21894
• CVE-2014-8274
• Super-UEFIinSecureBoot-Disk
• SmmExploit
• CERT/CC UEFI Analysis Resources: This repo contains an example of CVE-2021-28216

Talks 🔈

Year	Conference	Title
2024	Defcon	AMD Sinkclose: Universal Ring -2 Privilege Escalation
2024	Blackhat USA ARSENAL	Damn Vulnerable UEFI (DVUEFI): An Exploitation Toolkit and Learning Platform for Unveiling and Fixing UEFI Firmware Vulnerabilities
2023	Blackhat Europe	LogoFAIL: Security implications of image parsing during system boot
2023	Blackhat Asia	The Various Shades of Supply Chain: SBOM, N-Days and Zero Trust
2021	AVAR	The Evolution of Threat Actors: Firmware is the Next Frontier
2022	Blackhat USA	Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases
2022	Blackhat Asia	The Firmware Supply-Chain Security Is Broken: Can We Fix It?
2021	Blackhat USA	Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)
2021	Blackhat USA	Breaking Secure Bootloaders
2020	Blackhat Europe	efiXplorer: Hunting for UEFI Firmware Vulnerabilities at Scale with Automated Static Analysis
2019	Blackhat USA	Firmware Cartography: Charting the Course for Modern Server Compromise
2019	Blackhat Asia	MODERN SECURE BOOT ATTACKS: Presenter’s Name Presenter's Position BYPASSING HARDWARE ROOT OF TRUST FROM SOFTWARE
2019	Blackhat Asia	Finally, I Can Sleep Tonight: Catching Sleep Mode Vulnerabilities of the TPM with Napper
2019	Blackhat USA	Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller
2018	Blackhat USA	Remotely Attacking System Firmware
2018	Blackhat Europe	Malware Buried Deep Down the SPI Flash: Sednit's First UEFI Rootkit Found in the Wild
2018	Blackhat Asia	I Don't Want to Sleep Subverting Intel TXT with S3 Sleep
2017	Blackhat USA	INTEL AMT. STEALTH BREAKTHROUGH
2017	Blackhat USA	Firmware is the New Black - Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities
2017	Blackhat USA	Betraying the BIOS: Where the Guardians of the BIOS are Failing
2017	Blackhat USA	Taking DMA Attacks to the Next Level
2017	Blackhat Asia	The UEFI Firmware Rootkits: Myths and Reality
2017	Blackhat USA	Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks
2014	Blackhat Europe	Analyzing UEFI BIOSes from Attacker & Defender Viewpoints
2014	Blackhat USA	Extreme Privilege Escalation on Windows 8/UEFI Systems
2014	Blackhat USA	Protecting Data In-Use from Firmware and Physical Attacks
2014	Blackhat USA	Exposing Bootkits with BIOS Emulation
2013	Blackhat USA	A Tale of One Software Bypass of Windows 8 Secure Boot
2013	Blackhat USA	BIOS Chronamancy: Fixing the Core Root of Trust for Measurement
2013	Blackhat USA	Funderbolt Adventures in Thunderbolt DMA Attacks
2011	Blackhat	Battery Firmware Hacking
2009	Blackhat USA	Attacking Intel® BIOS
2009	Blackhat USA	Reversing and Exploiting an Apple Firmware Update
2009	Blackhat DC	Attacking Intel® Trusted Execution Technology
2009	Blackhat	Introducing Ring -3 Rootkits
2008	Blackhat	Preventing and Detecting Xen Hypervisor Subversions
2018	CanSecWest	TPM Genie Attacking the Hardware Root of Trust For Less Than $50
2015	CanSecWest	A New Class of Vulnerabilities in SMI Handlers
2015	CanSecWest	Attacks on UEFI Security
2014	CanSecWest	ALL YOUR BOOT ARE BELONG TO US
2009	CanSecWest	Getting into the SMRAM: SMM Reloaded
2022	DEFCON	The COW Container On Windows Who Escaped the Silo
2022	DEFCON	One Bootloader to Load Them All
2021	DEFCON	High Stakes Updates: BIOS RCE OMG WTF BBQ
2019	DEFCON	UEFI Exploitation for the Masses
2019	DEFCON	Ring 0 Ring 2 Rootkits Bypassing Defenses
2019	DEFCON	EDR is Coming Hide Yo Sh!t
2017	DEFCON	Safeguarding rootkits: IntelBootGuard
2018	DEFCON	Disabling Intel ME in Firmware
2014	DEFCON	Extreme Privilege Escalation On Windows 8/UEFI Systems
2013	DEFCON	Hacking Measured Boot and UEFI
2020	DEFCON	OuterHaven UEFI Memory Space
2008	DEFCON	Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer(pratical low level attacks against x86 authentication software)
2007	DEFCON	Hacking the Extensible Firmware Interface
2022	H2HC	Data-only Attacks Against UEFI BIOS
2022	Offensive Con	UEFI Firmware Vulnerabilities: Past, Present and Future
2017	REcon	BARing the System New vulnerabilities in Coreboot & UEFI based systems

Blogs 📰

• Binarly-IO

  • Multiple Vulnerabilities In Qualcomm And Lenovo ARM-Based Devices
  • Firmware Patch Deep-Dive: Lenovo Patches Fail To Fix Underlying Vulnerabilities
  • OpenSSL Usage In UEFI Firmware Exposes Weakness In SBOMs
  • The Firmware Supply-Chain Security Is Broken: Can We Fix It?
  • Leaked Intel Boot Guard Keys: What Happened? How Does It Affect The Software Supply Chain?
  • New Attacks To Disable And Bypass Windows Management Instrumentation
  • Binarly Discloses High-Impact Firmware Vulnerabilities In Insyde-Based Devices
  • Binarly Discovers Multiple High-Severity Vulnerabilities In AMI-Based Devices
  • Binarly Finds Six High Severity Firmware Vulnerabilities In HP Enterprise Devices
  • The Intel PPAM Attack Story
  • Using Symbolic Execution To Detect UEFI Firmware Vulnerabilities
  • Blasting Event-Driven Cornucopia
  • FirmwareBleed: The Industry Fails To Adopt Return Stack Buffer Mitigations In SMM
  • FwHunt The Next Chapter: Firmware Threat Detection At Scale
  • A Deeper UEFI Dive Into MoonBounce
  • Repeatable Failures: AMI UsbRt - Six Years Later, Firmware Attack Vector Still Affect Millions Of Enterprise Devices
  • Repeatable Firmware Security Failures: 16 High Impact Vulnerabilities Discovered In HP Devices
  • An In-Depth Look At The 23 High-Impact Vulnerabilities
  • Detecting Firmware Vulnerabilities At Scale: Intel BSSA DFT Case Study
  • Why Firmware Integrity Is Insufficient For Effective Threat Detection And Hunting
  • Firmware Supply Chain Is Hard(Coded)
  • Attacking (Pre)EFI Ecosystem

• Cr4sh

  • Exploiting AMI Aptio firmware on example of Intel NUC
  • Exploring and exploiting Lenovo firmware secrets
  • Exploiting SMM callout vulnerabilities in Lenovo firmware
  • Breaking UEFI security with software DMA attacks
  • Building reliable SMM backdoor for UEFI based platforms
  • Exploiting UEFI boot script table vulnerability

• eclypsium

  • FIRMWARE ATTACKS: AN ENDPOINT TIMELINE
  • ONE BOOTLOADER TO LOAD THEM ALL
  • FIRMWARE SECURITY REALIZATIONS – PART 2 – START YOUR MANAGEMENT ENGINE
  • FIRMWARE SECURITY REALIZATIONS – PART 1 – SECURE BOOT AND DBX
  • YET ANOTHER UEFI BOOTKIT DISCOVERED: MEET COSMICSTRAND
  • THE ILOBLEED IMPLANT: LIGHTS OUT MANAGEMENT LIKE YOU WOULDN’T BELIEVE
  • “EVIL MAID” FIRMWARE ATTACKS USING USB DEBUG

• ESET Research

  • BlackLotus UEFI bootkit: Myth confirmed
  • ESET Research Podcast: UEFI in crosshairs of ESPecter bootkit
  • When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
  • UEFI threats moving to the ESP: Introducing ESPecter bootkit
  • Needles in a haystack: Picking unwanted UEFI components out of millions of samples
  • A machine‑learning method to explore the UEFI landscape
  • LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group
  • UEFI malware: How to exploit a false sense of security
  • Bootkit Threat Evolution in 2011

• Sentinel Lab

  • Moving From Common-Sense Knowledge About UEFI To Actually Dumping UEFI Firmware
  • Moving From Manual Reverse Engineering of UEFI Modules To Dynamic Emulation of UEFI Firmware
  • Moving From Dynamic Emulation of UEFI Modules To Coverage-Guided Fuzzing of UEFI Firmware
  • Adventures From UEFI Land: the Hunt For the S3 Boot Script
  • Zen and the Art of SMM Bug Hunting | Finding, Mitigating and Detecting UEFI Vulnerabilities
  • Another Brick in the Wall: Uncovering SMM Vulnerabilities in HP Firmware

• SYNACKTIV

  • Code Check(Mate) in SMM
  • Through The SMM-Glass And a Vulnerability Found There.
  • A Journey in Reversing UEFI Lenovo Passwords Management
  • S3 Sleep, Resume and Handling Them with Type-1 Hypervisor
  • Introductory Study of IOMMU (VT-d) and Kernel DMA Protection on Intel Processors

• NCCGroup

  • Stepping Insyde System Management Mode
  • A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
  • Intel BIOS Advisory – Memory Corruption in HID Drivers

• Others

  • Debugging System with DCI and Windbg
  • Reverse engineering (Absolute) UEFI modules for beginners
  • Experiment in extracting runtime drivers on Windows
  • BIOS Based Rootkits
  • Understanding modern UEFI-based platform boot
  • Attacking UEFI Runtime Services and Linux
  • Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation

Papers 📃

Year	Jour/Conf	Paper
2024	arXiv	UEFI Vulnerability Signature Generation using Static and Symbolic Analysis
2023	S&P	RSFUZZER: Discovering Deep SMI Handler Vulnerabilities in UEFI Firmware with Hybrid Fuzzing
2023	arXiv	SoK: Security Below the OS – A Security Analysis of UEFI
2023	China CIC	A Survey on the Evolution of Bootkits Attack and Defense Techniques
2022	S&P	Finding SMM Privilege-Escalation Vulnerabilities in UEFI Firmware with Protocol-Centric Static Analysis
2022	IH&MMSec	Hidden in Plain Sight - Persistent Alternative Mass Storage Data Streams as a Means for Data Hiding With the Help of UEFI NVRAM and Implications for IT Forensics
2020	DAC	UEFI Firmware Fuzzing with Simics Virtual Platform
2015	SYSTOR	Thunderstrike:EFI firmware bootkits for Apple MacBooks
2015	WOOT	Symbolic execution for BIOS security
2014	Virus Bulletin	Bootkits: Past, Present & Future
2011		Attacking Intel TXT® via SINIT code execution hijacking
2014		Speed Racer: Exploiting an Intel Flash Protection Race Condition

Training & Courses 🔰

• Advanced x86: Introduction to BIOS & SMM
• UEFI Official Learning Center
• EDK II Secure Code Review Guide
• Tianocore Training Contents