
Architecture 4001: x86-64 Intel Firmware Attack & Defense

OpenSecurityTraining2 via Independent

Overview

PC BIOS/UEFI firmware is usually “out of sight, out of mind”. But this just means it’s a place where sophisticated attackers can live unseen and unfettered. This class shares information about PC firmware security that was hard-won over years of focused research into firmware vulnerabilities.

This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to read and understand the existing attack and defense research in the space, with an explicit walk-through of the threat tree of attack and defense moves and counter-moves. And as always, this class teaches you to be comfortable with Reading The Fun Manual (RTFM!) to seek out the most accurate details of how things work, and to seek out new problems in new areas that no one has looked at yet with a security mindset.

Learning Objectives
- Understand the original 16-bit "Real Mode" which the x86 CPU reset vector executes in.
- Understand 16-bit segmentation & assembly.
- Understand the evolution of Intel chipsets, and how to find the manual which corresponds to any given hardware.
- Understand how firmware uses IO to configure Intel and 3rd party hardware at boot time.
- Understand how firmware interacts with PCIe devices at boot time, both within the CPU/chipset, and 3rd party peripherals.
- Understand the core purposes of PCIe Option ROMs, but also how they can be used by attackers.
- Be capable of manually reading/writing the firmware-storage SPI flash through the register interface.
- Understand the protection mechanisms for the SPI flash and how they can be bypassed.
- Understand the protection mechanisms for System Management Mode and how they can be bypassed.
- Understand how Chipsec can be used to assess the security posture of a firmware for both attack and defense.
- Understand how the ACPI S3 "sleep" power state can be used to attack systems.
- Be comfortable with Reading The Fun Manual(!) to go seek out the most accurate details of how things work.

Syllabus

  1. Introduction
  2. Reset Vector
  3. Chipsets
  4. Input/Output
  5. PCIe
  6. PCIe Option ROMs / Expansion ROMs & Attacks
  7. SPI Flash
  8. System Management Mode (SMM)
  9. Power-transition attacks
  10. (Optional) Minimal Boot
  11. Conclusion

Taught by

Xeno Kovah
