Explore the complexities of supply chain security in the UEFI ecosystem through this 41-minute Black Hat conference talk. Delve into the challenges posed by multiple parties involved in firmware code development, including Intel/AMD's reference code and core frameworks from AMI, Phoenix, and Insyde. Understand why hardware platform vendors contribute less than 10% to the UEFI system firmware code base and the implications of this reality. Examine how vulnerabilities can be discovered not only in platform vendor codebases but also within reference code, potentially impacting the entire ecosystem. Learn about the varying patch cycles across vendors, the extended periods vulnerabilities can remain unpatched, and the difficulties in verifying fixes due to inconsistent patching methods. Gain insights from experts Alexander Tereshkin, Alexander Matrosov, and Adam Zabrocki on safeguarding the UEFI ecosystem and addressing the hardcoded challenges in firmware supply chain security.
Safeguarding UEFI Ecosystem - Firmware Supply Chain is Hardcoded
Overview
Syllabus
Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)
Taught by
Black Hat
Related Courses
-
The Firmware Supply-Chain Security Is Broken - Can We Fix It?
-
The UEFI Firmware Rootkits - Myths and Reality
-
EFIxplorer - Hunting for UEFI Firmware Vulnerabilities at Scale with Automated Static Analysis
-
The Various Shades of Supply Chain - SBOM, N-Days and Zero Trust
-
Static Analysis-Based Recovery of Service Function Calls in UEFI Firmware
-
Firmware is the New Black - Analyzing Past Three Years of BIOS - UEFI Security Vulnerabilities
