Wednesday, December 31, 2014

Regarding a prediction for 2015

Given it is the final day of 2014, I thought that my final blog of 2014 would treat the which commences in a few hours, maybe with another one of my infamous TL:DR-style postings? Specifically, I'd like to build upon missive from Tim Lewis at wherein he shared his belief that security concerns in the platform firmware will predominate as the top user story of 2015. Given the sampling below from 2014, he may be observing an unenviable trend line.

Regarding that trend, there have been talks at several venues in 2014, such as the Black Hat (BH) talks a few months ago This talk had an associated CVE and white paper

In addition, just this week there were a couple of talks featured on UEFI at the Chaos Communications Conference (CCC), including and the associated presentation
by researchers from Bromium and Mitre, respectively.

The other CCC talk was on EFI and Thunderbolt Glad to hear from the Matthew Garrett question to the presenter near the end of the talk that the option ROM vulnerability could have been mitigated if the Apple platforms implemented UEFI Secure Boot with option ROM verification (i.e., UEFI Driver Loading) enabled.

These security events and broad use of UEFI and edk II-based platforms definitely argue for the need to have additional industry coordination. This is a role that CERT has done admirably, but as Tim noted, they are now joined by the UEFI Security Response Team (USRT) This effort has been followed by a more code base-specific effort, too I am happy to be involved in both and although my CVSS-Fu isn't too evolved yet, I'm trying my best in writing technical advisories and doing the associated grading.

It is interesting that the references for both BH and CCC talks above cite the Intel Framework Specifications at and not the superseding UEFI Platform Initialization (PI) specifications This might contribute to some of the ambiguity seen in the boot script implementations, for example, noted in the CCC talk, since the Intel Framework specifications are frozen after having been contributed to the UEFI Forum. Maybe posting a ZIP of the PI specs and a PDF of the Framework makes the latter more search-engine friendly?

For the CCC talk, it was good to see that slide 53 mentions the work done with my Intel colleague

      [11] A Tour Beyond BIOS:
      Implementing S3 Resume with EDK2 –JiewenYao and Vincent Zimmer,
      October 2014

which can be found at Jiewen and I designed features like the Lock Box protocol to allow for protecting the boot script memory, via SMM or other container, back in 2009. But issues in seeing the protections deployed are compounded by the sheer difficulty in implementing S3 resume in platforms. Specifically, getting the functionality correct and having less-easily testable properties like securing the boot script has proven challenging. As a platform developer the last call you want to hear during product development is from the SQA team, saying "Everything works great, but our S3 resume testing fails once out of 10,000 times."

The above S3 document represents part of an effort to document some of the design intent on edk II source artifacts. We already have architectural intent documents such as and (including the companion talk, with a view toward more implementation at With documents like the S3 one above, and its companion documents on variables and TPM Measured Boot, though, the design intent of the code is more fully explored. One can argue that with additional text diagrams and other literate programming techniques in the edk II sources an 'implementation document' should not be required, but I would counter that these are intended to be companions to well-commented source modules and not a replacement for such actions.

Regarding other defenses, in the S3 talk Corey also mentioned the "SMI Transfer Monitor" (STM). Corey's co-presenter Rafal discusses the STM in more detail at This is also mentioned in CCC 2013 talk by former Intel researcher Gal Diskin.on slide 13. Chapter 13 of Grawrock's 2nd edition of Safe Computing also describes this feature. The gist of the STM is that it represents a usage of the peer-monitor capability in IA32, a hardware feature defined in chapter 34.15 of the Intel Software Development Manual (SDM) There is a nice peer monitor overview at The use of the peer monitor, which is essentially virtualization controls in System Management Mode (SMM), allows for de-privileging today's ring 0 SMM code, such as that built responsive to the infrastructure in volume 4 of the PI 1.3 specification So when Corey said "where is the STM specification?", he was referring to the firmware convention for loading the STM, interaction with Intel TXT, and how to expose resource lists for which the guest SMM code can access. This class of firmware interaction is the "STM specification" and it is built upon the hardware specifications of the peer monitor virtualization capability treated in the SDM. The SDM is the bible for software-visible parts of IA32, i.e., the 'architecture.' The SDM hasn't changed over the last decade plus, whereas the STM specification has, er, evolved. 

I have spent quite a bit of time on SMM over the last decade plus, from having defined the Framework SMM CIS infrastructure, from which the present PI 1.3 SMM design has been derived, to collaborating on peer monitor and STM work. I'm a big fan of isolation technologies and trusted computing, but I'll have to pause here for this 2014 entry on this topic. If I were a smarter guy I would follow in the foot-steps of Fermat's Last Theorem and claim to have the final proof of solving the SMM security issues but excuse myself for today by noting that the answer is "too large to fit in the margin" of this blog

Just as a document cannot replace well commented codes, having more executable methods for assurance are always preferred. These include efforts such as the CHIPSEC work which I also describe in and These tests are run after boot and provide an a posteriori view of the platform.

More recent technology includes having security testability in-situ with the platform, versus a CHIPSEC style post-boot test, and reporting the results. This type of test and reporting capability was mentioned in 2013 at and now has a public specification realization at (HSTI) This work bridges the semantic gap historically faced by platform builders wherein the various system requirements in a Windows Hardware Certification document, such as, can now have a companion reporting channel. Examples include injunctions in System.Fundamentals.Firmware.UEFILegacyFallback, such as

"An OEM may not ship a 64 bit system which defaults to legacy BIOS or loads legacy option ROMs if that system ships with a UEFI-compatible OS. When Secure Boot is Enabled, Compatibility Support Modules (CSM) must NOT be loaded."
These Compatibility Support Module (CSM) behaviors are something that only the platform implementation can deduce and are difficult to detect via a later test, although heuristics like scanning 0xC0000p through 0x100000p in the address space 'could' be done.

The HSTI interface builds upon the Adapter Interface Protocol (AIP) class of structure defined in the UEFI 2.4 specification Since AIP producers are boot service only, a pre-OS agent needs to query the HSTI interface in order to cull the settings and convey the results into the operating system run time, if needed, in a vendor-specific fashion.

Related work to HSTI that goes beyond mapping to Windows requirements include the ability to report BIOS Integrity Attributes, as described in in And in order to surface this information, we defined in the following:

    typedef struct {
       UINT32 VendorId;
       EFI_GUID ReferenceManifestGuid;
    } TCG_Sp800-155-PlatformId_EventStruct

This structure can be used to reference an off-machine Reference Manifest (RM). The idea is that the GUID in the structure above would be specific to a vendor, model, and firmware instance in a XML-based manifest document on the platform suppliers website. The schemas are defined in, so now it's a set of work items for the industry to map the RM's to platform attributes, such as mentioned in 155.

Who knows, at some point maybe these reporting and testing efforts will all align?

Well, if you have gotten this far, the 'Didn't Read" portion of "Too Long, Didn't Read" (TL;DR) hasn't been the case for you. I'm not sure whether to reward you for your stoicism or not for wading through this entry.

To summarize, 2014 has shows a spate of security-related activities, both by the attackers (BH, CCC) and the defenders (USRT). The firmware-producing and consuming community is acutely aware of assurance concerns and new testing methodologies have been deployed in '14 and are coming in '15, too, including HSTI. I don't necessarily subscribe to the 'Spy versus Spy' aspect of security, or fall into existential angst that the "Defenders Dilemma" is not solvable. Instead, I see many parties passionate about having robust, usable systems and collaboration on art to achieve those goals. Open source, open documentation, open specifications, open platforms,.... All help in the cause.

And if you're still working these last hours of today, pause and have a coffee.
Also, enjoy a happy and safe new year.


Post a Comment