Tuesday, May 30, 2017

UEFI and Security postings

I was pleased to see https://firmwaresecurity.com/2017/05/25/intel-atr-releases-uefi-firmware-training-materials/ a few days ago and the associated Github repo https://github.com/advanced-threat-research/firmware-security-training. The authors include



I'm glad to see this material, including a couple of my co-authors from https://www.usenix.org/system/files/conference/woot15/woot15-paper-bazhaniuk.pdf.

Hopefully I will get a chance to talk with some of these ex-Intel, now-McAfee engineers at Blackhat. I see they are giving the talk https://www.blackhat.com/us-17/briefings.html#fractured-backbone-breaking-modern-os-defenses-with-firmware-attacks. Myself and a couple of colleagues are giving a separate talk at the event https://www.blackhat.com/us-17/briefings.html#firmware-is-the-new-black-analyzing-past-three-years-of-bios-uefi-security-vulnerabilities.

Interesting timing since it was in 2007 that I sat on the front row watching John Heasman https://www.blackhat.com/presentations/bh-usa-07/Heasman/Presentation/bh-usa-07-heasman.pdf talk about "Hacking the Extensible Firmware Interface." This was my first Blackhat trek a decade ago. I had coffee why John a few weeks afterward in Tacoma and he exhorted me to push the signing of UEFI drivers and applications. He also mentioned the venerable TCG specs on page 37.

Good times. Fast forward to today, UEFI seems to be in the news http://www.itworld.com/article/3198647/security/6-reasons-why-chip-hacks-will-become-more-popular-in-the-future.html and conference scene quite a bit of late.

Beyond the training material and upcoming conference talks, though, I am especially happy to see the NIST Special Publications (SP) 800-193 on "Platform Firmware Resiliency Guidelines" get posted http://csrc.nist.gov/publications/drafts/800-193/sp800-193-draft.pdf for purposes of public comment review. This work should complements the UEFI standards in provides a robust platform implementation. As always, the people involved in the process are as important as the output of the process itself.



So much for May blogging, and here's looking forward to a WA summer. Speaking of summer, it is interesting that the picture of Stevenson, WA from last week
looks quite similar to a picture from 2005, too.
The passage of time......