Back from the dead: Exhuming EBC
A spectre is haunting UEFI -- the spectre of EBC.
All the powers of old platform firmware landscapes have entered into a holy alliance to exorcise this spectre: the lack of an open-source (or any) compiler targeting EBC, the exceptional rarity of in-the-wild EBC binary samples, the lack of any working or maintained debugging tools for EBC binaries, and sparse, outdated documentation.
If EBC has been wholly exorcised though, why do I keep finding the EBCVM DXE driver in modern UEFI firmware images at a staggering rate?
Two things result from this fact. In reconciling this apparent contradiction between a purported industry-wide UEFI exorcism and the persistent spectre of EBC, one arrives at two conclusions:
I. EBC is already acknowledged to be itself a power. Platform firmware supply chain vulnerabilities are a persistent and pervasive problem, and the continued use of outdated and deprecated components is a known path to successful exploits of this kind, particularly in UEFI. The EBCVM binary is present in a wide range of current UEFI firmware builds out in the wild... and yet, with no EBC binaries to run, the EBCVM is a DXE driver collecting dust.
II. Someone ought to do something about that.
What's a malware witch to do?
How does one reverse engineer EBC binaries without available EBC-targeted tools? Or write an exploit in an assembly language with only a slim collection of fasm-targeted assembly source files for reference and no working debugger for EBC? Is thunking this season's hottest new sandbox escape technique??
This talk is the story of the long and arduous UEFI EBC xdev process, and presents the first UEFI exploits written in EBC and targeting the EBCVM, as well as novel techniques in UEFI reverse engineering and exploit development. This talk continues the work showcased in my article in vx-underground Black Mass volume #3, scheduled for release in the upcoming month. Building upon that research project, this talk is a deep dive into EBC and the internals of the EBCVM, and explores novel UEFI attack vectors and exploit chains that leverage the EBCVM. I will talk about the next stage of EBC xdev, including the following novel techniques that I developed for EBC vx:
- compiling valid EBC binaries using a combination of open-source and custom tools
- debugging EBC binaries with qemu and gdb, without the use of the EBCDebugger DXE driver by targeting the EBCVM itself
- leveraging EBC and the EBCVM for UEFI malware including but not limited to PCI option ROM attacks, polymorphism, exploit primitives for SMM attack chains, and graphics.
This talk is applicable to seasoned UEFI reverse engineers and exploit developers, and to those interested in topics such as reverse engineering binaries for an archaic, undocumented ISA, exploit development techniques relevant to VM/sandbox escapes, and much more.