06-30, 16:30–17:30 (US/Eastern), Grand Salon
BIOS Hacking is back and it’s badder than ever.
Legacy BIOS is old news and UEFI is the new reigning queen bee of Platform Firmware implementations. This changing of the guard brings new challenges and mitigations for bootkit writers to thwart and bypass, as well as the opportunity for creative exploits and groundbreaking techniques in UEFI exploit development.
This talk is a deep-dive on UEFI reverse engineering and exploit development, with a focus on new and creative UEFI exploit dev techniques. It will also cover strategies for finding new exploit targets within UEFI. Applicable both to seasoned veterans of UEFI/BIOS exploit dev, and those looking to break into the space, I’ll cover both UEFI RE and exploit dev essentials and new techniques to take your UEFI PoCs to the next level. This talk combines hardware hacking and platform firmware reverse engineering and exploit development and will cover the following:
- UEFI software testing/debugging techniques with emulators
- UEFI hardware debugging and testing techniques
- UEFI reverse engineering
- Assembly programming techniques for developing UEFI shellcode on different architectures (x86-64, aarch64 and EBC)
- PCI Option ROM hacking
What happens when you combine the exploit primitives in a vulnerable image parsing driver impacted by LogoFAIL, PCI Option ROM hacking, the oft-forgotten and neglected EBC (EFI Byte code) architecture and a dash of low-level graphics programming?
GOP Complex.
Even though Legacy BIOS is old news, the BIOS hacking techniques of days past are fresh and worth exploring. Current vulnerability research in UEFI is pushing the boundaries for innovative and creative platform firmware exploits. This talk combines old school and new school UEFI/BIOS and firmware hacking techniques to present a new body of work that seeks to answer the question: How do I turn a work of art into a UEFI bootkit?
The talk is a deep-dive on UEFI reverse engineering and exploit development, with a focus on new and creative UEFI exploit dev techniques. It will also cover strategies for finding new exploit targets within UEFI.
This talk combines hardware hacking and platform firmware reverse engineering and exploit development. The first part of this talk will present an overview of UEFI reverse engineering and exploit development techniques to establish a foundation. I’ll cover the essentials: you’ll learn what DXE is (hint: it’s not a Country music group), the phases of the UEFI/PI boot process, and the difference between Secure Boot, Boot Guard and BIOS Guard.
The second part of the talk will cover the following:
- UEFI RE and exploit dev techniques relevant to developing a PoC for one of the LogoFAIL vulnerabilities (a platform-specific image parsing DXE driver)
- Cross-architecture exploitation techniques
- EBC (EFI Byte Code) and the EFI Byte Code Virtual Machine
- PCI Option ROM hacking techniques
- Hardware debugging and testing for UEFI
This talk presents work that leverages the image parsing bugs of LogoFAIL, the oft-forgotten and neglected EBC (EFI Byte Code) architecture and PCI Option ROM hacking techniques to present my newest UEFI exploit: GOP Complex.
Nika Korchok Wakulich (aka ic3qu33n) is a hacker/reverse engineer/artist based in Brooklyn, NY. She is a Security Consultant at Leviathan Security Group where she works on a range of penetration testing engagements, with a focus on hardware, firmware and embedded security. Outside of work, she combines her artistic practice (woodcut prints, painting, drawing, etc.) with her independent security research on passion projects in different areas of security.
She has presented her security research at a number of InfoSec conferences including REcon, OffensiveCon, Hushcon, and BSides SF. She is a contributing writer for a number of hacker zines, including tmp.0ut and VX-Underground Black Mass.
When she isn't making art, reverse engineering, or making art as a part of her reverse engineering process, she enjoys learning languages, skateboarding, and taking long walks (à la Paul Erdős).
You can find her online in a few of the corners of the internet she frequents:
- Twitter: @nikaroxanne
- GitHub: @ic3qu33n and @nikaroxanne
- Website/Portfolio: https://ic3qu33n.fyi
- Mastodon: ic3qu33n@infosec.exchange
- Keybase: @ic3qu33n