Awesome UEFI Security

This repository contains a collection of UEFI/BIOS security materials. Collected my own, not comprehensive. Feel free to PR.

• Awesome UEFI Security
  • CTF Challenges
  • Documentations 📖
  • Development 💻
  • Bootkits 💣
  • Tools 🔨
  • Vulnerabilities & Exploits 🔎
  • Talks 🔈
  • Blogs 📰
  • Papers 📃
  • Training & Courses 🔰

CTF-Challenges

• UIUCTF-2022 SMM Cow Say 1
• UIUCTF-2022 SMM Cow Say 2
• UIUCTF-2022 SMM Cow Say 3
• D^3CTF-2022-pwn-d3guard
• corCTF 2023 smm-diary
• Dubhe CTF 2024 ToySMM
• DVUEFI

Documentations 📖

• UEFI Forum
• UEFI Specification v2.10
• UEFI Platform Initialization Specification v1.7a
• UEFI Shell Specification V2.2
• UEFI Platform Initialization Distribution Packaging Specification v1.1
• ACPI Specification v6.5

Development 💻

• EDK II
• edk2-pytool-library
• edk2-libc
• uefi-rs
• UEFI-Lessons
• arch-secure-boot
• EDK II Module Write Guide

Some interesting projects

• uefi-paint
• mitnal

Bootkits 💣

ATT&CK Attack Vector

Time	Name
Nov. 2024	Bootkitty
Oct. 2022	BlackLotus
Jul. 2022	CosmicStrand
Jan. 2022	MoonBounce
Oct. 2021	Especter
Sep. 2021	FinSpy
Dec. 2020	Trickbot
Oct. 2020	MosaicRegressor
2018	LoJax

Bootkits related repositories:

• LoJax
• umap
• UEFI-Bootkit
• SmmBackdoor
• PeiBackdoor
• bootlicker

Tools 🔨

• efiXplorer: IDA Pro plugin, the best plugin for analyzing UEFI binaries for now.
• UEFITool: Tool for parsing and extracting UEFI firmware images.
• brick: IDA Pro plugin, a static vulnerability scanner, support several types of vulnerabilities.
• fwhunt-scan
• FwHunt
• qiling: Qiling has an EFI mode, which can partially emulate UEFI binary files.
• efiSeek: A Ghidra plugin for UEFI binaries analyzing.
• efi_fuzz: A coverage-guided emulator-based NVRAM fuzzer for UEFI (based on qiling).
• efi_dxe_emulator: A simple emulator for UEFI DXE files.
• uefi-firmware-parser: Library for parsing UEFI firmware images.
• uefi-retool
• BIOSUtiities: A lot of scripts to parse and extract UEFI firmware images directly from exe files.
• innoextract: A tool to unpack installers created by Inno Setup
• Chipsec: The most commonly used tool for extracting UEFI firmware and exploiting UEFI vulnerabilities.
• LVFS
• EfiGuard
• ghidra-firmware-utils
• dropWPBT
• fwexpl
• fiano
• UefiVarMonitor
• VBiosFinder
• kraft_dinner
• Voyager
• efi-memory
• smram_parse
• ebvm
• UEFI-SecureBoot-SignTool
• PciLeech: PciLeech supports DMA attacks against UEFI, and it contains a mode can hook UEFI Runtime Services and print some chars.
• bob_efi_fuzzer
• uefi-rs: A rust wrapper for UEFI. You can built UEFI applications and vulnerabilities PoCs easily with this library.
• tsffs: A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS, released by Intel.
• efi-inspector: A Binary Ninja plugin for parsing UEFI firmware images.
• efi-resolver: Official UEFI plugin for Binary Ninja; it supports type propogation, which is really cool, and it starts supporting PEI files now.
• python-uefivars: A python tool to inspect UEFI variables (but it cannot take firmware images as input).

Vulnerabilities & Exploits 🔎

• PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.
• Vulnerability-REsearch: Vulnerabilities found by Binarly-IO, really a lot.
• vulnerability-disclosures: Vulnerabilities found by ESET, some of the vulnerabilities in the repo related to UEFI.
• vulnerabilities: Vulnerabilities found by 10TG, some of the vulnerabilities related to UEFI.
• CVE-2022-3430, CVE-2022-3431, CVE-2022-3432: These three vulnerabilities are found by ESET Research, all of which are NVRAM vulnerabilities in Lenovo devices that could disable Secure Boot.
• CVE-2022-4020: NVRAM vulnerability found by ESET Research, which exists in Acer devices and could disable Secure Boot by setting a UEFI Variable.
• ThinkPwn
• Aptiocalypsis
• UsbRt_ROP
• CVE-2022-21894
• CVE-2014-8274
• Super-UEFIinSecureBoot-Disk
• SmmExploit
• CERT/CC UEFI Analysis Resources: This repo contains an example of CVE-2021-28216

Talks 🔈

Year	Conference	Title
2024	Defcon	AMD Sinkclose: Universal Ring -2 Privilege Escalation
2024	Blackhat USA	You've Already Been Hacked: What if There Is a Backdoor in Your UEFI OROM?
2024	Blackhat USA ARSENAL	Damn Vulnerable UEFI (DVUEFI): An Exploitation Toolkit and Learning Platform for Unveiling and Fixing UEFI Firmware Vulnerabilities
2023	Blackhat Europe	LogoFAIL: Security implications of image parsing during system boot
2023	Blackhat Asia	The Various Shades of Supply Chain: SBOM, N-Days and Zero Trust
2021	AVAR	The Evolution of Threat Actors: Firmware is the Next Frontier
2022	Blackhat USA	Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases
2022	Blackhat Asia	The Firmware Supply-Chain Security Is Broken: Can We Fix It?
2021	Blackhat USA	Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)
2021	Blackhat USA	Breaking Secure Bootloaders
2020	Blackhat Europe	efiXplorer: Hunting for UEFI Firmware Vulnerabilities at Scale with Automated Static Analysis
2019	Blackhat USA	Firmware Cartography: Charting the Course for Modern Server Compromise
2019	Blackhat Asia	MODERN SECURE BOOT ATTACKS: Presenter’s Name Presenter's Position BYPASSING HARDWARE ROOT OF TRUST FROM SOFTWARE
2019	Blackhat Asia	Finally, I Can Sleep Tonight: Catching Sleep Mode Vulnerabilities of the TPM with Napper
2019	Blackhat USA	Breaking Through Another Side: Bypassing Firmware Security Boundaries from Embedded Controller
2018	Blackhat USA	Remotely Attacking System Firmware
2018	Blackhat Europe	Malware Buried Deep Down the SPI Flash: Sednit's First UEFI Rootkit Found in the Wild
2018	Blackhat Asia	I Don't Want to Sleep Subverting Intel TXT with S3 Sleep
2017	Blackhat USA	INTEL AMT. STEALTH BREAKTHROUGH
2017	Blackhat USA	Firmware is the New Black - Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities
2017	Blackhat USA	Betraying the BIOS: Where the Guardians of the BIOS are Failing
2017	Blackhat USA	Taking DMA Attacks to the Next Level
2017	Blackhat Asia	The UEFI Firmware Rootkits: Myths and Reality
2017	Blackhat USA	Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks
2014	Blackhat Europe	Analyzing UEFI BIOSes from Attacker & Defender Viewpoints
2014	Blackhat USA	Extreme Privilege Escalation on Windows 8/UEFI Systems
2014	Blackhat USA	Protecting Data In-Use from Firmware and Physical Attacks
2014	Blackhat USA	Exposing Bootkits with BIOS Emulation
2013	Blackhat USA	A Tale of One Software Bypass of Windows 8 Secure Boot
2013	Blackhat USA	BIOS Chronamancy: Fixing the Core Root of Trust for Measurement
2013	Blackhat USA	Funderbolt Adventures in Thunderbolt DMA Attacks
2011	Blackhat	Battery Firmware Hacking
2009	Blackhat USA	Attacking Intel® BIOS
2009	Blackhat USA	Reversing and Exploiting an Apple Firmware Update
2009	Blackhat DC	Attacking Intel® Trusted Execution Technology
2009	Blackhat	Introducing Ring -3 Rootkits
2008	Blackhat	Preventing and Detecting Xen Hypervisor Subversions
2018	CanSecWest	TPM Genie Attacking the Hardware Root of Trust For Less Than $50
2015	CanSecWest	A New Class of Vulnerabilities in SMI Handlers
2015	CanSecWest	Attacks on UEFI Security
2014	CanSecWest	ALL YOUR BOOT ARE BELONG TO US
2009	CanSecWest	Getting into the SMRAM: SMM Reloaded
2022	DEFCON	The COW Container On Windows Who Escaped the Silo
2022	DEFCON	One Bootloader to Load Them All
2021	DEFCON	High Stakes Updates: BIOS RCE OMG WTF BBQ
2019	DEFCON	UEFI Exploitation for the Masses
2019	DEFCON	Ring 0 Ring 2 Rootkits Bypassing Defenses
2019	DEFCON	EDR is Coming Hide Yo Sh!t
2017	DEFCON	Safeguarding rootkits: IntelBootGuard
2018	DEFCON	Disabling Intel ME in Firmware
2014	DEFCON	Extreme Privilege Escalation On Windows 8/UEFI Systems
2013	DEFCON	Hacking Measured Boot and UEFI
2020	DEFCON	OuterHaven UEFI Memory Space
2008	DEFCON	Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer(pratical low level attacks against x86 authentication software)
2007	DEFCON	Hacking the Extensible Firmware Interface
2022	H2HC	Data-only Attacks Against UEFI BIOS
2022	Offensive Con	UEFI Firmware Vulnerabilities: Past, Present and Future
2017	REcon	BARing the System New vulnerabilities in Coreboot & UEFI based systems

Blogs 📰

• Binarly-IO

  • Multiple Vulnerabilities In Qualcomm And Lenovo ARM-Based Devices
  • Firmware Patch Deep-Dive: Lenovo Patches Fail To Fix Underlying Vulnerabilities
  • OpenSSL Usage In UEFI Firmware Exposes Weakness In SBOMs
  • The Firmware Supply-Chain Security Is Broken: Can We Fix It?
  • Leaked Intel Boot Guard Keys: What Happened? How Does It Affect The Software Supply Chain?
  • New Attacks To Disable And Bypass Windows Management Instrumentation
  • Binarly Discloses High-Impact Firmware Vulnerabilities In Insyde-Based Devices
  • Binarly Discovers Multiple High-Severity Vulnerabilities In AMI-Based Devices
  • Binarly Finds Six High Severity Firmware Vulnerabilities In HP Enterprise Devices
  • The Intel PPAM Attack Story
  • Using Symbolic Execution To Detect UEFI Firmware Vulnerabilities
  • Blasting Event-Driven Cornucopia
  • FirmwareBleed: The Industry Fails To Adopt Return Stack Buffer Mitigations In SMM
  • FwHunt The Next Chapter: Firmware Threat Detection At Scale
  • A Deeper UEFI Dive Into MoonBounce
  • Repeatable Failures: AMI UsbRt - Six Years Later, Firmware Attack Vector Still Affect Millions Of Enterprise Devices
  • Repeatable Firmware Security Failures: 16 High Impact Vulnerabilities Discovered In HP Devices
  • An In-Depth Look At The 23 High-Impact Vulnerabilities
  • Detecting Firmware Vulnerabilities At Scale: Intel BSSA DFT Case Study
  • Why Firmware Integrity Is Insufficient For Effective Threat Detection And Hunting
  • Firmware Supply Chain Is Hard(Coded)
  • Attacking (Pre)EFI Ecosystem

• Cr4sh

  • Exploiting AMI Aptio firmware on example of Intel NUC
  • Exploring and exploiting Lenovo firmware secrets
  • Exploiting SMM callout vulnerabilities in Lenovo firmware
  • Breaking UEFI security with software DMA attacks
  • Building reliable SMM backdoor for UEFI based platforms
  • Exploiting UEFI boot script table vulnerability

• eclypsium

  • FIRMWARE ATTACKS: AN ENDPOINT TIMELINE
  • ONE BOOTLOADER TO LOAD THEM ALL
  • FIRMWARE SECURITY REALIZATIONS – PART 2 – START YOUR MANAGEMENT ENGINE
  • FIRMWARE SECURITY REALIZATIONS – PART 1 – SECURE BOOT AND DBX
  • YET ANOTHER UEFI BOOTKIT DISCOVERED: MEET COSMICSTRAND
  • THE ILOBLEED IMPLANT: LIGHTS OUT MANAGEMENT LIKE YOU WOULDN’T BELIEVE
  • “EVIL MAID” FIRMWARE ATTACKS USING USB DEBUG

• ESET Research

  • BlackLotus UEFI bootkit: Myth confirmed
  • ESET Research Podcast: UEFI in crosshairs of ESPecter bootkit
  • When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
  • UEFI threats moving to the ESP: Introducing ESPecter bootkit
  • Needles in a haystack: Picking unwanted UEFI components out of millions of samples
  • A machine‑learning method to explore the UEFI landscape
  • LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group
  • UEFI malware: How to exploit a false sense of security
  • Bootkit Threat Evolution in 2011

• Sentinel Lab

  • Moving From Common-Sense Knowledge About UEFI To Actually Dumping UEFI Firmware
  • Moving From Manual Reverse Engineering of UEFI Modules To Dynamic Emulation of UEFI Firmware
  • Moving From Dynamic Emulation of UEFI Modules To Coverage-Guided Fuzzing of UEFI Firmware
  • Adventures From UEFI Land: the Hunt For the S3 Boot Script
  • Zen and the Art of SMM Bug Hunting | Finding, Mitigating and Detecting UEFI Vulnerabilities
  • Another Brick in the Wall: Uncovering SMM Vulnerabilities in HP Firmware

• SYNACKTIV

  • Code Check(Mate) in SMM
  • Through The SMM-Glass And a Vulnerability Found There.
  • A Journey in Reversing UEFI Lenovo Passwords Management
  • S3 Sleep, Resume and Handling Them with Type-1 Hypervisor
  • Introductory Study of IOMMU (VT-d) and Kernel DMA Protection on Intel Processors

• NCCGroup

  • Stepping Insyde System Management Mode
  • A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
  • Intel BIOS Advisory – Memory Corruption in HID Drivers

• Others

  • Debugging System with DCI and Windbg
  • Reverse engineering (Absolute) UEFI modules for beginners
  • Experiment in extracting runtime drivers on Windows
  • BIOS Based Rootkits
  • Understanding modern UEFI-based platform boot
  • Attacking UEFI Runtime Services and Linux
  • Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation

Papers 📃

Year	Jour/Conf	Paper
2024	ASE	STASE: Static Analysis Guided Symbolic Execution for UEFI Vulnerability Signature Generation
2023	S&P	RSFUZZER: Discovering Deep SMI Handler Vulnerabilities in UEFI Firmware with Hybrid Fuzzing
2023	arXiv	SoK: Security Below the OS – A Security Analysis of UEFI
2023	China CIC	A Survey on the Evolution of Bootkits Attack and Defense Techniques
2022	S&P	Finding SMM Privilege-Escalation Vulnerabilities in UEFI Firmware with Protocol-Centric Static Analysis
2022	IH&MMSec	Hidden in Plain Sight - Persistent Alternative Mass Storage Data Streams as a Means for Data Hiding With the Help of UEFI NVRAM and Implications for IT Forensics
2020	DAC	UEFI Firmware Fuzzing with Simics Virtual Platform
2015	SYSTOR	Thunderstrike:EFI firmware bootkits for Apple MacBooks
2015	WOOT	Symbolic execution for BIOS security
2014	Virus Bulletin	Bootkits: Past, Present & Future
2011		Attacking Intel TXT® via SINIT code execution hijacking
2014		Speed Racer: Exploiting an Intel Flash Protection Race Condition

Training & Courses 🔰

• Advanced x86: Introduction to BIOS & SMM
• UEFI Official Learning Center
• EDK II Secure Code Review Guide
• Tianocore Training Contents