Practical Firmware Implants and Bootkits // Mickey Shkatov, Jesse Michael
In-Person | March 18-21 | 4 Days
BOOK NOWABSTRACT
Elevate your expertise in low-level firmware security with our advanced, hands-on class that prioritizes learning by doing over traditional lectures. Dive into practical techniques as you practice BIOS/UEFI manipulation, bypass Secure Boot and Intel® BootGuard, develop your own BIOS implants and Bootkits, and learn to enable and use Intel hardware debugging on off-the-shelf targets. You'll also develop exploits and more.
By the end of this course, you'll have gained the experience and skills to set you apart in tackling sophisticated firmware-level threats, enhancing both your offensive and defensive capabilities, making you really stand out in the world of firmware security.
Practical Firmware Implants and Bootkits // Mickey Shkatov, Jesse Michael
In-Person | March 18-21 | 4 Days
INTENDED AUDIENCE
- Security practitioners (Offensive or Defensive)
- Security researchers
- Firmware developers
KEY LEARNING OBJECTIVES
- Learn about UEFI Firmware security
- Learn about low level Intel based hardware
- Learn and practice hands-on real world firmware adversarial techniques
- Understand how to abuse and bypass firmware protections using real world examples
COURSE DETAILS
Part 1:
- Firmware basics and Introduction
- Firmware forensics introduction
- Firmware and Bootkits Overview
- Firmware Supply Chain
- How well do you know your device?
- Practical exercises
- BIOS Development basics and ramp up
- Coding, building and testing BIOS drivers.
Part 2:
- Low-level PC Architecture
- Hardware boot process
- UEFI background and implementation
- Hardware debug capabilities
- Physical flash programming
- CPU/SMM/platform exploitation
- Bootloader implants
- Secure Boot Bypass
- ACPI
- Practical exercises
- Make your own file dropper from BIOS
Part 3:
- Attacking BIOS, XROM, UEFI, SMI
- Attacking SPI Flash
- Remotely exploitable attacks
- Hardware misconfiguration attacks
- Attacking SMI handlers
- Attacking UEFI variables and S3bootscript
- Attacking firmware update
- Spectre & Meltdown type of attacks
- Practical exercises
- Secure boot bypass implants
- SMM
- Option ROMS
Part 4:
- Intel hardware debug
- Enabling intel hardware debug on production systems
- Boot guard bypass
- Source Point Hardware Debugging tools basics
- Low level debug and exploitation
- Practical exercises
- Exploitation
- Intel Hardware Debugging
Knowledge Prequisites
- Programming experience (C, C++, Python, .NET, and PowerShell)
- Be familiar with assembly language and Debuggers (Binary ninja, IDA, Ghidra)
System Requirements
Hardware
- Virtualization capable Intel based laptop
- 6th Gen Intel Core CPU or newer. Not Atom based. Not AMD.
- Must have USB A ports
- Minimum 16GB of RAM (for running one guest VM)
- Minimum 140 GB free disk space
Software
- Host OS Windows 10/11 64-bit
- VMWare Virtualization Software
- System Administrator access required on both host and guest OSs
Purchasing Requirements 🛒
- Source Point Educational license (1-year subscription) – 225$
- Target Hardware mini pc – To be updated soon
YOUR INSTRUCTORS: Mickey Shkatov and Jesse Michael
Mickey Shkatov - Mickey has been involved in security research for over a decade, specializing in breaking down complex concepts and identifying security vulnerabilities in unusual places. His experience spans a variety of topics, which he has presented at security conferences worldwide. His talks have covered areas ranging from web penetration testing to the intricacies of BIOS firmware.
Jesse Michael - Jesse is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.