Finding Firmware Implants

an Incident Response and Forensics Guide

2 Day u_short 16 CPE Hour Training: August 2020

ON HOLD

Abstract

Firmware implants have been gaining momentum as an attack vector, especially for Advanced Persistent Threats. How do you detect them? What are they capable of? How can you capture them for further study and remove them from a device?

This is a two-day course diving into the tools and techniques used to extract firmware from a system, unpack the contents, and analyze them for signs of tampering. Hardware Root of Trust systems such as Intel Boot Guard will be explained along with techniques used to subvert them.

Hands-on labs will provide each attendee with an opportunity to practice on an infected system including:

  • Finding reference firmware images for a system
  • Dumping firmware both internally, with software running on a target system, and externally via a hardware programmer
  • Desoldering of system flash ICs
  • Using various tools to understand and unpack firmware contents

Suggested Combo: Practical Firmware Implants

When You Finish This Class

  • You will be familiar with hardware root of trust systems and their limitations
  • You will know how to perform both internal and external dumping of firmware
  • You will be able to extract and analyze UEFI and BMC firmware contents
  • You will have an understanding of how to detect firmware implants

Who Should Attend

This course is designed for incident responders and forensic analysts of all experience levels.

Course Outline

Day 1:

  • What exactly is firmware?
  • Overview of the multitude of firmware present in a modern PC
  • Hands-On: Locating reference firmware images for target systems
  • Internal methods of dumping firmware
  • Hands-On: Dumping UEFI via MMIO and SPI
  • Firmware image structure and tools
  • Hands-On: Exploring UEFI firmware contents
  • Hands-On: Exploring BMC firmware contents
  • Hardware Root of Trust systems and their weaknesses

Day 2:

  • External methods of dumping firmware
  • Hands-On: chip-clip method
  • Hands-On: desolder flash IC and use ZIF socket
  • Anatomy of a UEFI implant: LoJax
  • Hands-On: find implants in dumps
  • Remediation difficulties

Prerequisites

  • Familiarity with the Linux command line

System Requirements

  • An Intel-based laptop
  • Minimum 8GB of RAM
  • 50GB of free storage space
  • One of the following:
    • Ubuntu 18.04 LTS installed
    • Ability to boot from a USB 3.1 Type A storage device
  • Unused USB Type A port
Oleksandr Bazhaniuk, Jesse Michael

Eclypsium CTO and Founder Alex Bazhaniuk has been performing security research and product security for a number of years at Intel Corporation. Alex has presented his research at well-known security conferences and he also teaches popular trainings in firmware security. Previously, he co-founded the first DEF CON group in Ukraine.

Eclypsium Principal Researcher Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented multiple times at DEF CON, PacSec, Hackito Ergo Sum, and BSides Portland.