Finding Firmware Implants

an Incident Response and Forensics Guide

2 Day Training: August 3,4

Abstract

Firmware implants have been gaining momentum as an attack vector especially for Advanced Persistent Threats. How do you detect them? What are they capable of? How can you capture them for further study and remove them from a device?

This is a two day course diving into the tools and techniques used to extract system firmware from a system, unpack the contents, and analyze them for signs of tampering. Hardware Root of Trust systems such as Intel Boot Guard will be explained along with techniques used to subvert them.

Hands-on labs will provide each attendee with an opportunity to practice on an infected system including:

  • Finding reference firmware images for a system
  • Dumping firmware both internally, with software running on a target system, and externally via a hardware programmer
  • Desoldering of system flash ICs
  • Use various tools to understand and unpack firmware contents

Suggested Combo: Practical Firmware Implants, Aug 1,2

When You Finish This Class

  • You will be familiar with hardware root of trust systems and their limitations
  • You will know how to perform both internal and external dumping of firmware
  • You will be able to extract and analyze UEFI and BMC firmware contents
  • You will have an understanding on how to detect firmware implants

Who Should Attend

This course is designed for incident responders and forensic analysts of all experience levels.

Course Outline

Day 1:

  • What exactly is firmware?
  • Overview on multitude of firmwares present in a modern PC
  • Hands-On: Locating reference firmware images for target systems
  • Internal methods of dumping firmware
  • Hands-On: Dumping UEFI via MMIO and SPI
  • Firmware image structure and tools
  • Hands-On: Exploring UEFI firmware contents
  • Hands-On: Exploring BMC firmware contents
  • Hardware Root of Trust systems and their weaknesses

Day 2:

  • External methods of dumping firmware
  • Hands-On: chip-clip method
  • Hands-On: desolder flash IC and use ZIF socket
  • Anatomy of a UEFI implant: LoJax
  • Hands-On: find implants in dumps
  • Remediation difficulties

Prerequisites

  • Familiarity with the Linux command line

System Requirements

  • An Intel based laptop
  • Minimum 8GB of RAM
  • 50GB of free storage space
  • One of the following:
    • Ubuntu 18.04 LTS installed
    • Be able to boot from USB 3.1 Type A storage device
  • Unused USB Type A port
Rick Altherr, Jesse Michael

Rick Altherr &
Jesse Michael, Eclypsium

Upto 25% off! Register Now

Rick Altherr has a career ranging from ASICs to UX with a focus on the intersection of hardware and software. Leveraging 9 years of experience developing server firmware and management systems at Google, he now focuses on uncovering vulnerabilities in BMC and peripheral firmware.

Eclypsium Principal Researcher Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented multiple times at DEF CON, PacSec, Hackito Ergo Sum, and BSides Portland.