SEI.blog.graphic_2022.jpg (127.45 kB)

UEFI: 5 Recommendations for Securing and Restoring Trust

online resource

posted on 2023-06-28, 21:17 authored by Vijay SarvepalliVijay Sarvepalli

Despite a drop in overall sales of computers, a staggering 286.2 million Windows-based PCs were sold in 2022. Each of these computers was released with firmware based on the Unifired Extensible Firmware Interface (UEFI), an alternative to the legacy Basic Input/Output System (BIOS), which provides an extensible intersection between hardware and the OS itself. The UEFI standard also identifies reliable ways to update this firmware from the OS. Despite its ubiquitous and indispensable role, this piece of software remains invisible to most users. However, attackers have not forgotten about it. The attack dubbed BlackLotus first exposed a bookit (advanced form of malicious software) that cannot be easily detected or removed. Many vendors, including Microsoft, are still at an impasse with this bootkit as they are unable to reliably detect it or protect even today’s fully patched machines from this type of attack. On the heels of that attack, another soon followed that involved a leak of sensitive information, such as private keys from multiple PC manufacturers. These private keys, typically used to cryptographically sign UEFI-based software, could potentially be used to create malicious software that can achieve very high-privileged access to the CPU. In creating such bootkits, the attacker plants malicious code along with software that is both essential and highly trusted for normal operation of these devices. In this blog post, which I adapted from my recent white paper, I will expand on the concerns brought to light from these attacks and highlight our recommendations to secure the UEFI ecosystem and restore trust in this piece of firmware. These recommendations will both raise awareness and help direct upcoming efforts to create a safer environment for computing.

History

Publisher Statement

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. This report was prepared for the SEI Administrative Agent AFLCMC/AZS 5 Eglin Street Hanscom AFB, MA 01731-2100. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Copyright Statement

Usage metrics

Keywords

security vulnerabilities network situational awareness vulnerability mitigation vulnerability analysis

Licence

In Copyright

Exports

RefWorks

BibTeX

Ref. manager

Endnote

DataCite

NLM