#BHUSA BlackHatEvents

You've Already Been Hacked
What if There Is a Backdoor in Your UEFI OROM?
Kazuki Matsuo (InfPCTechStack)
2024/8/8, South Seas CD, Level 3

Whoami
- Kazuki Matsuo (InfPCTechStack)
- Title: Security Researcher
- Affiliation: FFRI Security, Inc & Waseda University (this study was done during my master's degree)
- Interests: UEFI (negative rings), Trusted Computing, Windows Kernel

Contributors
- Yuki Mogi, Security Researcher, FFRI Security, Inc. Recently interested in security observability. Active in MWS, an academic cybersecurity community in Japan.
- Koh M. Nakagawa (tsunek0h), Security Researcher, FFRI Security, Inc. Vulnerability research on macOS/iOS. Black Hat EU 2020 / Asia 2023, CODE BLUE (2021, 2023).
- Tatsuya Mori (valdzone), Professor, Waseda University. Autonomous vehicle security. https://seclab.jp

UEFI BIOS
- BIOS: System firmware that initializes hardware and boots the OS.
- UEFI: Standard for BIOS; defines the boot phases shown in the figure on the right.
- DXE: The phase where most devices are abstracted by multiple DXE modules/drivers.
- UEFI Protocol: Interface for accessing a device, produced in the DXE phase (e.g. HttpProtocol, SimpleFileSystemProtocol).
- Runtime DXE modules: Some DXE modules persist in memory during runtime (most DXE modules are unloaded before the OS boots).

OROM (aka Option ROM, PCI Expansion ROM, XROM)
- Contains DXE drivers that initialize the device.
- Present in both external and internal devices; often present in network cards, storage devices, graphics cards, and adapters.
- DXE drivers in an OROM get loaded at the PCI enumeration phase (pretty early in DXE).
- Legacy BIOS OROM and UEFI OROM are different. This talk is about UEFI OROM.

This Talk is about I
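The distinction between a legacy BIOS OROM and a UEFI OROM is visible in the ROM bytes themselves, so a defender can inventory what a device's expansion ROM actually carries. The parser below is an added example, not code from the talk or from FFRI: it walks the image chain of a PCI expansion ROM (0xAA55 header, PCIR data structure, CodeType and Indicator fields) and, for CodeType 3 images, reads the extra UEFI header fields (EfiSignature, subsystem, machine type, compression, PE offset). The sample ROM, its vendor/device IDs and image contents are constructed placeholders.

```python
import struct

PCI_ROM_SIGNATURE = 0xAA55  # first two bytes of every PCI expansion ROM image
EFI_ROM_SIGNATURE = 0x0EF1  # EfiSignature field, present only in UEFI (CodeType 3) images
CODE_TYPES = {0: "legacy x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "UEFI"}
EFI_SUBSYSTEMS = {0x0A: "application", 0x0B: "boot service driver", 0x0C: "runtime driver"}

def parse_option_rom(rom):
    """Walk the image chain of a PCI expansion ROM and describe each image found."""
    images, offset = [], 0
    while True:
        if struct.unpack_from("<H", rom, offset)[0] != PCI_ROM_SIGNATURE:
            raise ValueError(f"bad ROM signature at 0x{offset:x}")
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]  # PcirOffset
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"missing PCI data structure for image at 0x{offset:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        size = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512  # ImageLength, 512-byte units
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        img = {"offset": offset, "vendor_id": vendor, "device_id": device, "size": size,
               "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})")}
        if code_type == 3:  # UEFI image: extra EFI fields follow InitializationSize in the header
            efi_sig, subsystem, machine, compressed = struct.unpack_from("<IHHH", rom, offset + 4)
            if efi_sig != EFI_ROM_SIGNATURE:
                raise ValueError(f"UEFI image at 0x{offset:x} lacks EfiSignature")
            img.update(subsystem=EFI_SUBSYSTEMS.get(subsystem, f"unknown({subsystem:#x})"),
                       machine=f"{machine:#06x}", compressed=bool(compressed),
                       pe_offset=offset + struct.unpack_from("<H", rom, offset + 0x16)[0])
        images.append(img)
        if indicator & 0x80:  # bit 7 of Indicator marks the last image in the ROM
            return images
        if size == 0:
            raise ValueError(f"zero-length image at 0x{offset:x}")
        offset += size

def _image(code_type, last, efi_subsystem=0):
    """Build one constructed 512-byte image with placeholder IDs and no real driver body."""
    img = bytearray(512)
    struct.pack_into("<H", img, 0, PCI_ROM_SIGNATURE)
    if code_type == 3:  # InitializationSize, EfiSignature, EfiSubsystem, EfiMachineType (x64), CompressionType
        struct.pack_into("<HIHHH", img, 2, 1, EFI_ROM_SIGNATURE, efi_subsystem, 0x8664, 1)
        struct.pack_into("<H", img, 0x16, 0x40)  # EfiImageHeaderOffset (where the PE would start)
    struct.pack_into("<H", img, 0x18, 0x20)  # PcirOffset
    img[0x20:0x24] = b"PCIR"
    struct.pack_into("<HH", img, 0x24, 0x1234, 0x5678)  # placeholder VendorId, DeviceId
    struct.pack_into("<H", img, 0x30, 1)  # ImageLength = 1 * 512 bytes
    img[0x34], img[0x35] = code_type, (0x80 if last else 0)  # CodeType, Indicator
    return bytes(img)

SAMPLE_ROM = _image(0, last=False) + _image(3, last=True, efi_subsystem=0x0B)  # constructed: legacy + UEFI
```

Running `parse_option_rom` over a ROM dumped from a device shows whether it carries a UEFI image that will be loaded as a DXE driver during PCI enumeration, and with which subsystem and machine type.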