├── .gitattributes ├── Conferences ├── AVAR'2012 │ └── AVAR'12.pdf ├── BH'2015 │ └── BH_2015.pdf ├── Betraying the BIOS │ ├── 010 templates │ │ ├── ACM.bt │ │ ├── BG_IBBM.bt │ │ └── BG_KM.bt │ ├── BlackHat_17_[v1.0].pdf │ ├── Intel Boot Guard [REconstructed] │ │ ├── BG.h │ │ ├── BG_DXE.c │ │ └── BG__PEI.c │ ├── Offensivecon_18[v2.0].pdf │ ├── ZeroNights_17[v1.5].pdf │ └── readme.md ├── Bypassing Hardware Root of Trust │ ├── BHASIA2019_matrosov_final.pdf │ ├── offcon2019_final.pdf │ └── readme.md ├── CARO'2011 │ └── CARO'11.pdf ├── CARO'2012 │ └── CARO'12.pdf ├── CARO'2013 │ └── CARO'13.pdf ├── Ekoparty'2011 │ └── Ekoparty'11.pdf ├── H2HC 2014 │ └── CodeXplorer_H2HC.pdf ├── H2HC 2016 │ └── H2HC_2016.pdf ├── Nsec'2015 │ └── nsec_2015.pdf ├── OFFZONE'2019 │ ├── offzone2019_keynote_public.pdf │ └── readme.md ├── PHD'2012 │ └── PHD'12.pdf ├── RECON'2012 │ └── REcon'12.pdf ├── RECON'2013 │ └── RECON_2013.pdf ├── UEFI Firmware Rootkits Myths and Reality │ ├── BHASIA_2017_final.pdf │ └── readme.md ├── VB 2011 │ └── VB'11.pdf ├── VB 2012 │ └── VB'12.pdf ├── VB 2014 │ ├── VB2014_paper.pdf │ └── VB2014_slides.pdf ├── ZeroNights'2011 │ ├── Duqu involution of Stuxnet.pdf │ └── Modern malware techniques for attacking RBS systems in Russia.pdf ├── ZeroNights'2012 │ └── ZN'12.pdf ├── ZeroNights'2013 │ └── ZN_2013_pdf.pdf ├── ZeroNights_2016 │ ├── Excite_Project_ZN.pdf │ ├── UEFI_Rootkits_ZN_2016.pdf │ ├── You’re Off the Hook.pdf │ └── readme.md ├── Zeronights'2015 │ ├── AttackingHypervisors_ZeroNights_0x5.pdf │ └── CodeXplorer__ZeroNights_0x5.pdf └── Zeronights'2019 │ ├── readme.md │ └── zn2019_keynote_public.pdf ├── README.md └── White-papers ├── Carberp When You're in a Black Hole, Stop Digging.pdf ├── Hodprot Hot to Bot.pdf ├── King of Spam Festi botnet analysis.pdf ├── Mind the Gapz The most complex bootkit ever analyzed.pdf ├── Stuxnet Under the Microscope.pdf ├── TDL3 The Rootkit ofAll Evil.pdf └── The Evolution of TDL Conquering x64.pdf /.gitattributes: 
-------------------------------------------------------------------------------- 1 | * text=auto 2 | *.pdf diff=astextplain 3 | *.pdf diff=astextplain -------------------------------------------------------------------------------- /Conferences/AVAR'2012/AVAR'12.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/AVAR'2012/AVAR'12.pdf -------------------------------------------------------------------------------- /Conferences/BH'2015/BH_2015.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/BH'2015/BH_2015.pdf -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/010 templates/ACM.bt: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | UINT16 ModuleType; 3 | UINT16 ModuleSubType; 4 | UINT32 HeaderSize; 5 | UINT32 HeaderVersion; 6 | UINT16 ChipsetId; 7 | UINT16 Flags; 8 | UINT32 ModuleVendor; 9 | UINT32 Date; 10 | UINT32 ModuleSize; 11 | UINT16 AcmSvn; 12 | UINT16 SeSvn; 13 | UINT32 CodeControlFlags; 14 | UINT32 ErrorEntryPoint; 15 | UINT32 GdtMax; 16 | UINT32 GdtBase; 17 | UINT32 SegmentSel; 18 | UINT32 EntryPoint ; 19 | UBYTE Reserved1[64]; 20 | UINT32 KeySize; 21 | UINT32 ScratchSpaceSize; 22 | UBYTE RsaPubKey[256] ; 23 | UINT32 RsaPubExp ; 24 | UBYTE RsaSig[256] ; 25 | } ACM_HEADER; 26 | 27 | ACM_HEADER ACM ; 28 | -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/010 templates/BG_IBBM.bt: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | UBYTE Signature[8]; // __ACBP__ 3 | UBYTE Unknown; 4 | UBYTE Unknown2; 5 | UBYTE Unknown3; 6 | UBYTE Unknown4; 7 | 
UBYTE AcmSvn; 8 | UBYTE Unknown5; 9 | UINT16 Unknown6; 10 | } BOOT_POLICY_MANIFEST_HEADER; 11 | 12 | ///////////////////////////////////////////////////// 13 | typedef struct { 14 | UBYTE Unknown[2]; 15 | UINT16 Unknown1; 16 | UINT32 Base; 17 | UINT32 Size; 18 | } IBB_SEGMENT; 19 | 20 | typedef struct 21 | { 22 | UINT16 Size; 23 | UBYTE Hash[32]; 24 | }KEY_HASH; 25 | 26 | typedef struct { 27 | UBYTE Signature[8]; // __IBBS__ 28 | UBYTE Unknown; 29 | UBYTE Unknown1[2]; 30 | UBYTE Unknown2; 31 | UINT32 Unknown3; 32 | UINT64 Unknown4; 33 | UINT64 VtdBar; 34 | UINT32 Unknown5; 35 | UINT32 Unknown6; 36 | UINT64 Unknown7[2]; 37 | UINT16 Unknown8; 38 | KEY_HASH IbbHash ; 39 | UINT32 EntryPoint ; 40 | KEY_HASH SigHash ; 41 | UBYTE SegmentNum ; 42 | IBB_SEGMENT IbbSegment[4] ; 43 | } IBB_ELEMENT; 44 | 45 | ///////////////////////////////////////////////////// 46 | typedef struct { 47 | UBYTE Signature[8]; // __PMDA__ 48 | UBYTE Version; 49 | UINT16 Size; 50 | } PLATFORM_MANUFACTURER; 51 | 52 | typedef struct 53 | { 54 | UBYTE Unknown8; 55 | UINT16 Size; 56 | UINT32 Exp ; 57 | UBYTE PubKey[256] ; 58 | }RSA_PUBLIC_KEY; 59 | 60 | typedef struct 61 | { 62 | UINT16 KeySize; 63 | UINT16 Unknown16; 64 | UBYTE RsaSignature[256] ; 65 | }RSA_SIGNATURE; 66 | 67 | typedef struct 68 | { 69 | RSA_PUBLIC_KEY Key; 70 | UINT16 Unknown16; 71 | RSA_SIGNATURE Signature ; 72 | }KEY_RSA; 73 | 74 | 75 | 76 | 77 | typedef struct { 78 | UBYTE Signature[8]; // __PMSG__ 79 | UBYTE Version; 80 | KEY_RSA RsaKey; 81 | } BOOT_POLICY_MANIFEST_SIGNATURE; 82 | 83 | ///////////////////////////////////////////////////// 84 | 85 | typedef struct { 86 | BOOT_POLICY_MANIFEST_HEADER Hdr; 87 | IBB_ELEMENT IBBS; 88 | PLATFORM_MANUFACTURER PM; 89 | BOOT_POLICY_MANIFEST_SIGNATURE BPMS; 90 | } BOOT_POLICY_MANIFEST; 91 | 92 | BOOT_POLICY_MANIFEST BPM; -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/010 templates/BG_KM.bt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Betraying the BIOS/010 templates/BG_KM.bt -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/BlackHat_17_[v1.0].pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Betraying the BIOS/BlackHat_17_[v1.0].pdf -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/Intel Boot Guard [REconstructed]/BG.h: -------------------------------------------------------------------------------- 1 | const UByteArray BG_VENDOR_HASH_FILE_GUID_PHOENIX // 389CC6F2-1EA8-467B-AB8A-78E769AE2A15 2 | ("\xF2\xC6\x9C\x38\xA8\x1E\x7B\x46\xAB\x8A\x78\xE7\x69\xAE\x2A\x15", 16); 3 | 4 | #define BG_VENDOR_HASH_FILE_SIGNATURE_PHOENIX (*(UINT64 *)"$HASHTBL") 5 | 6 | const UByteArray BG_VENDOR_HASH_FILE_GUID_AMI // CBC91F44-A4BC-4A5B-8696-703451D0B053 7 | ("\x44\x1F\xC9\xCB\xBC\xA4\x5B\x4A\x86\x96\x70\x34\x51\xD0\xB0\x53", 16); 8 | 9 | typedef struct BG_VENDOR_HASH_FILE_ENTRY 10 | { 11 | UINT8 Hash[SHA256_DIGEST_SIZE]; 12 | UINT32 Offset; 13 | UINT32 Size; 14 | } BG_VENDOR_HASH_FILE_ENTRY; 15 | 16 | typedef struct BG_VENDOR_HASH_FILE_HEADER_PHOENIX_ 17 | { 18 | UINT64 Signature; 19 | UINT32 NumEntries; 20 | //BG_VENDOR_HASH_FILE_ENTRY Entries[]; 21 | } BG_VENDOR_HASH_FILE_HEADER_PHOENIX; 22 | 23 | typedef struct BG_VENDOR_HASH_FILE_HEADER_AMI_NEW_ 24 | { 25 | BG_VENDOR_HASH_FILE_ENTRY Entries[2]; 26 | } BG_VENDOR_HASH_FILE_HEADER_AMI_NEW; 27 | 28 | typedef struct BG_VENDOR_HASH_FILE_HEADER_AMI_OLD_ 29 | { 30 | UINT8 Hash[SHA256_DIGEST_SIZE]; 31 | UINT32 Size; 32 | // Offset is derived from flash map, will be detected as root volume with DXE core 33 | } 
BG_VENDOR_HASH_FILE_HEADER_AMI_OLD; 34 | 35 | typedef struct BG_MICROSOFT_PMDA_HEADER_ 36 | { 37 | UINT32 Version; 38 | UINT32 NumEntries; 39 | } BG_MICROSOFT_PMDA_HEADER; 40 | 41 | #define BG_MICROSOFT_PMDA_VERSION 0x00000001 42 | 43 | typedef struct BG_MICROSOFT_PMDA_ENTRY_ 44 | { 45 | UINT32 Address; 46 | UINT32 Size; 47 | UINT8 Hash[SHA256_DIGEST_SIZE]; 48 | } BG_MICROSOFT_PMDA_ENTRY; 49 | 50 | // 51 | // Intel ACM 52 | // 53 | 54 | #define INTEL_ACM_MODULE_TYPE 0x00030002 55 | #define INTEL_ACM_MODULE_VENDOR 0x8086 56 | 57 | typedef struct INTEL_ACM_HEADER_ { 58 | UINT16 ModuleType; 59 | UINT16 ModuleSubType; 60 | UINT32 HeaderSize; 61 | UINT32 HeaderVersion; 62 | UINT16 ChipsetId; 63 | UINT16 Flags; 64 | UINT32 ModuleVendor; 65 | UINT8 DateDay; 66 | UINT8 DateMonth; 67 | UINT16 DateYear; 68 | UINT32 ModuleSize; 69 | UINT16 AcmSvn; 70 | UINT16 SeSvn; 71 | UINT32 CodeControlFlags; 72 | UINT32 ErrorEntryPoint; 73 | UINT32 GdtMax; 74 | UINT32 GdtBase; 75 | UINT32 SegmentSel; 76 | UINT32 EntryPoint; 77 | UINT8 Reserved1[64]; 78 | UINT32 KeySize; 79 | UINT32 ScratchSpaceSize; 80 | UINT8 RsaPubKey[256]; 81 | UINT32 RsaPubExp; 82 | UINT8 RsaSig[256]; 83 | } INTEL_ACM_HEADER; 84 | 85 | // 86 | // Intel BootGuard Key Manifest 87 | // 88 | #define BG_BOOT_POLICY_MANIFEST_HEADER_TAG (*(UINT64 *)"__ACBP__") 89 | typedef struct BG_BOOT_POLICY_MANIFEST_HEADER_ { 90 | UINT64 Tag; 91 | UINT8 Version; 92 | UINT8 HeaderVersion; 93 | UINT8 PMBPMVersion; 94 | UINT8 BPSVN; 95 | UINT8 ACMSVN; 96 | UINT8 : 8; 97 | UINT16 NEMDataSize; 98 | } BG_BOOT_POLICY_MANIFEST_HEADER; 99 | 100 | typedef struct SHA256_HASH_ { 101 | UINT16 HashAlgorithmId; 102 | UINT16 Size; 103 | UINT8 HashBuffer[32]; 104 | } SHA256_HASH; 105 | 106 | typedef struct RSA_PUBLIC_KEY_ { 107 | UINT8 Version; 108 | UINT16 KeySize; 109 | UINT32 Exponent; 110 | UINT8 Modulus[256]; 111 | } RSA_PUBLIC_KEY; 112 | 113 | typedef struct RSA_SIGNATURE_ { 114 | UINT8 Version; 115 | UINT16 KeySize; 116 | UINT16 HashId; 117 | 
UINT8 Signature[256]; 118 | } RSA_SIGNATURE; 119 | 120 | typedef struct KEY_SIGNATURE_ { 121 | UINT8 Version; 122 | UINT16 KeyId; 123 | RSA_PUBLIC_KEY PubKey; 124 | UINT16 SigScheme; 125 | RSA_SIGNATURE Signature; 126 | } BG_KEY_SIGNATURE; 127 | 128 | #define BG_IBB_SEGMENT_FLAG_IBB 0x0 129 | #define BG_IBB_SEGMENT_FLAG_NON_IBB 0x1 130 | typedef struct BG_IBB_SEGMENT_ELEMENT_ { 131 | UINT16: 16; 132 | UINT16 Flags; 133 | UINT32 Base; 134 | UINT32 Size; 135 | } BG_IBB_SEGMENT_ELEMENT; 136 | 137 | #define BG_BOOT_POLICY_MANIFEST_IBB_ELEMENT_TAG (*(UINT64 *)"__IBBS__") 138 | #define BG_IBB_FLAG_AUTHORITY_MEASURE 0x4 139 | 140 | typedef struct BG_IBB_ELEMENT_ { 141 | UINT64 Tag; 142 | UINT8 Version; 143 | UINT16 : 16; 144 | UINT8 Unknown; 145 | UINT32 Flags; 146 | UINT64 IbbMchBar; 147 | UINT64 VtdBar; 148 | UINT32 PmrlBase; 149 | UINT32 PmrlLimit; 150 | UINT64 Unknown3; 151 | UINT64 Unknown4; 152 | SHA256_HASH IbbHash; 153 | UINT32 EntryPoint; 154 | SHA256_HASH Digest; 155 | UINT8 IbbSegCount; 156 | // BG_IBB_SEGMENT_ELEMENT IbbSegment[]; 157 | } BG_IBB_ELEMENT; 158 | 159 | #define BG_BOOT_POLICY_MANIFEST_PLATFORM_MANUFACTURER_ELEMENT_TAG (*(UINT64 *)"__PMDA__") 160 | typedef struct BG_PLATFORM_MANUFACTURER_ELEMENT_ { 161 | UINT64 Tag; 162 | UINT8 Version; 163 | UINT16 DataSize; 164 | } BG_PLATFORM_MANUFACTURER_ELEMENT; 165 | 166 | #define BG_BOOT_POLICY_MANIFEST_SIGNATURE_ELEMENT_TAG (*(UINT64 *)"__PMSG__") 167 | typedef struct BG_BOOT_POLICY_MANIFEST_SIGNATURE_ELEMENT_ { 168 | UINT64 Tag; 169 | UINT8 Version; 170 | BG_KEY_SIGNATURE KeySignature; 171 | } BG_BOOT_POLICY_MANIFEST_SIGNATURE_ELEMENT; 172 | 173 | #define BG_KEY_MANIFEST_TAG (*(UINT64 *)"__KEYM__") 174 | typedef struct BG_KEY_MANIFEST_ { 175 | UINT64 Tag; 176 | UINT8 Version; 177 | UINT8 KmVersion; 178 | UINT8 KmSvn; 179 | UINT8 KmId; 180 | SHA256_HASH BpKeyHash; 181 | BG_KEY_SIGNATURE KeyManifestSignature; 182 | } BG_KEY_MANIFEST; 183 | 
-------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/Intel Boot Guard [REconstructed]/BG_DXE.c: -------------------------------------------------------------------------------- 1 | EFI_STATUS BootGuardDxe(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable) 2 | { 3 | ... 4 | 5 | if ( BootGuardSupported() == FALSE ) { 6 | return EFI_SUCCESS; 7 | } 8 | 9 | ... 10 | 11 | BootMode = GetBootMode(); 12 | if ( (BootMode == BOOT_IN_RECOVERY_MODE) || (BootMode == BOOT_ON_FLASH_UPDATE) ) { 13 | return EFI_SUCCESS; 14 | } 15 | 16 | ... 17 | 18 | if ( BootGuardVerifyTransitionPEItoDXEFlag == 0 ) { 19 | BootGuardRegisterCallBack(); 20 | } 21 | 22 | return EFI_SUCCESS; 23 | } -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/Intel Boot Guard [REconstructed]/BG__PEI.c: -------------------------------------------------------------------------------- 1 | EFI_STATUSBootGuardPei(EFI_PEI_SERVICES **PeiServices, VOID *Ppi) 2 | { 3 | ... 4 | 5 | Status = GetBootMode (); 6 | if ( EFI_ERROR( Status ) ) { 7 | return Status; 8 | } 9 | 10 | ... 11 | 12 | if ( (BootMode == BOOT_IN_RECOVERY_MODE) || (BootMode == BOOT_ON_FLASH_UPDATE) || BootMode == BOOT_ON_S3_RESUME) { 13 | return Status; 14 | } 15 | 16 | BootGuardVerifyTransitionPEItoDXEFlag = 0; 17 | 18 | ... 
19 | 20 | CalculateSha256(BootGuardHashKeySegment0); 21 | CalculateSha256(CurrentBootGuardHashKey0); 22 | 23 | if ( !MemCmp(BootGuardHashKeySegment0, CurrentBootGuardHashKey0, 32) ) { 24 | BootGuardVerifyTransitionPEItoDXEFlag = 1; 25 | } else { 26 | BootGuardVerifyTransitionPEItoDXEFlag = 0; 27 | return EFI_SUCCESS; 28 | } 29 | 30 | if ( !((BootGuardHashKeySegment1 == 0) { 31 | CalculateSha256 (BootGuardHashKeySegment1); 32 | CalculateSha256 (CurrentBootGuardHashKey1); 33 | 34 | if ( !MemCmp(BootGuardHashKeySegment1, CurrentBootGuardHashKey1, 32) ) { 35 | BootGuardVerifyTransitionPEItoDXEFlag = 1; 36 | } else { 37 | BootGuardVerifyTransitionPEItoDXEFlag = 0; 38 | return EFI_SUCCESS; 39 | } 40 | } 41 | 42 | return Status; 43 | } 44 | 45 | -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/Offensivecon_18[v2.0].pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Betraying the BIOS/Offensivecon_18[v2.0].pdf -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/ZeroNights_17[v1.5].pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Betraying the BIOS/ZeroNights_17[v1.5].pdf -------------------------------------------------------------------------------- /Conferences/Betraying the BIOS/readme.md: -------------------------------------------------------------------------------- 1 | # Betraying the BIOS: Where the Guardians of the BIOS are Failing 2 | For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. 
Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS? 3 | 4 | In this presentation, I'll explain UEFI security from the competing perspectives of attacker and defender. I'll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering. 5 | 6 | This talk is a revisited version of the Black Hat Vegas 2017 research with new details about Intel BIOS Guard and Intel ACM’s including new vulnerabilities. 7 | 8 | ## Conferences: 9 | * **Black Hat Vegas 2017** [slides](https://github.com/REhints/BlackHat_2017/blob/master/Betraying%20the%20BIOS.pdf) [video](https://www.youtube.com/watch?v=Dfl2JI2eLc8) 10 | * **H2HC 2017** [video](https://www.youtube.com/watch?v=jQyzhXQexrQ) 11 | * **Blue Hat 2017 (Revisited Version)** [video](https://www.youtube.com/watch?v=a2A-iuAGkSM) 12 | * **ZeroNights (Revisited Version)** [slides](https://github.com/REhints/Publications/blob/master/Conferences/Betraying%20the%20BIOS/ZeroNights_17%5Bv1.5%5D.pdf) [video](https://www.youtube.com/watch?v=mTuA68JHJdw) 13 | * **Offensivecon 2018 (Updated and Revisited Version)** [slides](https://github.com/REhints/Publications/blob/master/Conferences/Betraying%20the%20BIOS/Offensivecon_18%5Bv2.0%5D.pdf) [video](https://www.youtube.com/watch?v=kSQVGFbTfqE) 14 | 15 | ## References: 16 | * **Who Watch BIOS Watchers?** [link](https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9) 17 | -------------------------------------------------------------------------------- 
/Conferences/Bypassing Hardware Root of Trust/BHASIA2019_matrosov_final.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Bypassing Hardware Root of Trust/BHASIA2019_matrosov_final.pdf -------------------------------------------------------------------------------- /Conferences/Bypassing Hardware Root of Trust/offcon2019_final.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Bypassing Hardware Root of Trust/offcon2019_final.pdf -------------------------------------------------------------------------------- /Conferences/Bypassing Hardware Root of Trust/readme.md: -------------------------------------------------------------------------------- 1 | # Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software 2 | Many hardware vendors are armoring modern Secure Boot by moving Root of Trust to the hardware. While it is definitely the right direction to create more difficulties for the attacker, many layers of code exist between hardware and firmware. Also, hardware vendors are always fighting for boot performance, which creates interesting security issues in actual implementations. 3 | 4 | In this presentation, I'll explain new security issues to bypass a specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I'll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries. 
5 | 6 | 7 | ## Conferences: 8 | * [Offensivecon 2019](https://www.offensivecon.org/speakers/2019/alex-matrosov.html) [video](https://www.youtube.com/watch?v=Ap-2CnoyBek) 9 | * Amazon Red Team Summit [RTS 2019](https://redteamsummit.com) 10 | * [BHASIA 2019](https://www.blackhat.com/asia-19/briefings/schedule/#modern-secure-boot-attacks-bypassing-hardware-root-of-trust-from-software-13950) 11 | * [OPCDE 2019](https://emirates.opcde.com/speaker/alex-matrosov/) [video](https://www.youtube.com/watch?v=TuaP7fG4_rk) 12 | * [Ekoparty 15](http://ekoparty.org/editions/eko15/charlas/bypassing-root-trust.php) 13 | -------------------------------------------------------------------------------- /Conferences/CARO'2011/CARO'11.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/CARO'2011/CARO'11.pdf -------------------------------------------------------------------------------- /Conferences/CARO'2012/CARO'12.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/CARO'2012/CARO'12.pdf -------------------------------------------------------------------------------- /Conferences/CARO'2013/CARO'13.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/CARO'2013/CARO'13.pdf -------------------------------------------------------------------------------- /Conferences/Ekoparty'2011/Ekoparty'11.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Ekoparty'2011/Ekoparty'11.pdf 
-------------------------------------------------------------------------------- /Conferences/H2HC 2014/CodeXplorer_H2HC.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/H2HC 2014/CodeXplorer_H2HC.pdf -------------------------------------------------------------------------------- /Conferences/H2HC 2016/H2HC_2016.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/H2HC 2016/H2HC_2016.pdf -------------------------------------------------------------------------------- /Conferences/Nsec'2015/nsec_2015.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Nsec'2015/nsec_2015.pdf -------------------------------------------------------------------------------- /Conferences/OFFZONE'2019/offzone2019_keynote_public.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/OFFZONE'2019/offzone2019_keynote_public.pdf -------------------------------------------------------------------------------- /Conferences/OFFZONE'2019/readme.md: -------------------------------------------------------------------------------- 1 | # The Evolution of Advanced Threats: REsearchers Arms Race 2 | The evolution in defensive software is really connected to the evolution of the modern threat landscape. Each new iteration of evolution is focused on covering specific gaps in detection methods or data collection algorithms. 
The main direction of advanced threats like rootkits or bootkits has been to gain persistence methods to be closer to firmware and hardware levels. While modern operating systems are building mitigations to increase the cost of exploitation and malware persistence, advanced threat actors are already looking ahead for the next-lowest level of persistence. 3 | 4 | This talk will look through the evolutionary prism of advanced threats, at the evolution—or lack of evolution—of tools for forensics and reverse engineering. During the talk, we will delve into modern platform security gaps, seeking solutions to improve auditing visibility and prevent advanced threat actors from gaining a foothold in platform levels where security sensors do not exist. 5 | 6 | 7 | ## Conferences: 8 | * [Offzone 2019](https://offzone.moscow/speakers/alexander-matrosov/) [video](https://www.youtube.com/watch?v=7p2uAgO9lBQ) (RUS) 9 | * [Ekoparty 15](http://ekoparty.org/editions/eko15/charlas/researchers-arm-race.php) 10 | * [Platform Security Summit 2019](https://www.platformsecuritysummit.com/#matrosov) 11 | * [Defcamp 2019](https://def.camp/speaker/alex-matrosov) 12 | -------------------------------------------------------------------------------- /Conferences/PHD'2012/PHD'12.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/PHD'2012/PHD'12.pdf -------------------------------------------------------------------------------- /Conferences/RECON'2012/REcon'12.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/RECON'2012/REcon'12.pdf -------------------------------------------------------------------------------- /Conferences/RECON'2013/RECON_2013.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/RECON'2013/RECON_2013.pdf -------------------------------------------------------------------------------- /Conferences/UEFI Firmware Rootkits Myths and Reality/BHASIA_2017_final.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/UEFI Firmware Rootkits Myths and Reality/BHASIA_2017_final.pdf -------------------------------------------------------------------------------- /Conferences/UEFI Firmware Rootkits Myths and Reality/readme.md: -------------------------------------------------------------------------------- 1 | # UEFI Firmware Rootkits: Myths and Reality 2 | UEFI firmware security has recently become a very hot topic. There is a long list of publications that have appeared over the last few years discussing disclosed vulnerabilities in UEFI firmware. These vulnerabilities allow an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim's system. In this presentation, the authors will take a look at state-of-the-art attacks against UEFI firmware from a practical point of view and analyze the applicability of disclosed attacks in real-life scenarios: whether these vulnerabilities can be easily used in real-world rootkits (OS->SMM->SPI Flash). 3 | 4 | In the first part of the presentation, the authors will dive into different types of vulnerabilities and attacks against UEFI firmware to summarize and systematize known attacks: whether the vulnerability targets one specific firmware vendor, whether an attacker needs physical access to the victim's platform, and so on. Such a classification is useful for understanding what an attacker can do. 
The authors will also look at the attacks and determine whether each can be converted into a real-world rootkit, or whether the attacker's possibilities are very limited and the attack vector cannot make it beyond the PoC. 5 | 6 | In the second part of the presentation, the authors will look at defensive technologies and how one can reduce the severity of some attacks. Modern Intel-based platforms implement different methods and mitigation technologies against firmware and boot process attacks. Boot Guard is a hardware-based integrity protection technology that provides new levels of configurable boot: Measured Boot and Verified Boot (supported from MS Windows 8). Technologies that protect platform flash memory from malicious modification are not a new trend. For example, the BIOS Write Enable bit (BIOSWE) was introduced a long time ago to make flash memory read-only. Another protection technology is the BIOS Lock Enable bit (BLE), which gives control to privileged code executing in System Management Mode (SMM) on each attempt to change the BIOSWE bit. In addition, SMM-based write protection (SMM_BWP) protects the entire BIOS region from modification attempts by unprivileged (non-SMM) code. One of the latest security technologies is SPI Protected Ranges (PRx), which BIOS/platform developers can configure to protect ranges of flash memory. BIOS Guard (delivered since Skylake CPUs) is the most recent technology for armoring the platform against malicious modification of firmware flash storage. Even if an attacker has access to modify flash memory, BIOS Guard can prevent execution of malicious code and protect flash memory from malicious modifications. The authors will analyse how these technologies can counteract existing firmware vulnerabilities and attacks. 
7 | 8 | ## Conferences: 9 | * H2HC 2016 [slides]() [video](https://www.youtube.com/watch?v=yyFStw6ApdM) 10 | * ZeroNights 2016 [slides](https://github.com/REhints/Publications/blob/master/Conferences/ZeroNights_2016/UEFI_Rootkits_ZN_2016.pdf) 11 | * [BHASIA 2017](https://www.blackhat.com/asia-17/briefings.html#the-uefi-firmware-rootkits-myths-and-reality) (Revisited and Updated Version) [slides](https://github.com/REhints/Publications/blob/master/Conferences/BHASIA%202017/BHASIA_2017_final.pdf) [video](https://www.youtube.com/watch?v=b2Wd8G8w6PM) 12 | 13 | ## UEFI Ransomware PoC Demo [video](https://www.youtube.com/watch?v=QSf2_qD8kTw) 14 | -------------------------------------------------------------------------------- /Conferences/VB 2011/VB'11.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/VB 2011/VB'11.pdf -------------------------------------------------------------------------------- /Conferences/VB 2012/VB'12.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/VB 2012/VB'12.pdf -------------------------------------------------------------------------------- /Conferences/VB 2014/VB2014_paper.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/VB 2014/VB2014_paper.pdf -------------------------------------------------------------------------------- /Conferences/VB 2014/VB2014_slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/VB 2014/VB2014_slides.pdf 
-------------------------------------------------------------------------------- /Conferences/ZeroNights'2011/Duqu involution of Stuxnet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/ZeroNights'2011/Duqu involution of Stuxnet.pdf -------------------------------------------------------------------------------- /Conferences/ZeroNights'2011/Modern malware techniques for attacking RBS systems in Russia.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/ZeroNights'2011/Modern malware techniques for attacking RBS systems in Russia.pdf -------------------------------------------------------------------------------- /Conferences/ZeroNights'2012/ZN'12.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/ZeroNights'2012/ZN'12.pdf -------------------------------------------------------------------------------- /Conferences/ZeroNights'2013/ZN_2013_pdf.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/ZeroNights'2013/ZN_2013_pdf.pdf -------------------------------------------------------------------------------- /Conferences/ZeroNights_2016/Excite_Project_ZN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/ZeroNights_2016/Excite_Project_ZN.pdf -------------------------------------------------------------------------------- 
/Conferences/ZeroNights_2016/UEFI_Rootkits_ZN_2016.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/ZeroNights_2016/UEFI_Rootkits_ZN_2016.pdf -------------------------------------------------------------------------------- /Conferences/ZeroNights_2016/You’re Off the Hook.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/ZeroNights_2016/You’re Off the Hook.pdf -------------------------------------------------------------------------------- /Conferences/ZeroNights_2016/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Conferences/Zeronights'2015/AttackingHypervisors_ZeroNights_0x5.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Zeronights'2015/AttackingHypervisors_ZeroNights_0x5.pdf -------------------------------------------------------------------------------- /Conferences/Zeronights'2015/CodeXplorer__ZeroNights_0x5.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Zeronights'2015/CodeXplorer__ZeroNights_0x5.pdf -------------------------------------------------------------------------------- /Conferences/Zeronights'2019/readme.md: -------------------------------------------------------------------------------- 1 | # HARDWARE SECURITY IS HARD: how hardware boundaries define platform security 2 | 3 | Nowadays, I don’t know any hardware vendor who develops all the
components present in their platform. A large part of it, including firmware, is outsourced to OEMs. That creates additional complexity and limits the hardware vendor's control over the platform. It not only creates supply chain security risks but also produces security gaps in the threat modeling process by design. 4 | 5 | In most cases, hardware vendors define a separate threat model and security boundaries for each hardware component present on the platform, but in reality this misses a lot of details, which directly affects platform security. This talk will look through that prism at the security problems and vulnerabilities created by those architecture design mistakes. 6 | 7 | * [zeronights link](https://zeronights.ru/report-en/hardware-security-is-hard-how-hardware-boundaries-define-platform-security/) 8 | * [video recording](https://www.youtube.com/watch?v=ovGDHgG5pGw) 9 | -------------------------------------------------------------------------------- /Conferences/Zeronights'2019/zn2019_keynote_public.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/Conferences/Zeronights'2019/zn2019_keynote_public.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | REhint's Publications 2 | ============ 3 | conferences slides and white-papers 4 | -------------------------------------------------------------------------------- /White-papers/Carberp When You're in a Black Hole, Stop Digging.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/White-papers/Carberp When You're in a Black Hole, Stop Digging.pdf --------------------------------------------------------------------------------
/White-papers/Hodprot Hot to Bot.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/White-papers/Hodprot Hot to Bot.pdf -------------------------------------------------------------------------------- /White-papers/King of Spam Festi botnet analysis.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/White-papers/King of Spam Festi botnet analysis.pdf -------------------------------------------------------------------------------- /White-papers/Mind the Gapz The most complex bootkit ever analyzed.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/White-papers/Mind the Gapz The most complex bootkit ever analyzed.pdf -------------------------------------------------------------------------------- /White-papers/Stuxnet Under the Microscope.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/White-papers/Stuxnet Under the Microscope.pdf -------------------------------------------------------------------------------- /White-papers/TDL3 The Rootkit ofAll Evil.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/White-papers/TDL3 The Rootkit ofAll Evil.pdf -------------------------------------------------------------------------------- /White-papers/The Evolution of TDL Conquering x64.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/REhints/Publications/26c8e454fbacaa68a13f0a6280e00bd07e5d5717/White-papers/The Evolution of TDL Conquering x64.pdf --------------------------------------------------------------------------------