12-01, 18:30–19:30 (Europe/Berlin), Main Stage
Nowadays, it’s difficult to find any hardware vendor who develops all the components present in its products. Many of these components, including firmware, are outsourced to ODMs. As a result, this limits the ability of hardware vendors to have complete control over their hardware products. In addition to creating extra supply chain security risks, this also produces security gaps in the threat modeling process. Through this research, we wanted to raise awareness about the risks in the firmware supply chain and the complexity of fixing known vulnerabilities.
The firmware patch cycles last typically around 6-9 months (sometimes even longer) due to the complexity of the firmware supply chain and the lack of a uniform patching process. The 1-day and n-day vulnerabilities in many cases have a large impact on enterprises since the latest firmware update wasn’t installed or the device vendor had not released a patch yet. Each vendor follows their own patch cycle. Even known issues may not be patched until the next firmware update is available.
We decided to build an open-source framework to identify known vulnerabilities in the context of UEFI specifics, classify them based on their impact and detect across the firmware ecosystem with the help of the LVFS project. We will be sharing our approach as well as the tooling we have created to help industry identify the problems and get patched.
Workshop outline:
- Why it's important to get patched in time, and why your EDR won't help you with compromised firmware?
- The uefi_r2 scanner details internals (https://github.com/binarly-io/uefi_r2)
- How semantic code annotations work to bring UEFI codentext for code analysis
- How to scale uefi_r2 scanner in enterprise infrastructure?
- Deep dive into FwHunt rules format
- What is the difference between detecting new and known issues?
- How does the FwHunt detection work on different layers PEI/DXE/SMM?
- LVFS integration of uefi_r2 and FwHunt
- How patch the industry deal with the help of LVFS?
- Future plans and upcoming updates for FwHunt technology
Richard has over 15 years of experience developing open source software.
He is the maintainer of the LVFS, fwupd, libxmlb, ODRS, GNOME Software, AppStream-glib, PackageKit, colord, and UPower and also contributes to many other projects and opensource standards.
Richard graduated in 2007 from the University of Surrey with a Masters in Electronics Engineering. He now works as a principle engineer for Red Hat, and once built a company selling open source calibration equipment. Richard's outside interests include taking photos, eating good food and looking after his two daughters.
Kai Michaelis is co-founder and CTO of immune GmbH set out to build a solution for platform and supply chain security. He’s also a co-founder of the Open Source Firmware Foundation. He earned a Masters degree in computer security in 2018 from Ruhr University Bochum and has previously worked on GnuPG.
Alex Matrosov is CEO and Founder of BInarly Inc. where he builds an AI-powered platform to protect devices against emerging firmware threats. Alex has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. He served as Chief Offensive Security Researcher at Nvidia and Intel Security Center of Excellence (SeCoE). Alex is the author of numerous research papers and the bestselling award-winning book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences, such as REcon, Black Hat, Offensivecon, WOOT, DEF CON, and many others. Additionally, he was awarded multiple times by Hex-Rays for his open-source contributions to the research community.
Alex leads supply chain security research & development at Binarly Inc. With more than 10 years of experience in researching low-level design, firmware and system software built for various platforms and architectures, he helps to create a solution for protecting devices against firmware threats.