Post on 19-Aug-2018
transcript
Introduction to Reversing DXE drivers
Firmware and Flash
UEFI
DXE
Conclusion
Bruno Pujos
1/30
Introduction to Reversing DXE drivers
Bruno Pujos
February 9, 2016
Perspective
Subject
Talk about reverse engineering firmware
Unified Extensible Firmware Interface (UEFI)
Driver eXecution Environment (DXE)
Everything here concerns the Intel x86 architecture
Interest
What is going on in my computer?
Developing your own
Security
For all of this, reading the documentation is not enough
Wait, firmware?
Agenda
1 Firmware and Flash
Firmware
Firmware is software
It is stored in non-volatile memory (ROM, flash, ...)
Low-level control program for the device
There is a firmware in pretty much everything
It is also the "first" code running at boot time
(Really) Basic computer
SPI Flash
Serial Peripheral Interface
SPI is not a "real" standard...
Stores our firmware and other stuff
In theory it could be an LPC flash
What is inside it?
SPI Flash
Getting the SPI Flash content
Hardware
Not "simple" (at least for me)
Full access
Read and write
Software
Simple but limited access
Never seen a flash limited for reading, but it is possible
Accessible through the PCH using MMIO registers (FADDR, FDATA and HSFC)
Several tools allow you to dump the SPI Flash
Demo!
Chipsec [1]
Open-source tool developed by Intel
Written in Python
Works on Windows, Linux and the UEFI shell
Gives a good abstraction over the hardware
Driver not signed
Not complete and some bugs
Getting the SPI Flash content:
python chipsec_util.py spi dump <FILE.BIN>
[1] https://github.com/chipsec/chipsec
Agenda
2 UEFI
UEFI
UEFI 101
Unified Extensible Firmware Interface
Specification for firmware development since 2005
Successor of EFI (1998)
"BIOS firmware following the UEFI specification" (or just say UEFI)
Goal
Compatible with legacy
Abstraction from the hardware and the implementation
Modular: allowing code reuse
Community effort...
We got our BIOS, what now?
What is in our BIOS? Where is the code?
FileSystem
UEFI PI specification
FileSystem content
Different sections containing different files
Recursive FileSystem (a firmware volume can hold a file whose section is itself a firmware volume)
Most of the things are compressed
Demo!
Tools
Lots of tools for parsing the FileSystem
Some vendors have additions to the specification
chipsec does it but fails on certain things (in particular parsing of updates)
Just grep -r 'uefi firmware parser tool' internet
Using UEFIExtract [1]
[1] https://github.com/LongSoft/UEFITool
FileSystem Content
Several binaries
Different formats
Data...
Lots of files
Divided into sections
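What UEFITool or chipsec do when they list a volume is a plain walk of the on-flash structures: the firmware volume header, then the FFS file headers, then the sections inside each file. The following is an added example, not code from the talk or from either tool; it builds a small constructed FFSv2 volume (the file GUID and the section contents are made up, the layout and checksums follow the UEFI PI specification, volume 3) and parses it back, verifying the two checksums a real parser should refuse to skip.

```python
"""Walk a UEFI firmware volume (FFSv2) and list its files and sections."""
import struct
import uuid

# Constants from the UEFI PI specification, volume 3 (firmware volume / FFS formats).
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
EFI_FV_FILETYPE_DRIVER = 0x07
EFI_FV_FILETYPE_FFS_PAD = 0xF0
SECTION_TYPES = {0x01: "COMPRESSION", 0x02: "GUID_DEFINED", 0x10: "PE32", 0x12: "TE",
                 0x13: "DXE_DEPEX", 0x14: "VERSION", 0x15: "USER_INTERFACE",
                 0x17: "FIRMWARE_VOLUME_IMAGE", 0x19: "RAW", 0x1B: "PEI_DEPEX"}
FV_HDR_FMT = "<16s16sQ4sIHHHBB"   # EFI_FIRMWARE_VOLUME_HEADER without the block map


def align(n, a):
    return (n + a - 1) & ~(a - 1)


def u24(b):
    return int.from_bytes(b, "little")


# ---- builder: a constructed sample volume, not a dump of any real vendor image ----
def build_section(stype, body):
    size = 4 + len(body)                         # 3-byte size counts the 4-byte header
    return struct.pack("<I", size)[:3] + bytes([stype]) + body


def build_ffs_file(name, ftype, sections):
    body = b""
    for s in sections:
        body += b"\x00" * (align(len(body), 4) - len(body))   # sections are 4-byte aligned
        body += s
    size = 24 + len(body)
    hdr = bytearray(name.bytes_le + bytes([0, 0, ftype, 0]) + struct.pack("<I", size)[:3] + b"\x00")
    hdr[16] = (-sum(hdr)) & 0xFF   # IntegrityCheck.Header: 8-bit sum of header (File, State = 0) is 0
    hdr[17] = 0xAA                 # IntegrityCheck.File = FFS_FIXED_CHECKSUM (FFS_ATTRIB_CHECKSUM clear)
    hdr[23] = 0xF8                 # State: CONSTRUCTION|HEADER_VALID|DATA_VALID, inverted (polarity 1)
    return bytes(hdr) + body


def build_fv(files, fv_len=0x400):
    body = b""
    for f in files:
        body += b"\xff" * (align(len(body), 8) - len(body))    # files are 8-byte aligned
        body += f
    hdr_len = struct.calcsize(FV_HDR_FMT) + 16                   # + one block-map entry + terminator
    hdr = bytearray(struct.pack(FV_HDR_FMT, b"\x00" * 16, EFI_FIRMWARE_FILE_SYSTEM2_GUID.bytes_le,
                                fv_len, b"_FVH", 0x0004FEFF, hdr_len, 0, 0, 0, 2)
                    + struct.pack("<IIII", 1, fv_len, 0, 0))
    csum = sum(struct.unpack("<%dH" % (hdr_len // 2), hdr))
    struct.pack_into("<H", hdr, 50, (-csum) & 0xFFFF)          # 16-bit sum of the header must be 0
    blob = bytes(hdr) + body
    return blob + b"\xff" * (fv_len - len(blob))                 # rest of the volume is erased flash


SAMPLE_DRIVER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed file name


def build_sample_fv():
    driver = build_ffs_file(SAMPLE_DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, [
        build_section(0x13, b"\x06\x08"),                                   # DXE_DEPEX: TRUE END
        build_section(0x15, "HelloDxe".encode("utf-16-le") + b"\x00\x00"),  # UI name, UCS-2
        build_section(0x10, b"MZ" + b"\x00" * 62),                          # stand-in for a PE32 image
    ])
    return build_fv([driver])


# ---- parser: the walk a firmware tool performs when it lists a volume ----
def parse_fv(data):
    fields = struct.unpack_from(FV_HDR_FMT, data, 0)
    fv_len, sig, hdr_len = fields[2], fields[3], fields[5]
    if sig != b"_FVH":
        raise ValueError("missing _FVH signature")
    if sum(struct.unpack_from("<%dH" % (hdr_len // 2), data, 0)) & 0xFFFF:
        raise ValueError("bad FV header checksum")
    files, off = [], hdr_len
    while off + 24 <= fv_len:
        hdr = bytearray(data[off:off + 24])
        if hdr[:16] == b"\xff" * 16:                 # erased flash: no more files
            break
        hdr[17] = hdr[23] = 0                        # File checksum and State excluded from the sum
        if sum(hdr) & 0xFF:
            raise ValueError("bad FFS header checksum at 0x%x" % off)
        ftype, fsize = hdr[18], u24(hdr[20:23])
        entry = {"offset": off, "name": str(uuid.UUID(bytes_le=bytes(hdr[:16]))),
                 "type": ftype, "sections": []}
        soff, end = off + 24, off + fsize
        while ftype != EFI_FV_FILETYPE_FFS_PAD and soff + 4 <= end:
            ssize, stype = u24(data[soff:soff + 3]), data[soff + 3]
            entry["sections"].append((SECTION_TYPES.get(stype, "0x%02x" % stype),
                                      bytes(data[soff + 4:soff + ssize])))
            soff = align(soff + ssize, 4)
        files.append(entry)
        off = align(off + fsize, 8)
    return files


def ui_names(files):
    """Map file GUID -> USER_INTERFACE name (UCS-2, NUL terminated) where one exists."""
    return {f["name"]: body.decode("utf-16-le").rstrip("\x00")
            for f in files for stype, body in f["sections"] if stype == "USER_INTERFACE"}
```

The USER_INTERFACE section is where the readable module name (what UEFITool shows next to the GUID) comes from; the DXE_DEPEX section is the one to look at for the loading-order question later in the talk. Compressed and GUID-defined sections, and nested firmware volumes, are where a real parser recurses; this walk stops at the first level on purpose.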
Boot steps
1 Security (SEC) Phase
2 Pre-EFI Initialization (PEI) Phase
3 Driver Execution Environment (DXE) Phase
4 Boot Device Selection (BDS) Phase
5 Runtime (RT) Phase
6 Afterlife (AL) Phase
Agenda
3 DXE
Driver Execution Environment
Biggest part of a firmware
Most of the "user input" will be handled here
The DXE phase is split into drivers
The DXE phase is generally concentrated in one section of the FileSystem
DXE driver
DXE driver generalities
Drivers are executables, PE32+ or TE (Terse Executable)
Native code or EFI Byte Code (never encountered EBC)
Different kinds of "drivers":
EFI Application
Boot Service Driver
Runtime Driver
DXE driver goals
Initialize hardware
Hardware abstraction
Management interface (GUI and so on)
Network (PXE!)
Boot paths
...
DXE driver loading order
Loading order
Pretty much arbitrary
Dependencies between drivers
A global order can be defined
Generally uses DEPEX
DEPEX
Stored as a section (DXE_DEPEX or PEI_DEPEX) in the same FFS file as the driver's executable
Really simple bytecode with 10 opcodes
Allows stating which protocol GUIDs are necessary
Can give you information about the dependencies
Demo
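The dependency expression is small enough to decode by hand, but decoding it with a script also lets you answer the question the dispatcher answers: given the protocols installed so far, is this driver ready to run? The block below is an added example, not code from the talk; the opcode table follows the UEFI PI specification (volume 2), the GUID labels are a handful of real protocol GUIDs from the UEFI specification, and the sample expression is constructed to mimic the usual "PUSH, PUSH, AND, END" shape of a real DXE_DEPEX section.

```python
"""Disassemble and evaluate a DXE dependency expression (the body of a DXE_DEPEX section)."""
import uuid

# Opcodes of the dependency expression bytecode, UEFI PI specification volume 2.
OPCODES = {0x00: "BEFORE", 0x01: "AFTER", 0x02: "PUSH", 0x03: "AND", 0x04: "OR",
           0x05: "NOT", 0x06: "TRUE", 0x07: "FALSE", 0x08: "END", 0x09: "SOR"}
OPNAMES = {v: k for k, v in OPCODES.items()}
WITH_GUID = ("BEFORE", "AFTER", "PUSH")         # these carry a 16-byte GUID operand

# A few protocol GUIDs from the UEFI specification, to label PUSH operands.
KNOWN_GUIDS = {
    uuid.UUID("09576e91-6d3f-11d2-8e39-00a0c969723b"): "EFI_DEVICE_PATH_PROTOCOL",
    uuid.UUID("964e5b21-6459-11d2-8e39-00a0c969723b"): "EFI_BLOCK_IO_PROTOCOL",
    uuid.UUID("387477c2-69c7-11d2-8e39-00a0c969723b"): "EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL",
    uuid.UUID("5b1b31a1-9562-11d2-8e3f-00a0c969723b"): "EFI_LOADED_IMAGE_PROTOCOL",
}


def assemble(tokens):
    """Build a depex blob from [("PUSH", guid), ("AND", None), ...]; used for the sample."""
    out = b""
    for name, g in tokens:
        out += bytes([OPNAMES[name]]) + (g.bytes_le if name in WITH_GUID else b"")
    return out


def decode_depex(blob):
    """Return [(opcode_name, guid_or_None), ...] up to and including END."""
    ins, i = [], 0
    while i < len(blob):
        name = OPCODES.get(blob[i])
        if name is None:
            raise ValueError("unknown depex opcode 0x%02x at %d" % (blob[i], i))
        if name in WITH_GUID:
            if i + 17 > len(blob):
                raise ValueError("truncated GUID operand at %d" % i)
            ins.append((name, uuid.UUID(bytes_le=bytes(blob[i + 1:i + 17]))))
            i += 17
        else:
            ins.append((name, None))
            i += 1
        if name == "END":
            return ins
    raise ValueError("depex has no END opcode")


def disassemble(ins):
    """Human-readable listing, with GUIDs resolved through KNOWN_GUIDS when possible."""
    return [name if g is None else "%s %s ; %s" % (name, g, KNOWN_GUIDS.get(g, "?"))
            for name, g in ins]


def evaluate(ins, installed, scheduled=False):
    """Decide whether the driver is dispatchable given the set of installed protocol GUIDs.

    Mirrors the DXE dispatcher: PUSH tests whether a protocol is installed, AND/OR/NOT
    combine results, SOR defers dispatch until the driver is explicitly scheduled,
    BEFORE/AFTER only constrain ordering relative to another file.
    """
    if ins and ins[0][0] in ("BEFORE", "AFTER"):
        return True                               # ordering-only expression: always dispatchable
    stack = []
    for name, g in ins:
        if name == "SOR":
            if not scheduled:
                return False
        elif name == "PUSH":
            stack.append(g in installed)
        elif name in ("TRUE", "FALSE"):
            stack.append(name == "TRUE")
        elif name == "NOT":
            stack.append(not stack.pop())
        elif name in ("AND", "OR"):
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if name == "AND" else (a or b))
        elif name == "END":
            break
    if len(stack) != 1:
        raise ValueError("malformed depex: %d values left on the stack" % len(stack))
    return stack[0]


# Constructed sample: the typical "PUSH ... PUSH ... AND ... END" shape of a real DXE_DEPEX.
DEVICE_PATH = uuid.UUID("09576e91-6d3f-11d2-8e39-00a0c969723b")
BLOCK_IO = uuid.UUID("964e5b21-6459-11d2-8e39-00a0c969723b")
SAMPLE_DEPEX = assemble([("PUSH", DEVICE_PATH), ("PUSH", BLOCK_IO), ("AND", None), ("END", None)])

if __name__ == "__main__":
    for line in disassemble(decode_depex(SAMPLE_DEPEX)):
        print(line)
```

Running the disassembler over every DXE_DEPEX section of a dump gives you the dependency graph of the firmware for free, which is also a quick way to spot drivers that depend on an unusual, vendor-specific protocol GUID worth a closer look.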
Services and Protocols
Services
Drivers need an API for basic things
The DXE Foundation MUST provide a limited set of services to the drivers (the Boot Services and Runtime Services tables, reached through the EFI System Table)
Allow timing, allocation, global variables, ...
And in particular the declaration and request of protocols
Protocols
Drivers need a way to communicate
Protocols allow drivers to offer services to each other
Can be anything from printing on the screen to sending network packets or handling USB
EFI System Table
UEFI specification
Reversing first steps
Decode the EFI System Table and the services tables
Find any references to the services, in particular the declaration and request of protocols (e.g. InstallProtocolInterface, LocateProtocol)
Look for GUIDs
With only that you can have a good idea of what the driver does
IDA Python plugin: efi-utils [1]
Demo!
[1] https://github.com/snare/ida-efiutils
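The "look for GUIDs" step is mechanical: a GUID is a fixed 16-byte pattern, so a table of known ones can be matched against the raw image before anything is disassembled, which is what efi-utils does inside IDA. The block below is an added example, not code from the talk or from efi-utils. The GUIDs are real ones from the UEFI specification, written the way EDK2 headers spell them so the little-endian packing is explicit; the "driver image" is a constructed byte string with two of them planted in it, not a real driver.

```python
"""Find known protocol / variable GUIDs in a DXE driver image, the way efi-utils labels them in IDA."""
import struct


def guid_from_c(d1, d2, d3, d4):
    """Pack an EFI_GUID written the way EDK2 headers spell it into its in-memory byte pattern.

    EFI_GUID is { UINT32 Data1; UINT16 Data2; UINT16 Data3; UINT8 Data4[8]; }: the first three
    fields are little-endian, Data4 is stored as-is. This is the form you grep for in a raw
    image and the form a disassembler shows in the data segment.
    """
    return struct.pack("<IHH8B", d1, d2, d3, *d4)


def guid_to_str(raw):
    """Render 16 in-memory bytes in the canonical registry format (what UEFITool shows)."""
    d1, d2, d3 = struct.unpack_from("<IHH", raw)
    return "%08x-%04x-%04x-%s-%s" % (d1, d2, d3, raw[8:10].hex(), raw[10:16].hex())


# GUIDs from the UEFI specification, in the C-initializer form found in EDK2 (MdePkg/Include).
SIMPLE_TEXT_INPUT = guid_from_c(0x387477c1, 0x69c7, 0x11d2, (0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b))
SIMPLE_FILE_SYSTEM = guid_from_c(0x964e5b22, 0x6459, 0x11d2, (0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b))
PCI_IO = guid_from_c(0x4cf5b200, 0x68b8, 0x4ca5, (0x9e, 0xec, 0xb2, 0x3e, 0x3f, 0x50, 0x02, 0x9a))
GLOBAL_VARIABLE = guid_from_c(0x8be4df61, 0x93ca, 0x11d2, (0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c))
KNOWN = {
    SIMPLE_TEXT_INPUT: "EFI_SIMPLE_TEXT_INPUT_PROTOCOL",
    SIMPLE_FILE_SYSTEM: "EFI_SIMPLE_FILE_SYSTEM_PROTOCOL",
    PCI_IO: "EFI_PCI_IO_PROTOCOL",
    GLOBAL_VARIABLE: "EFI_GLOBAL_VARIABLE",   # a variable vendor GUID, not a protocol: hints at Get/SetVariable use
}


def scan_guids(image, table=KNOWN):
    """Return sorted [(offset, name)] for every known GUID found at any byte offset of the image."""
    hits = []
    for raw, name in table.items():
        start = 0
        while True:
            off = image.find(raw, start)
            if off < 0:
                break
            hits.append((off, name))
            start = off + 1
    return sorted(hits)


def build_sample_image():
    """Constructed stand-in for a driver's .rdata: deterministic filler with two GUIDs planted in it."""
    filler = bytes((i * 7 + 3) & 0xFF for i in range(0x40))
    return filler + PCI_IO + filler[:0x20] + GLOBAL_VARIABLE + filler[:0x10]


if __name__ == "__main__":
    for off, name in scan_guids(build_sample_image()):
        print("0x%04x  %s" % (off, name))
```

A hit on a protocol GUID tells you which service the driver locates or installs; a hit on a variable vendor GUID such as EFI_GLOBAL_VARIABLE tells you the driver reads or writes NVRAM variables, which is user-controlled input and therefore the first place to look when the goal is security rather than understanding. Unknown GUIDs (no table entry) are just as interesting: they are usually vendor protocols with no public documentation.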
Input and Output
MMIO
Memory-mapped I/O
Typically a hard-coded address (but not always)
Can give good information
Use chipsec for finding the base addresses
IO port
Can give good information
Can be relative (a base address read from a configuration register, plus an offset)
Some important ones:
0x80 IO_POST
0xcf8 IO_PCI_CONFIG_ADDRESS
0xcfc IO_PCI_CONFIG_DATA
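When a driver writes a constant to 0xCF8 and then reads or writes 0xCFC (or one of the three ports after it), it is talking to PCI configuration space, and the constant tells you exactly which device and register. The block below is an added example, not code from the talk: it encodes and decodes the 0xCF8 address format and turns a list of port operations, of the kind read off a disassembly, into readable PCI accesses. The sample sequence is constructed; device 31 function 0 is the LPC bridge on Intel platforms, the register numbers are arbitrary.

```python
"""Decode legacy PCI configuration accesses through I/O ports 0xCF8/0xCFC."""
IO_PCI_CONFIG_ADDRESS = 0xCF8
IO_PCI_CONFIG_DATA = 0xCFC


def pci_config_address(bus, dev, func, reg):
    """Value written to 0xCF8: enable bit 31, bus[23:16], device[15:11], function[10:8], dword-aligned reg."""
    if not (bus < 256 and dev < 32 and func < 8 and reg < 256):
        raise ValueError("bus/device/function/register out of range")
    return 0x80000000 | (bus << 16) | (dev << 11) | (func << 8) | (reg & 0xFC)


def decode_config_address(value):
    """Inverse of pci_config_address: (bus, dev, func, reg), or None if the enable bit is clear."""
    if not value & 0x80000000:
        return None
    return (value >> 16) & 0xFF, (value >> 11) & 0x1F, (value >> 8) & 0x7, value & 0xFC


def decode_io_sequence(ops):
    """Turn port operations, as read off a disassembly, into PCI configuration accesses.

    ops: (direction, port, width_in_bytes, value); value is None for an "in" whose result is unknown.
    An access at 0xCFD..0xCFF (or a 16-bit one at 0xCFE) selects a byte/word inside the dword
    selected through 0xCF8, so the port offset is added to the register number.
    """
    out, current = [], None
    for direction, port, width, value in ops:
        if port == IO_PCI_CONFIG_ADDRESS and direction == "out" and width == 4:
            current = decode_config_address(value)
        elif IO_PCI_CONFIG_DATA <= port <= IO_PCI_CONFIG_DATA + 3 and current is not None:
            bus, dev, func, reg = current
            reg += port - IO_PCI_CONFIG_DATA
            out.append("%s B%d:D%d:F%d reg 0x%02X (%d byte%s)%s" % (
                "read" if direction == "in" else "write", bus, dev, func, reg, width,
                "" if width == 1 else "s", "" if value is None else " = 0x%X" % value))
    return out


# Constructed sequence, the shape you see in a driver that pokes the LPC bridge at D31:F0.
SAMPLE_OPS = [
    ("out", 0xCF8, 4, 0x8000F8F0),   # select bus 0, device 31, function 0, register 0xF0
    ("in",  0xCFC, 4, None),         # read the whole dword
    ("out", 0xCF8, 4, 0x8000F840),   # select register 0x40 of the same device
    ("in",  0xCFE, 2, None),         # 16-bit read at 0xCFE: register 0x42
    ("out", 0xCFD, 1, 0x55),         # byte write to register 0x41
]

if __name__ == "__main__":
    for line in decode_io_sequence(SAMPLE_OPS):
        print(line)
```

The register a driver reads this way is very often a base address (a PCI BAR, or a PCH base register for an ACPI/GPIO/SPI block), which is then used for the MMIO or "relative" port accesses mentioned above; resolving the config access first is what makes the later accesses readable.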
Finding the documentation
Hardware datasheets
Processor
PCH (or your equivalent)
Graphics card, network card, ...
Code
EDK, EDK2, UDK2014...
Coreboot
Driver implementations, ...
Specifications
UEFI specification
UEFI PI specification
ACPI, PCI, TPM, ...
Agenda
4 Conclusion
RE DXE driver 101
Nothing really hard
Time consuming
A lot of things are not documented (at least publicly)
You don't need to read the specification to begin
If you are interested, just go for it
Going further
SMM
Secure Boot
Measured Boot & TPM
Vulnerability research
...
Questions?