In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems - including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues - most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).
Rodrigo Rubira Branco (BSDaemon) works as Senior Principal Security Researcher at Intel Corporation in the Security Center of Excellence where he leads the Core Client and BIOS Teams. Rodrigo released dozens of vulnerabilities in many important software in the past. In 2011 he was honored as one of the top contributors of Adobe. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. He is an active contributor to open- source projects (like ebizzy, linux kernel, others). Accepted speaker in lots of security and open-source related events as Black Hat, Hack in The Box, XCon, OLS, Defcon, Hackito, Zero Nights, PhDays, Troopers and many others. Rodrigo is also part of the committee for many security conferences, such as Black Hat (invited reviewer), PhDays, Hackito, NoSuchCon, Opcde, CCNC, LACSEC and others.
Vincent Zimmer is a Senior Principal Engineer in the Software and Services Group at Intel Corporation. Vincent Has been developing firmware for the last 25 years and has led the efforts in EFI, now UEFI, security since 1999. In addition to chairing the UEFI Security Subteam in the UEFI Forum www.uefi.org and writing specifications and papers, Vincent has written several books on firmware https://www.amazon.com/Vincent-Zimmer/e/B002I6IW4A/. Vincent has spoken at several events, including Cansecwest, BSides, Toorcamp, Open Compute, and the Intel Developer Forum. Vincent also coordinates efforts on the EDKII security http://www.tianocore.org/security/ and represents Intel for the UEFI Security Response team www.uefi.org/security
Bruce Monroe is the team lead for the Intel Product Security Incident Response Team (Intel PSIRT) Intel's Security Center of Excellence (SeCoE). The PSIRT team is responsible for leading Intel's product security response efforts for escapes in our shipping products and services. Bruce started with Intel in September 1996 and has held numerous roles throughout Intel including working in IT Operations and Product Security. Bruce was a founding member of Intel Security Operations Center following 9/11, and was the first full time hire for Intel's PSIRT team in 2007. He is the Intel's technical representative to the Internet Consortium for the Advancement of Security of the Internet, and to the Forum of Incident Response Team's Vendor Special Interest Group. Bruce helped to draft the Common Vulnerability Scoring System Version 3 that is an industry standard for vulnerability scoring. He's very active in industry incident response circles and has a broad network of security minded professionals both internally and externally. He's contributed to several industry standards on computer forensics, vulnerability, and incident response. He's handled numerous high profile incident response events including a number of talks impacting Intel products at Blackhat.