Bypassing Hardware-Based Trusted Boot Through x86 Downgrade
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Explore the intricacies of bypassing hardware-based trusted boot through x86 downgrade in this 33-minute conference talk from the Hack In The Box Security Conference. Delve into the vulnerability discovered in the Intel CPU microcode loader, which allows CPU microcode to be downgraded and potentially removes security fixes for vulnerabilities such as Spectre var2. Examine the implications of loading older versions of Intel Authenticated Code Modules (ACMs) and their impact on Intel security technologies such as Boot Guard, BIOS Guard, TXT, and SGX. Learn how re-exploiting vulnerabilities that were already patched in newer ACMs can lead to bypassing trusted/measured boot on Intel TXT and BIOS Guard protected platforms. Gain insights into firmware security, undocumented technologies, and architectural flaws as the speaker demonstrates the practical application of this attack vector on a real-world system.
Syllabus
Intro
Inside Intel CPU
Firmware Interface Table (FIT)
Microcode Update binary main header
Microcode Update binary extended header
Microcode Update binary data
Known facts about Microcode
Authenticated Code Modules (ACMs)
Useful links to start digging
Updating Microcode in UEFI BIOS
Microcode Update loading process
Platform Init
Microcode Downgrade
Side channel attacks
Debug capabilities
Downgrading ACMs. Intel BIOS Guard
Downgrading ACMs. Intel TXT
Report and Reaction
Mitigations
Taught by
Hack In The Box Security Conference
Related Courses
Physical and Advanced Side-Channel Attacks (Graz University of Technology via edX)
Side-Channel Security: Developing a Side-Channel Mindset (Graz University of Technology via edX)
Introduction to Software Side Channels and Mitigations (Graz University of Technology via edX)
Cryptography and Information Theory (University of Colorado System via Coursera)
Hardware Security (University of Maryland, College Park via Coursera)