Automatic Extraction of Exploitation Primitives in UEFI

The Unified Extensible Firmware Interface (UEFI) is a modern replacement for the traditional BIOS that is commonly used in computers. UEFI serves as the interface between the computer's firmware and the operating system, providing a standardized way for the hardware and software to communicate. UEFI, while offering enhanced security features, introduces its own set of security risks. These vulnerabilities are particularly dangerous due to their low-level nature, enabling attackers to compromise a system's integrity and persistence. UEFI vulnerabilities can be exploited to install rootkits, bypass Secure Boot protections, and gain unauthorized control over a system, making them a prime target for malicious actors. An attacker is able to interact with UEFI through NVRAM variables, which serve as a fundamental mechanism employed by UEFI modules for preserving configuration data throughout successive boot cycles. Another method is through System Management Interrupt (SMI) handlers. SMI handlers are the elements responsible for receiving and processing data originating from external sources while operating within the confines of the System Management Mode (SMM) execution environment. SMM is a secure operational mode specific to x86 processors that enables the handling of highly privileged data and the management of low-level hardware operations, such as power management. To find these vulnerabilities, we considered three different fuzzing approaches. The first one is about fuzzing functionality by asking the fuzzer to provide values for NVRAM variables, which are then processed by the functionality under test. While many of these variables are architecturally defined, others are defined by vendors to be used specifically in proprietary firmware drivers and can be easily identified by analyzing UEFI modules using reverse engineering tools. The second approach is to translate specific drivers into a user-space executable program, eliminating the complexity given by the use of an emulator. As a result, state-of-the-art off-the-shelf fuzzers can be used directly, also simplifying the process of identifying the root cause of a crash. The last approach focuses on the analysis of SMI handlers. To fuzz SMI handlers, a Linux kernel module was used as a point of interaction, since it is possible to inject data into the memory later used by the SMI handler and then trigger an SMI to execute the handler. By using distinct approaches, different classes of vulnerabilities can be identified in both whitebox and blackbox modes. Specifically, using the second approach, we were able to identify vulnerabilities in drivers provided by DARPA.