Hunting and Reversing UEFI Firmware Implants

$2,299.00

Duration

2 days

Delivery Method

virtual

Level

intermediate

Seats Available

20

REGISTRATION CLOSED

DATE: 7-8 November 2022

TIME: 09:00 to 17:00 GST/GMT+4

Date    Day      Time                    Duration
07 Nov  Monday   09:00-17:00 GST/GMT+4   8 Hours
08 Nov  Tuesday  09:00-17:00 GST/GMT+4   8 Hours

This 2-day course introduces students to real-world attack scenarios on devices powered by UEFI firmware. The course starts from the low-level internals of the modern operating system boot process, from the perspective of a security researcher interested in bootkit analysis, detection/forensics and vulnerability research. After the OS boot process, the course goes down to the firmware and discusses UEFI architecture and internals with a focus on security researcher needs (including common vulnerabilities and design mistakes). The second part of the course focuses on UEFI firmware implants (from the hardware and firmware perspective) and covers threat modeling, attack surface, forensics, and reverse engineering. The course will build a mindset for hunting unknown firmware threats, including from the supply chain perspective.

Over the course, students will learn about UEFI internals from different perspectives, such as firmware implant developer, malware researcher and vulnerability researcher. After the course, students will have knowledge of common firmware attacks, exploits, security feature bypasses and architectural mistakes in the firmware development process which can potentially lead to successful implant installation. During the course, most of the exercises are based on hardware-based challenges specially created to reproduce a real-life environment.

Key Learning Objectives
  • Learn about the modern OS boot process and bootkits
  • Understand how to hunt for bootkits by dissecting some
  • Discover how UEFI is implemented and how to reverse engineer it

Topics Covered

  • Common UEFI firmware vulnerabilities which lead to implant installation
  • Hunting for implants with common tools (UEFITool, Chipsec, RWEverything)
  • Reverse engineering UEFI DXE/PEI drivers (including QEMU automation tricks, IDAPython and custom plugins)
  • Forensic approaches for UEFI (including firmware acquisition with software and hardware tools such as GreatFET and DediProg)
  • Common security configuration mistakes and the supply chain risk model

Agenda

Day 1
  • Digging down to the firmware
  • Modern OS boot process internals and reversing
  • Legacy bootkits case study, deep dive into boot sectors (MBR/VBR)
  • Evolution of bootkits, messing with OS bootloaders (MS Win10)
  • Introduction to the UEFI world from the security challenges perspective
  • Deep dive into UEFI internals
  • Connection points between UEFI and OS (UEFI System/Runtime Services, ACPI, HW ports)
  • UEFI firmware boot process, hardware relations and where security features get enabled
  • Different shades of UEFI Secure Boot
  • Intel Boot Guard/BIOS Guard and where implementations fail
  • UEFI firmware update process from OS and UEFI shell
  • Introduction to UEFI firmware implants

Day 2
  • Dissecting UEFI implants
  • Types and classification of UEFI firmware/hardware implants
  • Creating a threat model/attack surface from the implant installation perspective
  • Differences, from the implant perspective, between UEFI firmware vendors: Coreboot and AMI/Phoenix/Insyde
  • Playing with IDA and Ghidra to understand implant behavior and nature
  • Hunting implants in real-world environments
  • Introduction to common hardware and firmware supply-chain risk models
  • Dissecting supply chain problems on real-world hardware

Format

The relative breakdown of the course materials is as follows:
– 40% Lecture
– 50% Lab
– 10% Discussion

Who Should Attend

  • Reverse engineers
  • Malware analysts

Prerequisite Knowledge

Students should have prior experience in reverse engineering and be familiar with malware analysis techniques.

Hardware / Software Requirements

Students should bring an x86 laptop with approximately 15GB of free space. A variety of (Python-based) tools will be installed and used, which can run on Linux and Windows. A VMware image will be provided which has all tools installed, but students are free to install the tools directly on their own computer. Students are encouraged to bring a computer with VMware Workstation already installed to reduce setup time.

Your Instructors

Alex Ermolov leads supply chain and platform security research and development at Binarly Inc. With more than 10 years of experience in researching low-level design, firmware and system software built for various platforms and architectures, he helps to create a solution for protecting devices against firmware threats.

Yegor Vasilenko is an experienced Security Researcher focused on reverse engineering and firmware analysis. Nowadays he enjoys firmware reverse engineering and tool development. Yegor is one of the maintainers of a popular tool called efiXplorer for UEFI firmware reverse engineering and vulnerability research.

Alex Matrosov is CEO and Founder of Binarly Inc., where he builds an AI-powered platform to protect devices against emerging firmware threats. Alex has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. He served as Chief Offensive Security Researcher at Nvidia and Intel Security Center of Excellence (SeCoE). Alex is the author of numerous research papers and the bestselling award-winning book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences, such as REcon, Black Hat, OffensiveCon, WOOT, DEF CON, and many others. Additionally, he was awarded multiple times by Hex-Rays for his open-source contributions to the research community.