x86-64 Intel Firmware Attack & Defense



2 days

Delivery Method

Guided Own Pace




DATE: 21-22 August 2023

TIME: 09:00 to 17:00 ICT/GMT+7

Date    Day      Time                    Duration
21 Aug  Monday   09:00-17:00 ICT/GMT+7   8 Hours
22 Aug  Tuesday  09:00-17:00 ICT/GMT+7   8 Hours

Go HERE to take this class as a 4-Day Buffet course.
Go HERE to take this class as a 3-Day Buffet course.
Go HERE to join just the x86-64 assembly class.
Go HERE to join just the x86-64 OS internals class.

This class is run a little differently from most classes. We provide you purpose-built recorded lectures instead of trapping you in real time with live lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you’re paying attention ;)). One of many benefits is that you can watch lectures at 2x speed, zoom ahead of the other students, and get to the hands-on labs quicker. Or if there are bits of material you already know, you can just skip them and move on to the bits you don’t know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, because any accidental errors get edited out.

Because we give you all the lecture and lab materials and videos after class, what you’re really paying for is support from the instructor! So you’ll be entitled to keep asking up to 20 questions after class, with 1-2 hour turnaround answers (after accounting for time-zone differences.) This lets you keep productively working through the material if you run out of time at the conference. If you’d like to learn more about the benefits of this style of class delivery, please read this blog post.


Key Learning Objectives
  • Understand the original 16-bit “Real Mode” which the x86 CPU reset vector executes in.
  • Understand 16-bit segmentation & assembly.
  • Understand the evolution of Intel chipsets, and how to find the manual which corresponds to any given hardware.
  • Understand how firmware uses IO to configure Intel and 3rd party hardware at boot time.
  • Understand how firmware interacts with PCIe devices at boot time, both within the CPU/chipset, and 3rd party peripherals.
  • Understand the core purposes of PCIe Option ROMs, but also how they can be used by attackers.
  • Be capable of manually reading/writing the firmware-storage SPI flash through the register interface.
  • Understand the protection mechanisms for the SPI flash and how they can be bypassed.
  • Understand the protection mechanisms for System Management Mode and how they can be bypassed.
  • Understand how Chipsec can be used to assess the security posture of a firmware for both attack and defense.
  • Understand how the ACPI S3 “sleep” power state can be used to attack systems.
  • Be comfortable with Reading The Fun Manual(!) to go seek out the most accurate details of how things work.


What Students say about this training

SO much visualization; there is zero “wall of texts” slides.

I loved the threat trees and explanations that went along with them, the more narrative approach made it easy to stay engaged.

I like that it’s progressive and well taught with lots of tricks to make the material less dry.

Really enjoyed the mix of lecture with some practical investigation on hardware with Chipsec.

The animated diagrams and humor mixed in with the slides worked really well for communicating how memory and registers were arranged and how bytes and nibbles split into different fields.

The “go forth and read things you will now understand better” research unlocked sections were great motivation for learning new things and letting me dive into rabbit holes of neat information.

The explanation of how the manuals are organized and how to find information in them along with the little fact lookup missions are so valuable, especially with Intel manuals.

I really enjoyed this class and the material. I will be referring to it frequently I am sure. I am also thankful for the collection of data sheets in the gitlab repo. That is a nice touch and I’m sure it took a long time to collect and organize.


Topics covered

  • Attacker motivations & capabilities


Reset Vector

  • The “Real Mode” execution environment
  • Reading reset vector assembly and the transitions to “Protected Mode”


Intel Chipsets

  • The evolution of the platform architecture
  • Finding the correct manual for the hardware you bring to class, to find the correct offsets to memory mapped IO registers for the rest of the class


IO

  • Memory Mapped IO (MMIO) as used by firmware
  • Port IO (PIO) as used by firmware
  • Hardware-defined vs. reconfigurable memory spaces


PCIe

  • Evolution, topology, and usage by firmware
  • Configuration address space MMIO vs. PIO accesses
  • Base address registers & extended configuration address space
  • “Option ROMs” and how they’ve been repeatedly used for attacks


SPI Flash

  • Introduction & supported SPI operation modes on x86
  • MMIO register-based SPI flash programming interface
  • SPI flash layout & the Intel flash descriptor
  • SPI protection threat tree, moves and counter-moves:
    – Protected Range Registers (PRRs) and bypasses such as a failure to set FLOCKDN + sleep attacks
    – SMM-based BIOS Lockdown and bypasses such as SMI suppression + sleep attacks


System Management Mode (SMM)

  • Introduction & System Management Interrupts (SMIs)
  • System Management RAM (SMRAM) & the protection thereof
  • SMM threat tree, moves and counter-moves:
    – Caching attacks
    – Remapping attacks
    – SMM call-out vulnerabilities
    – SMM confused deputy attacks
    – SMM TOCTOU attacks


Power-transition attacks

  • x86 ACPI S3 low-power sleep effects on SPI & SMM protection
  • Attacks exploiting S3 sleep states





Why You Should Take This Course

This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to read and understand the existing attack and defense research in the space, by walking explicitly through the threat tree of attack and defense moves and counter-moves.
And as always, this class teaches you to be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work, and to seek out new problems in new areas that no one has looked at yet, with a security mindset.
You can also opt to attend this class on 23 & 24 Aug instead. To do so, just email sectraininfo@hitb.org

Who Should Attend

  • People who want to start their journey up the skill tree towards such professions as reverse engineering, malware analyst, vulnerability hunter, security researcher, OS engineer, or systems architect.
  • People who gain satisfaction from understanding how systems really work at a very deep level.
  • People who don’t have a lot of free time outside of work, and who thus want to use this time to hunker down and jam through all this material with full instructor support.

Prerequisite Knowledge

You should have knowledge of x86-64 assembly and architecture equivalent to that provided in the x86-64 Assembly class, also offered at HITB. You should also have the knowledge of control registers, model-specific registers, segmentation, and port IO provided in the x86-64 OS Internals class, also offered at HITB. If you don’t have that background, or if you just need a refresher, you can sign up for Xeno’s All You Can Learn Buffet class to go through that material before proceeding to this class’s material.

Hardware / Software Requirements

  • A Windows or Linux system capable of running Intel Simics. Note: you don’t really need a 10th gen CPU to run it, as we won’t be doing anything too performance-demanding with it.
  • Headphones for watching videos (preferably over-ear, so you’re not disturbed as the instructor walks around the class answering individuals’ questions).

Your Instructor

Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team’s first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore.

And after presenting a firmware worm that could spread between Macs via Apple’s EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals – everything from 3rd party GPUs to SecureBoot for monitors! He also worked on the x86 side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture – being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.