Exploiting UEFI SMM Vulnerabilities for Persistent Implants
Hack In The Box Security Conference via YouTube
Overview
Dive deep into UEFI System Management Mode (SMM) vulnerabilities and learn how persistent firmware-level exploits are developed in this 55-minute conference talk. Explore BIOS firmware security, understanding how UEFI has evolved into a complex pre-OS operating system with an expansive attack surface that attackers can leverage for unparalleled system control. Master the fundamentals of SMM, the most privileged x86 processor execution mode (often described as ring -2), and discover why these vulnerabilities are the ultimate prize for exploit developers seeking undetectable, persistent access that can survive for months or years. Begin with essential UEFI and SMM concepts, including SMI invocation calling conventions, existing protection technologies, and current exploit mitigations. Progress through the main SMM vulnerability classes: SMM callouts, confused-deputy attacks, SMRAM memory corruption through unchecked register values and nested pointers, and SMM time-of-check to time-of-use (TOCTOU) vulnerabilities. Conclude with hands-on analysis of real-world examples, following the complete exploit development process from reverse engineering UEFI drivers to identifying vulnerabilities and creating proof-of-concept exploits that bypass common SMM protections using ROP/JOP techniques. Gain practical insight into the broken platform firmware supply chain and understand why SMM vulnerabilities continue to plague the industry, making this essential knowledge for reverse engineers, exploit developers, and researchers focused on low-level platform firmware security.
Syllabus
#OOTB2025BKK - Exploiting UEFI SMM Vulnerabilities For Persistent Implants - Nika Korchok Wakulich
Taught by
Hack In The Box Security Conference