Spectre Strikes Again: Introducing the Firmware Edition
The excitement surrounding speculative execution attacks may have subsided, but sadly, such threats remain. Binarly Research has discovered a vast attack surface that is still vulnerable to known issues like Spectre v1 and v2 on AMD silicon. Ineffective mitigations and the complexity of validating them negatively impact the AMD device ecosystem. While the industry is currently concentrating on constructing confidential computing infrastructure, foundational design problems reveal a lack of basic security at the hardware level. This discovery was made possible by the fact that firmware security fixes and hardware security fixes are developed asynchronously from one another.
Throughout their lifecycle, devices remain susceptible to security issues because firmware security fixes are delivered asynchronously by multiple parties across an asynchronous supply chain. The lack of transparency in vendor security advisories results in an opaque channel for informing customers about the criticality of released security fixes, and it leads to varying approaches to patching widespread vulnerabilities with industry-wide implications. Even major silicon vendors develop mitigations for side-channel attacks differently. This situation presents an opportunity for potential threat actors to exploit known speculative attacks like the 5-year-old Spectre or the 1-year-old Retbleed. A new perspective is needed to understand how speculative attacks can be combined with UEFI-specific firmware vulnerabilities into a single attack vector.
In this presentation, we will discuss our research into the potential use of speculative attacks against the System Management Mode (SMM) on AMD-based devices and outline the methodologies we employed throughout our research investigation.
Alex Matrosov is CEO and Founder of Binarly Inc., where he builds an AI-powered platform to protect devices against emerging firmware threats. Alex has over two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. He served as Chief Offensive Security Researcher at Nvidia and at the Intel Security Center of Excellence (SeCoE). Alex is the author of numerous research papers and of the bestselling, award-winning book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences such as REcon, Black Hat, OffensiveCon, WOOT, DEF CON, and many others. Additionally, he has been recognized multiple times by Hex-Rays for his open-source contributions to the research community.