UEFI is rapidly replacing conventional BIOS on modern computers. This paper discusses two vulnerabilities the authors discovered in the UEFI open source reference implementation and the techniques used to exploit them.
Extreme Privilege Escalation On Windows 8/UEFI Systems
One or more of the PDF files on this page fall under E202.2 Legacy Exceptions and may not be completely accessible. You may request an accessible version of a PDF using the form on the Contact Us page.
The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined "Runtime Service" interface between the operating system and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced an API that allows accessing this UEFI interface from a privileged userland process. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to that of the platform firmware, which attains permanent control of the very-powerful System Management Mode. This paper discusses two such vulnerabilities that the authors discovered in the UEFI open source reference implementation and the techniques that were used to exploit them.