Presentation: Extreme Privilege Escalation On Windows 8/UEFI Systems

August 2014
Topics: Cybersecurity, Computer Security
Corey Kallenberg, The MITRE Corporation
Xeno Kovah, The MITRE Corporation
John Butterworth, The MITRE Corporation
Sam Cornwell, The MITRE Corporation
Download PDF (3.8 MB)

The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined "Runtime Service" interface between the operating system and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced an API that allows accessing this UEFI interface from a privileged userland process. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to that of the platform firmware, which attains permanent control of the very-powerful System Management Mode. This presentation, originally presented at a conference, discusses two such vulnerabilities that the authors discovered in the UEFI open source reference implementation and the techniques that were used to exploit them.


Publication Search