Extreme Privilege Escalation on Windows 8/UEFI Systems

Abstract

The UEFI specification has more tightly coupled the operating system and the platform firmware by providing a well-defined "Runtime Service" interface between the two. This interface is more expansive than the one that existed in the days of conventional BIOS, which has inadvertently increased the attack surface of the platform firmware. Furthermore, Windows 8 has introduced an API that allows a privileged userland process to access this UEFI interface. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to those of the platform firmware, which attains permanent control of the very powerful System Management Mode. This presentation, originally given at a conference, discusses two such vulnerabilities that the authors discovered in the UEFI open source reference implementation and the techniques that were used to exploit them.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2014
Accession Number
AD1107704

Entities

People

  • Corey Kallenberg
  • John Butterworth
  • Sam Cornwell
  • Xeno Kovah

Organizations

  • MITRE Corporation

Tags

Communities of Interest

  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Case Studies
  • Computer Programs
  • Computers
  • Corporations
  • Debugging
  • Determinants (Mathematics)
  • Embedded Systems
  • Environment
  • Extreme Environments
  • Firmware
  • Instructions
  • Instrumentation
  • Iterations
  • Operating Systems
  • Optimization
  • Platforms
  • Security
  • Specifications
  • Standards
  • Virtual Machines
  • Vulnerability

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Database Systems and Applications