How an NSA researcher plans to allow everyone to guard against firmware attacks

The work is the culmination of seven years' worth of research into the security of firmware.

A years-long project from researchers at the National Security Agency that could better protect machines from firmware attacks will soon be available to the public, the lead NSA researcher on the project tells CyberScoop.

The project will increase security in machines essentially by placing a machine’s firmware in a container to isolate it from would-be attackers. A layer of protection is being added to the System Management Interrupt (SMI) handler — code that allows a machine to make adjustments on the hardware level — as part of the open source firmware platform Coreboot.

Eugene Myers, who works in the National Security Agency’s Laboratory for Advanced Cybersecurity, told CyberScoop that the end product — known as an SMI Transfer Monitor with protected execution (STM-PE) — will work with x86 processors that run Coreboot. Attackers are increasingly targeting firmware in order to run malicious attacks. Just last year, the first-ever documented UEFI rootkit was deployed in the wild, according to ESET researchers.

These types of attacks are particularly concerning because if an attacker compromises an endpoint’s firmware, they could gain control of the entire system. Many security software products do not detect firmware attacks.


“[Firmware] runs in a very privileged mode which means it has access to everything in the computer, which makes that piece of software very dangerous in, say, that an attacker can … put his software down there and he can do whatever he wants,” Myers said.

Intel security researcher Maggie Jauregui says firmware attacks are attractive to malicious actors because of how easy it is to avoid detection. When a device goes into the x86 processor mode in question (system management mode), the operating system and other applications get interrupted, making malicious firmware code difficult to detect.

“All processing is interrupted for a very small period of time. So small that the user doesn’t even notice anything happened,” Jauregui said. “Malware [can] interrupt your OS and bypass every protection on your system to do pretty much whatever they want with it. You want passwords or secrets on your system? You got them. You want to run nefarious code? You can do that.”

The implementation Myers is building is intended to function as an anti-tamper technology, preventing this kind of nefarious activity. The STM is a hypervisor, meaning it can isolate physical hardware from a computer’s operating system and can prevent meddling with low-level code, such as power management.

“When [STM-PE is] run, it takes this code and puts it in a box such that it can only access the device system that it needs to access,” Myers said. “[The STM-PE] by that nature will improve the security of the system.”


Jauregui told CyberScoop she is excited about the open source Coreboot project, and the NSA’s contributions, because she says that, being open source, it should affect firmware security writ large.

“The big picture is defense. I think they are significantly increasing the bar of entry for any attacks, not just for U.S. citizens but across the board … That’s what I find to be powerful about these contributions,” Jauregui said. “I think they’re incentivizing everybody to increase their defenses.”

Coming to Linux, too

Although attackers are just starting to utilize firmware hacks, this particular NSA project has been in the works for approximately seven years, Myers tells CyberScoop.

“We had been working the STM internally … on a project and I came to my boss and said, ‘We can do this in the STM, I could put protected execution capability down there.’ And he says, ‘Oh, I didn’t realize you could do that,’” Myers explained.


The project picked up momentum when Intel released STM firmware that runs on its x86 platform as open source in 2015. Making it open source let the NSA build out the protected execution service.

“The Intel STM open sourcing allowed us to open source STM-PE,” Myers said. “What’s happened in the past is we’ve done a lot of one offs. By the time we [would be] done with the project everything’s obsolete. This way we don’t have to worry about obsolescence and being behind the curve.”

Just in the last few days, Myers told CyberScoop, he built out a way for anyone, even Linux users, to build their own implementation if they don’t want to rely on the NSA’s version.

“STM and STM-PE [could] only be built on a Microsoft Windows build system,” Myers said. “However, a huge portion of the open source community is on Linux, and this will make it available for them to directly build the STM.”

The Linux build system version is now available on GitHub. Myers’ contributions to the open source Coreboot project are still pending approvals.


The NSA has long contributed projects for public benefit, such as SELinux, a secure version of Linux, or Ghidra, the open source malware reverse-engineering tool, which the NSA unveiled to the public earlier this year at the RSA conference.

You can read more about Myers’ work here.

Written by Shannon Vavra
