
Binarly Executives to Present on Firmware Security at Black Hat Briefings 2022

PASADENA, Calif.--(BUSINESS WIRE)--Binarly Inc., providers of the industry’s first AI-powered firmware protection platform, today announced plans to present groundbreaking research at Black Hat USA 2022 to call attention to serious security weaknesses in the complex layers of code exposing attack surfaces below the operating system.

Binarly executives, CEO Alex Matrosov and CTO Claudiu Teodorescu, will separately take the stage at the premier security research conference to discuss expanding attack surfaces in the modern system firmware boot process and major gaps in the way SIEMs and EDRs monitor endpoints for signs of attacks.

The two presentations, accepted by the independent Black Hat Review Board, will highlight the discovery of high-impact vulnerabilities related to pre-EFI, SMM and DXE firmware components; and design weaknesses in the default WMI mechanism used to monitor endpoints for signs of malicious compromises.

The first presentation, titled “Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases,” explores recent changes in the UEFI firmware security runtime using one of the most recent Intel CPUs. It will cover the evolution of firmware mitigations in SMM/DXE on x86-based CPUs and discuss new attacks on the Intel Platform Properties Assessment Module (PPAM), which is often used in tandem with the Intel SMI Transfer Monitor (STM).

The findings from this project, which was conducted by Matrosov and Binarly researchers Alex Ermolov, Yegor Vasilenko and Sam Thomas, have never been publicly discussed from the offensive security research perspective.

The second presentation, titled “Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs,” will train the spotlight on major weaknesses in Windows Management Instrumentation (WMI), the mechanism used by existing security technologies to monitor endpoints for signs of malicious attacks.

This project was conducted by Teodorescu and Binarly offensive security researchers Andrey Golchikov and Igor Korkin.

The Binarly team will also be announcing the coordinated release and mitigation of ten (10) new high-impact vulnerabilities affecting firmware from Intel and HP device vendors. FwHunt rules will be publicly available to protect the ecosystem and help to recover from these repeatable failures.

Binarly’s offensive security research expertise was also recognized by the annual Pwnie Awards with a nomination in the “Most Underhyped Research” category. The company’s work in collaboration with Nvidia researchers Alex Tereshkin and Adam 'pi3' Zabrocki on INTEL-SA-00525 (CVE-2021-0144) was lauded by the Pwnies organizers for calling attention to the repeatable failures in the entire firmware supply chain ecosystem.

Quote from Binarly CEO and head of research Alex Matrosov:

“A modern system firmware boot process has multiple phases and is quite complex in general. Different boot phases can contain different security boundaries, allowing attackers to gain more privileges than expected by firmware developers at specific points of the boot process. As a result of inconsistencies in implementation between multiple boot phases and security technologies, there could be room for breaking general security promises. These implementation-based attacks can be hard to fix since many of them require redesigning current security technologies from scratch.”

Quote from Binarly CTO Claudiu Teodorescu:

“Building security solutions that heavily rely on technologies such as Windows Management Interface Management (WMI) is a dangerous proposition since those have not been designed and developed with security first in mind. We’re raising awareness around the security risks of using this approach by showcasing different methods of disabling WMI, thus blinding a whole class of security products such as SIEMs and EDRs, that rely on the telemetry provided by these technologies. Also, originating such attacks from below the Operating System, in the firmware, during the boot process, will make the detection by the endpoint security solutions almost impossible.”

Full details on Binarly’s participation at Black Hat available here.

About Binarly

Founded in 2021, Binarly provides an agentless, enterprise-class AI-powered firmware security platform that helps protect from advanced threats below the operating system. Based in Pasadena, California, Binarly’s technology solves firmware supply chain security problems by identifying vulnerabilities, malicious firmware modifications and providing firmware SBOM visibility without access to the source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights, and reduce the cost and time to respond to security incidents.

Contacts

Alex Matrosov
media@binarly.io
818.351.9637

Binarly Inc.

