announce: October DC206 Meeting: Firmware is the New Black

Posted in Uncategorized at 15:53 by admin

What: Oct DC206 Meeting: Firmware is the New Black
When: October 15th (3rd Sundays), 1-3pm
Who: Vincent Zimmer
Where: Black Lodge Research

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities


In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).


Vincent Zimmer was born in Houston, Texas, where he also grew up. Vincent attended Cornell University in Ithaca, New York, and achieved a Bachelor of Science in Electrical Engineering. Vincent has worked for various technology companies, including Intel Corporation, where he has been employed since 1997. While working at Intel, Vincent received his Master of Science degree in Computer Science from the University of Washington in Seattle, Washington. Vincent is presently a senior principal engineer in the Software and Services Group at Intel. During Vincent’s career working on embedded systems and firmware, he has received over 350 US patents https://en.wikipedia.org/wiki/List_of_prolific_inventors and presented at several industry conferences. In addition to the Beyond BIOS book, Vincent has published book chapters and articles. Along with writing firmware, Vincent has also contributed to and written specifications in the Unified Extensible Firmware Interface (UEFI) Forum, the Trusted Computing Group (TCG), and the Internet Engineering Task Force (IETF). Vincent presently lives in the Seattle area of Washington state with his wife and 2 daughters.

Black Lodge Research:
17725 NE 65th St, A-155; Evans Business Park, Bldg A; Redmond, WA 98052 https://blacklodgeresearch.org/ https://twitter.com/the_black_lodge/