Filtering Against Persistent Firmware Rootkits - BadUSB, HDDHack, UEFI

grarpamp grarpamp at
Wed Mar 22 08:57:10 UTC 2017

Over two years ago this "trojans in the firmware" was mentioned.

These attacks are real and are in the wild. They are created and
used by various hats from adversary to researcher to miscreant...
and ultimately can end up passing unwittingly through degrees of
separation to and among you and your peers over daily sharing and
other physical transactions, use of unaudited application and systems
code, dual booting, parking lot attacks, computer labs, libraries,
component swapping, etc.

Some mitigation may be possible through kernel filtering modes...

- Filter and log all known firmware / bios writing opcodes.
- Filter and log all opcodes except those required for daily use,
 such as: read, write, erase unit, inquiry, reset, etc.
- Filter and log all opcodes execpt those in some user defined
 rulesets. Default permit / deny, the usual schemes.

In a securelevel, this may provide some resistance and extra steps
of defense in depth to attacks that presume they have direct access
to firmware without needing to smash the kernel further beyond root
(also, root access is foolishly yet often available to users).

FreeBSD should consider addressing any oppurtunities to further
inhibit these attack vectors. Details via links below.

(CC'd to a few lists to promote general awareness.
Replies are perhaps best made only to freebsd-security@ .)

# CAM - hdd, tape, optical, etc




# FreeBSD, UFS - supported

# various

More information about the freebsd-questions mailing list