EFIDrill: IDA plugin for UEFI firmware vulnerability hunting based on data flow analysis


The Unified Extensible Firmware Interface (UEFI) is a critical component in the boot process, but it’s vulnerable to attacks. These attacks can disable Secure Boot, allowing the injection of UEFI rootkits. These insidious pieces of malware hide within the SMM or BootLoader, granting attackers persistent control over the infected system.

Researchers are actively exploring UEFI security. They’ve uncovered numerous SMM vulnerabilities, leading to more robust UEFI implementations. Tools like “efiexplorer” help reverse engineer UEFI firmware. Yet, many UEFI vulnerabilities remain hidden, as current detection methods rely heavily on fuzz testing or instruction matching. There’s a pressing need for tools that automate UEFI vulnerability discovery through data flow analysis.

EFIDrill is a groundbreaking open-source IDA plugin that empowers data flow tracing, taint tracking, automated structure analysis, variable prediction, and vulnerability detection within UEFI firmware. It has already proven successful in uncovering previously unknown vulnerabilities in hardware from major vendors like Asus, Intel, and Dell.

Important functions

  • mmap_ir_to_address: Map intermediate representation (IR) addresses to the actual addresses in the binary file.
  • check_interesting_variables: Find the variables of interest (0x40e, readsavestate, commbuffer); different functions have different variables of interest.
  • ana_ins_addr: Analyze each assembly instruction.
  • add_interesting_memory_map_list: Add a new definition to the interesting_op_list.
  • vulnerability_find: Call all plug-ins.
  • fix_use: Find the far-jump use (a use whose def is not in the current function); the IR address of the far-jump block is (-1, -1) and its actual address is -1.
  • get_def: Generate the def.
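To make the def/use and taint vocabulary above concrete, here is an added illustration that is not EFIDrill's own code: a toy analysis over a constructed three-address IR. It shows the idea behind get_def (find the definition that reaches a use), fix_use (a use whose def lies outside the current function is attributed to a placeholder with IR address (-1, -1) and actual address -1) and check_interesting_variables (seed taint at variables of interest, here commbuffer). The IR format, the Ins record, the register names and the sample "SMI handler" are all constructed for the example.

```python
"""Added example, not EFIDrill's code: toy def-use chains and taint tracking over a
constructed three-address IR. Everything here (Ins, FAR_DEF, SAMPLE) is an assumption
made for illustration, not the plugin's real data model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Variables of interest for an SMI handler; the page lists commbuffer among them.
INTERESTING = {"commbuffer"}

# Operations treated as sinks: a memory write whose address or value is tainted.
SINKS = {"store"}


@dataclass
class Ins:
    ir_addr: Tuple[int, int]          # (block, index) inside the function's IR
    addr: int                         # address of the backing instruction in the binary
    op: str
    dst: Optional[str]                # variable defined here, None for side-effect-only ops
    srcs: List[str] = field(default_factory=list)


# fix_use analogue: a use whose def is not in the current function is attributed to
# this placeholder, with IR address (-1, -1) and actual address -1.
FAR_DEF = Ins(ir_addr=(-1, -1), addr=-1, op="far", dst=None)


def get_def(func: List[Ins], use_idx: int, var: str) -> Ins:
    """get_def analogue: last instruction before use_idx that defines var, else FAR_DEF."""
    for ins in reversed(func[:use_idx]):
        if ins.dst == var:
            return ins
    return FAR_DEF


def trace_taint(func: List[Ins]) -> Dict[int, Set[str]]:
    """Forward taint propagation over straight-line IR.

    Returns, per instruction index, the set of its source operands that are tainted.
    """
    tainted: Set[str] = set()
    state: Dict[int, Set[str]] = {}
    for i, ins in enumerate(func):
        tainted_srcs: Set[str] = set()
        for s in ins.srcs:
            d = get_def(func, i, s)
            # A variable of interest with no in-function def is caller-controlled input.
            if s in INTERESTING and d is FAR_DEF:
                tainted_srcs.add(s)
            elif s in tainted:
                tainted_srcs.add(s)
        state[i] = tainted_srcs
        if ins.dst is not None:
            if tainted_srcs:
                tainted.add(ins.dst)
            else:
                tainted.discard(ins.dst)   # a clean redefinition kills the taint
    return state


def find_tainted_sinks(func: List[Ins]) -> List[int]:
    """Addresses of sink instructions that consume a tainted operand."""
    state = trace_taint(func)
    return [ins.addr for i, ins in enumerate(func) if ins.op in SINKS and state[i]]


# Constructed sample: a handler that writes through a pointer read out of CommBuffer.
SAMPLE = [
    Ins((0, 0), 0x1000, "mov",   "rcx", ["commbuffer"]),  # rcx = CommBuffer (def is in the caller)
    Ins((0, 1), 0x1004, "load",  "rax", ["rcx"]),         # rax = *rcx, a caller-supplied pointer
    Ins((0, 2), 0x1008, "mov",   "rdx", []),              # rdx = constant, untainted
    Ins((0, 3), 0x100C, "store", None,  ["rax", "rdx"]),  # *rax = rdx, write to tainted address
    Ins((0, 4), 0x1010, "mov",   "rax", []),              # rax redefined from a constant: taint killed
    Ins((0, 5), 0x1014, "store", None,  ["rax", "rdx"]),  # *rax = rdx, clean
]

if __name__ == "__main__":
    print("far def for commbuffer:", get_def(SAMPLE, 0, "commbuffer"))
    print("tainted sinks:", [hex(a) for a in find_tainted_sinks(SAMPLE)])
```

Running it reports the first store (0x100c) as the only sink reached by CommBuffer-derived data; the second store is clean because rax was redefined from a constant in between. A real plugin works over IDA's IR with control flow, so the straight-line scan here stands in for a proper reaching-definitions pass.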

Install & Use

Copyright (C) 2024

  • Xuxiang Yang, Security researcher @ Security Lab GIC Lenovo
  • Qingzhe Jiang, Security researcher, Manager, @ Security Lab GIC Lenovo
  • Weixiao Ji, Security researcher @ Security Lab GIC Lenovo