current progress (aug, 2024)

This commit is contained in:
Adrien Bourmault 2024-08-21 12:53:44 +02:00
parent 32824a84f3
commit 5b89d689ea
Signed by: neox
GPG Key ID: 57BC26A3687116F6
6 changed files with 2905 additions and 343 deletions


@ -89,14 +89,14 @@ journal = {Queue},
doi = {10.1145/2508834.2513149}
}
@misc{micron_ddr3,
@manual{micron_ddr3,
author = {Micron Technology Inc},
year = {2008},
number = {TN-41-02},
title = {Technical Note: DDR3 ZQ Calibration}
}
@misc{samsung_ddr3,
@manual{samsung_ddr3,
author = {Samsung Electronics Co. Ltd},
year = {2011},
month = {11},
@ -253,27 +253,7 @@ note = "[Online; accessed 8-May-2024]"
note = {Accessed: 2024-07-05}
}
@article{memory_training,
author = {Author Names},
title = {Title of the Paper on Memory Training Algorithms},
journal = {Journal Name},
year = {Year},
volume = {Volume},
number = {Number},
pages = {Pages}
}
@article{virtualization_firmware,
author = {Author Names},
title = {Title of the Paper on Hardware Virtualization and Firmware},
journal = {Journal Name},
year = {Year},
volume = {Volume},
number = {Number},
pages = {Pages}
}
@misc{asus_kgpe_d16_manual,
@manual{asus_kgpe_d16_manual,
author = {Asus},
title = {Asus KGPE-D16 Mainboard Documentation and User Manuals},
howpublished = {\url{https://www.asus.com/Commercial-Servers-Workstations/KGPE-D16/HelpDesk_Manual/}},
@ -301,13 +281,6 @@ note = "[Online; accessed 8-May-2024]"
year = 2024
}
@misc{computer_history_museum,
author = {Computer History Museum},
title = {The Evolution of the BIOS},
howpublished = {\url{https://computerhistory.org/}},
year = 2024
}
@book{rosenberg1994open,
title={Open architecture computer systems},
author={Rosenberg, Ronald H},
@ -344,13 +317,6 @@ note = "[Online; accessed 8-May-2024]"
howpublished = {\url{https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/uefi-firmware}},
}
@misc{smith_2017,
author = {Smith, R.},
title = {UEFI vs. BIOS: Whats the Difference?},
year = {2017},
howpublished = {\url{https://www.techradar.com/news/uefi-vs-bios-whats-the-difference}},
}
@misc{anderson_2018,
author = {Anderson, T.},
title = {BIOS vs. UEFI: Understanding the Modern Boot Environment},
@ -435,7 +401,7 @@ note = "[Online; accessed 8-May-2024]"
@article{coreboot_challenges,
author = {Minnich, R. and Hendricks, E.},
title = {Challenges and Progress in Coreboot Development},
title = {Challenges and Progress in coreboot Development},
journal = {Journal of Open Source Software},
year = {2018},
volume = {3},
@ -450,3 +416,495 @@ note = "[Online; accessed 8-May-2024]"
howpublished = {\url{https://www.gnu.org/software/gnuboot/web/faq.html}},
note = {Accessed: 2024-07-23}
}
@book{intel_acpi_spec,
author = {Intel Corporation},
title = {Advanced Configuration and Power Interface (ACPI) Specification},
year = {1996},
publisher = {Intel Corporation},
url = {https://uefi.org/specifications}
}
@article{acpi_os_support,
author = {Michael Gschwind},
title = {Advanced Configuration and Power Interface: The Operating System Perspective},
journal = {IEEE Micro},
year = {2000},
volume = {20},
pages = {82-89},
doi = {10.1109/40.888702}
}
@book{uefi_smm_security,
author = {Ronald D. Krebs and Vincent Zimmer and Suresh Marisetty},
title = {Beyond BIOS: Developing with the Unified Extensible Firmware Interface},
edition = {3rd},
year = {2017},
publisher = {Intel Press},
isbn = {978-0974364906}
}
@inproceedings{amd_psp_overview,
author = {David Kaplan and Jeremy Powell and Tom Woller},
title = {AMD Memory Encryption},
booktitle = {Architectural Support for Programming Languages and Operating Systems},
year = {2016},
pages = {149-160},
doi = {10.1145/2851141.2851148}
}
@techreport{intel_csme,
author = {Intel Corporation},
title = {Intel Converged Security and Management Engine (CSME) Security White Paper},
year = {2020},
url = {https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/intel-csme-security-white-paper.pdf}
}
@article{heasman2007,
author = {John Heasman},
title = {Implementing and Detecting an ACPI BIOS Rootkit},
journal = {Black Hat USA},
year = {2007},
url = {https://www.blackhat.com/presentations/bh-usa-07/Heasman/Presentation/bh-usa-07-heasman.pdf}
}
@article{domas2015,
author = {Christopher Domas},
title = {The Memory Sinkhole - Unleashing an x86 Design Flaw Allowing Universal Privilege Escalation},
journal = {Black Hat USA},
year = {2015},
url = {https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation-wp.pdf}
}
@article{offsec_bios_smm,
author = {Corey Kallenberg and Xeno Kovah},
title = {BIOS and SMM Internals},
year = {2014},
url = {https://opensecuritytraining.info/IntroBIOS_files/Day1_07_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SMM.pdf}
}
@techreport{cyber_smm_hack,
author = {Olivier Levillain and Aurelien Francillon and Yanick Fratantonio and Davide Balzarotti},
title = {How to Protect the BIOS and its Secrets},
institution = {ANSSI, Eurecom},
year = {2011},
url = {https://cyber.gouv.fr/sites/default/files/IMG/pdf/Cansec_final.pdf}
}
@article{blackhat_me_hack,
author = {Maxim Goryachy and Mark Ermolov},
title = {How to Hack a Turned Off Computer, or Running Unsigned Code in Intel Management Engine},
journal = {Black Hat Europe},
year = {2017},
pages = {1-23},
url = {https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf}
}
@manual{acpi_programming,
title = {ACPI Component Architecture Programmer Reference},
author = {ACPICA Project},
year = {2017},
url = {https://acpica.org/documentation},
note = {Accessed: 2024-08-03}
}
@manual{coreboot_docs,
title = {coreboot Documentation},
author = {coreboot Project},
year = {2023},
url = {https://doc.coreboot.org/}
}
@article{minnich_coreboot,
author = {Ron Minnich and Stefan Reinauer and Patrick Georgi},
title = {coreboot: Open-Source Firmware Platform},
journal = {Google Research},
year = {2017},
url = {https://research.google/pubs/pub45424/}
}
@inproceedings{minnich_status,
author = {Ron Minnich},
title = {coreboot: Status and some history},
year = {2006},
}
@techreport{intel_smm,
author = {Intel Corporation},
title = {System Management Mode},
year = {2016},
url = {https://www.intel.com/content/www/us/en/developer/articles/technical/system-management-mode.html}
}
@article{coprocessor_smm_monitoring,
author = {Aurelien Francillon and others},
title = {Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode},
journal = {arXiv},
year = {2018},
url = {https://arxiv.org/abs/1803.02700}
}
@inproceedings{brown2003linuxbios,
title = {LinuxBIOS as an Open-Source Firmware Alternative},
author = {R. E. Brown and others},
booktitle = {Proceedings of the 2003 Linux Symposium},
year = {2003}
}
@inproceedings{reinauer2008coreboot,
title = {The coreboot Open Source BIOS - A Review},
author = {Stefan Reinauer and others},
booktitle = {Usenix Annual Technical Conference},
year = {2008}
}
@techreport{mohr2012comparative,
title = {A Comparative Analysis of Bootloaders},
author = {Benjamin Mohr},
institution = {University of Freiburg},
year = {2012}
}
@article{HaiYa2024Awah,
% abstract = {This paper presents a wide-frequency and high-precision ZQ calibration circuit for NAND Flash memory. To achieve high-precision impedance calibration within the wide frequency range of NAND Flash memory, the proposed ZQ calibration circuit adopts dynamic comparator with offset voltage compensation to accurately control the equivalent impedance of driver. And to ensure that the offset voltage of comparator can be accurately compensated in a wide frequency range, the offset voltage compensation circuit is controlled by a charge pump whose charging and discharging step time can be adjusted based on operating frequency range. The proposed circuit is fabricated in 130 nm CMOS process. In the frequency range of 1 MHz to 200 MHz, the Monte-Carlo analysis results show that the standard deviation of offset voltage is within 0.18 mV and the standard deviation of targeting calibrated impedance on 300 ohm is within 3.5 ohm. And the chip testing results show that the proposed ZQ calibration circuit can achieve 1.5% calibration accuracy.},
author = {Hai, Ya and Liu, Fei and Wang, Yongshan and Fu, Liyin and Huo, Jian},
copyright = {2023},
issn = {1879-2391},
journal = {Microelectronics},
language = {eng},
pages = {106051-},
title = {A wide-frequency and high-precision ZQ calibration circuit for NAND Flash memory},
volume = {143},
year = {2024},
publisher = {Elsevier Ltd}
}
@inproceedings{pearson2014,
title = {The World Beyond x86},
author = {Timothy Pearson},
year = {2014}
}
@inproceedings{altera2008,
title = {DDR3 SDRAM Memory Interface Termination and Layout Guidelines},
author = {Altera®},
year = {2008},
number = {AN-520-1.0}
}
@article{LiHuiyong2014RRoD,
% abstract = {The signal integrity of the circuit, as one of the important design issues in high-speed digital system, is usually seriously affected by the signal reflection due to impedance mismatch in the DDR3 bus. In this paper, a novel optimization method is proposed to optimize impedance mismatch and reduce the signal refection. Specifically, by applying the via parasitic, an equivalent model of DDR3 high-speed signal transmission, which bases on the match between the on-die-termination (ODT) value of DDR3 and the characteristic impedance of the transmission line, is established. Additionally, an improved particle swarm optimization algorithm with adaptive perturbation is presented to solve the impedance mismatch problem (IPSO-IMp) based on the above model. The algorithm dynamically judges particles’ state and introduces perturbation strategy for local aggregation, from which the local optimum is avoided and the ability of optimization-searching is activated. IPSO-IMp achieves higher accuracy than the standard algorithm, and the speed increases nearly 33% as well. Finally, the simulation results verify that the solution obviously decreases the signal reflection, with the signal transmission quality increasing by 1.3 dB compared with the existing method.},
author = {Li, Huiyong and Jiang, Hongxu and Li, Bo and Duan, Miyi},
address = {United States},
copyright = {Copyright © 2014 Huiyong Li et al.},
issn = {2356-6140},
journal = {TheScientificWorld},
keywords = {Algorithms ; Buses ; Efficiency ; Experiments ; Mathematical models ; Mathematical optimization ; Motor vehicles ; Properties ; Reading ; Signals and signaling},
language = {eng},
pages = {257972-11},
title = {Reflection Reduction on DDR3 High-Speed Bus by Improved PSO},
volume = {2014},
year = {2014},
publisher = {Hindawi Publishing Corporation}
}
@article{ChengKaixing2021TOWo,
% abstract = {As we enter the 5G (5th-Generation) era, the amount of information and data has become increasingly tremendous. Therefore, electronic circuits need to have higher chip density, faster operating speed and better signal quality of transmission. As the carrier of electronic components, the design difficulty of high-speed PCB (Printed Circuit Board) is also increasing. Equal-length wiring is an essential part of PCB design. But now, it can no longer meet the needs of designers. Accordingly, in view of the shortcomings of the traditional equal-length wiring, this article proposes two optimization ways: the ”spiral wiring” way and the ”double spiral wiring” way. Based on the theoretical analysis of the transmission lines, the two optimization ways take the three aspects of optimizing the layout and wiring space, suppressing crosstalk and reducing reflection as the main points to optimize the design. Eventually, this article performs simulation and verification of schematic diagram and PCB of the optimal design by using HyperLynx simulation software. The simulation results show that these two ways not only improve the flexibility of the transmission line layout, but also improve the signal integrity of the transmission lines. Of course, this also proves the feasibility and reliability of the two optimized designs.},
author = {Cheng, Kaixing and Luo, Zhongqiang and Xiong, Xingzhong and Wei, Xiaohan},
address = {Warsaw},
copyright = {2021. This work is licensed under https://creativecommons.org/licenses/by-sa/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.},
issn = {2081-8491},
journal = {International Journal of Electronics and Telecommunications},
keywords = {Crosstalk ; Design ; Electric lines ; Electronic circuits ; Optimal designs (Statistics) ; Printed circuits ; Telecommunication lines},
language = {eng},
number = {3},
pages = {385-394},
title = {Two Optimization Ways of DDR3 Transmission Line Equal-Length Wiring Based on Signal Integrity},
volume = {67},
year = {2021},
publisher = {Polish Academy of Sciences}
}
@article{ErmolovMarkM.2022Uxit,
% abstract = {The purpose of this study was to uncover previously unknown vulnerabilities in Intel CPUs caused by implementation errors or backdoors embedded in system firmware, applications, and hardware. The authors have discovered the Red Unlocked debugging mode which allows microcode to be extracted from Intel Atom processors. Using this debugging mode, the internal microcode structure and the implementation of x86 instructions have been examined, and two undocumented x86 instructions were found. These undocumented x86 instructions, udbgrd and udbgwr, can read and write microarchitectural data. These instructions are assumed to be intended for Intel engineers to debug the CPU microarchitecture. However, their existence poses a cybersecurity threat: there is a working demonstration available in the public domain on how to activate the Red Unlock mode for one of the current Intel platforms. This paper presents the analysis of the udbgrd and udbgwr instructions and explains the conditions under which they can be used on commonly available platforms. This kind of research can be used to develop methods, tools, and solutions to ensure information security of systems and networks by countering threats that arise from newly identified vulnerabilities stemming from implementation defects or backdoors in system firmware, applications, and hardware.},
author = {Ermolov, Mark M. and Sklyarov, Dmitry V. and Goryachy, Maxim S.},
issn = {2074-7128},
journal = {Bezopasnostʹ informat͡s︡ionnykh tekhnologiĭ},
language = {eng},
number = {4},
pages = {27-41},
title = {Undocumented x86 instructions to control the CPU at the microarchitecture level in modern INTEL processors},
volume = {29},
year = {2022},
publisher = {Joint Stock Company "Experimental Scientific and Production Association SPELS}
}
@article{EmbletonShawn2013Sran,
% abstract = {The emergence of hardware virtualization technology has led to the development of OS independent malware such as the virtual machine‐based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: The system management Mode based rootkit (SMBR). System Management mode (SMM) is a relatively obscure mode on Intel processors used for low‐level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non‐preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits used for high‐profile targeted attacks. In this paper, we present our development of a proof of concept SMM rootkit. In it, we explore the potential of system management mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP and receive remote command packets stealthily. By modifying and reflashing the BIOS, the SMM rootkit can install itself on a computer even if the computer has originally locked its SMM. The rootkit hides its memory footprint and requires no changes to the existing operating system. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware. Copyright © 2009 John Wiley & Sons, Ltd. 
This paper presents a proof‐of‐concept SMM rootkit, which explores the potential vulnerability of the low‐level Intel processors' System Management Mode so that it cannot be detected by security software running based on the Operating System. To illustrate the capability of a stealthy SMM rootkit, we implement a chipset‐level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP and receive remote command packets stealthily.},
author = {Embleton, Shawn and Sparks, Sherri and Zou, Cliff C.},
address = {London},
copyright = {Copyright © 2010 John Wiley & Sons, Ltd.},
issn = {1939-0114},
journal = {Security and communication networks},
language = {eng},
number = {12},
pages = {1590-1605},
title = {SMM rootkit: a new breed of OS independent malware},
volume = {6},
year = {2013},
publisher = {Blackwell Publishing Ltd}
}
@article{WaqarMuhammad2021DDCF,
% abstract = {This paper shows that an intermittent AC coupling defect occurring in a DDR4 data channel will cause more intermittent errors in DDR4, compared to such defect in DDR3. The intermittent AC coupling defect occurs due to intermittent fracture in DDR4 package solder ball. The defect causes DC offset in DDR4, which shifts the data signal or data eye and results in DDR4 data channel failure. The DC offset occurs due to the asymmetric nature of pseudo open drain termination scheme. DDR4 data channel response is compared with DDR3 channel. It is shown that pseudo random binary sequence (PRBS) pattern will always cause failure for DDR4, but PRBS will only cause failure in DDR3 if the sequence of consecutive 0's or 1's in PRBS pattern is long enough to cause threshold violation. As a result there will be more intermittent errors in DDR4 compared to DDR3. The defect due to fracture in solder ball is modelled by an AC coupling capacitor. A 1nF AC coupling capacitor corresponding to a solder ball fracture of height about 1nm is used to show the difference between DDR4 and DDR3 response.},
author = {Waqar, Muhammad and Bak, Geunyong and Kwon, Junhyeong and Baeg, Sanghyeon},
address = {Piscataway},
copyright = {Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2021},
issn = {2169-3536},
journal = {IEEE access},
keywords = {Capacitors ; Couplings ; Printed circuits},
language = {eng},
pages = {63002-63011},
title = {DDR4 Data Channel Failure Due to DC Offset Caused by Intermittent Solder Ball Fracture in FBGA Package},
volume = {9},
year = {2021},
publisher = {IEEE}
}
@inproceedings{BashunVladimir2013Tytb,
% abstract = {Unified Extensible Firmware Interface (UEFI) is a software interface between an operating system and platform firmware designed to replace a traditional BIOS. In general, UEFI has many technical advantages over BIOS (pre-OS environment, boot and run-time services, CPU-independent drivers etc.) including also powerful security mechanisms (e.g. secure boot, update, etc.). They are aimed to provide platform integrity, be root of trust of security architecture, control all stages of boot process until it pass control to authenticated OS kernel. From the other side UEFI technology is the focus of many new potential threats and exploits and presents new vulnerabilities that must be managed. The main goal of this research is to provide analysis of the UEFI security issues, find the point and source of the security problems and classify them. The paper describes the architectural and implementation troubles of UEFI which lead to threats, vulnerabilities and attacks. It also includes extensive review of the previous research activities in this area and the results of our own experiments. As the result of the work some recommendation about how to make this young technology more safe and secure are provided.},
author = {Bashun, Vladimir and Sergeev, Anton and Minchenkov, Victor and Yakovlev, Alexandr},
booktitle = {14th Conference of Open Innovation Association FRUCT},
isbn = {1479949779},
issn = {2305-7254},
keywords = {Hardware ; Microprogramming},
language = {eng},
number = {14},
pages = {16-24},
title = {Too young to be secure: Analysis of UEFI threats and vulnerabilities},
volume = {232},
year = {2013},
publisher = {FRUCT Oy}
}
@article{AlexanderOgolyuk2017UBaI,
% abstract = {We describe principles and implementation details of UEFI BIOS attacks and vulnerabilities, suggesting the possible security enhancement approaches. We describe the hidden Intel Management Engine implementation details and possible consequences of its security possible discredit. Described breaches in UEFI and Intel Management Engine could possibly lead to the invention of "invulnerable" malicious applications. We highlight the base principles and actual state of Management Engine (which is a part of UEFI BIOS firmware) and its attack vectors using reverse engineering techniques.},
author = {Alexander Ogolyuk and Andrey Sheglov and Konstantin Sheglov},
issn = {2305-7254},
journal = {Proceedings of the XXth Conference of Open Innovations Association FRUCT},
language = {eng},
number = {20},
pages = {657-662},
title = {UEFI BIOS and Intel Management Engine Attack Vectors and Vulnerabilities},
volume = {776},
year = {2017},
publisher = {FRUCT}
}
@inproceedings{ChevalierRonny2017CBMA,
% abstract = {Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 µs threshold defined by Intel).},
author = {Chevalier, Ronny and Villatel, Maugan and Plaquin, David and Hiet, Guillaume},
copyright = {Distributed under a Creative Commons Attribution 4.0 International License},
keywords = {Computer science},
language = {eng},
pages = {399-411},
title = {Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode},
volume = {2017},
year = {2017},
publisher = {ACM}
}
@article{YiJinhui2021DoDS,
% abstract = {In order to flexibly adjust the frame delay of real-time image acquisition by high-resolution cameras, which is based on optical fiber communication protocol, and facilitate subsequent control, this article uses MT41J128M16JT-125IT DDR3 SDRAM of Mircon company to cache image data. And based on the MIG controller that comes with Xilinx Vivado development tool for continuous read and write control, the results show that when the camera system is designed at 2fps and the system clock is 50Mhz, the system data bandwidth is 2.2Gbps. The selected DDR3 chip has a bandwidth of 6.25Gbps, which can meet the real-time transmission requirements of the design system.},
author = {Yi, Jinhui and Wang, Mingfu and Bai, Lidong},
address = {Bristol},
copyright = {2021. This work is published under http://creativecommons.org/licenses/by/3.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.},
issn = {1742-6588},
journal = {Journal of physics. Conference series},
keywords = {Cameras ; Optical fibers ; Physics ; Realtime . . .},
language = {eng},
number = {1},
pages = {12046-},
title = {Design of DDR3 SDRAM read-write controller based on FPGA},
volume = {1846},
year = {2021},
publisher = {IOP Publishing}
}
@article{VersenM.2020Rhaa,
% abstract = {A DDR3 SDRAM test setup implemented on the Griffin III test system from HILEVEL Technologies is used to analyse the row hammer bug. Row hammer pattern experiments are compared to standard retention tests for different manufacturing technologies. The row hammer effect is depending on the number of stress activation cycles. The analysis is extended to an avoidance scheme with refreshes similar to the Target Row Refresh scheme for the DDR4 SDRAM technology.},
author = {Versen, M. and Ernst, W.},
copyright = {2020},
issn = {0026-2714},
journal = {Microelectronics and reliability},
language = {eng},
pages = {113744-},
title = {Row hammer avoidance analysis of DDR3 SDRAM},
volume = {114},
year = {2020},
publisher = {Elsevier Ltd}
}
@article{WangDong2019AIUb,
% abstract = {The Unified Extensible Firmware Interface (UEFI) is a software interface between an operating system and platform firmware designed to replace a traditional BIOS. In this paper, we evaluated the security mechanisms used to protected SPI Flash, and then analyzed the attack surface presented by those security mechanisms. Intel provides several registers in its chipset relevant to locking down the SPI Flash chip that contains the UEFI in order to prevent arbitrary writes. Since these registers implement their functions through the system management mode, the main attack surface is concentrated in the system management mode. In this paper, we propose an attack vector for the system management mode, which uses the method of cache poisoning to attack the system management mode and destroy the protection mechanism of SPI Flash. This method can overcome the limitations for the traditional attacks. Experimental results proved that this kind of attack can arbitrarily write to the UEFI.},
author = {Wang, Dong and Dong, Wei Yu},
address = {Bristol},
copyright = {Published under licence by IOP Publishing Ltd},
issn = {1742-6588},
journal = {Journal of physics. Conference series},
keywords = {Alliances ; Integrated circuits ; Poisoning},
language = {eng},
number = {4},
pages = {42072-},
title = {Attacking Intel UEFI by Using Cache Poisoning},
volume = {1187},
year = {2019},
publisher = {IOP Publishing}
}
@article{SridharanVilas2015MEiM,
% abstract = {Several recent publications have shown that hardware faults in the memory subsystem are commonplace. These faults are predicted to become more frequent in future systems that contain orders of magnitude more DRAM and SRAM than found in current memory subsystems. These memory subsystems will need to provide resilience techniques to tolerate these faults when deployed in high-performance computing systems and data centers containing tens of thousands of nodes. Therefore, it is critical to understand the efficacy of current hardware resilience techniques to determine whether they will be suitable for future systems. In this paper, we present a study of DRAM and SRAM faults and errors from the field. We use data from two leadership-class high-performance computer systems to analyze the reliability impact of hardware resilience schemes that are deployed in current systems. Our study has several key findings about the efficacy of many currently deployed reliability techniques such as DRAM ECC, DDR address/command parity, and SRAM ECC and parity. We also perform a methodological study, and find that counting errors instead of faults, a common practice among researchers and data center operators, can lead to incorrect conclusions about system reliability. Finally, we use our data to project the needs of future large-scale systems. We find that SRAM faults are unlikely to pose a significantly larger reliability threat in the future, while DRAM faults will be a major concern and stronger DRAM resilience schemes will be needed to maintain acceptable failure rates similar to those found on today's systems.},
author = {Sridharan, Vilas and DeBardeleben, Nathan and Blanchard, Sean and Ferreira, Kurt B. and Stearley, Jon and Shalf, John and Gurumurthi, Sudhanva},
issn = {0163-5964},
journal = {Computer architecture news},
language = {eng},
number = {1},
pages = {297-310},
title = {Memory Errors in Modern Systems: The Good, The Bad, and The Ugly},
volume = {43},
year = {2015}
}
@book{freiberger2000fire,
title={Fire in the Valley: The Birth and Death of the Personal Computer},
author={Freiberger, Paul and Swaine, Michael},
year={2000},
publisher={McGraw-Hill}
}
@misc{shustek2016kildall,
title={In His Own Words: Gary Kildall},
author={Leonard J. Shustek},
year={2016},
howpublished={Computer History Museum Blog},
url={https://computerhistory.org/blog/in-his-own-words-gary-kildall/},
note={Accessed: August 16, 2024}
}
@misc{wiki_bios,
author = "{Wikipedia contributors}",
title = "BIOS --- {Wikipedia}{,} The Free Encyclopedia",
year = "2024",
howpublished = "\url{https://en.wikipedia.org/w/index.php?title=BIOS&oldid=1240397019}",
note = "[Online; accessed 16-August-2024]"
}
@misc{fsf_ryf,
author = {{Free Software Foundation}},
title = {Respects Your Freedom (RYF) Certification},
year = 2017,
url = {https://ryf.fsf.org/products/VikingsD16},
note = {Accessed: 2024-08-17}
}
@misc{vikings,
author = {{Vikings GmbH}},
title = {Vikings Hardware Recommendations for KGPE-D16},
url = {https://wiki.vikings.net/KGPE-D16},
note = {Accessed: 2024-08-17}
}
@misc{amd_chipsets,
author = {{Advanced Micro Devices (AMD)}},
title = {AMD Embedded Chipsets: SR5690 and SP5100},
url = {https://www.amd.com/en/products/embedded-chipsets},
note = {Accessed: 2024-08-17}
}
@manual{winbond,
title = {WINBOND W83667HG-A Datasheet},
author = {{Winbond Electronics Corporation}},
url = {https://www.winbond.com/},
note = {Accessed: 2024-08-17}
}
@manual{nuvoton,
title = {Nuvoton W83795G/ADG Hardware Monitor Datasheet},
author = {{Nuvoton Technology Corporation}},
url = {https://www.nuvoton.com/},
note = {Accessed: 2024-08-17}
}
@manual{amd_bsp,
title = {AMD Family 15h Models 30h-3Fh Processors BIOS and Kernel Developer's Guide},
author = {{Advanced Micro Devices (AMD)}},
year = 2014,
url = {https://www.amd.com/system/files/TechDocs/48751_15h_Mod_30h-3Fh_BKDG.pdf},
note = {Accessed: 2024-08-17}
}
@misc{northbridge_wiki,
author = "{Wikipedia contributors}",
title = "Northbridge (computing) --- {Wikipedia}{,} The Free Encyclopedia",
year = "2024",
howpublished = "\url{https://en.wikipedia.org/w/index.php?title=Northbridge_(computing)&oldid=1231509957}",
note = "[Online; accessed 17-August-2024]"
}
@misc{southbridge_wiki,
author = "{Wikipedia contributors}",
title = "Southbridge (computing) --- {Wikipedia}{,} The Free Encyclopedia",
year = "2024",
howpublished = "\url{https://en.wikipedia.org/w/index.php?title=Southbridge_(computing)&oldid=1239483618}",
note = "[Online; accessed 17-August-2024]"
}
@inproceedings{coreboot_fsf,
author = {Ward Vandewege},
title = {Coreboot: the view from the FSF},
year = {2008},
}
@manual{amd_6200,
title = {AMD Opteron 6200 Series Processor},
author = {{AMD}},
year = 2011,
note = {Available at AMD Developer Central},
url = {https://developer.amd.com/}
}
@article{anandtech_bulldozer,
author = {Anand Lal Shimpi},
title = {The Bulldozer Review: AMD FX-8150 Tested},
journal = {AnandTech},
year = 2011,
url = {https://www.anandtech.com/show/4955/the-bulldozer-review-amd-fx8150-tested}
}
@article{hill_impact_caching,
author = {Hill, M. D. and Marty, M. R.},
title = {The Impact of Caching on Multicore Performance},
journal = {Communications of the ACM},
volume = {51},
number = {12},
pages = {48--54},
year = {2008},
publisher = {ACM}
}
@manual{amd_ddr3_guide,
title = {AMD DDR3 Memory Controller: Technical Overview},
author = {{AMD}},
year = 2011,
note = {Available at AMD Developer Central},
url = {https://developer.amd.com/}
}
@manual{amd_ht_guide,
title = {HyperTransport Technology: Technical Overview},
author = {{AMD}},
year = 2011,
note = {Available at AMD Developer Central},
url = {https://developer.amd.com/}
}





@ -3,29 +3,36 @@
\contentsline {chapter}{\numberline {1}Introduction to firmware and BIOS evolution}{5}{chapter.1}%
\contentsline {section}{\numberline {1.1}Historical context of BIOS}{5}{section.1.1}%
\contentsline {subsection}{\numberline {1.1.1}Definition and origin}{5}{subsection.1.1.1}%
\contentsline {subsection}{\numberline {1.1.2}Functionalities and limitations}{5}{subsection.1.1.2}%
\contentsline {section}{\numberline {1.2}Modern BIOS and UEFI}{6}{section.1.2}%
\contentsline {subsection}{\numberline {1.2.1}Transition from traditional BIOS to UEFI (Unified Extensible Firmware Interface)}{6}{subsection.1.2.1}%
\contentsline {subsection}{\numberline {1.2.2}An other way with coreboot}{7}{subsection.1.2.2}%
\contentsline {section}{\numberline {1.3}Shift in firmware responsibilities}{7}{section.1.3}%
\contentsline {chapter}{\numberline {2}Characteristics of Asus KGPE-D16 Mainboard}{9}{chapter.2}%
\contentsline {section}{\numberline {2.1}Overview of Asus KGPE-D16 Hardware}{9}{section.2.1}%
\contentsline {section}{\numberline {2.2}Firmware's Role in Asus KGPE-D16}{9}{section.2.2}%
\contentsline {chapter}{\numberline {3}Key Components in Modern Firmware}{10}{chapter.3}%
\contentsline {section}{\numberline {3.1}Advanced Configuration and Power Interface (ACPI)}{10}{section.3.1}%
\contentsline {section}{\numberline {3.2}System Management Mode (SMM)}{10}{section.3.2}%
\contentsline {section}{\numberline {3.3}AMD Platform Security Processor (PSP) and Intel Management Engine (ME)}{10}{section.3.3}%
\contentsline {chapter}{\numberline {4}Memory Initialization and Training Algorithms}{11}{chapter.4}%
\contentsline {section}{\numberline {4.1}Importance of Memory Initialization}{11}{section.4.1}%
\contentsline {section}{\numberline {4.2}Memory Training Algorithms}{11}{section.4.2}%
\contentsline {section}{\numberline {4.3}Practical Examples}{12}{section.4.3}%
\contentsline {chapter}{\numberline {5}Firmware and Hardware Virtualization}{13}{chapter.5}%
\contentsline {section}{\numberline {5.1}Introduction to Hardware Virtualization}{13}{section.5.1}%
\contentsline {section}{\numberline {5.2}Role of BIOS/UEFI in Virtualization}{13}{section.5.2}%
\contentsline {section}{\numberline {5.3}Security and freedom considerations}{13}{section.5.3}%
\contentsline {section}{\numberline {5.4}Future Trends in Firmware and Virtualization}{13}{section.5.4}%
\contentsline {chapter}{Conclusion}{14}{chapter*.2}%
\contentsline {section}{\numberline {5.5}Summary of Key Points}{14}{section.5.5}%
\contentsline {section}{\numberline {5.6}Call for Action}{14}{section.5.6}%
\contentsline {chapter}{Bibliography}{15}{section.5.6}%
\contentsline {chapter}{GNU Free Documentation License}{18}{chapter*.4}%
\contentsline {subsection}{\numberline {1.1.2}Functionalities and limitations}{6}{subsection.1.1.2}%
\contentsline {section}{\numberline {1.2}Modern BIOS and UEFI}{7}{section.1.2}%
\contentsline {subsection}{\numberline {1.2.1}Transition from traditional BIOS to UEFI (Unified Extensible Firmware Interface)}{7}{subsection.1.2.1}%
\contentsline {subsection}{\numberline {1.2.2}An other way with \textit {coreboot}}{7}{subsection.1.2.2}%
\contentsline {section}{\numberline {1.3}Shift in firmware responsibilities}{9}{section.1.3}%
\contentsline {chapter}{\numberline {2}Characteristics of ASUS KGPE-D16 mainboard}{10}{chapter.2}%
\contentsline {section}{\numberline {2.1}Overview of ASUS KGPE-D16 hardware}{11}{section.2.1}%
\contentsline {section}{\numberline {2.2}Chipset}{12}{section.2.2}%
\contentsline {section}{\numberline {2.3}Processors}{14}{section.2.3}%
\contentsline {section}{\numberline {2.4}Baseboard Management Controller}{15}{section.2.4}%
\contentsline {chapter}{\numberline {3}Key components in modern firmware}{16}{chapter.3}%
\contentsline {section}{\numberline {3.1}General structure of coreboot}{16}{section.3.1}%
\contentsline {subsection}{\numberline {3.1.1}Bootblock stage}{17}{subsection.3.1.1}%
\contentsline {subsection}{\numberline {3.1.2}Romstage}{17}{subsection.3.1.2}%
\contentsline {subsection}{\numberline {3.1.3}Ramstage}{18}{subsection.3.1.3}%
\contentsline {subsection}{\numberline {3.1.4}Payload}{18}{subsection.3.1.4}%
\contentsline {section}{\numberline {3.2}Advanced Configuration and Power Interface}{18}{section.3.2}%
\contentsline {section}{\numberline {3.3}System Management Mode}{19}{section.3.3}%
\contentsline {section}{\numberline {3.4}AMD Platform Security Processor and Intel Management Engine}{19}{section.3.4}%
\contentsline {chapter}{\numberline {4}Memory initialization and training algorithms}{21}{chapter.4}%
\contentsline {section}{\numberline {4.1}Importance of memory initialization}{21}{section.4.1}%
\contentsline {section}{\numberline {4.2}Memory training algorithms}{21}{section.4.2}%
\contentsline {section}{\numberline {4.3}Practical examples}{21}{section.4.3}%
\contentsline {chapter}{\numberline {5}Firmware and hardware virtualization}{23}{chapter.5}%
\contentsline {section}{\numberline {5.1}Introduction to hardware virtualization}{23}{section.5.1}%
\contentsline {section}{\numberline {5.2}Role of BIOS/UEFI in virtualization}{23}{section.5.2}%
\contentsline {section}{\numberline {5.3}Security and freedom considerations}{23}{section.5.3}%
\contentsline {section}{\numberline {5.4}Future trends in firmware and virtualization}{23}{section.5.4}%
\contentsline {chapter}{Conclusion}{24}{chapter*.2}%
\contentsline {section}{\numberline {5.5}Summary of key points}{24}{section.5.5}%
\contentsline {section}{\numberline {5.6}Call for action}{24}{section.5.6}%
\contentsline {chapter}{Bibliography}{25}{section.5.6}%
\contentsline {chapter}{GNU Free Documentation License}{30}{chapter*.4}%