Last-minute paper: Into the unknown: how to detect BIOS-level attackers

Thursday 25 September 15:00 - 15:30, Green room.

Xeno Kovah The MITRE Corporation
Corey Kallenberg The MITRE Corporation
John Butterworth The MITRE Corporation
Sam Cornwell The MITRE Corporation

What do you know about BIOS vulnerabilities & attackers? Do you know that current data suggests that more than half of enterprise BIOSes in the wild have known vulnerabilities going unpatched? Do you know which vendors have patches that fix issues, and which vendors don't? Do you know how many exploits have come out in the past year that allow attackers to bypass all security features and take control of a BIOS and thus defeat all security software? Do you know that state-sponsored attackers attack at the BIOS level but have never been caught by the AV industry?

This talk will shed some light on the largely out-of-sight, out-of-mind problem of security at the lowest level of the platform. It will also suggest actions that can be taken immediately to improve BIOS-level malware detection by leveraging free tools for Windows and *nix platforms. These tools and techniques have significantly matured over the past year, and are now appropriate for incorporation into COTS security products. The talk will also show how malware analysts with existing Windows executable static analysis knowledge can be taught a little bit of BIOS-specific information in order to become BIOS malware analysts too.


Xeno Kovah

Xeno Kovah leads a team of five researchers focusing on low-level PC firmware and BIOS security. His speciality is stealth malware and its ability to hide from security software and to force security software to lie and report that the system is clean when it is not. To combat such attacks he researches trusted computing systems that can provide much stronger guarantees than normal COTS. He is also the founder of and lead contributor to, where he has posted eight days of material and videos on x86 assembly, architecture, binary formats and rootkits.
