efi_fuzz: coverage-guided fuzzer for UEFI NVRAM variables
In recent years, firmware-level attacks against UEFI have grown in popularity and became more and more complex. Prominent examples of such attacks from this year alone include CVE-2020-12890 (SMM callout vulnerability in AMD’s Mini PCs), CVE-2020-10713 (BootHole, an effective bypass for Secure Boot) as well as the discovery of a new UEFI implant, dubbed MosaicRegressor. As a growing area of concern, these UEFI vulnerabilities shouldn’t be taken lightly. Given any of these vulnerabilities, an attacker can get extremely stealthy persistence on the machine, while bypassing many traditional kernel-based or even hypervisor-based mitigations.
Unfortunately, the set of tools available to the UEFI research community is still in its infancy phase. As a result, most of the research so far was driven by static analysis of UEFI modules or by leveraging some ad-hoc “dumb” fuzzers. Obviously, these approaches have some serious limitations and downsides: static analysis, while not complemented by dynamic analysis, is limited at best, and “dumb” fuzzers don’t get any feedback from the fuzzed target and as a result, are likely to miss key vulnerabilities.
efi_fuzz is a modern, coverage-guided fuzzer for UEFI modules based on the Qiling emulation framework and the AFL++ fuzzing engine. The fuzzer is currently capable of fuzzing the contents of NVRAM variables and further work is being made to support fuzzing of other attack vectors such as SWSMIs. Written by Itai Liba (@liba2k) and Assaf Carlsbad (@assaf_carlsbad).