UEFI virtual machine firmware hardening through snapshots and attack surface reduction
This addresses security vulnerabilities in UEFI firmware for virtual machine environments, but it is incremental as it builds on existing hardening techniques.
The paper tackles security issues in UEFI firmware for virtual machines by introducing the Amaranth project, which uses snapshots for OS integrity checking and firmware size reduction to harden the firmware.
The Unified Extensible Firmware Interface (UEFI) is a standardised interface between the firmware and the operating system used in all x86-based platforms over the past ten years. A side effect of the transition from conventional BIOS implementations to more complex and flexible implementations based on the UEFI was that it became easier for the malware to target BIOS in a widespread fashion, as these BIOS implementations are based on a common specification. This paper introduces Amaranth project - a solution to some of the contemporary security issues related to UEFI firmware. In this work we focused our attention on virtual machines as it allowed us to simplify the development of secure UEFI firmware. Security hardening of our firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and overall firmware size reduction.