UEFI virtual machine firmware hardening through snapshots and attack surface reduction

TL;DR

This paper presents the Amaranth project, a method to enhance UEFI firmware security in virtual machines by reducing attack surface and using snapshots for integrity verification.

Contribution

It introduces a novel approach combining firmware size reduction and snapshot-based integrity checks to improve UEFI security in virtual environments.

Findings

Enhanced firmware security through size reduction

Effective attack surface minimization

Improved integrity verification with snapshots

Abstract

The Unified Extensible Firmware Interface (UEFI) is a standardised interface between the firmware and the operating system used in all x86-based platforms over the past ten years. A side effect of the transition from conventional BIOS implementations to more complex and flexible implementations based on the UEFI was that it became easier for the malware to target BIOS in a widespread fashion, as these BIOS implementations are based on a common specification. This paper introduces Amaranth project - a solution to some of the contemporary security issues related to UEFI firmware. In this work we focused our attention on virtual machines as it allowed us to simplify the development of secure UEFI firmware. Security hardening of our firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and overall firmware size reduction.