On This Page


John Butterworth, LegbaCore, LLC | Oct 14-15


This course is designed for those who are interested in being able to detect BIOS attackers and want to learn about the BIOS' role in configuring platform security. Because BIOS is such a large subject, this course extrapolates and explains specifically those aspects of BIOS that relate to platform security. However, this course will also explain the core concepts required to understand the security aspects of the presented material as well as de-abstract the subject as a whole.

We will cover the various system components that the BIOS is responsible for configuring and the security they can provide. This course will also show you what capabilities and opportunities are provided to an attacker when they are not properly configured. This course will also provide you tools which you can use to measure many of these configurations and, most importantly, show you how to understand and interpret the results.

This course covers both legacy BIOS and the new UEFI, but will show you how much of the security configurations are agnostic with respect to the BIOS manufacturer and whether the BIOS is legacy or UEFI. UEFI-specific differences will be discussed on the second day.

You will also learn how to apply your existing reverse engineering skills to the analysis of UEFI firmware when changes to it have been detected.
Day 1:

Day 2:

Learning Objectives:

Who Should Take this Course

People who want to detect BIOS/SMM attackers

Student Requirements

Must have x86 assembly and architecture knowledge equal to or greater than what is provided here:

Being familiar with IDA Pro is also helpful. A refresher is here:

What Students Should Bring

Students should bring their own laptops so they can perform experiments on it in parallel to e.g. inspect their BIOS and determine if it is vulnerable.


John Butterworth specializes in low-level system security. He is applying his electrical engineering background and firmware engineering background to investigate UEFI/BIOS security. Over the past year, his "BIOS Chronomancy" work was presented in a number of venues including NoSuchCon, Black Hat, EkoParty, Breakpoint, Hack.lu, ToorCon, SecTor, and others. This work analyzed a Dell laptop implementation of the Trusted Computing Group's "Static-Core Root of Trust for Measurement" (S-CRTM) and showed how it had weaknesses that made it untrustworthy. It also showed how even if a full measurement was performed it could still not be trusted, because a "tick" malware could still attach itself to the BIOS and forge measurements. Or, a "flea" could infect the BIOS and hop between BIOS revisions to persist. But this work also proposed a solution by doing a better measurement of the BIOS using TPM-timing-based attestation. John also wrote the initial version of Copernicus, a tool for checking the security of your BIOS on Windows.