启动漏洞：搜寻 Windows 安全启动的远程攻击面.pdf

《启动漏洞：搜寻 Windows 安全启动的远程攻击面.pdf》由会员分享，可在线阅读，更多相关《启动漏洞：搜寻 Windows 安全启动的远程攻击面.pdf（86页珍藏版）》请在三个皮匠报告上搜索。

1、#BHUSA BlackHatEventsBooting into BreachesHunting Windows SecureBootsRemote Attack SurfacesAzure Yang CyberKunlun#BHUSA BlackHatEventsAbout meAzure Yang 4zure9Security Researcher Cyber Kunlun|MSRC MVR(20222025)Started journey into Windows security from late 2021 Discovered 79 public CVEs in Windows

2、security,specializing in bootloaders,remote vulnerabilities.Ranked#5 on MSRCs 2024/2025 annual Windows Leaderboard and#2 in 2023Q4 for SecureBoot research.Retired CTF player,DEF CON CTF Black Badge owner.Blending offensive expertise into defensive evolution.#BHUSA BlackHatEventsAgenda Background Att

3、ack surface in bootloader Network protocol BCD Registry Security Policy Filesystem Logic flaw How to fuzz Attack surface beyond bootloader Future Work&Take Aways#BHUSA BlackHatEventsWhy Explore SecureBoot?Exploring unknown area is attractive for researcher The foundation of computer security starts

4、with SecureBoot process SecureBoot vulnerabilities in Windows is rare in past decade.#BHUSA BlackHatEventsSecureBoot The bigger picture Mobile Hardware lockout implementation PC UEFI Using digital signatures and certificates to establishing a chain of trust from hardware to OS#BHUSA BlackHatEventsMo

5、bile Secureboot#BHUSA BlackHatEventsSecureBoot Where is enforced#BHUSA BlackHatEventsWhat makes the SecureBoot breaches Despite fixed in code and the updates has already been shipped,all my 32 Secure Boot Vulnerabilities findings still exploitable by default PCA2011 gets expired in 2026 PCA2023 UEFI

6、 var DBX 32K limit Compatibility issue#BHUSA BlackHatEventsFixed in CVETitleIn wildScoreCVSS2016-Jul CVE-2016-3287Secure Boot Security Feature Bypass VulnerabilityFALSE6.2CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C2016-Aug CVE-2016-3320Secure Boot Security Feature Bypass Vulnerability