Corey Kallenberg
Corey Kallenberg is a computer security researcher who specializes in the exploitation of UEFI BIOS firmware on Intel x86 systems. He won the 2015 Pwnie Award for Best Privilege Escalation for a memory-corruption vulnerability in the UEFI "Capsule Update" interface, which is used to perform in-place firmware updates. The interface is defined in the UEFI specification, and because the vulnerable code came from the TianoCore reference implementation it was present in BIOSes from many vendors, including AMI, Apple, Dell, HP, Phoenix, and Lenovo.[1]
Corey co-founded the firmware security consultancy LegbaCore LLC in 2015 with Xeno Kovah. LegbaCore publicly demonstrated weaknesses in Apple's UEFI-based BIOS at Black Hat USA 2015[2], and Apple acquired the company later in 2015 to improve the firmware security of its systems.
Corey presented the second and third public exploits to achieve arbitrary code execution in the firmware of Intel-based systems via memory corruption. The third was the Pwnie Award-winning Capsule Update exploit. The second, designated CERT VU#912156[3], affected Dell systems and was presented at Black Hat USA 2013. The first such exploit was demonstrated by Rafal Wojtczuk and Alexander Tereshkin at Black Hat USA 2009.[4] The leaked NSA ANT catalog later showed that the NSA had a long-standing interest in firmware exploitation and had weaponized BIOS exploits and firmware implants available for US government use before the first public demonstrations by researchers.
Over his career Corey also presented many Intel firmware vulnerabilities that achieve arbitrary code execution without memory corruption. In the "Speed Racer" vulnerability[5], co-presented with Rafal Wojtczuk, it was shown that Intel systems of the "Sandy Bridge" generation and older contained a race condition in the chipset's BIOS write-protection mechanism: with the BIOS Lock Enable bit set, any attempt to set the BIOS write-enable bit raises an SMI whose handler clears it again, but on a multi-core system a second core can write to the SPI flash in the window before that handler runs, so the configuration lock is defeated. The mitigation is the chipset's SMM_BWP bit, which makes the flash controller accept writes only while every core is in System Management Mode, but it protects only platforms whose firmware actually sets it. This vulnerability was later exploited by the first UEFI malware found in the wild, "LoJax".[6] Another finding was the rediscovery that a vulnerability class previously discussed by Wojtczuk in 2008 (labeled CERT VU #12728 in [7] but never published as a CERT VU), later termed "SMM call-out" vulnerabilities, was still extremely prevalent across vendors' BIOSes in 2014[8]. These vulnerabilities occur when System Management Mode (SMM) code reads a pointer, or other data that decides where control flows next, from memory outside SMRAM, which an attacker with kernel privileges can modify, and then calls or jumps to it; the attacker's code then executes with SMM privileges, beyond the reach of the operating system and hypervisor.
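The Speed Racer race, as an added illustration that is not code from this page, from LegbaCore or from the Speed Racer whitepaper: a deterministic C model of the chipset's BIOS_CNTL register (BIOSWE, BLE and SMM_BWP bits, at the positions Intel documents for its PCH chipsets), the SMI handler that re-locks the flash, and the flash controller's write gate. It touches no real hardware; the cores, the SMI and the flash are simulated state, and the two-core interleaving is the one the attack relies on. The legitimate SMM update path is included to show that SMM_BWP closes the window without breaking firmware updates.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bits (positions as documented for Intel PCH chipsets) */
#define BIOSWE  (1u << 0)  /* BIOS Write Enable */
#define BLE     (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define SMM_BWP (1u << 5)  /* flash accepts writes only while all cores are in SMM */
#define NCORES  2

/* Simulated platform state; this is a model, not real hardware access. */
struct platform {
    uint8_t bios_cntl;
    bool in_smm[NCORES];
    int writes_accepted;
};

static bool all_cores_in_smm(const struct platform *p) {
    for (int i = 0; i < NCORES; i++)
        if (!p->in_smm[i]) return false;
    return true;
}

/* Flash controller write gate: BIOSWE must be set, and with SMM_BWP set the
 * write is additionally refused unless every core is currently in SMM. */
static bool flash_write(struct platform *p) {
    if (!(p->bios_cntl & BIOSWE)) return false;
    if ((p->bios_cntl & SMM_BWP) && !all_cores_in_smm(p)) return false;
    p->writes_accepted++;
    return true;
}

/* The BLE-triggered SMI handler installed by the BIOS: re-lock the flash. */
static void smi_handler(struct platform *p) {
    p->bios_cntl &= (uint8_t)~BIOSWE;
}

/* The interleaving the attack relies on. A thread on core 0 sets BIOSWE,
 * which raises the SMI; core 0 enters SMM but core 1 has not been pulled in
 * yet, and a second attacker thread on core 1 writes the flash before the
 * handler clears BIOSWE. Returns whether that write landed. */
bool run_race(bool smm_bwp_set) {
    struct platform p = { .bios_cntl = (uint8_t)(BLE | (smm_bwp_set ? SMM_BWP : 0u)) };
    p.bios_cntl |= BIOSWE;          /* step 1: core 0 sets BIOSWE; BLE traps it */
    p.in_smm[0] = true;             /* step 2: SMI delivered, core 0 in SMM, core 1 still running */
    bool landed = flash_write(&p);  /* step 3: core 1 writes inside the window */
    smi_handler(&p);                /* step 4: handler re-locks, too late */
    p.in_smm[0] = false;
    return landed;
}

/* The legitimate path: inside SMM, with every core rendezvoused, the firmware
 * sets BIOSWE itself and writes. SMM_BWP does not block this. */
bool run_smm_update(bool smm_bwp_set) {
    struct platform p = { .bios_cntl = (uint8_t)(BLE | (smm_bwp_set ? SMM_BWP : 0u)) };
    for (int i = 0; i < NCORES; i++) p.in_smm[i] = true;
    p.bios_cntl |= BIOSWE;
    bool landed = flash_write(&p);
    smi_handler(&p);
    return landed;
}

int main(void) {
    printf("SMM_BWP clear: attacker write landed = %d\n", run_race(false));
    printf("SMM_BWP set:   attacker write landed = %d\n", run_race(true));
    printf("SMM_BWP set:   SMM update landed     = %d\n", run_smm_update(true));
    return 0;
}
```

With SMM_BWP clear the write in step 3 is accepted, because the only thing guarding the flash is a bit that the handler has not yet had a chance to clear; with SMM_BWP set the same write is refused because core 1 is not in SMM. On real hardware the window is a matter of timing rather than a fixed step order, which is why the attack is run in a loop from two threads.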
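The SMM call-out class, as an added illustration that is not code from this page or from any vendor's firmware: a C model in which a byte array stands in for physical memory, a fixed range stands in for SMRAM (TSEG), and "executing" an address means looking it up in a small code map. All addresses, the table layout and the handler names are invented for the model. It contrasts a handler that follows a function pointer stored outside SMRAM with one that refuses control transfers to non-SMRAM targets, and with the design that avoids the problem by keeping the table inside SMRAM in the first place.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated physical address space: offsets into ram[] (invented layout) */
#define RAM_SIZE   0x10000u
#define TSEG_BASE  0x8000u            /* simulated SMRAM */
#define TSEG_SIZE  0x4000u
#define NVS_TABLE  0x2000u            /* firmware pointer table kept OUTSIDE SMRAM (the bug) */
#define SMM_TABLE  (TSEG_BASE + 0x10) /* the same table kept INSIDE SMRAM (the fix) */
#define LEGIT_CODE (TSEG_BASE + 0x100)
#define EVIL_CODE  0x1000u            /* ring-0 attacker's code, outside SMRAM */

static uint8_t ram[RAM_SIZE];

typedef int (*code_fn)(void);
static int legit_service(void)    { return 1; }
static int attacker_payload(void) { return 0xbad; } /* would now run with SMM privilege */

/* "Code" at an address: a lookup table standing in for instruction fetch. */
static const struct { uint32_t addr; code_fn fn; } code_map[] = {
    { LEGIT_CODE, legit_service },
    { EVIL_CODE,  attacker_payload },
};

/* True if [addr, addr+len) lies entirely within SMRAM, without wrap-around. */
static bool inside_smram(uint32_t addr, uint32_t len) {
    return len != 0 && addr >= TSEG_BASE && len <= TSEG_SIZE &&
           addr - TSEG_BASE <= TSEG_SIZE - len;
}

/* Chipset SMRAM protection: ring-0 writes that touch TSEG are dropped. */
static bool os_write32(uint32_t addr, uint32_t val) {
    if (addr > RAM_SIZE - 4 || inside_smram(addr, 4)) return false;
    memcpy(&ram[addr], &val, 4);
    return true;
}
static void smm_write32(uint32_t addr, uint32_t val) { memcpy(&ram[addr], &val, 4); }
static uint32_t read32(uint32_t addr) { uint32_t v; memcpy(&v, &ram[addr], 4); return v; }

static int execute_at(uint32_t addr) {
    for (size_t i = 0; i < sizeof code_map / sizeof code_map[0]; i++)
        if (code_map[i].addr == addr) return code_map[i].fn();
    return -2; /* no code there: fault */
}

/* Vulnerable handler: follows a function pointer it read from non-SMRAM memory. */
int smi_handler_vulnerable(void) {
    return execute_at(read32(NVS_TABLE));
}

/* Hardened: refuse any control transfer to an address outside SMRAM. */
int smi_handler_checked(void) {
    uint32_t target = read32(NVS_TABLE);
    if (!inside_smram(target, 1)) return -1; /* call-out rejected */
    return execute_at(target);
}

/* Better still: the table itself lives in SMRAM, where ring 0 cannot reach it. */
int smi_handler_smram_table(void) {
    uint32_t target = read32(SMM_TABLE);
    if (!inside_smram(target, 1)) return -1;
    return execute_at(target);
}

/* Boot-time setup by the firmware, then the attacker's ring-0 tampering. */
void boot_and_attack(void) {
    memset(ram, 0, sizeof ram);
    smm_write32(NVS_TABLE, LEGIT_CODE);
    smm_write32(SMM_TABLE, LEGIT_CODE);
    (void)os_write32(NVS_TABLE, EVIL_CODE);   /* succeeds: table is outside SMRAM */
    (void)os_write32(SMM_TABLE, EVIL_CODE);   /* dropped: SMRAM is locked */
}

int main(void) {
    boot_and_attack();
    printf("vulnerable handler ran code returning 0x%x\n", smi_handler_vulnerable());
    printf("checked handler: %d\n", smi_handler_checked());
    printf("SMRAM-table handler: %d\n", smi_handler_smram_table());
    return 0;
}
```

The range check is the same shape as the one EDK II firmware applies in the opposite direction, where `SmmIsBufferOutsideSmmValid` verifies that a communication buffer supplied by the OS lies wholly outside SMRAM before the handler touches it. Both checks must be overflow-safe, which is why the length is tested before the subtraction rather than by computing `addr + len`.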
References
1. CERT/CC Vulnerability Note VU#552286.
2. Thunderstrike 2, Black Hat USA 2015. https://legbacore.com/Research_files/ts2-blackhat.pdf
3. CERT/CC Vulnerability Note VU#912156.
4. Wojtczuk, R. and Tereshkin, A., "Attacking Intel BIOS", Black Hat USA 2009. https://invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf
5. Kallenberg, C. and Wojtczuk, R., "Speed Racer" whitepaper. https://bromiumlabs.files.wordpress.com/2015/01/speed_racer_whitepaper.pdf
6. ESET, "LoJax" whitepaper, 2018. https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
7. Wojtczuk, R. and Tereshkin, A., "Attacking Intel BIOS", Black Hat USA 2009. https://invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf
8. "How Many Million BIOSes Would You Like to Infect?" https://legbacore.com/Research_files/HowManyMillionBIOSWouldYouLikeToInfect_Full2.pdf
This article, "Corey Kallenberg", was copied from the Draft namespace of Wikipedia; the list of its authors can be seen in its page history there and at Edithistory:Corey Kallenberg.