CHIPSEC Support against Vault 7 disclosure scanning

Following recent WikiLeaks Vault 7 disclosures, including details regarding the firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society.  In addition, there was reference to a vulnerability related to the Intel Security stinger.

First, we can confirm that the stinger tool issue is no longer present in our current technology. Users downloading the stinger today will not be subject to attacks using the suggested exploit scenario.

As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.

This work is based on many years of dedicated research conducted by the Advanced Threat Research team ( within the field of firmware security. CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual.

NOTE: This software is for security testing purposes. Use at your own risk. Read WARNING.txt before using.

The framework is available at the following link:


The following outlines a method that can be used to scan system firmware to determine whether it has been modified.  The example we have used below is shows the UEFI rootkit found in the HackingTeam disclosure ( To test against the most recent disclosures, a known clean list of EFI executable binaries (whitelist) must be developed and can be checked.

Below is an example of using the new tools.uefi.whitelist module on a UEFI firmware image modified to include HackingTeam’s UEFI rootkit.

  1. Generate a “whitelist” of EFI executable binaries from a clean/original UEFI firmware image (file named “original” in the example below). The list is generated in “original.json”. (This step assumes that there’s a way to obtain a good clean image.) In our example, 276 EFI executables were extracted from the “original” UEFI firmware image.

# chipsec_main -i -n -m tools.uefi.whitelist -a generate,original.json,original



[x][ =======================================================================

[x][ Module: Simple white-list generation/checking for UEFI firmware

[x][ =======================================================================


[*] reading firmware from ‘original’…

[*] generating a list of EFI executables from firmware image…

[*] found 276 EFI executables in UEFI firmware image ‘original’

[*] creating JSON file ‘C:\chipsec\original.json’…


  1. At a later time, one can verify the integrity of UEFI firmware extracted from flash ROM memory against this list of expected EFI executables. The previous step records hashes in the “efilist.json” file. In our example, we verify the integrity of another UEFI firmware image named “unpacked”. Running the tools.uefi.whitelist module against this image with “original.json” containing expected list (whitelist) of EFI executables yields the following output.


# chipsec_main -i -n -m tools.uefi.whitelist -a check,original.json,unpacked


[x][ =======================================================================

[x][ Module: Simple white-list generation/checking for UEFI firmware

[x][ =======================================================================


[*] reading firmware from ‘unpacked’…

[*] checking EFI executables against the list ‘C:\chipsec\original.json’

[*] found 279 EFI executables in UEFI firmware image ‘unpacked’

[!] found EFI executable not in the list: d359a9546b277f16bc495fe7b2e8839b5d0389a8



ed0dc060e47d3225e21489e769399fd9e07f342e2ee0be3ba8040ead5c945efa (sha256)

[!] found EFI executable not in the list: 64d44b705bb7ae4b8e4d9fb0b3b3c66bcbaae57f



3a4cdca9c5d4fe680bb4b00118c31cae6c1b5990593875e9024a7e278819b132 (sha256)

[!] found EFI executable not in the list: 4a1628fa128747c77c51d57a5d09724007692d85



dd2b99df1f10459d3a9d173240e909de28eb895614a6b3b7720eebf470a988a0 (sha256)

[!] WARNING: found 3 EFI executables not in the list ‘C:\chipsec\original.json’


The tools.uefi.whitelist module found three additional EFI executable binaries, which were not present in the original firmware image. The “unpacked” firmware image has 279 EFI executable binaries including the 276 original executables and three executables injected by the HackingTeam’s UEFI rootkit (rkloader, Ntfs and unnamed EFI application).


The above example is just for illustration purposes and assumes you’ve extracted EFI firmware on your system prior to generating the whitelist and later before checking the firmware. This can be done with CHIPSEC framework using the following command:

# chipsec_util spi dump firmware.bin


However, a separate step to dump the firmware image isn’t required when using tools.uefi.whitelist module. It extracts EFI firmware from flash ROM memory automatically if the firmware file isn’t specified.

We recommend generating an EFI “whitelist” after purchasing a system or when sure it hasn’t been infected :

# chipsec_main -m tools.uefi.whitelist -a generate


Then check EFI firmware on your system periodically or whenever concerned, such as when a laptop was left unattended:

# chipsec_main -m tools.uefi.whitelist -a check


In the recent disclosures, another EFI firmware malware for Mac OSX systems, darkmatter, has become known. It appears to include multiple EFI executable components which it injects into the EFI firmware on a target system at different stages of infection. If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the darkmatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.

EFI firmware malware is a new frontier for stealth and persistent attacks which may be used by sophisticated adversaries to penetrate and persist within the organization’s and national infrastructure for very long time. Use open source CHIPSEC to defend from this threat and stay safe.

The post CHIPSEC Support against Vault 7 disclosure scanning appeared first on McAfee Blogs.

Read more: CHIPSEC Support against Vault 7 disclosure scanning

Story added 9. March 2017, content source with full text you can find at link above.