Appendix: Threat Model for EDK II

This chapter provides the basic assumptions behind the threat model for EDK II firmware. The threat model discussed here is a general guide and serves as the baseline for EDK II firmware. For each specific feature in EDK II firmware, there may be additional feature-based threat models on top of the general threat model.

In UEFI Threat Model, we discussed the assets, threats and mitigations. Here we revisit these items based upon the STRIDE threat classification, which maps each class of threat to the security property it violates:

| Threat | Desired Property |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-Repudiation |
| Information Disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |

In EDK II firmware, a denial of service can be temporary, affecting only the current boot, or permanent, in which case the system never boots again. The latter is more serious and is named permanent denial of service (PDoS).

We will consider the following adversaries for the EDK II firmware:

| Adversary | Capability |
|---|---|
| Network Attacker | The attacker may connect to the system over the network in order to eavesdrop on, intercept, masquerade as, or modify network packets. |
| Unprivileged Software Attacker | The attacker may run ring-3 software in the OS application layer. The attacker may perform a software-based side channel attack (such as using cache timing). |
| System Software Attacker | The attacker may run ring-0 software in the OS kernel or hypervisor, or run 3rd party firmware code in the firmware boot phase. The attacker may perform a software-based side channel attack (such as using cache timing, performance counters, branch information, or power status). |
| Simple Hardware Attacker | The attacker may touch the platform hardware (such as the power button or a jumper) and attach or remove a simple malicious device (such as a hardware debugger, a PCILeech device on an external port, a PCIe card in a PCIe slot, a memory DIMM, a NIC cable, a hard drive, a keyboard, a USB device, or a Bluetooth device). The attacker may hijack a simple system bus (such as the SPI bus or I2C bus). |
| Skilled Hardware Attacker | The attacker may hijack a complex system bus (such as the memory bus or the PCI Express bus). The attacker may perform a hardware-based side channel attack, such as power analysis, thermal analysis, or electromagnetic analysis. The attacker may perform a glitch attack. |

We will consider the following mitigation objectives for the EDK II firmware:

| Mitigation | Objective |
|---|---|
| Protection | The mitigation prevents such an attack from damaging the system. |
| Detection | The mitigation detects whether the system is under attack. |
| Recovery | The mitigation recovers the system if it has been attacked. |

  • Asset: Flash Content
  • Asset: Boot Flow
  • Asset: S3 Resume
  • Asset: Management Mode
  • Asset: Build Tool