Bibliographic Details
Main Authors: Segal, Kalanit Suzan, Gorelik, Hadar Cochavi, Brodt, Oleg, Elbahar, Yuval, Elovici, Yuval, Shabtai, Asaf
Format: Preprint
Published: 2025
Subjects: Cryptography and Security
Online Access: https://arxiv.org/abs/2501.16962
Abstract: Modern computing systems rely on the Unified Extensible Firmware Interface (UEFI), which has replaced the traditional BIOS as the firmware standard for the modern boot process. Despite the advancements, UEFI is increasingly targeted by threat actors seeking to exploit its execution environment and take advantage of its persistence mechanisms. While some security-related analysis of UEFI components has been performed, primarily via debugging and runtime behavior testing, to the best of our knowledge no prior study has specifically addressed capturing and analyzing volatile UEFI runtime memory to detect malicious exploitation during the pre-OS phase. This gap in UEFI forensic tools limits the ability to conduct in-depth security analyses in pre-OS environments. Such a gap is especially surprising, given that memory forensics is widely regarded as foundational to modern incident response, reflected by the popularity of above-OS memory analysis frameworks such as Rekall, Volatility, and MemProcFS. To address the lack of below-OS memory forensics, we introduce a framework for UEFI memory forensics. The proposed framework consists of two primary components: UefiMemDump, a memory acquisition tool, and UEFIDumpAnalysis, an extendable collection of analysis modules capable of detecting malicious activities such as function pointer hooking, inline hooking, and malicious image loading. Our proof-of-concept implementation demonstrates our framework's ability to detect modern UEFI threats, such as the ThunderStrike, CosmicStrand, and Glupteba bootkits. By providing an open-source solution, our work enables researchers and practitioners to investigate firmware-level threats, develop additional analysis modules, and advance overall below-OS security through UEFI memory analysis.
Title: UEFI Memory Forensics: A Framework for UEFI Threat Analysis
Topic: Cryptography and Security