Skip to navigation Skip to main content Skip to footer

Research Blog

Insights and research from our global cybersecurity team.

Filter content

Reset filters

Public Report – Caliptra Security Assessment

During August and September of 2023, Microsoft engaged NCC Group to conduct a security assessment of Caliptra v0.9. Caliptra is an open-source silicon IP block for datacenter-focused server-class ASICs. It serves as the internal root-of-trust for both measurement and identity of a system-on-chip. The main use cases for Caliptra are to assure integrity of mutable […]


LeaPFRogging PFR Implementations

Back in October of 2022, this announcement by AMI caught my eye. AMI has contributed a product named “Tektagon Open Edition” to the Open Compute Project (OCP).  Tektagon OpenEdition is an open-source Platform Root of Trust (PRoT) solution with foundational firmware security features that detect platform firmware corruption, recover the firmware and protect firmware integrity. […]


Intel BIOS Advisory – Memory Corruption in HID Drivers 

In this post, I will be focusing on two additional BIOS vulnerabilities. The first bug impacts the Bluetooth keyboard driver (HidKbDxe in BluetoothPkg) and the second bug impacts a touch panel driver (I2cTouchPanelDxe in AlderLakePlatSamplePkg).


Stepping Insyde System Management Mode

In October of 2022, Intel’s Alder Lake BIOS source code was leaked online. The leaked code was comprised of firmware components that originated from three sources: I obtained a copy of the leaked code and began to hunt for vulnerabilities. This writeup focuses on the vulnerabilities that I found and reported to Insyde Software. These […]


A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM

About four months ago, in October 2022, I was idly poking around the “ICE TEA” leak. This leak was of particular interest to me, because it happened to expose the source code for Intel’s Alder Lake platform BIOS. It’s always fun to finally get to see the code for modules that you previously reverse engineered. […]


Alternative Approaches for Fault Injection Countermeasures (Part 3/3)

Authors: Jeremy Boone, Sultan Qasim Khan In the previous blog post we described a set of software-based fault injection countermeasures. However, we recognize that software-based mitigations are not a silver bullet and do have several drawbacks. Though they can frustrate an attacker and reduce the reliability of an exploit attempt, a persistent attacker may possess […]


Software-Based Fault Injection Countermeasures (Part 2/3)

This post contains various C functions, macros and programming patterns that can be used to achieve double glitch resistance within software. By “double glitch resistance”, we mean that skipping or incorrect evaluation of any two instructions should not be able to induce incorrect entry to the protected side of a conditional check. Entry to protected code paths in disallowed states must require the skipping or incorrect evaluation of three or more instructions.


An Introduction to Fault Injection (Part 1/3)

This blog post is the first in a series on the topic of fault injection, also known as glitching. This first post covers the basic principles of fault injection – types of glitches, their effects, and how an attacker can characterize hardware and firmware to achieve a successful glitch. In later posts we will describe how fault injection weaknesses typically manifest in software, and how they can be mitigated at both the software and hardware levels. 


Domestic IoT Nightmares: Smart Doorbells

Preface Half way through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also worked on a number of […]


There’s A Hole In Your SoC: Glitching The MediaTek BootROM

This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group’s Hardware Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an attack vector that is limited […]