// Shikhin Sethi
// Option ROMs: A Hidden (But Privileged) World
Each modern x86 computer uses PCI option ROMs to initialize devices during early boot. The option ROMs not only get privileged and unsupervised access to the machine, but are also typically relied upon by the operating system to provide key device services such as video.
We show how malicious option ROMs can be executed in the background, "stealing" the host machine resources such as logical cores, memory, and PCI devices. We further show how to man-in-the-middle interrupts from devices, and how to gather useful information without destroying the device state, and how such malicious ROMs can snoop on the OS, especially with poorly designed kernels (or drivers) using the option ROMs themselves.
Although UEFI attempts to address the issue by using bytecode option ROMs, we show how to bypass its security restriction. We look at how "weird machines" in the boot process could be used to undermine the trust model of the OS, and how these might be prevented.
Given that option ROMs are ubiquitous, we look at how such malicious ROMs could be detected and protected against. Shikhin Sethi is a systems hacker with a keen interest in using low-level knowledge for exploits. Shikhin writes an article series on the x86 architecture and nifty tricks surrounding it for the International Journal of PoC||GTFO. A student in India, Shikhin is also interested in operating system design and creating standard components for a secure OS.