UEFI virtual machine firmware hardening through snapshots and attack surface reduction

The Unified Extensible Firmware Interface (UEFI) is a standardised interface between the firmware and the operating system used in all x86-based platforms over the past ten years. A side effect of the transition from conventional BIOS implementations to more complex and flexible implementations based on the UEFI was that it became easier for the malware to target BIOS in a widespread fashion, as these BIOS implementations are based on a common specification. This paper introduces Amaranth project - a solution to some of the contemporary security issues related to UEFI firmware. In this work we focused our attention on virtual machines as it allowed us to simplify the development of secure UEFI firmware. Security hardening of our firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and overall firmware size reduction.