Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
AI Bug Open Source Operating Systems Security

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 49

Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.

Miccrosoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Micxrosoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

They add that performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders

Comments Filter:
  • Why the obsession? (Score:3, Interesting)

    by jrnvk ( 4197967 ) on Saturday April 05, 2025 @02:47PM (#65283669)

    Why does MS always care so much about the boatloader? Just seems like a weird obsession to me.

    • by AvitarX ( 172628 ) <me@noSPAm.brandywinehundred.org> on Saturday April 05, 2025 @03:15PM (#65283703) Journal

      Because it's before the OS, so flaws there can be more severe.

      • by codebase7 ( 9682010 ) on Saturday April 05, 2025 @10:13PM (#65284217)
        More accurately, code that runs before the OS can patch the OS in memory to do things it otherwise wouldn't. I.e. Disable integrity checks, create fake users with full access, hide malicious code from detection attempts, exfiltrate data, surveil users, etc. Many jailbreaks / softmods of various things (phones, video game consoles, coffee makers, routers, farm tractors, etc.) use this to bypass restrictions put in place by manufacturers. (Often to the delight of those that bought the products, so there's a good reason this happens, but it's not always a good thing.)

        The real question that needs to be asked here isn't whether or not there's a vulnerability, but what the outcome of exploiting it is. As grub isn't really a boot loader that's installed by default on most systems, it's a low risk target and it's purpose is to boot to an OS who's kernels are often OSS. So not much to gain there. uboot is a different story. (It's used mostly in embedded products like phones.) Where the typical end user doesn't even know it exists on their device in the first place. So much greater risk.

        Of course, that assumes that these are actual vulnerabilities and not misconfigurations made by incompetent Microsoft-owned employees.....
        • I'm assuming they wrote this AI-powered test suite for their own implementation of UEFI, namely Project Mu and associated Windows bootloader.

          So then they ran it against alternative implementations as mentioned in the summary. This would be done for several reasons such as correctness of the test suite, diagnosing any MS-dependent quirks that deviate from the spec, improving the completeness of the test suite to verify their weren't non-diagnosed flaws in their own implementation.

          As for finding bugs in u-bo

    • Re: (Score:2, Interesting)

      by Z00L00K ( 682162 )

      They want to make sure that they can lock out anything they see really competing with them.

      Oh - sorry, we didn't realize that this UEFI key we blocked for malware in the coming BIOS update was also used by a million Linux installations.

    • Re: (Score:2, Funny)

      by RitchCraft ( 6454710 )

      Because if they used this tech on the Windows code base the AI would report the entire thing is flawed.

    • by sixminuteabs ( 1452973 ) on Saturday April 05, 2025 @03:30PM (#65283735)
      That is because you are a zealot who cannot see past the name Microsoft. The reasons are clear and obvious as one already responded but in typical form slashdot circles the wagons. This time it is doubly bad as we combined microsoft and AI which I read here daily actually doesnâ(TM)t do anything. A lot of dogma has to be torn down before some of you can accept this for what it is
    • by dnaumov ( 453672 ) on Saturday April 05, 2025 @04:02PM (#65283781)

      Because if you succesfully hacked the bootloader, your malware is invisible to the OS.

      • Because if you succesfully hacked the bootloader, your malware is invisible to the OS.

        Don't they call this kind of shit Denuevo?

        • Not even jokingly, no. Denuevo is self-contained at the executable level: it runs entirely in ring 3. It's not like, say, StarForce, which needed a ring 0 driver installed.

          • Not even jokingly, no. Denuevo is self-contained at the executable level: it runs entirely in ring 3. It's not like, say, StarForce, which needed a ring 0 driver installed.

            Ah, I was conflating the two.

    • by Slayer ( 6656 ) on Saturday April 05, 2025 @04:04PM (#65283785)

      As a linux/g++ developer I can give you an explanation: because it tells me, who has no use for Visual Studio and most other products from Microsoft, that I could put this tool to proper use. If a tool can analyze an open source boot loader, then it can likely analyze my own product, too. Thereby they widen their audience quite a bit. The fact, that they analyzed grub2 and not e.g. libqt6 raises eyebrows not only of GUI application programmers, but also of embedded programmers, which is one of the larger C/C++ programmer crowds in general and specifically for linux. I don't think I would have even read the article, had they reported 5 buffer overflows in MS Word or Libreoffice. Pure genius IMHO.

      One thing, which did not at all impress me was the finding actually shown in the bleepingcomputer article: malloc(size+1) can at worst produce an inadvertent malloc(0), which could lead to a heap overflow, but that's an error most decent static code checkers would also flag. It would impress me a lot more, if Copilot would have flagged something a bit more difficult.

      • by viperidaenz ( 2515578 ) on Saturday April 05, 2025 @05:44PM (#65283909)

        Microsoft donâ(TM)t care about QT, they donâ(TM)t use it.

        They do use Linux in general on a massive scale in their cloud infrastructure, and subsequently use grub to boot them.
        Azure is more than half Linux.

        • by Slayer ( 6656 )

          Their cloud offerings still don't have a need for uboot, and they analyzed it anyway. I insist, that this is one of Microsoft's clever marketing ploys to gain market share in the embedded market, something e.g. Google or Amazon seem to have ignored for now despite their much higher investment in embedded in general.

          Smart move on Microsoft's side, but I sure hope, that their Copilot learns to find more intricate bugs than malloc(size+1).

      • by tlhIngan ( 30335 )

        As a linux/g++ developer I can give you an explanation: because it tells me, who has no use for Visual Studio and most other products from Microsoft, that I could put this tool to proper use. If a tool can analyze an open source boot loader, then it can likely analyze my own product, too. Thereby they widen their audience quite a bit. The fact, that they analyzed grub2 and not e.g. libqt6 raises eyebrows not only of GUI application programmers, but also of embedded programmers, which is one of the larger C/

        • by Slayer ( 6656 )

          Because things like libqt6 aren't likely to be understood by Microsoft developers.

          One thing, which Microsoft has really been successful in the last 30 years was GUIs. Their UIs were typically slick and efficient, and for each and every Microsoft GUI strangeness I can probably show you 10 worse GTK or KDE UX defects. Yes, Microsoft has a footing in boot loaders, they were also engaged in embedded platforms for a while (is WinCE still a thing?), but that's all beside the point.

          If you look at typical code produced in Visual Studio, you'd expect a GUI driven DB connected Windows application

    • They want to justify their TPM requirement, which could ultimately lock out unauthorized (by them) bootloaders.

      • Wrong.
        SecureBoot is a standard, and as part of teh standard, the keys must be user-serviceable.

        Stop spreading misinformation.
        • by Anonymous Coward

          SecureBoot is a standard, and as part of teh standard, the keys on x86 systems must be user-serviceable.

          FTFY

        • For technical accuracy, MOKs are not part of the official Secure Boot standard. It is, however, a de facto standard on x86_64 hardware as every motherboard manufacturer and OEM (with one or two easily predicted notable exceptions, like Microsoft) has a vested interest in not crippling their hardware from running Linux securely.

          It would be nice if it was a standard so that ARM64 devices played by the same rules.

          • Wasn't talking about MOKs.
            The CA for the SecureBooth chain must be manageable.
            MOKs exist as a way to avoid having to try to talk users into installing a CA in their EFI.
      • Look! Someone still ignorant of the verifiable fact that basically every hardware manufacturer allows MOKs (Machine Owner Keys) in their Secure Boot firmware.

        I just loaded Ubuntu's keys into an HP laptop earlier this week. But do go on telling us how Microsoft is going to lock everyone out of being able to boot Linux, when half their damn cloud service offering is running Linux.

        And if they predictably don't (Microsoft Surface devices) allow you to manage MOKs, don't buy it. This isn't new, by the way. T

    • Observation bias.

    • Because it smells utterly enchanting!
    • "saved our team approximately a week's worth of time," . . . A week compared to what? Six months? Two weeks? It sounds as though if they'd just spent a damn week reviewing the code, they'd have found the bugs without Copilot. Why TF didn't they??! Looks like they cared less about finding the vulnerabilities than about notching a win story to promote Copilot. Sigh . . .
      • It's really not that complex of a sentence or context to parse.

        Hypothetically, you schedule doing a top-to-bottom security review of the code as taking six weeks. You then sic your AI on it while your team gets to work. The AI spits out results, which the team can then verify and document, and you get the job done in 5 weeks.

        It "saved [the] team approximately a week's worth of time" exactly as quoted.

    • Because they don't want their trash OS to get pre-owned by a chain loader.

      They're finding and fixing exploits, and freely publishing results. That's kind of nice of them.

  • Great! Now maybe they could leverage the vast potential of this super futuristic AI to find some spelling errors in TFS.

    • Those spelling mistakes were introduced when the original article was transcribed to/by Slashdot.
      A line I found rather amusing in that article was

      CVE-2025-0684 – Integer overflow in ReiserFS symbolic link handling leads to buffer overflow

      Does that lead to a jailbreak?

  • I wonder if it's the case that the AI is using an implicit model-checking approach. If so, then one could potentially use AI to -construct the model-, and not only prove the code correct to the model, but also assist in proving the model is correct. But I'd be very interested in hearing why not, if this doesn't work.

  • ...but hopefully they are not relying solely on AI for protection.

  • by ArchieBunker ( 132337 ) on Saturday April 05, 2025 @03:29PM (#65283729)

    I use lilo.

  • As in, nobody look over here (Microsoft), look over there (Linux etc)!
  • by Yo,dog! ( 1819436 ) on Saturday April 05, 2025 @06:11PM (#65283967)
    someone else will.
  • Who pushed everyone to UEFI Secureboot? Wasn't it by chance Microsoft? Who said right then, that would have a lot of issues? Everyone else and their grandmother. Now they have some balls to say something about opensource being at fault, when the concepts of it are. Concepts from themselves.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (8) I'm on the committee and I *still* don't know what the hell #pragma is for.

Working...