Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 49
Slashdot reader zlives shared this report from BleepingComputer:
Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.
GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.
The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.
Miccrosoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Micxrosoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")
They add that performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...
As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).
This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."
GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.
The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.
Miccrosoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Micxrosoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")
They add that performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...
As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).
This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."
Why the obsession? (Score:3, Interesting)
Why does MS always care so much about the boatloader? Just seems like a weird obsession to me.
Re:Why the obsession? (Score:5, Insightful)
Because it's before the OS, so flaws there can be more severe.
Re:Why the obsession? (Score:4, Informative)
The real question that needs to be asked here isn't whether or not there's a vulnerability, but what the outcome of exploiting it is. As grub isn't really a boot loader that's installed by default on most systems, it's a low risk target and it's purpose is to boot to an OS who's kernels are often OSS. So not much to gain there. uboot is a different story. (It's used mostly in embedded products like phones.) Where the typical end user doesn't even know it exists on their device in the first place. So much greater risk.
Of course, that assumes that these are actual vulnerabilities and not misconfigurations made by incompetent Microsoft-owned employees.....
Re: (Score:2)
I'm assuming they wrote this AI-powered test suite for their own implementation of UEFI, namely Project Mu and associated Windows bootloader.
So then they ran it against alternative implementations as mentioned in the summary. This would be done for several reasons such as correctness of the test suite, diagnosing any MS-dependent quirks that deviate from the spec, improving the completeness of the test suite to verify their weren't non-diagnosed flaws in their own implementation.
As for finding bugs in u-bo
Re: (Score:2, Interesting)
They want to make sure that they can lock out anything they see really competing with them.
Oh - sorry, we didn't realize that this UEFI key we blocked for malware in the coming BIOS update was also used by a million Linux installations.
Re: (Score:1)
Re: (Score:2, Funny)
Because if they used this tech on the Windows code base the AI would report the entire thing is flawed.
Re: Why the obsession? (Score:4, Insightful)
Re:Why the obsession? (Score:5, Informative)
Because if you succesfully hacked the bootloader, your malware is invisible to the OS.
Re: (Score:2)
Because if you succesfully hacked the bootloader, your malware is invisible to the OS.
Don't they call this kind of shit Denuevo?
Re: (Score:2)
Not even jokingly, no. Denuevo is self-contained at the executable level: it runs entirely in ring 3. It's not like, say, StarForce, which needed a ring 0 driver installed.
Re: (Score:2)
Not even jokingly, no. Denuevo is self-contained at the executable level: it runs entirely in ring 3. It's not like, say, StarForce, which needed a ring 0 driver installed.
Ah, I was conflating the two.
Re:Why the obsession? (Score:5, Interesting)
As a linux/g++ developer I can give you an explanation: because it tells me, who has no use for Visual Studio and most other products from Microsoft, that I could put this tool to proper use. If a tool can analyze an open source boot loader, then it can likely analyze my own product, too. Thereby they widen their audience quite a bit. The fact, that they analyzed grub2 and not e.g. libqt6 raises eyebrows not only of GUI application programmers, but also of embedded programmers, which is one of the larger C/C++ programmer crowds in general and specifically for linux. I don't think I would have even read the article, had they reported 5 buffer overflows in MS Word or Libreoffice. Pure genius IMHO.
One thing, which did not at all impress me was the finding actually shown in the bleepingcomputer article: malloc(size+1) can at worst produce an inadvertent malloc(0), which could lead to a heap overflow, but that's an error most decent static code checkers would also flag. It would impress me a lot more, if Copilot would have flagged something a bit more difficult.
Re: Why the obsession? (Score:4, Informative)
Microsoft donâ(TM)t care about QT, they donâ(TM)t use it.
They do use Linux in general on a massive scale in their cloud infrastructure, and subsequently use grub to boot them.
Azure is more than half Linux.
Re: (Score:2)
Their cloud offerings still don't have a need for uboot, and they analyzed it anyway. I insist, that this is one of Microsoft's clever marketing ploys to gain market share in the embedded market, something e.g. Google or Amazon seem to have ignored for now despite their much higher investment in embedded in general.
Smart move on Microsoft's side, but I sure hope, that their Copilot learns to find more intricate bugs than malloc(size+1).
Re: (Score:2)
Re: (Score:2)
Because things like libqt6 aren't likely to be understood by Microsoft developers.
One thing, which Microsoft has really been successful in the last 30 years was GUIs. Their UIs were typically slick and efficient, and for each and every Microsoft GUI strangeness I can probably show you 10 worse GTK or KDE UX defects. Yes, Microsoft has a footing in boot loaders, they were also engaged in embedded platforms for a while (is WinCE still a thing?), but that's all beside the point.
If you look at typical code produced in Visual Studio, you'd expect a GUI driven DB connected Windows application
Re: (Score:2, Troll)
They want to justify their TPM requirement, which could ultimately lock out unauthorized (by them) bootloaders.
Re: (Score:3)
SecureBoot is a standard, and as part of teh standard, the keys must be user-serviceable.
Stop spreading misinformation.
Re: (Score:1)
SecureBoot is a standard, and as part of teh standard, the keys on x86 systems must be user-serviceable.
FTFY
Re: (Score:3)
For technical accuracy, MOKs are not part of the official Secure Boot standard. It is, however, a de facto standard on x86_64 hardware as every motherboard manufacturer and OEM (with one or two easily predicted notable exceptions, like Microsoft) has a vested interest in not crippling their hardware from running Linux securely.
It would be nice if it was a standard so that ARM64 devices played by the same rules.
Re: (Score:2)
The CA for the SecureBooth chain must be manageable.
MOKs exist as a way to avoid having to try to talk users into installing a CA in their EFI.
Re: (Score:2)
Look! Someone still ignorant of the verifiable fact that basically every hardware manufacturer allows MOKs (Machine Owner Keys) in their Secure Boot firmware.
I just loaded Ubuntu's keys into an HP laptop earlier this week. But do go on telling us how Microsoft is going to lock everyone out of being able to boot Linux, when half their damn cloud service offering is running Linux.
And if they predictably don't (Microsoft Surface devices) allow you to manage MOKs, don't buy it. This isn't new, by the way. T
Re: (Score:2)
Observation bias.
Re: (Score:2)
A week? (Score:2)
Re: (Score:3)
It's really not that complex of a sentence or context to parse.
Hypothetically, you schedule doing a top-to-bottom security review of the code as taking six weeks. You then sic your AI on it while your team gets to work. The AI spits out results, which the team can then verify and document, and you get the job done in 5 weeks.
It "saved [the] team approximately a week's worth of time" exactly as quoted.
Re: A week? (Score:2)
Re: (Score:2)
Because they don't want their trash OS to get pre-owned by a chain loader.
They're finding and fixing exploits, and freely publishing results. That's kind of nice of them.
Miccrosoft/Micxrosoft (Score:1)
Great! Now maybe they could leverage the vast potential of this super futuristic AI to find some spelling errors in TFS.
Re: (Score:3)
Those spelling mistakes were introduced when the original article was transcribed to/by Slashdot.
A line I found rather amusing in that article was
Does that lead to a jailbreak?
Re: (Score:1)
Slashdot invented the AI Dupe Generator. Slashdot invented the AI Dupe Generator.
What AI could find, should be provable? (Score:2)
I wonder if it's the case that the AI is using an implicit model-checking approach. If so, then one could potentially use AI to -construct the model-, and not only prove the code correct to the model, but also assist in proving the model is correct. But I'd be very interested in hearing why not, if this doesn't work.
Expected and normal (Score:2)
...but hopefully they are not relying solely on AI for protection.
Ha! (Score:3)
I use lilo.
Re:Ha! (Score:4, Funny)
I use lilo.
That could still be hacked.
That's why I've got toggle switches and a paper tape reader.
Re:Flaws? or? (Score:5, Funny)
Ok I don't want to use it anyway.
I don't want to use encrypted email services. That doesn't mean I don't care about flaws in them being corrected.
Me, doing what I want, with what I own is not a flaw!
This isn't about you. Keep reading TFS and you may get a hint.
Besides, I make it a point not to work on or use anything Microsoft.
This story is literally about Linux.
Yawn!!
Don't yawn. Go shave your beard. You're a disgrace to greybeards.
Re: (Score:2)
Yes, let's shit on the company that found actual vulnerabilities in open source software, and then proceeded to document the problems and suggest fixes. How dare they!
Maybe just a "thank you" for contributing to open source and security? Sheesh.
I guess the Windows boot loader is special (Score:1)
If Microsoft doesn't do it... (Score:3)
Hypocrisy (Score:2)