DECAF: Automatic, Adaptive De-bloating and Hardening of COTS Firmware


Jake Christensen, Private Machines; Ionut Mugurel Anghel, Univ. Politehnica Bucharest; Rob Taglang, Private Machines; Mihai Chiroiu, Univ. Politehnica Bucharest; Radu Sion, Private Machines


Once compromised, server firmware can surreptitiously and permanently take over a machine and any stack running thereon, with no hope for recovery, short of hardware-level intervention. To make things worse, modern firmware contains millions of lines of unnecessary code and hundreds of unnecessary modules as a result of a long firmware supply chain designed to optimize time-to-market and cost, but not security. As a result, off-the-shelf motherboards contain large, unnecessarily complex, closed-source vulnerability surfaces that can completely and irreversibly compromise systems.

In this work, we address this problem by dramatically and automatically reducing the vulnerability surface. DECAF is an extensible platform for automatically pruning a wide class of commercial UEFI firmware. DECAF intelligently runs dynamic iterative surgery on UEFI firmware to remove a maximal amount of code with no regressive effects on the functionality and performance of higher layers in the stack (OS, applications).

DECAF has successfully pruned over 70% of unnecessary, redundant, reachable firmware in leading server-grade motherboards with no effect on the upper layers, and increased resulting system performance and boot times.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {255256,
author = {Jake Christensen and Ionut Mugurel Anghel and Rob Taglang and Mihai Chiroiu and Radu Sion},
title = {{DECAF}: Automatic, Adaptive De-bloating and Hardening of {COTS} Firmware},
booktitle = {29th {USENIX} Security Symposium ({USENIX} Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {1713--1730},
url = {},
publisher = {{USENIX} Association},
month = aug,

Presentation Video