Bootkits: Past, Present & Future
Alexander Matrosov
@matrosov
Eugene Rodionov
@vxradius
David Harley
@DavidHarleyBlog
Agenda
• Modern Bootkits History
• Legacy BIOS vs. UEFI Boot Environment & Proof of Concept vs. In the Wild
• Legacy BIOS Bootkit Classification
• UEFI Bootkits
• Bootkit Implementation Strategies
• Attacks against Secure Boot
• Forensic Software
• HiddenFsReader
• CHIPSEC
Modern Bootkit History
[Figure: timeline from 2005 to 2014 marking each bootkit as either "Proof of Concept" or "In the Wild". Bootkits shown: eEye BootRoot, Mebroot, Vbootkit, Mebratix, Mebroot v2, Olmarik (TDL4), Olmasco (TDL4-based), Vbootkit x64, Rovnix, Evil Core, Stoned Bootkit, Mebromi, DeepBoot, Stoned Bootkit x64, Gapz, VGA Bootkit, Dream Boot, OldBoot (Android bootkit). Milestones marked: "Microsoft x64 platform gains popularity" and "Secure Boot implemented in Windows 8".]
Legacy BIOS vs. UEFI
• No more MBR and VBR/IPL code
• Different hard drive partitioning scheme: GPT (GUID Partition Table)
• Secure Boot technology is implemented in Windows 8
[Diagram: the two boot flows side by side.
 BIOS: BIOS boot code -> MBR (Master Boot Record) -> VBR/IPL (Volume Boot Record / Initial Program Loader) -> bootmgr -> winload.efi -> Load kernel and boot start drivers
 UEFI: UEFI boot code -> UEFI boot loader (bootmgfw.efi) -> winload.efi -> Load kernel and boot start drivers]
The Target of Modern Bootkits (MBR/VBR)
Classification of MBR/VBR Bootkits
Bootkits
• MBR
    - MBR Code modification: TDL4
    - Partition Table modification: Olmasco
• VBR/IPL
    - IPL Code modification: Rovnix
    - BIOS Parameter Block modification: Gapz
IPL Code Modification: Rovnix
• Win64/Rovnix overwrites bootstrap code of the active partition
[Diagram: disk layout before and after infection.
 Before infecting: MBR | VBR | Bootstrap Code (NTFS bootstrap code, 15 sectors) | File System Data
 After infecting: MBR | VBR | Malicious Code | File System Data, with further regions labelled Bootstrap Code, Compressed Data and Malicious Unsigned Driver]
“Hasta La Vista, Bootkit: Exploiting the VBR”
http://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
Gapz VBR Bootkit
Main features:
• Relies on the Microsoft Windows VBR layout
• The infection modifies only 4 bytes of the VBR
• The patched bytes might differ on various installations
[Diagram: VBR layout by offset.
 0x000-0x003: jmp (transfers control to the VBR code)
 0x003-0x054: BIOS Parameter Block (BPB)
 0x054-0x19C: VBR code
 0x19C-0x1FE: Text Strings
 0x1FE-0x200: 0x55 0xAA]
“Mind the Gapz: The most complex bootkit ever analyzed?”
http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
Gapz BPB Layout
    #include <windows.h>             // WORD, BYTE, DWORD, LONGLONG

    #pragma pack(push, 1)            // on-disk layout has no padding (73 bytes)
    struct BIOS_PARAMETER_BLOCK
    {
        WORD     BytesPerSector;
        BYTE     SecPerCluster;
        WORD     ReservedSectors;
        BYTE     Reserved[5];
        BYTE     MediaDescriptorID;
        WORD     Reserved2;
        WORD     SectorsPerTrack;
        WORD     NumberOfHeads;
        DWORD    HiddenSectors;      // the 4-byte field whose value Gapz modifies
        DWORD    Reserved3[2];
        LONGLONG TotalSectors;
        LONGLONG StartingCluster;
        LONGLONG MFTMirrStartingCluster;
        DWORD    ClustersPerMFTRecord;
        DWORD    ClustersPerIndexBuffer;
        LONGLONG VolumeSerialNumber;
        DWORD    Reserved4;
    };
    #pragma pack(pop)
Gapz
[Diagram: hard drive layout before and after infection.
 Before infection: MBR | NTFS Volume: VBR (0x200), IPL (0x1E00), NTFS File System. Annotation: Number of “Hidden Sectors”.
 After infection: MBR | NTFS Volume: Infected VBR (0x200), IPL (0x1E00), NTFS File System | Bootkit. Annotation: Modified value of number of “Hidden Sectors”.]
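A defender-side check for the BPB change shown above, as an added example that is not part of the original slides: it compares `HiddenSectors` in the VBR with the start LBA recorded for the active partition in the MBR. It assumes an MBR-partitioned disk on which a clean NTFS volume stores its partition start LBA in that field; the function names, verdict codes and sample sectors are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE        512
#define BOOT_SIG_OFFSET    0x1FE  /* 0x55 0xAA at the end of MBR and VBR */
#define MBR_PART_TABLE     0x1BE  /* four 16-byte partition entries */
#define VBR_OEM_ID_OFFSET  0x003  /* "NTFS    " follows the 3-byte jmp */
#define VBR_BPB_OFFSET     0x00B  /* BIOS_PARAMETER_BLOCK follows the OEM ID */
#define BPB_HIDDEN_SECTORS 0x11   /* offset of HiddenSectors inside the BPB */

enum vbr_verdict {
    VBR_OK = 0,
    VBR_BAD_SIGNATURE,
    VBR_NO_ACTIVE_PARTITION,
    VBR_NOT_NTFS,
    VBR_HIDDEN_SECTORS_MISMATCH
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

static int has_boot_sig(const uint8_t *s)
{
    return s[BOOT_SIG_OFFSET] == 0x55 && s[BOOT_SIG_OFFSET + 1] == 0xAA;
}

/* Start LBA of the active (boot flag 0x80) MBR partition. */
int mbr_active_start_lba(const uint8_t *mbr, uint32_t *start_lba)
{
    if (!has_boot_sig(mbr))
        return VBR_BAD_SIGNATURE;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_PART_TABLE + 16 * i;
        if (e[0] == 0x80 && e[4] != 0x00) {   /* active, non-empty type */
            *start_lba = rd_le32(e + 8);
            return VBR_OK;
        }
    }
    return VBR_NO_ACTIVE_PARTITION;
}

/* Cross-check BPB.HiddenSectors in the VBR against the partition table. */
int check_hidden_sectors(const uint8_t *mbr, const uint8_t *vbr)
{
    uint32_t start_lba = 0;
    int rc = mbr_active_start_lba(mbr, &start_lba);
    if (rc != VBR_OK)
        return rc;
    if (!has_boot_sig(vbr))
        return VBR_BAD_SIGNATURE;
    if (memcmp(vbr + VBR_OEM_ID_OFFSET, "NTFS    ", 8) != 0)
        return VBR_NOT_NTFS;
    uint32_t hidden = rd_le32(vbr + VBR_BPB_OFFSET + BPB_HIDDEN_SECTORS);
    return hidden == start_lba ? VBR_OK : VBR_HIDDEN_SECTORS_MISMATCH;
}

/* Constructed sample sectors; values are illustrative, not from a real disk. */
static void make_sample(uint8_t *mbr, uint8_t *vbr, uint32_t part_lba, uint32_t hidden)
{
    memset(mbr, 0, SECTOR_SIZE);
    memset(vbr, 0, SECTOR_SIZE);
    uint8_t *e = mbr + MBR_PART_TABLE;
    e[0] = 0x80;                               /* active partition */
    e[4] = 0x07;                               /* NTFS partition type */
    wr_le32(e + 8, part_lba);                  /* start LBA */
    wr_le32(e + 12, 204800);                   /* sector count */
    mbr[BOOT_SIG_OFFSET] = 0x55; mbr[BOOT_SIG_OFFSET + 1] = 0xAA;
    vbr[0] = 0xEB; vbr[1] = 0x52; vbr[2] = 0x90;   /* jmp to VBR code at 0x054 */
    memcpy(vbr + VBR_OEM_ID_OFFSET, "NTFS    ", 8);
    vbr[VBR_BPB_OFFSET + 1] = 0x02;            /* BytesPerSector = 512 */
    wr_le32(vbr + VBR_BPB_OFFSET + BPB_HIDDEN_SECTORS, hidden);
    vbr[BOOT_SIG_OFFSET] = 0x55; vbr[BOOT_SIG_OFFSET + 1] = 0xAA;
}

int demo_clean(void)
{
    uint8_t mbr[SECTOR_SIZE], vbr[SECTOR_SIZE];
    make_sample(mbr, vbr, 2048, 2048);         /* field matches partition start */
    return check_hidden_sectors(mbr, vbr);
}

int demo_modified(void)
{
    uint8_t mbr[SECTOR_SIZE], vbr[SECTOR_SIZE];
    make_sample(mbr, vbr, 2048, 2048 + 300000); /* field no longer matches */
    return check_hidden_sectors(mbr, vbr);
}

int main(void)
{
    printf("clean sample:    verdict %d\n", demo_clean());
    printf("modified sample: verdict %d\n", demo_modified());
    return 0;
}
```

Read both sectors from a raw disk image or a write-blocked device rather than through the running OS, since a resident bootkit can return the original sectors to live reads.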
Modern Bootkits Comparison

Functionality | Gapz | Olmarik (TDL4) | Rovnix (Cidox) | Goblin (XPAJ) | Olmasco (MaxSS)
MBR modification | ✓ | ✓ | ✗ | ✓ | ✓
VBR modification | ✓ | ✗ | ✓ | ✗ | ✗
Hidden file system type | FAT32 | custom | FAT16 modification | custom (TDL4 based) | custom
Crypto implementation | AES-256, RC4, MD5, SHA1, ECC | XOR/RC4 | Custom (XOR+ROL) | ✗ | RC6 modification
Compression algorithm | ✓ | ✗ | aPlib | aPlib | ✗
Custom TCP/IP network stack implementation | ✓ | ✗ | ✗ | ✗ | ✗
HiddenFsReader as a Forensic Tool (MBR/VBR)
In The Beginning…
In 1998-99, the CIH (Chernobyl) virus, written by a student of Taipei Tatung Institute of Technology in Taiwan, infected ~60 million PCs.
CIH (Chernobyl) erased the BIOS ‘ROM’ boot block and boot sectors on a hard drive, causing ~1B US dollars in damage.
Signed BIOS Updates Are Rare
• Mebromi malware includes BIOS infector & MBR bootkit components
• Patches the BIOS ROM binary, injecting a malicious ISA Option ROM with a legitimate BIOS image mod utility
• Triggers SW SMI 0x29/0x2F to erase SPI flash, then writes the patched BIOS binary
No Signature Checks of OS boot loaders (MBR/VBR)
• No concept of Secure or Verified Boot
• Wonder why TDL4 and likes flourished?
UEFI BIOS Firmware
[Diagram: UEFI boot phases in order, starting at CPU Reset.]
• SEC: S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init
• Pre-EFI Init (PEI): S-CRTM: Measure DXE/BDS; Early CPU/PCH Init; Memory (DIMMs, DRAM) Init, SMM Init
• Driver Exec Env (DXE): Continue initialization of platform & devices; Enum FV, dispatch drivers (network, I/O, service..); Produce Boot and Runtime Services
• Boot Dev Select (BDS): Boot Manager (Select Boot Device); EFI Shell/Apps; OS Boot Loader(s)
• Runtime / OS: ExitBootServices. Minimal UEFI services (Variable); ACPI, UEFI SystemTable, SMBIOS table
UEFI Bootkits
[Diagram: UEFI platform stack with these components: Hardware (I/O, Memory, Network, Graphics); System Firmware (SEC/PEI); UEFI DXE Core / Dispatcher; DXE Drivers; UEFI OROMs; UEFI Boot Loader (Bootx64.efi, Bootmgfw.efi); UEFI OS Loaders; OS Kernel / Drivers; HDD. A block labelled Malware is shown alongside.]
Replacing Windows Boot Manager
• EFI System Partition (ESP) on Fixed Drive: ESP\EFI\Microsoft\Boot\bootmgfw.efi
• Reference: “UEFI technology: say hello to the Windows 8 bootkit!” by ITSEC
Replacing Fallback Boot Loader
• ESP\EFI\Boot\bootx64.efi
• Reference: “UEFI and Dreamboot” by Sébastien Kaczmarek, QUARKSLAB
Adding New Boot Loader (bootkit.efi)
• Modified BootOrder / Boot#### EFI variables
Adding/Replacing DXE Driver
• Stored on Fixed Drive
• Not embedded in Firmware Volume (FV) in ROM
• Modified DriverOrder + Driver#### EFI variables
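An audit of the Boot#### / Driver#### variables named on the "Adding New Boot Loader" and "Adding/Replacing DXE Driver" slides, as an added example that is not from the original deck: it parses a raw EFI_LOAD_OPTION blob, extracts the file path from its device path and compares it with an allowlist. The allowlist contents, function names and the sample entries are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DP_MEDIA          0x04  /* Media Device Path type */
#define DP_MEDIA_FILEPATH 0x04  /* File Path sub-type */
#define DP_END            0x7F  /* End of Hardware Device Path */

enum { OPT_MALFORMED = -1, OPT_EXPECTED = 0, OPT_UNEXPECTED_PATH = 1 };

/* Assumed allowlist: the two loader paths named on the slides. */
static const char *const EXPECTED_LOADERS[] = {
    "\\EFI\\Microsoft\\Boot\\bootmgfw.efi",
    "\\EFI\\Boot\\bootx64.efi",
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* EFI_LOAD_OPTION: UINT32 Attributes; UINT16 FilePathListLength;
 * CHAR16 Description[] (NUL-terminated); device path nodes
 * (UINT8 Type, UINT8 SubType, UINT16 Length, data); OptionalData.
 * Concatenates all File Path nodes into out as ASCII. Returns 0 or -1. */
int load_option_file_path(const uint8_t *opt, size_t len, char *out, size_t outsz)
{
    size_t pos = 6, n = 0;
    if (len < 6 || outsz == 0)
        return -1;
    size_t fpl_len = rd16(opt + 4);
    do {                                      /* skip the Description string */
        if (pos + 2 > len)
            return -1;
        pos += 2;
    } while (rd16(opt + pos - 2) != 0);
    if (fpl_len > len - pos)                  /* list must fit in the blob */
        return -1;
    size_t end = pos + fpl_len;
    while (pos + 4 <= end && opt[pos] != DP_END) {
        size_t nlen = rd16(opt + pos + 2);
        if (nlen < 4 || nlen > end - pos)     /* node must fit in the list */
            return -1;
        if (opt[pos] == DP_MEDIA && opt[pos + 1] == DP_MEDIA_FILEPATH) {
            for (size_t i = pos + 4; i + 2 <= pos + nlen; i += 2) {
                uint16_t c = rd16(opt + i);
                if (c == 0)
                    break;
                if (n + 1 >= outsz)
                    return -1;
                out[n++] = (c < 0x80) ? (char)c : '?';
            }
        }
        pos += nlen;
    }
    out[n] = '\0';
    return n ? 0 : -1;
}

static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

int audit_load_option(const uint8_t *opt, size_t len, char *path, size_t pathsz)
{
    if (load_option_file_path(opt, len, path, pathsz) != 0)
        return OPT_MALFORMED;
    for (size_t i = 0; i < sizeof EXPECTED_LOADERS / sizeof EXPECTED_LOADERS[0]; i++)
        if (eq_nocase(path, EXPECTED_LOADERS[i]))
            return OPT_EXPECTED;
    return OPT_UNEXPECTED_PATH;
}

static size_t put_utf16(uint8_t *buf, size_t pos, const char *s)
{
    do { buf[pos++] = (uint8_t)*s; buf[pos++] = 0; } while (*s++);
    return pos;
}

/* Build a constructed load option with one File Path node (sample data). */
size_t build_sample_option(uint8_t *buf, const char *desc, const char *path)
{
    size_t node_len = 4 + (strlen(path) + 1) * 2, fpl = node_len + 4;
    memset(buf, 0, 6);
    buf[0] = 0x01;                            /* LOAD_OPTION_ACTIVE */
    buf[4] = (uint8_t)fpl; buf[5] = (uint8_t)(fpl >> 8);
    size_t pos = put_utf16(buf, 6, desc);
    buf[pos++] = DP_MEDIA; buf[pos++] = DP_MEDIA_FILEPATH;
    buf[pos++] = (uint8_t)node_len; buf[pos++] = (uint8_t)(node_len >> 8);
    pos = put_utf16(buf, pos, path);
    buf[pos++] = DP_END; buf[pos++] = 0xFF; buf[pos++] = 4; buf[pos++] = 0;
    return pos;
}

int demo_audit(const char *path, size_t truncate_by)
{
    uint8_t buf[256];
    char out[128];
    size_t n = build_sample_option(buf, "Sample entry", path);
    return audit_load_option(buf, n - truncate_by, out, sizeof out);
}

int main(void)
{
    printf("%d\n", demo_audit("\\EFI\\Microsoft\\Boot\\bootmgfw.efi", 0));
    printf("%d\n", demo_audit("\\EFI\\Constructed\\bootkit.efi", 0));
    printf("%d\n", demo_audit("\\EFI\\Boot\\bootx64.efi", 6));
    return 0;
}
```

A path on the allowlist only shows that no new entry was added; the replaced-loader cases on these slides need a hash or signature check of the file itself.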
Patching UEFI “Option ROM”
• UEFI DXE Driver in Add-On Card (Network, Storage..)
• Non-Embedded in FV in ROM
• Reference: “Mac EFI Rootkits” by @snare, Black Hat USA 2012
Replacing OS Loaders (winload.efi, winresume.efi)
Patching GUID Partition Table (GPT)
What about Secure Boot?
Secure Boot on MS Windows 8.1
[Diagram: platform stack with these components: Hardware (I/O, Memory, Network, Graphics); System Firmware (SEC/PEI); Signed BIOS Update; UEFI DXE Core / Dispatcher; DXE Drivers; UEFI OROMs; UEFI Apps; UEFI Boot Loader (Bootx64.efi, Bootmgfw.efi); UEFI OS Loaders (winload.efi, winresume.efi); OS Kernel / Early Launch Anti-Malware (ELAM); OS Drivers. Two regions are labelled "UEFI Secure Boot" and "Windows 8.1 Secure Boot".]
Secure Boot bypass possible?
[Diagram: platform stack with these components: Hardware (I/O, Memory, Network, Graphics); System Firmware (SEC/PEI); Signed BIOS Update; UEFI DXE Core / Dispatcher; DXE Drivers; UEFI Boot Loader (Bootx64.efi, Bootmgfw.efi); UEFI OS Loaders; OS Kernel; OS Driver. Annotations: "OS Exploit" and "Modify Secure Boot FW or config in ROM".]
First Public Windows 8 Secure Boot Bypass (Aug 2013)
A Tale Of One Software Bypass Of Windows 8 Secure Boot
BIOS Attack Surface
[Diagram: attack surface areas of System FW/BIOS: SPI Flash Protection; BIOS Update; SMRAM Protection; Hardware Config.; SMI Handlers; Secure Boot; BIOS Settings (NVRAM, Variables); …]
Summary of Attacks Against BIOS and Secure Boot
From “Analytics, and Scalability, and UEFI Exploitation” by Teddy Reed:
Patch attempts to enable BIOS write protection (sets BIOS_CONTROL[BLE]). Picked up by Subzero
CHIPSEC: Platform Security Assessment Framework
https://github.com/chipsec/chipsec
@CHIPSEC
chipsec_main.py    runs modules (see modules dir below)
chipsec_util.py    runs manual utilities (see utilcmd dir below)
/chipsec
    /cfg        platform specific configuration
    /hal        all the HW stuff you can interact with
    /helper     support for OS/environments
    /modules    modules (tests/tools/PoCs) go here
    /utilcmd    utility commands for chipsec_util
Known Threats and CHIPSEC modules

Issue | CHIPSEC Module | References
SMRAM Locking | common.smm | CanSecWest 2006
BIOS Keyboard Buffer Sanitization | common.bios_kbrd_buffer | DEFCON 16 2008
SMRR Configuration | common.smrr | ITL 2009; CanSecWest 2009
BIOS Protection | common.bios_wp | BlackHat USA 2009; CanSecWest 2013; Black Hat 2013; NoSuchCon 2013; Flashrom
SPI Controller Locking | common.spi_lock | Flashrom; Copernicus
BIOS Interface Locking | common.bios_ts | PoC 2007
Access Control for Secure Boot Keys | common.secureboot.keys | UEFI 2.4 Spec
Access Control for Secure Boot Variables | common.secureboot.variables | UEFI 2.4 Spec
BIOS/Firmware Forensics
Live system firmware analysis
    chipsec_util spi info
    chipsec_util spi dump rom.bin
    chipsec_util spi read 0x700000 0x100000 bios.bin
    chipsec_util uefi var-list
    chipsec_util uefi var-read db D719B2CB-3D3A-4596-A3BC-DAD00E67656F db.bin
Offline system firmware analysis
    chipsec_util uefi keys PK.bin
    chipsec_util uefi nvram vss bios.bin
    chipsec_util uefi decode rom.bin
    chipsec_util decode rom.bin
How to dump BIOS firmware directly from chip?
DEMO TIME
Thank you for your attention!
Eugene Rodionov
@vxradius
Alexander Matrosov
@matrosov
David Harley
@DavidHarleyBlog

Bootkits: Past, Present & Future - Virus Bulletin

  • 1. Bootkits: Past, Present & Future Alexander Matrosov @matrosov Eugene Rodionov @vxradius David Harley @DavidHarleyBlog
  • 2. Agenda  Modern Bootkits History  Legacy BIOS vs. UEFI Boot Environment & Proof of Concept vs. In the Wild  Legacy BIOS Bootkit Classification  UEFI Bootkits  Bootkit Implementation Strategies  Attacks against Secure Boot  Forensic Software  HiddenFsReader  CHIPSEC
  • 3. Modern Bootkit History 20072007 20082008 20092009 20102010 20112011 20122012 2013201320052005 20142014 eEye BootRoot Mebroot Vbootkit Mebratix Mebrootv2 Olmarik(TDL4) Olmasco(TDL4-based) Vbootkit x64 Vbootkit x64 Rovnix Evil Core Stoned Bootkit Mebromi DeepBoot Stoned Bootkit x64 Gapz VGA Bootkit Dream Boot OldBoot(AndroidBootkit) Microsoft x64 platform gains popularity Secure Boot implemented in Windows 8 In the Wild Proof of Concept
  • 4. Legacy BIOS vs. UEFI  No more MBR and VBR/IPL code  Different hard drive partitioning scheme: GPT (GUID Partition Table)  Secure Boot technology is implemented in Windows 8 BIOS BIOS boot code bootmgr Load kernel and boot start drivers winload.efi MBR (Master Boot Record) VBR/IPL (Volume Boot Record/ Initial Program Loader) Load kernel and boot start drivers winload.efi UEFI boot loader (bootmgfw.efi) UEFI boot code UEFI
  • 5. The Target of Modern Bootkits (MBR/VBR)
  • 6. Classification of MBR/VBR Bootkits Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
  • 7. IPL Code Modification: Rovnix  Win64/Rovnix overwrites bootstrap code of the active partition MBR VBR Bootstrap Code File System Data VBR Malicious Code File System Data Bootstrap Code MBR NTFS bootstrap code (15 sectors) Before Infecting After Infecting Malicious Unsigned Driver Compressed Data “Hasta La Vista, Bootkit: Exploiting the VBR” http://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
  • 8. Gapz VBR Bootkit Main features:  Relies on Microsoft Windows VBR layout  The infections result in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control “Mind the Gapz: The most complex bootkit ever analyzed?” http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
  • 9. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
  • 10. Gapz MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
  • 11. Modern Bootkits ComparisonFunctionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack implementation     
  • 12. HiddenFsReader as a Forensic Tool (MBR/VBR)
  • 13. HiddenFsReader as a Forensic Tool (MBR/VBR)
  • 14.
  • 15. In The Beginning… In 1998-99 CIH (Chernobyl) virus written by a student of Taipei Tatung Institute of Technology in Taiwan infected ~60 million PCs CIH (Chernobyl) erased BIOS ‘ROM’ boot block and boot sectors on a hard drive causing ~1B US dollars in damage
  • 16. • Mebromi malware includes BIOS infector & MBR bootkit components • Patches BIOS ROM binary injecting malicious ISA Option ROM with legitimate BIOS image mod utility • Triggers SW SMI 0x29/0x2F to erase SPI flash then write patched BIOS binary Signed BIOS Updates Are Rare • No concept of Secure or Verified Boot • Wonder why TDL4 and likes flourished? No Signature Checks of OS boot loaders (MBR/VBR)
  • 17. UEFI BIOS Firmware SEC Pre-EFI Init (PEI) Driver Exec Env (DXE) Boot Dev Select (BDS) Runtime / OS S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init S-CRTM: Measure DXE/BDS Early CPU/PCH Init Memory (DIMMs, DRAM) Init, SMM Init Continue initialization of platform & devices Enum FV, dispatch drivers (network, I/O, service..) Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/Apps; OS Boot Loader(s) ExitBootServices. Minimal UEFI services (Variable) ACPI, UEFI SystemTable, SMBIOS table CPU Reset
  • 18. UEFI Bootkits Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) DXE Driver UEFI Boot Loader Bootx64.efi Bootmgfw.efi DXE Driver UEFI OROM UEFI OROM OS Kernel / Drivers HDD Malware
  • 19. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 20. Replacing Windows Boot Manager EFI System Partition (ESP) on Fixed Drive ESPEFIMicrosoftBootbootmgfw.efi UEFI technology: say hello to the Windows 8 bootkit! by ITSEC Replacing Fallback Boot Loader ESPEFIBootbootx64.efi UEFI and Dreamboot by Sébastien Kaczmarek, QUARKSLAB Adding New Boot Loader (bootkit.efi) Modified BootOrder / Boot#### EFI variables UEFI Bootkits
  • 21. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 22. UEFI Bootkits
      • Adding/Replacing DXE Driver: Stored on Fixed Drive; Not embedded in Firmware Volume (FV) in ROM
      • Modified DriverOrder + Driver#### EFI variables
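Slides 20 and 22 both rely on modified Boot####/Driver#### variables, so a defender can audit them by decoding each variable's EFI_LOAD_OPTION payload and comparing the loader path with what is expected. The following is an added example, not part of the original slides or of CHIPSEC; the allowlist, the rule that no Driver#### entry is expected, and the sample variables are assumptions constructed for illustration.

```python
import struct

LOAD_OPTION_ACTIVE = 0x00000001
# Assumed allowlist: the two Windows loader paths named on slide 20.
EXPECTED = {r"\efi\microsoft\boot\bootmgfw.efi", r"\efi\boot\bootx64.efi"}

def parse_load_option(data: bytes) -> dict:
    """Decode an EFI_LOAD_OPTION, the payload of a Boot#### or Driver#### variable."""
    attributes, path_len = struct.unpack_from("<IH", data, 0)
    end = 6  # Description: NUL-terminated UTF-16LE string after the 6-byte header
    while end < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    pos, stop = end + 2, end + 2 + path_len
    if stop > len(data):
        raise ValueError("truncated or malformed EFI_LOAD_OPTION")
    files = []
    while pos + 4 <= stop:
        ntype, subtype, nlen = struct.unpack_from("<BBH", data, pos)
        if nlen < 4 or pos + nlen > stop:
            raise ValueError("malformed device path node")
        if (ntype, subtype) == (0x7F, 0xFF):   # end of entire device path
            break
        if (ntype, subtype) == (0x04, 0x04):   # media device path: file path node
            files.append(data[pos + 4:pos + nlen].decode("utf-16-le").rstrip("\x00"))
        pos += nlen
    return {"active": bool(attributes & LOAD_OPTION_ACTIVE),
            "description": data[6:end].decode("utf-16-le"), "file": "".join(files)}

def review(variables: dict) -> list:
    """List active entries whose loader is unexpected (assumes no Driver#### is expected)."""
    flagged = []
    for name, blob in sorted(variables.items()):
        opt = parse_load_option(blob)
        allowed = EXPECTED if name.startswith("Boot") else set()
        if opt["active"] and opt["file"].lower() not in allowed:
            flagged.append((name, opt["file"]))
    return flagged

def build_sample(desc: str, path: str, attrs: int = LOAD_OPTION_ACTIVE) -> bytes:
    """Construct a load option for the demo below (not captured from a real system)."""
    p = (path + "\x00").encode("utf-16-le")
    nodes = struct.pack("<BBH", 4, 4, 4 + len(p)) + p + struct.pack("<BBH", 0x7F, 0xFF, 4)
    return struct.pack("<IH", attrs, len(nodes)) + (desc + "\x00").encode("utf-16-le") + nodes

SAMPLE = {  # constructed sample variables
    "Boot0000": build_sample("Windows Boot Manager", r"\EFI\Microsoft\Boot\bootmgfw.efi"),
    "Boot0001": build_sample("Updater", r"\EFI\Boot\bootkit.efi"),
    "Driver0000": build_sample("Storage helper", r"\EFI\drv\helper.efi"),
}
print(review(SAMPLE))
```

A matching path only shows that the variable points at the usual location; a loader replaced in place on the ESP, as in the first two cases on slide 20, still needs a hash or signature check of the file itself.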
  • 24. UEFI Bootkits
      • Patching UEFI “Option ROM”: UEFI DXE Driver in Add-On Card (Network, Storage..); Non-Embedded in FV in ROM
      • "Mac EFI Rootkits" by @snare, Black Hat USA 2012
  • 25. UEFI Bootkits
      • Replacing OS Loaders (winload.efi, winresume.efi)
      • Patching GUID Partition Table (GPT)
  • 28. Secure Boot on MS Windows 8.1 [Diagram labels: Hardware (I/O, Memory, Network, Graphics); System Firmware (SEC/PEI); Signed BIOS Update; UEFI DXE Core / Dispatcher; DXE Drivers; UEFI OROMs; UEFI Apps; UEFI Boot Loader (Bootx64.efi, Bootmgfw.efi); UEFI OS Loaders (winload.efi, winresume.efi); OS Kernel / Early Launch Anti-Malware (ELAM); OS Drivers; UEFI Secure Boot; Windows 8.1 Secure Boot]
  • 29. Secure Boot bypass possible? [Diagram labels: Hardware (I/O, Memory, Network, Graphics); System Firmware (SEC/PEI); Signed BIOS Update; UEFI DXE Core / Dispatcher; DXE Drivers; UEFI Boot Loader (Bootx64.efi, Bootmgfw.efi); UEFI OS Loaders; OS Kernel; OS Driver; OS Exploit; Modify Secure Boot FW or config in ROM]
  • 30. First Public Windows 8 Secure Boot Bypass (Aug 2013): "A Tale Of One Software Bypass Of Windows 8 Secure Boot"
  • 32. BIOS Attack Surface (from "Summary of Attacks Against BIOS and Secure Boot")
      • System FW/BIOS: SPI Flash Protection; BIOS Update; SMRAM Protection; Hardware Config.; SMI Handlers; Secure Boot; BIOS Settings (NVRAM, Variables); …
  • 34. From "Analytics, and Scalability, and UEFI Exploitation" by Teddy Reed: Patch attempts to enable BIOS write protection (sets BIOS_CONTROL[BLE]). Picked up by Subzero.
  • 36. CHIPSEC: Platform Security Assessment Framework
  • 37. CHIPSEC: Platform Security Assessment Framework
      chipsec_main.py   runs modules (see modules dir below)
      chipsec_util.py   runs manual utilities (see utilcmd dir below)
      /chipsec
        /cfg       platform specific configuration
        /hal       all the HW stuff you can interact with
        /helper    support for OS/environments
        /modules   modules (tests/tools/PoCs) go here
        /utilcmd   utility commands for chipsec_util
  • 38. Known Threats and CHIPSEC modules
      Issue | CHIPSEC Module | References
      SMRAM Locking | common.smm | CanSecWest 2006
      BIOS Keyboard Buffer Sanitization | common.bios_kbrd_buffer | DEFCON 16 2008
      SMRR Configuration | common.smrr | ITL 2009; CanSecWest 2009
      BIOS Protection | common.bios_wp | BlackHat USA 2009; CanSecWest 2013; Black Hat 2013; NoSuchCon 2013; Flashrom
      SPI Controller Locking | common.spi_lock | Flashrom; Copernicus
      BIOS Interface Locking | common.bios_ts | PoC 2007
      Access Control for Secure Boot Keys | common.secureboot.keys | UEFI 2.4 Spec
      Access Control for Secure Boot Variables | common.secureboot.variables | UEFI 2.4 Spec
  • 39. BIOS/Firmware Forensics
      Live system firmware analysis:
        chipsec_util spi info
        chipsec_util spi dump rom.bin
        chipsec_util spi read 0x700000 0x100000 bios.bin
        chipsec_util uefi var-list
        chipsec_util uefi var-read db D719B2CB-3D3A-4596-A3BC-DAD00E67656F db.bin
      Offline system firmware analysis:
        chipsec_util uefi keys PK.bin
        chipsec_util uefi nvram vss bios.bin
        chipsec_util uefi decode rom.bin
        chipsec_util decode rom.bin
  • 40. How to dump BIOS firmware directly from chip?
  • 44. Thank you for your attention! Eugene Rodionov @vxradius Alexander Matrosov @matrosov David Harley @DavidHarleyBlog