UEFI and PCI bootkits
Pierre Chifflier
PacSec 2013

ANSSI

▶ Created on July 7th 2009, the ANSSI (French Network and Information Security Agency) is the national authority for the defense and the security of information systems.
▶ Under the authority of the Prime Minister
▶ Main missions are:
  ▶ prevention
  ▶ defense of information systems

http://www.ssi.gouv.fr/en/

UEFI and PCI bootkits 2/42

UEFI study

Motivations
▶ Study UEFI
▶ Raise awareness of pre-boot dangers
▶ Present and discuss countermeasures

Study
▶ Boot sequence
▶ UEFI functions:
  ▶ Hooking the bootloader
  ▶ ACPI Tables
  ▶ Network functions
  ▶ …
▶ PCI devices
▶ Countermeasures

Overview

1 UEFI
2 PCI
3 Description of UEFI VGA Bootkit
4 Demo
5 Countermeasures

UEFI

BIOS vs UEFI (1/2)

BIOS
▶ x86 architectures
▶ Real mode (16 bits)
▶ No support for large disks (> 2 TB), MBR sector
▶ Memory mapping on 1MB
▶ No integrity check
▶ Old-school in 2013 :)

UEFI

UEFI: recent?
▶ 2000 EFI (Intel)
▶ 2004 http://tianocore.org
▶ 2005 UEFI (Unified EFI Forum, http://www.uefi.org)
▶ 2013 Current version: UEFI 2.4

Objectives
▶ Overcome BIOS limitations
▶ Multi-architectures (x86, ARM, Itanium, …)
▶ Standardization of drivers
▶ “Modern” conception: modular, C language

UEFI: Specifications

Services
▶ IP4/6, UDP/TCP 4/6, ARP, DHCP4/6, MTFTP4/6, FTP, PXE, iSCSI
▶ VLAN, EAP, IPsec (IKEv2)
▶ PCI, USB, SCSI, AHCI, removable media
▶ GPT, vFAT
▶ Console, Graphical Mode, Human Interface, UTF-16
▶ User Identification
▶ ACPI, SMRAM
▶ Debugger
▶ Compression
▶ EFI Byte Code Virtual Machine
▶ Firmware management
▶ …

UEFI and Security

EFI Development Kit (EDK) 2
▶ 1,000,000+ SLOC
▶ No protection on memory pages, rwx everywhere
▶ All code running in ring 0
▶ Huge attack surface
▶ Most code written from scratch (including libc+, IPv4/IPv6 stack, IPsec, PE parser)
▶ Lots of StrCat and StrCpy

UEFI and Security (2)

Services offered to malware
▶ Network functions (IPv4 and IPv6)
▶ Get drivers over PXE
▶ Use an IPsec tunnel
▶ Manipulate ACPI tables
▶ Add new drivers

UEFI Boot Sequence

[Figure: UEFI boot phases: Security (SEC), Pre EFI Initialization (PEI), Driver Execution Environment (DXE), Boot Dev Select (BDS), Transient System Load (TSL), Run Time (RT), After Life (AL). Timeline: Power on, [Platform Initialization], [....OS boot....], Shutdown. Steps: Pre Verifier, CPU Init, Chipset Init, Board Init, verify, Intrinsic Services, EFI Driver Dispatcher, Device Drivers, Boot Manager, Final OS Boot Loader, Transient OS Boot Loader, Transient OS Environment, OS-absent App, Final OS Environment, OS Present App, After Life. Three points in the sequence are marked "HOOK !".]

PCI bootkits

Overview: PCI Expansion ROMs

▶ (small) optional memory chip, present on PCI/PCIe/Thunderbolt/ExpressCard devices
▶ Provides some code, executed by Firmware
▶ Already exploited in the past, for the BIOS
▶ What about UEFI?

VGA Card

[Figure]

Scenario and assumptions

Use case
▶ Attacker has already gained root/admin privileges
▶ She wants to install a persistent stealthy rootkit
▶ Bootkit: bootloader rootkit
▶ Visible modifications
▶ Hard if BIOS password set
▶ Use the hardware?
▶ Without re-flashing the BIOS

Example: graphics card

Objective: (persistence of) privilege escalation

Problems
▶ OS? Not yet in memory
▶ No access to hard disk (+ possible encryption)
▶ How to execute code?
▶ In a few kilobytes!
▶ And the graphics card must still work properly

Initial reactions
… All combined: nice story for Matrix fans ... Need I go on?
Mrk

Scenario

[Figure: the UEFI boot sequence diagram from the "UEFI Boot Sequence" slide, annotated with the attack path. Start: PCI card. Three points are marked "HOOK !". Target: OS.]

UEFI Boot Sequence

[Figure: timeline Power on, UEFI firmware (SEC, PEI; DXE, BDS), Bootloader (Grub2), Operating System (Linux, App). Expansion ROM layout: Legacy Code, Header, Init Code, Modified ExitBootServices, Interrupt Handler, Modified Fork, added code. Numbered steps 1 to 5: Load Opt. ROM, Load ROM, ExitBS, #DB, fork.]

Real world scenario

Get the expansion ROM, using one of:
▶ Extract PCI device
▶ Add a new internal or external PCI device
▶ Boot on a USB stick
▶ Gain admin privileges on OS

New functionalities
▶ Add the UEFI code to create a hybrid ROM
▶ Flash expansion ROM
☑ Backdoor installed

Dump (Importation) ROM

▶ cat /sys/bus/pci/devices/0000\:00\:02.0/rom
▶ Manufacturer tools

Example: ATI
```text
E:\> atiflash.exe -unlockrom 0
E:\> atiflash.exe -s 0 myrom.bin
```

Crafting the UEFI ROM¹

Crafting a “hybrid ROM”
▶ Using the Development Kit (vim + gcc)
▶ Create a DXE driver: C code, 64 bits (make)
▶ Choose some PCI IDs
▶ Convert to ROM format (EfiRom)
▶ Patch image (cat)

¹ ROM wasn't built in a day

PCI Expansion ROM format

[Figure: a ROM is a chain of images (Image 0 ... Image n), each < 64 KB and made of a PCI ROM Header followed by a PCI Data Structure. "Modification of the PCI Expansion ROM": a "UEFI Code" image is added to the vanilla ROM.]

PCI ROM Header

| Offset  | Length | Value | Header Field                  |
|---------|--------|-------|-------------------------------|
| 00h-01h | 2      | 55AAh | PCI Expansion ROM signature   |
| 02h-17h | 16h    |       | Architecture Specific Data    |
| 18h-19h | 2      |       | Pointer to PCI Data Structure |

PCI Data Structure

| Offset  | Length | Header Field                                 |
|---------|--------|----------------------------------------------|
| 00h-03h | 4      | Signature, the "PCIR" string                 |
| 04h-05h | 2      | Vendor Identification                        |
| 06h-07h | 2      | Device Identification                        |
| 08h-09h | 2      | Device List Pointer                          |
| 0Ah-0Bh | 2      | PCI Data Structure Length                    |
| 0Ch     | 1      | PCI Data Structure Revision                  |
| 0Dh-0Fh | 3      | Class Code                                   |
| 10h-11h | 2      | Image Length                                 |
| 12h-13h | 2      | Vendor ROM Revision Level                    |
| 14h     | 1      | Code Type                                    |
| 15h     | 1      | Last Image Indicator                         |
| 16h-17h | 2      | Maximum Runtime Image Length                 |
| 18h-19h | 2      | Pointer to Configuration Utility Code Header |
| 1Ah-1Bh | 2      | Pointer to DTMF CLP Entry Point              |

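The following parser is an added example, not code from the talk: it walks the image chain using the header and PCI Data Structure offsets from the tables above, reads the extra EFI header fields of Code Type 3 images, and flags images whose Code Type is not in a baseline recorded from the vendor's shipped ROM, which is how a hybrid ROM like the one described here shows up in a dump of /sys/bus/pci/devices/<bdf>/rom. The two sample ROMs it builds are constructed test data; the PCIR offset 0x40, the device ID 0x1234 and the PE offset 0x80 in them are made up.

```python
"""Walk the image chain of a PCI expansion ROM dump (added example, not the talk's code)."""
import struct
import sys

CODE_TYPES = {0x00: "x86 legacy (PC-AT)", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}
EFI_SUBSYSTEMS = {0x0A: "EFI application", 0x0B: "EFI boot service driver", 0x0C: "EFI runtime driver"}
EFI_MACHINES = {0x014C: "IA32", 0x8664: "x64", 0x0200: "IA64", 0x0EBC: "EBC", 0x01C2: "ARM", 0xAA64: "AArch64"}


def parse_rom(rom):
    """Return one dict per image. Each image starts with 55AAh, header offset 18h points
    to its "PCIR" data structure, and the next image begins Image Length * 512 bytes
    later unless bit 7 of the Last Image Indicator is set."""
    images, offset = [], 0
    while offset + 0x1A <= len(rom):
        if rom[offset:offset + 2] != b"\x55\xAA":
            raise ValueError(f"no 55AAh signature at offset 0x{offset:x}")
        pcir = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure at offset 0x{pcir:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 0x04)
        class_code = int.from_bytes(rom[pcir + 0x0D:pcir + 0x10], "little")  # config-space byte order
        length, rom_rev = struct.unpack_from("<HH", rom, pcir + 0x10)        # length in 512-byte units
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        img = {"offset": offset, "vendor": vendor, "device": device, "class_code": class_code,
               "size": length * 512, "rom_revision": rom_rev, "code_type": code_type,
               "code_type_name": CODE_TYPES.get(code_type, "unknown"), "last": bool(indicator & 0x80)}
        if code_type == 0x03:
            # EFI images carry extra fields in the ROM header itself (EFI_PCI_EXPANSION_ROM_HEADER):
            # 04h EFI signature 0EF1h, 08h subsystem, 0Ah machine type, 0Ch compression, 16h image offset
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, offset + 0x04)
            if efi_sig != 0x0EF1:
                raise ValueError(f"EFI image at 0x{offset:x} lacks the 0EF1h signature")
            pe_off = struct.unpack_from("<H", rom, offset + 0x16)[0]
            img.update(subsystem=EFI_SUBSYSTEMS.get(subsystem, hex(subsystem)),
                       machine=EFI_MACHINES.get(machine, hex(machine)),
                       compressed=bool(compression & 1), pe_offset=offset + pe_off)
        images.append(img)
        if img["last"] or length == 0:
            break
        offset += length * 512  # a chain cut short (truncated sysfs dump) simply ends here
    return images


def unexpected_images(images, baseline_code_types):
    """Images whose Code Type is not in the set recorded for the vendor's shipped ROM.
    A legacy-only VGA ROM that now also carries an EFI image is the hybrid ROM from the talk."""
    return [img for img in images if img["code_type"] not in baseline_code_types]


def _build_image(code_type, blocks, last, efi=None):
    """Constructed test data: a minimal image of blocks * 512 bytes (IDs and offsets are made up)."""
    buf = bytearray(blocks * 512)
    buf[0:2] = b"\x55\xAA"
    pcir = 0x40
    struct.pack_into("<H", buf, 0x18, pcir)
    if efi is not None:
        subsystem, machine = efi  # init size, 0EF1h, subsystem, machine, compression=1
        struct.pack_into("<HIHHH", buf, 0x02, blocks, 0x0EF1, subsystem, machine, 1)
        struct.pack_into("<H", buf, 0x16, 0x80)  # where the PE/COFF image would start
    # PCIR: vendor 0x1002 (ATI), device 0x1234 (made up), class code 03 00 00 (VGA), one image
    struct.pack_into("<4sHHHHB3sHHBBHHH", buf, pcir, b"PCIR", 0x1002, 0x1234, 0, 0x1C,
                     3, b"\x00\x00\x03", blocks, 1, code_type, 0x80 if last else 0, 0, 0, 0)
    return bytes(buf)


VANILLA_ROM = _build_image(0x00, 2, last=True)
HYBRID_ROM = _build_image(0x00, 2, last=False) + _build_image(0x03, 3, last=True, efi=(0x0B, 0x8664))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HYBRID_ROM
    found = parse_rom(data)
    for img in found:
        print(f"image @0x{img['offset']:06x}: {img['code_type_name']}, {img['size']} bytes, last={img['last']}")
    print("images not in the legacy-only baseline:", len(unexpected_images(found, {0x00})))
```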
Writing ROM (1/2)

▶ Manufacturer tools

Example: ATI
```text
E:\> atiflash.exe -unlockrom 0
E:\> atiflash.exe -p -f 0 myrom.bin
```

▶ Restart, and cross fingers

Writing ROM (2/2)

▶ Flash SPI: low-level tools

Execution in UEFI

Malware Execution
▶ The UEFI firmware enumerates PCI devices
▶ Expansion ROMs are loaded into memory¹:
  ▶ Legacy: (0xc0000 → 0xfffff)
  ▶ UEFI: dynamic
▶ The legacy ROM is loaded by the CSM
▶ UEFI ROMs are loaded afterward
▶ The C entry point is called
▶ The ExitBootServices function is hooked

¹ All roads lead to ROM

Load PCI Expansion ROM

[Figure: the same boot-sequence diagram as on the "UEFI Boot Sequence" slide (steps 1 to 5: Load Opt. ROM, Load ROM, ExitBS, #DB, fork).]

Intercepting the bootloader

Bootloader role
▶ Copy of kernel image into memory (address?)
▶ Call ExitBootServices
▶ Problem: memory can be reused by the OS
▶ Tested on Grub2

Challenges
▶ Persistent memory allocation
▶ Reconstruction of the call stack
▶ Identification of address
▶ Preparation of the next step

Next Step: bootloader

[Figure: the same boot-sequence diagram as on the "UEFI Boot Sequence" slide (steps 1 to 5: Load Opt. ROM, Load ROM, ExitBS, #DB, fork).]

Intercepting the kernel (1/2)

▶ Memory image before decompression
▶ Physical addresses ≠ virtual addresses
▶ Kernel: initialize IDT, GDT, paging, etc.
▶ Mode change (32 -> 64 bits), CS and DS, …
▶ Use a breakpoint? Not easy (IDT)

[Figure: kernel boot stages: Early Kernel (32 bits) → Decompression Code (32 bits) → Init Part 2 (32 → 64 bits, reset GDT+IDT) → Uncompressed Image (Reset GDT+IDT, ...). Address 0x1000000 is marked.]

Intercepting the kernel (2/2)

Use Hardware Breakpoints
▶ Hardware Debug Registers
▶ Use interrupt #DB
▶ Interrupt vector 1
▶ Hardware BP 1: 0x1000000
▶ Hardware BP 2: before IDT reload, in Init Part 2

Next Step: early kernel

[Figure: the same boot-sequence diagram as on the "UEFI Boot Sequence" slide (steps 1 to 5: Load Opt. ROM, Load ROM, ExitBS, #DB, fork).]

Syscall Modification

▶ Modification of a system call
▶ Patch code in memory
▶ Privilege escalation
▶ Chosen syscall: fork
▶ Address of syscall?
▶ Addresses of internal functions?

Modified system call
```asm
xor  %rdi,%rdi
call *0xffffffff8106406f   ; prepare_kernel_cred
call *0xffffffff81063db6   ; commit_creds
ret
```

Next Step: syscall

[Figure: the same boot-sequence diagram as on the "UEFI Boot Sequence" slide (steps 1 to 5: Load Opt. ROM, Load ROM, ExitBS, #DB, fork).]

Demo

[Figure: the same boot-sequence diagram as on the "UEFI Boot Sequence" slide (steps 1 to 5: Load Opt. ROM, Load ROM, ExitBS, #DB, fork).]

EFI Byte Code

▶ EBC: EFI Byte Code
▶ EBC Virtual Machine defined in specifications
▶ Assembly Intel-like instructions, platform-independent
▶ Can be used in Option ROMs

Example of EFI Byte Code
```text
CC 67 04 00    ADD64 R7, R6 0x4
B2 78 30 00    MOVnw @R0(0,+48), R7
72 87 30 00    MOVnw R7, @R0(0,+48)
03 07          CALL32 R7
```

EFI Byte Code and Security

EBC
▶ Hardware independent
▶ No memory restriction
▶ No types, can call / be called from C functions
▶ This makes analysis complicated
  ▶ Tools not available or EBC poorly supported
  ▶ For example, analyzing a file can lead to crashes
▶ Great way to obfuscate code
▶ Portable (including multiple payloads)

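As an added example that is not from the talk, this decoder handles the EBC instruction forms shown on the "Example of EFI Byte Code" slide (ADD, the MOV family, CALL) following the encoding in the EBC chapter of the UEFI specification, and checks itself against the four instructions from that slide. Two assumptions of this decoder: the CALL relative-address flag is printed as a trailing note rather than with an assembler suffix, and the ADD immediate is shown as a signed hex value.

```python
"""Decoder for the EBC instruction forms on the slide (added example, not the talk's code)."""
import struct

OP_CALL = 0x03
OP_ADD = 0x0C
# MOV family: mnemonic and index size in bytes (the "w" forms carry Index16, "d" forms Index32)
MOV_FORMS = {0x1D: ("MOVbw", 2), 0x1E: ("MOVww", 2), 0x1F: ("MOVdw", 2), 0x20: ("MOVqw", 2),
             0x21: ("MOVbd", 4), 0x22: ("MOVwd", 4), 0x23: ("MOVdd", 4), 0x24: ("MOVqd", 4),
             0x32: ("MOVnw", 2), 0x33: ("MOVnd", 4)}


def decode_index(value, size):
    """Split an EBC index into (natural units, constant bytes).
    Layout: top bit = sign, next 3 bits = w, then a body whose high w*size bits
    hold the natural-unit count and whose remaining low bits hold the constant."""
    bits = size * 8
    sign = -1 if value >> (bits - 1) else 1
    w = (value >> (bits - 4)) & 0x7
    body_bits = bits - 4
    body = value & ((1 << body_bits) - 1)
    const_bits = max(body_bits - w * size, 0)
    natural = body >> const_bits
    constant = body & ((1 << const_bits) - 1)
    return sign * natural, sign * constant


def fmt_operand(reg, indirect, index=None, size=2):
    """R7, @R0, or @R0(n,+c) in the notation used on the slide."""
    text = f"@R{reg}" if indirect else f"R{reg}"
    if index is not None:
        natural, constant = decode_index(index, size)
        text += f"({natural:+d},{constant:+d})" if natural else f"(0,{constant:+d})"
    return text


def decode_one(code, pc=0):
    """Decode the instruction at code[pc]; returns (length in bytes, text)."""
    b0, b1 = code[pc], code[pc + 1]
    opcode = b0 & 0x3F                      # low 6 bits select the instruction
    op1, ind1 = b1 & 0x7, bool(b1 & 0x08)   # operand 1: register number, indirect flag
    op2, ind2 = (b1 >> 4) & 0x7, bool(b1 & 0x80)
    if opcode == OP_ADD:
        size = "64" if b0 & 0x80 else "32"  # bit 7: operand width
        if b0 & 0x40:  # bit 6: 16-bit value follows (Index16 if operand 2 is indirect, else Immed16)
            raw = struct.unpack_from("<H", code, pc + 2)[0]
            if ind2:
                tail = fmt_operand(op2, ind2, raw)
            else:
                tail = f"{fmt_operand(op2, ind2)} {hex(struct.unpack_from('<h', code, pc + 2)[0])}"
            return 4, f"ADD{size} {fmt_operand(op1, ind1)}, {tail}"
        return 2, f"ADD{size} {fmt_operand(op1, ind1)}, {fmt_operand(op2, ind2)}"
    if opcode in MOV_FORMS:
        name, isz = MOV_FORMS[opcode]
        pos, idx1, idx2 = pc + 2, None, None
        if b0 & 0x80:  # bit 7: operand 1 index present (it comes first)
            idx1 = int.from_bytes(code[pos:pos + isz], "little")
            pos += isz
        if b0 & 0x40:  # bit 6: operand 2 index present
            idx2 = int.from_bytes(code[pos:pos + isz], "little")
            pos += isz
        return pos - pc, f"{name} {fmt_operand(op1, ind1, idx1, isz)}, {fmt_operand(op2, ind2, idx2, isz)}"
    if opcode == OP_CALL:
        name = ("CALL64" if b0 & 0x80 else "CALL32") + ("EX" if b1 & 0x20 else "")  # bit 5: native call
        target, length = fmt_operand(op1, ind1), 2
        if b0 & 0x40:  # immediate follows: 32-bit for CALL32, 64-bit for CALL64
            isz = 8 if b0 & 0x80 else 4
            imm = int.from_bytes(code[pc + 2:pc + 2 + isz], "little")
            target += f" 0x{imm:x}"
            length += isz
        # bit 4 of the operand byte selects relative addressing; shown here as a note (assumption)
        return length, f"{name} {target}" + (" ; relative" if b1 & 0x10 else "")
    raise NotImplementedError(f"opcode 0x{opcode:02x} at offset 0x{pc:x} not handled")


def disassemble(code):
    """Return [(offset, hex bytes, text)] for a run of EBC instructions."""
    out, pc = [], 0
    while pc < len(code):
        length, text = decode_one(code, pc)
        out.append((pc, code[pc:pc + length].hex(" ").upper(), text))
        pc += length
    return out


# The four instructions from the "Example of EFI Byte Code" slide
SLIDE_BYTES = bytes.fromhex("CC670400 B2783000 72873000 0307")

if __name__ == "__main__":
    for off, raw, text in disassemble(SLIDE_BYTES):
        print(f"{off:04x}  {raw:<14} {text}")
```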
Consequences

UEFI PCI Bootkits
▶ Stealthy: no disk or file modification, small memory footprint: almost invisible
▶ Portable
▶ Survives upgrades or reinstalls
▶ Can also use DMA
▶ Independent of disk encryption
▶ BIOS password: does not prevent it
▶ Antivirus (even UEFI): useless
▶ grsec / randomization / …: complicates the exploitation, but does not prevent the attack
▶ Solutions?

Solution 1: TPM

▶ [Should be a] Passive component
▶ Present on (almost) all PCs
▶ The Firmware measures elements
▶ Measures are used through atomic operations (e.g. unseal)

Limitations
▶ Lack of applications
▶ Not supported by all bootloaders
▶ Makes updates complicated
▶ Requires Full Disk Encryption for integrity
▶ Not perfect¹

¹ see the BIOS Chronomancy presentation

Solution 2: Secure Boot

▶ Part of UEFI specifications
▶ Verification of cryptographic signatures (RSA2048) of all loaded elements (executables, drivers, expansion ROMs, etc.)

[Figure: Secure Boot overview. Source: Intel Developer Forum 2012]

Solution 2: Secure Boot

Limitations
▶ Optional (even if required for the Windows 8 Hardware Certification).
▶ Requires disabling the Compatibility Support Module (CSM)
▶ Usage restrictions (ex. ARM tablets)
▶ Management of the Certificate Authorities
▶ How to use another CA (not Microsoft’s)? Need to re-sign or whitelist ROMs?
▶ Can also be vulnerable (e.g. to direct SPI Flash writes¹, or NVRAM access)

¹ A tale of one software bypass of Windows 8 Secure Boot, Black Hat 2013

Conclusion

Hardware
▶ Protections exist, but they are often poorly implemented or not used
▶ All firmware components must be protected from tampering

Suggestions for OEMs / software vendors
▶ Protect UEFI from SPI writes (except in reboot mode) or direct NVRAM access
▶ Allow only signed updates
▶ Protect the initial steps (SEC/PEI)
▶ Protect the root of trust S-CRTM
▶ and do all of this without bugs

Future work

Next
▶ Evaluate the (many) UEFI functions
▶ Analyze EFI Byte Code
▶ Virtualization à la Blue Pill
▶ Disassemble UEFI firmware
▶ Look at (Secure Boot, IPsec) implementations

Questions?