IBM Security Systems | © 2014 IBM Corporation
BOOTKITS STEP-BY-STEP
AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop
(v1)
AGENDA
- Introduction
- Snapshot of the boot process for various OSes
- A look at low-level technologies
  – Case studies as examples of exploitation
  – Advice for detection and prevention
- Conclusion
INTRODUCTION
DEFINITION
- For the purposes of this presentation, we define a bootkit as any malware (rootkit) that is persistent and exists below the level of the operating system kernel environment (ring 0).
INTRODUCTION
- Purpose: to look at how bootkits achieve persistence and to give advice regarding detection & prevention.
- Scope is limited to x86- and x64-compatible architectures.
- Scope does not include virtualization technology.
- More details can be found in the forthcoming companion white paper.
THE BOOT PROCESS
BOOT PROCESSES > WINDOWS XP > BIOS
BIOS Boot Process for Windows XP:
POST → BIOS → MBR/VBR → NTLDR (using ntdetect.com) → NT Kernel
BOOT PROCESSES > WIN VISTA & LATER > BIOS
BIOS Boot Process for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2:
POST → BIOS → MBR/VBR → Windows Boot Mgr (reads Boot Configuration Data, BCD) → Win Loader (winload.exe) → OS
BOOT PROCESSES > WINDOWS VISTA SP1 & LATER > UEFI
UEFI Boot Process for Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2:
POST → UEFI → MBR/VBR or GPT → Windows Boot Mgr (reads Boot Configuration Data, BCD) → Win Loader (winload.exe) → OS
BOOT PROCESSES > WINDOWS 8 & LATER > SECURE BOOT
Secure Boot Process for Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT:
POST → UEFI → MBR/VBR or GPT → Verified Boot Mgr → Verified OS Loader → OS
BOOT PROCESSES > MAC > EFI BOOT
EFI Boot Process for Mac:
BootROM (POST, hardware init) → EFI (OS select) → Boot Loader (boot.efi)
BOOT PROCESSES > LINUX > BIOS
BIOS Boot Process for Linux:
POST → BIOS → MBR/VBR or GPT → Boot Loader (LILO or GRUB) → Linux Kernel
BOOT PROCESSES > LINUX > UEFI
UEFI Boot Process for Linux:
POST → UEFI → MBR/VBR or GPT → Boot Loader (with Boot Mgr Data) → Linux Kernel
BOOT PROCESSES > LINUX > SECURE BOOT
Secure Boot Process for Linux:
POST → UEFI → MBR/VBR or GPT → Signed Boot Loader (with Signed Boot Mgr) → Linux Kernel
A LOOK AT LOW-LEVEL TECHNOLOGIES
LOW-LEVEL TECHNOLOGIES > BIOS
- Basic Input/Output System (BIOS)
  – Firmware interface used to boot older machines
  – Stored on a nonvolatile ROM chip on the motherboard
  – Made of modules compressed with LZH
    • Each module has an 8-bit checksum for verification
  – Some modules are uncompressed:
    • Bootblock that handles POST & emergency boot
    • Decompression routine
  – Modifying a module without updating its checksum makes the system unbootable
LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION
Persistent BIOS Infection by Core @ CanSecWest 09
  – Used 2 techniques for flashing the BIOS:
    1. BIOS building tool such as Pinczakko's method
    2. Patch & update checksums
  – Three steps for flashing the BIOS:
    1. Dump the BIOS with flashrom
    2. Patch & update checksums
    3. Re-flash
LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION
- Four ways to avoid this attack:
  1. Stop initial access with common methods (AV, firewalls, etc.) to avoid BIOS modification
  2. Enable flash write protection on the motherboard
  3. Use digitally signed BIOS firmware
  4. Don't download BIOS updates from untrusted sources
LOW-LEVEL TECHNOLOGIES > UEFI
- Unified Extensible Firmware Interface (UEFI)
  – Designed as a BIOS replacement
  – Larger, more powerful, and more modular
  – Basically a bare-bones operating system
  – Allows pre-OS networking
  – Some versions provide pre-OS AV
  – Provides 2 types of services:
    1. Boot services: only available at boot time
    2. Runtime services: available while the OS is running
LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION
Dreamboot, presented by Sebastian Kaczmarek @ Hack in the Box, Amsterdam 2013
  – Finds the boot loader on hardware & patches it
  – Hijacks the kernel entry point call in the loader to redirect control flow
  – Deactivates kernel protections (once it gets around PatchGuard)
  – Hides its payload in the ntoskrnl relocation table
LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION
- Countermeasures:
  – Prevent initial infection through normal means (AV, IPS, HIPS, secure use policies)
  – Secure Boot means that the boot loader signature will have to match the stored key
  – Intel TXT's "Late Launch" can help prevent loading modified software
  – BitLocker in TPM mode provides encryption that makes patching the boot loader more difficult; it stores software measurements and won't even boot if they don't match up
LOW-LEVEL TECHNOLOGIES > SECURE BOOT
- Secure Boot (UEFI)
  – UEFI option where all applications and services must have a valid digital signature
  – Secure Boot keys are stored in the UEFI firmware
  – Offers protection that makes compromise more difficult
LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION
Setup For Failure: Defeating Secure Boot, presented by Corey Kallenberg and the MITRE research team at Hack In The Box, Amsterdam 2014
  – Found that Secure Boot doesn't always run the signature check on all target EFI executables, especially Option ROMs (such as those for graphics cards)
  – Found a way to manually modify the Setup variable that determines how lax the signature checking policy is, making it so that all target EFI executables can be run without a signature check
LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION
- Countermeasures:
  – Make sure the UEFI version follows the spec in regards to variable protection; the UEFI spec does not allow this exploit
  – BIOS_CNTL & SMM BIOS Write Enable protection
  – Intel Protected Range SPI flash protections
    • Flash Configuration Lockdown (HSFS.FLOCKDN) bit
  – Setting the SMM BIOS Write Protection (SMM_BWP) bit
  – Common security measures to prevent initial infection
LOW-LEVEL TECHNOLOGIES > MAC EFI
- Mac EFI
  – Does basic hardware initialization
  – Selects the operating system to load
  – Modular: comprised of core components, apps, drivers, bootloader
  – Lots of jump tables with function pointers
  – Core components reside on the Mac BootROM
  – Used on all Intel Macs
LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION
DE MYSTERIIS DOM JOBSIVS: MAC EFI ROOTKITS, presented by Snare at Black Hat 2012
  – Lists 3 valid options for persistence:
    1. Patch or replace the bootloader /System/Library/CoreServices/boot.efi
    2. Write to a PCI device expansion ROM: writeable from the OS via device firmware updates and/or the flashrom application
    3. Flash the firmware: also flashrom, but the Firmware Volume signature gets checked by the BootROM & new Macs write-protect flash
LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION
- Countermeasures:
  – An EFI password can prevent changing the boot target, but can be bypassed
  – UEFI Secure Boot would be nice but is unsupported
  – Use normal measures to prevent initial infection
  – Restrict physical access and consider blocking ports to avoid the "Evil Maid" scenario
LOW-LEVEL TECHNOLOGIES > SMM
- System Management Mode (SMM)
  – Most privileged execution mode on x86/x64 architectures
  – Has access to all of system memory
    • Not subject to standard OS memory protections such as page tables
  – Stored in system firmware (BIOS or UEFI)
  – Can be accessed via System Management Interrupt (SMI) handlers
LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION
A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers, Phrack article by Filip Wecherowski
  – Modified a System Management Interrupt (SMI) handler to create an I/O-trap-based keylogger
  – Only applies to Asus motherboards with AMIBIOS
LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION
- Countermeasures:
  – Common methods (AV, IPS, HIPS, good security policies, educated users, etc.) to prevent initial infection
  – The author wrote a simple C program to detect the keylogger: it reads the Root Complex Base Address Register (RCBA) and tests the keyboard controller port to see if the I/O trap is enabled
  – SMM Transfer Monitor (STM) to sandbox the existing SMM handler by virtualizing it using VT-x and VT-d technologies; unfortunately it's not available yet
LOW-LEVEL TECHNOLOGIES > INTEL AMT
- Intel Active Management Technology (AMT)
  – Allows for remote system administration
    • Doesn't require a powered-on state or an installed OS
  – Stores various data in firmware memory:
    • System parameters (OEM-defined, setup, etc.)
    • Configuration details (including startup hardware)
    • Credentials (passwords, certificates)
    • Network configuration
    • Security configuration (ACLs, defense policies)
  – Provides Direct Memory Access (DMA)
    • Independent of the CPU
LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION
Evaluating "Ring -3" Rootkits, presented by Patrick Stewin of Berlin Institute of Technology
  – AMT is disabled by default
  – Some AMT code runs even if AMT is disabled
  – Leverages the exploit from Tereshkin (BH 09), based on calculating the re-mapped memory address and hooking a function that runs periodically regardless of whether AMT is enabled
  – Only works on the old Q35 chipset, not Q45
  – May require a BIOS downgrade; doesn't require consent
  – Resides completely in the ARC4 execution environment
  – Keylogger with a covert communications channel
  – Working versions for Linux and Windows
LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION
- Countermeasures:
  – Replacing BIOS with UEFI Secure Boot
  – Intel Trusted Execution Technology (TXT)
  – Upgrading the chipset to Q45 or later
  – Common security practices
LOW-LEVEL TECHNOLOGIES > TPM
- Trusted Platform Module (TPM)
  – Standard for a secure, dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices
  – Developed by the Trusted Computing Group (TCG) for the purposes of:
    • Key generation
    • System hashing
    • Binding: encryption with a factory-burned key
    • Sealing: machine-state-dependent decryption
LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION
Thoughts about Trusted Computing, presented by Joanna Rutkowska of Invisible Things Labs
  – Evil Maid scenario: physical access allowing a malicious user to grab keys
LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION
- Countermeasures:
  – Restrict physical access and consider blocking ports to avoid the "Evil Maid" scenario
LOW-LEVEL TECHNOLOGIES > INTEL TXT
- Intel Trusted Execution Technology (TXT)
  – Relies heavily on the TPM for basic services
    • Secure storage
  – Provides a trusted mechanism for securely loading & executing system software
    • Stores software metrics
    • Called "Late Launch"
  – AMD's version is implemented with the SKINIT instruction
LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION
Invisible Things Labs 2011 whitepaper
  – Exploits a flaw in the SINIT Authenticated Code Module (ACM), which is executed by the SENTER instruction, to cause an overwrite when adding a maliciously crafted ACPI DMAR table
    • Requires execution prior to the SENTER instruction
    • Requires some TXT heap manipulation
    • Causes a TXT and LCP bypass & hijacks SMM
    • Advisories were issued to customers to install updates
LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION
- Countermeasures:
  – Intel update fixes the SINIT overflow
  – Intel processor microcode update to prevent rollback and running buggy modules
  – Coordinating with OEM vendors to ensure that the above fixes get disseminated
  – Launch Control Policy (LCP) code moved to the beginning of the SINIT code to offer blacklisting without the need for BIOS and microcode updates
LOW-LEVEL TECHNOLOGIES > MBR
- Master Boot Record (MBR)
  – Boot sector at the beginning of storage devices
  – Stores partition information
  – Stores code for loading the OS
  – Maximum addressable storage space = 2 TB
  – Typically 512 bytes in size
LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION
Stoned Bootkit, presented by Peter Kleissner at Black Hat 2009 (and many more)
  – Replaces the MBR with its own
  – Patches ntoskrnl.exe
LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION
- Countermeasures:
  – Common practices will completely mitigate this particular malware and go a long way towards any future MBR attacks
  – Full disk encryption using BitLocker in TPM mode
  – UEFI Secure Boot
LOW-LEVEL TECHNOLOGIES > VBR
- Volume Boot Record (VBR)
  – First sector of an individual partition on a partitioned storage device
  – Loaded the same way as the MBR
LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION
Reconstructing Gapz: Position-Independent Code Analysis Problem, presented by Aleksandr Matrosov and Eugene Rodionov at RECon 2013
  – Relies on the Windows VBR format
  – Hooks Int 13h
  – Patches 4 bytes in the VBR to modify the number of "Hidden Sectors"
  – Also patches Bootmgr and Winload.exe
LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION
- Countermeasures:
  – UEFI Secure Boot
  – Switching to GPT
  – BitLocker in TPM mode
  – Common security practices to prevent initial infection
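The MBR and VBR slides above describe two on-disk structures a defender can parse and cross-check: the MBR's partition table records where each partition starts, and an NTFS VBR's "Hidden Sectors" field (the one Gapz patches) should normally equal that start LBA on an MBR-partitioned disk. The following Python is an added example, not code from the presentation or from any of the referenced research; the sample MBR and VBR sectors are constructed inline, and the layout it relies on is the standard one (partition table at offset 446, 0x55AA signature at 510, NTFS Hidden Sectors DWORD at offset 0x1C). It flags a VBR whose Hidden Sectors value disagrees with the partition table.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr(start_lba=2048, size_sectors=204800, ptype=0x07):
    """Constructed sample MBR: one bootable NTFS-type (0x07) partition, no boot code."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[446:462] = struct.pack(PART_ENTRY, 0x80, b"\0\0\0", ptype, b"\0\0\0",
                               start_lba, size_sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_sample_ntfs_vbr(hidden_sectors):
    """Constructed sample NTFS VBR carrying only the BPB fields this check reads."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                          # JMP over the BPB
    vbr[3:11] = b"NTFS    "                             # OEM ID
    struct.pack_into("<H", vbr, 0x0B, 512)              # bytes per sector
    vbr[0x0D] = 8                                       # sectors per cluster
    struct.pack_into("<I", vbr, 0x1C, hidden_sectors)   # "Hidden Sectors"
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(vbr)


def parse_mbr(sector):
    """Return the non-empty partition table entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count})
    return parts


def parse_ntfs_vbr(sector):
    """Return the BPB fields needed for the cross-check from an NTFS volume boot record."""
    if (len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE
            or sector[3:11] != b"NTFS    "):
        raise ValueError("not an NTFS volume boot record")
    (bytes_per_sector,) = struct.unpack_from("<H", sector, 0x0B)
    (hidden,) = struct.unpack_from("<I", sector, 0x1C)
    return {"bytes_per_sector": bytes_per_sector, "hidden_sectors": hidden}


def check_hidden_sectors(mbr, vbr_by_index):
    """Compare each NTFS VBR's Hidden Sectors with the partition start recorded in the MBR.

    vbr_by_index maps a partition table index to that partition's first sector.
    Returns (index, start_lba_from_mbr, hidden_sectors_from_vbr) for every mismatch.
    """
    findings = []
    for part in parse_mbr(mbr):
        vbr = vbr_by_index.get(part["index"])
        if vbr is None:
            continue
        hidden = parse_ntfs_vbr(vbr)["hidden_sectors"]
        if hidden != part["start_lba"]:
            findings.append((part["index"], part["start_lba"], hidden))
    return findings


def demo():
    """Clean disk yields no findings; a VBR whose field was altered is reported."""
    mbr = build_sample_mbr(start_lba=2048)
    clean = {0: build_sample_ntfs_vbr(2048)}
    # Constructed tampered VBR: Hidden Sectors no longer matches the MBR's start LBA.
    tampered = {0: build_sample_ntfs_vbr(2148)}
    return check_hidden_sectors(mbr, clean), check_hidden_sectors(mbr, tampered)


if __name__ == "__main__":
    print(demo())
```

On a real system the two sectors come from reading the raw disk (sector 0 and the first sector of each partition) with administrator or root privileges; the comparison itself is what matters. A mismatch is an indicator to investigate rather than proof of infection, since a partition image restored to a different offset can also leave the field stale.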
LOW-LEVEL TECHNOLOGIES > GPT
- GUID Partition Table (GPT)
  – Replacement for the MBR
  – Allows storage devices larger than 2 TB
  – Not being targeted yet
LOW-LEVEL TECHNOLOGIES > NTLDR
- NT Loader (NTLDR)
  – Boot loader for all legacy releases of NT-based versions of Windows, including Windows XP
  – Works with the ntldr file stored on bootable media
  – Loads boot.ini for specific boot options
  – Runs ntdetect.com to gather information about the computer's hardware
  – Passes that info to ntoskrnl.exe in order to load the NT kernel
LOW-LEVEL TECHNOLOGIES > BOOTMGR
- Windows Boot Manager (Bootmgr.exe)
  – Replaces NTLDR
  – bootmgr is a hidden system file stored in the System Reserved volume
  – Locates the active partition
  – Reads the Boot Configuration Database (BCD) file
    • For boot-time configuration data
  – Passes data from the BCD to the Windows Loader (winload.exe)
LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION
Vboot Kit (1 & 2) from Nitin & Vipin Kumar of NVLABs
  – Not really persistent, runs from CD
  – Used the CD-ROM to hook INT 13 (Windows Vista)
  – When bootmgr.exe is loaded, the hook runs the payload
  – Patches bootmgr.exe in 3 places in memory
  – Bypassed checksums, digital signatures, & DEP
  – Gains control when winload.exe runs
LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION
- Countermeasures:
  – Don't allow physical access to the machine
  – Turn off CD-ROM boot in the BIOS if not using it
  – Find a better way to prevent in-memory modification between loading an executable into memory and execution
  – BitLocker Drive Encryption (BDE) in TPM mode: the measurements in the TPM will be off, so it declines to unseal the Volume Master Key (VMK), thus preventing boot
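The TPM slide's "Sealing: machine-state-dependent decryption" and the BitLocker countermeasure above (the TPM declines to unseal the VMK when measurements are off) are the same mechanism seen from two sides. The Python below is an added example, not code from the presentation, Microsoft or the TCG, that simulates it end to end: boot components are folded into a PCR with the TPM 1.2 extend rule (SHA-1 of old PCR concatenated with the component's hash), a secret is sealed to the resulting PCR value, and unsealing succeeds only when the same chain is measured again. The root key, the boot chain contents and the VMK are constructed stand-ins, and deriving the wrapping key with HMAC from the PCR value is an assumption made for the simulation; a real TPM keeps the PCR comparison inside the chip rather than in a derived key.

```python
import hashlib
import hmac

PCR_RESET = bytes(20)  # SHA-1 PCRs are all-zero after platform reset

# Constructed stand-ins; nothing here is a real key or real boot code.
TPM_ROOT_KEY = b"constructed storage root key, not a real one"
VOLUME_MASTER_KEY = bytes(range(32))
BOOT_CHAIN = [
    b"MBR: constructed sample boot code",
    b"bootmgr: constructed sample",
    b"winload.exe: constructed sample",
]


def pcr_extend(pcr, component):
    """TPM 1.2-style extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components):
    """Fold every boot component, in order, into a single PCR value."""
    pcr = PCR_RESET
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key, n):
    """Counter-mode keystream from SHA-256 (simulation only, not a production cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(secret, expected_pcr, root_key):
    """Wrap the secret under a key that depends on the PCR value at seal time (assumed HMAC derivation)."""
    k = hmac.new(root_key, expected_pcr, hashlib.sha256).digest()
    ciphertext = _xor(secret, _keystream(k, len(secret)))
    tag = hmac.new(k, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(blob, current_pcr, root_key):
    """Release the secret only if the current PCR reproduces the wrapping key; otherwise None."""
    ciphertext, tag = blob
    k = hmac.new(root_key, current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(k, ciphertext, hashlib.sha256).digest()):
        return None  # measurements differ from seal time: the key stays locked
    return _xor(ciphertext, _keystream(k, len(ciphertext)))


def demo_measured_boot():
    """Returns (clean boot releases the VMK, boot with a patched bootmgr is refused)."""
    sealed = seal(VOLUME_MASTER_KEY, measure_boot(BOOT_CHAIN), TPM_ROOT_KEY)
    clean = unseal(sealed, measure_boot(BOOT_CHAIN), TPM_ROOT_KEY)
    patched_chain = list(BOOT_CHAIN)
    patched_chain[1] = patched_chain[1][:-1] + b"?"  # one byte of bootmgr differs
    refused = unseal(sealed, measure_boot(patched_chain), TPM_ROOT_KEY)
    return clean == VOLUME_MASTER_KEY, refused is None


if __name__ == "__main__":
    print(demo_measured_boot())
```

Because extend is order-sensitive and one-way, the same components measured in a different order, or any component altered by a single byte, produce a different PCR, which is exactly why a patched MBR, bootmgr or winload.exe leaves BitLocker unable to recover the VMK without the recovery key.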
CONCLUSION
- Everything has the potential for vulnerabilities
- New technologies such as UEFI Secure Boot, TPM and TXT offer a lot of mitigation
- Intel should do everyone a favor and release STM
- Common security practices such as antivirus, intrusion detection, intrusion prevention, host-based intrusion prevention, timely patches, and solid secure use policies can all help with detection and prevention.
REFERENCES
- A complete bibliography will be included in the forthcoming whitepaper
- The presentations referenced are all available on the web sites of the conferences mentioned
Thank You!
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 

Recently uploaded (20)

Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verifiedSector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 

Bootkits step by-step-slides-final-v1-release

• 1. IBM Security Systems | © 2014 IBM Corporation
BOOTKITS STEP-BY-STEP
AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop
(v1)

• 2. AGENDA
 Introduction
 Snapshot of Boot Process for various OSes
 A Look at Low-Level Technologies
– Case studies as examples of exploitation
– Advice for detection and prevention
 Conclusion

• 3. INTRODUCTION
BOOTKITS STEP-BY-STEP: AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

• 4. DEFINITION
 For the purposes of this presentation, we define a Bootkit as any malware (rootkit) that is persistent and exists below the level of the operating system kernel environment (ring 0).

• 5. INTRODUCTION
 Purpose: to look at how Bootkits achieve persistence and to give advice regarding detection and prevention.
 Scope is limited to x86- and x64-compatible architectures.
 Scope does not include virtualization technology.
 More details can be found in the forthcoming companion white paper.

• 6. THE BOOT PROCESS
BOOTKITS STEP-BY-STEP: AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

• 7. BOOT PROCESSES > WINDOWS XP > BIOS
BIOS Boot Process for Windows XP:
POST → BIOS → MBR/VBR → NTLDR (using ntdetect.com) → NT Kernel

• 8. BOOT PROCESSES > WIN VISTA & LATER > BIOS
BIOS Boot Process for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2:
POST → BIOS → MBR/VBR → Windows Boot Mgr (reads Boot Conf Data, BCD) → Win Loader (winload.exe) → OS

• 9. BOOT PROCESSES > WINDOWS VISTA SP 1 & LATER > UEFI
UEFI Boot Process for Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2:
POST → UEFI → MBR/VBR or GPT → Windows Boot Mgr (reads Boot Conf Data, BCD) → Win Loader (winload.exe) → OS

• 10. BOOT PROCESSES > WINDOWS 8 & LATER > SECURE BOOT
Secure Boot Process for Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT:
POST → UEFI → MBR/VBR or GPT → Verified Boot Mgr → Verified OS Loader → OS

• 11. BOOT PROCESSES > MAC > EFI BOOT
EFI Boot Process for Mac:
BootROM → POST → Hw Init → EFI OS Select → Boot Loader (boot.efi)

• 12. BOOT PROCESSES > LINUX > BIOS
BIOS Boot Process for Linux:
POST → BIOS → MBR/VBR or GPT → Boot Loader (LILO or GRUB) → Linux Kernel

• 13. BOOT PROCESSES > LINUX > UEFI
UEFI Boot Process for Linux:
POST → UEFI → MBR/VBR or GPT → Boot Loader (+ Boot MGR Data) → Linux Kernel

• 14. BOOT PROCESSES > LINUX > SECURE BOOT
Secure Boot Process for Linux:
POST → UEFI → MBR/VBR or GPT → Signed Boot Loader (+ Signed Boot MGR) → Linux Kernel

• 15. A LOOK AT LOW-LEVEL TECHNOLOGIES
BOOTKITS STEP-BY-STEP: AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

• 16. LOW-LEVEL TECHNOLOGIES > BIOS
 Basic Input/Output System (BIOS)
– Firmware interface used to boot older machines.
– Stored on a nonvolatile ROM chip on the motherboard
– Made of modules compressed with LZH
• Each module has an 8-bit checksum for verification
– Some modules are uncompressed:
• Bootblock that handles POST & emergency boot
• Decompression routine
– Modifying a module without updating its checksum makes the system unbootable
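The 8-bit module checksum on this slide is a corruption check, not an integrity control: whoever patches a module can recompute it, which is exactly what the next slide's "patch & update checksums" step does. The added example below (written for this page, not code from the presentation) models that with an assumed additive scheme, since the deck does not say which 8-bit checksum is used: all module bytes including the trailing checksum byte sum to 0 mod 256. The module bytes are constructed samples, not real firmware. It shows that a naive patch fails the checksum, a checksum-repaired patch passes it, and only a comparison against a known-good cryptographic hash (the defender's check) catches both.

```python
"""Additive 8-bit module checksum versus a cryptographic integrity check.

Added example; not code from the presentation. Assumed checksum rule: all
module bytes, checksum byte included, sum to 0 mod 256. The sample module
body is constructed bytes, not a real BIOS module.
"""
import hashlib


def compute_checksum(body: bytes) -> int:
    """Return the byte that makes (sum(body) + byte) % 256 == 0."""
    return (-sum(body)) & 0xFF


def build_module(body: bytes) -> bytes:
    """Append the checksum byte so the module verifies."""
    return body + bytes([compute_checksum(body)])


def checksum_valid(module: bytes) -> bool:
    """Firmware-style check: body plus checksum byte sums to 0 mod 256."""
    return (sum(module) & 0xFF) == 0


def patch_body(module: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Patch the body but leave the old checksum byte in place (slide 16: unbootable)."""
    body = bytearray(module[:-1])
    body[offset:offset + len(new_bytes)] = new_bytes
    return bytes(body) + module[-1:]


def repair_checksum(module: bytes) -> bytes:
    """Recompute the checksum for a patched body (slide 17: 'patch & update checksums')."""
    return build_module(module[:-1])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_check(module: bytes, known_good_sha256: str) -> dict:
    """Defender-side view: the checksum only catches accidental corruption;
    comparing against a known-good hash also catches a checksum-repaired patch."""
    return {
        "checksum_ok": checksum_valid(module),
        "hash_ok": sha256_hex(module) == known_good_sha256,
    }


# Constructed sample "module" body (arbitrary bytes, not real firmware code).
SAMPLE_BODY = bytes([0x55, 0xAA, 0x90, 0x90, 0xEB, 0x00])
CLEAN_MODULE = build_module(SAMPLE_BODY)
GOLDEN_SHA256 = sha256_hex(CLEAN_MODULE)  # the "known-good image" a defender keeps

if __name__ == "__main__":
    patched = patch_body(CLEAN_MODULE, 0, b"\xEB")
    repaired = repair_checksum(patched)
    print("clean   ", integrity_check(CLEAN_MODULE, GOLDEN_SHA256))
    print("patched ", integrity_check(patched, GOLDEN_SHA256))
    print("repaired", integrity_check(repaired, GOLDEN_SHA256))
```

In practice the golden hash comes from a dump of the vendor's signed image taken before deployment; the checksum field alone should never be treated as evidence that a module is untouched.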
• 17. LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION
Persistent BIOS Infection by Core @ CanSecWest 09
– Used 2 techniques for flashing the BIOS:
1. BIOS building tool such as Pinczakko's method
2. Patch & update checksums
– Three steps for flashing the BIOS:
1. Dump BIOS with flashrom
2. Patch & update checksums
3. Re-flash

• 18. LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION
 Four ways to avoid this attack:
1. Stop initial access with common methods (AV, firewalls, etc.) to avoid BIOS modification
2. Enable flash write protection on the motherboard
3. Use digitally signed BIOS firmware
4. Don't download BIOS updates from untrusted sources

• 19. LOW-LEVEL TECHNOLOGIES > UEFI
 Unified Extensible Firmware Interface (UEFI)
– Designed as a BIOS replacement
– Larger, more powerful, and more modular
– Basically a bare-bones operating system
– Allows pre-OS networking
– Some versions provide pre-OS AV
– Provides 2 types of services:
1. Boot services: only available at boot time
2. Runtime services: available while the OS is running

• 20. LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION
Dreamboot - presented by Sebastian Kaczmarek @ Hack in the Box, Amsterdam 2013
– Finds the boot loader on hardware & patches it
– Hijacks the kernel entry point call in the loader to redirect control flow
– Deactivates kernel protections (once it gets around PatchGuard)
– Hides its payload in the ntoskrnl relocation table

• 21. LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION
 Countermeasures:
– Prevent initial infection through normal means (AV, IPS, HIPS, secure use policies)
– Secure Boot means that the boot loader signature will have to match the stored key.
– Intel TXT's "Late Launch" can help prevent loading modified software.
– BitLocker in TPM mode provides encryption that makes patching the boot loader more difficult; it stores software measurements and won't even boot if they don't match up.

• 22. LOW-LEVEL TECHNOLOGIES > SECURE BOOT
 Secure Boot (UEFI)
– UEFI option where all applications and services must have a valid digital signature
– Secure Boot keys are stored in UEFI firmware
– Offers protection that makes compromise more difficult

• 23. LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION
Setup For Failure: Defeating Secure Boot, presented by Corey Kallenberg and the MITRE research team at Hack in the Box, Amsterdam 2014
– Found that Secure Boot doesn't always run the signature check on all target EFI executables, especially Option ROMs (such as for graphics cards)
– Found a way to manually modify the Setup variable that determines how lax the signature checking policy is, making it so that all target EFI executables can be run without a signature check.

• 24. LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION
 Countermeasures:
– Make sure the UEFI implementation follows the spec with regard to variable protection; the UEFI spec does not allow this exploit
– BIOS_CNTL & SMM BIOS Write Enable protection
– Intel Protected Range SPI Flash Protections
• Flash Configuration Lockdown (HSFS.FLOCKDN) bit
– Setting the SMM BIOS Write Protection (SMM_BWP) bit
– Common security measures to prevent initial infection

• 25. LOW-LEVEL TECHNOLOGIES > MAC EFI
 Mac EFI
– Does basic hardware initialization
– Selects the operating system to load
– Modular: comprised of core components, apps, drivers, bootloader
– Lots of jump tables with function pointers
– Core components reside on the Mac BootROM
– Used on all Intel Macs

• 26. LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION
DE MYSTERIIS DOM JOBSIVS: MAC EFI ROOTKITS, presented by Snare at Black Hat 2012
– Lists 3 valid options for persistence:
1. Patch or replace the bootloader /System/Library/CoreServices/boot.efi
2. Write to a PCI device expansion ROM - writeable from the OS via device firmware updates and/or the flashrom application
3. Flash the firmware - also flashrom, but the Firmware Volume signature gets checked by the BootROM & new Macs write-protect flash

• 27. LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION
 Countermeasures:
– An EFI password can prevent changing the boot target, but can be bypassed
– UEFI Secure Boot would be nice but is unsupported
– Use normal measures to prevent initial infection.
– Restrict physical access and consider blocking ports to avoid the "Evil Maid" scenario

• 28. LOW-LEVEL TECHNOLOGIES > SMM
 System Management Mode (SMM)
– Most privileged execution mode on x86/x64 architectures
– Has access to all of system memory
• Not subject to standard OS memory protections such as page tables
– Stored in system firmware (BIOS or UEFI)
– Can be accessed via System Management Interrupt (SMI) handlers

• 29. LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION
A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers, Phrack article by Filip Wecherowski
– Modified a System Management Interrupt (SMI) handler to create an I/O Trap based keylogger
– Only applies to Asus motherboards with AMIBIOS

• 30. LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION
 Countermeasures:
– Common methods (AV, IPS, HIPS, good security policies, educated users, etc.) to prevent initial infection.
– The author wrote a simple C program to detect the keylogger. It reads the Root Complex Base Address Register (RCBA) and tests the keyboard controller port to see if an I/O Trap is enabled.
– SMM Transfer Monitor (STM) to sandbox the existing SMM handler by virtualizing it using VT-x and VT-d technologies. Unfortunately it's not available yet.

• 31. LOW-LEVEL TECHNOLOGIES > INTEL AMT
 Intel Active Management Technology (AMT)
– Allows for remote system administration
• Doesn't require a powered-on state or an installed OS
– Stores various data in firmware memory
• System parameters (OEM-defined, setup, etc.)
• Configuration details (including startup hardware)
• Credentials (passwords, certificates)
• Network configuration
• Security configuration (ACLs, defense policies)
– Provides Direct Memory Access (DMA)
• Independent of the CPU

• 32. LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION
Evaluating "Ring -3" Rootkits, presented by Patrick Stewin of Berlin Institute of Technology
– AMT is disabled by default
– Some AMT code runs even if AMT is disabled
– Leverages the exploit from Tereshkin BH 09, based on calculating the re-mapped memory address and hooking a function that runs periodically regardless of whether AMT is enabled or not.
– Only works on the old Q35 chipset, not Q45.
– May require a BIOS downgrade; doesn't require consent
– Resides completely in the ARC4 execution environment
– Keylogger with a covert communications channel
– Working versions for Linux and Windows

• 33. LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION
 Countermeasures
– Replacing BIOS with UEFI Secure Boot
– Intel Trusted Execution Technology (TXT)
– Upgrading the chipset to Q45 or later
– Common security practices

• 34. LOW-LEVEL TECHNOLOGIES > TPM
 Trusted Platform Module (TPM)
– Standard for a secure, dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.
– Developed by the Trusted Computing Group (TCG) for the purposes of:
• Key generation
• System hashing
• Binding – encryption with a factory-burned key
• Sealing – machine-state-dependent decryption

• 35. LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION
Thoughts about Trusted Computing, presented by Joanna Rutkowska of Invisible Things Labs
– Evil Maid scenario – physical access allowing a malicious user to grab keys

• 36. LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION
 Countermeasures:
– Restrict physical access and consider blocking ports to avoid the "Evil Maid" scenario

• 37. LOW-LEVEL TECHNOLOGIES > INTEL TXT
 Intel Trusted Execution Technology (TXT)
– Relies heavily on the TPM for basic services
• Secure storage
– Provides a trusted mechanism for securely loading & executing system software
• Stores software metrics
• Called "Late Launch"
– AMD's version is implemented with the SKINIT instruction

• 38. LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION
Invisible Things Labs 2011 whitepaper
– Exploits a flaw in the SINIT Authenticated Code Module (ACM), when executed by the SENTER instruction, to cause an overwrite when adding a maliciously crafted ACPI DMAR table
• Requires execution prior to the SENTER instruction
• Requires some TXT heap manipulation
• Causes TXT and LCP bypass & hijacks SMM
• Advisories issued to customers to install updates

• 39. LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION
 Countermeasures
– Intel update fixes the SINIT overflow
– Intel processor microcode update to prevent rollback and running buggy modules
– Coordinating with OEM vendors to ensure that the above fixes get disseminated
– Launch Control Policy (LCP) code moved to the beginning of the SINIT code to offer blacklisting without the need for BIOS and microcode updates

• 40. LOW-LEVEL TECHNOLOGIES > MBR
 Master Boot Record (MBR)
– Boot sector at the beginning of storage devices
– Stores partition information
– Stores code for loading the OS
– Maximum addressable storage space = 2 TB
– Typically 512 bytes in size

• 41. LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION
Stoned Bootkit, presented by Peter Kleissner at Black Hat 2009 (and many more)
– Replaces the MBR with its own
– Patches ntoskrnl.exe

• 42. LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION
 Countermeasures:
– Common practices will completely mitigate this particular malware and go a long way towards any future MBR attacks
– Full disk encryption using BitLocker in TPM mode
– UEFI Secure Boot

• 43. LOW-LEVEL TECHNOLOGIES > VBR
 Volume Boot Record (VBR)
– First sector of an individual partition on a partitioned storage device
– Loaded the same way as the MBR

• 44. LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION
Reconstructing Gapz: Position-Independent Code Analysis Problem, presented by Aleksandr Matrosov and Eugene Rodionov at RECon 2013
– Relies on the Windows VBR format
– Hooks Int 13h
– Patches 4 bytes in the VBR to modify the number of "Hidden Sectors"
– Also patches Bootmgr and Winload.exe
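Slides 40, 43 and 44 together suggest a cheap consistency check a defender can run over raw disk sectors: the MBR partition table says where each partition starts, and a Windows NTFS VBR records that same value in the 32-bit "Hidden Sectors" field of its BIOS Parameter Block (offset 0x1C), which is the 4-byte field Gapz modifies. The added example below is written for this page (not code from the presentation or from Gapz): it parses the 512-byte MBR layout (partition table at 0x1BE, boot signature 0x55 0xAA at 510), parses the NTFS VBR fields it needs, and flags a VBR whose Hidden Sectors value disagrees with the partition's start LBA. The disk sectors are constructed in the block; the `check_vbr_against_mbr` rule and its message strings are this example's own.

```python
"""MBR partition table and NTFS VBR consistency check.

Added example; not code from the presentation or from Gapz. Sample sectors
are constructed here and contain no real boot code.
"""
import struct

SECTOR = 512
PART_TABLE = 0x1BE          # four 16-byte partition entries
HIDDEN_SECTORS = 0x1C       # NTFS BPB: DWORD sectors preceding the partition
BOOT_SIG = 0xAA55           # 0x55 0xAA on disk, read little-endian
NTFS_OEM = b"NTFS    "
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, p_type, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        if p_type:  # partition type 0 means an unused entry
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": p_type, "start_lba": lba, "sectors": count})
    return {"signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIG,
            "partitions": parts}


def parse_ntfs_vbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("VBR must be exactly one 512-byte sector")
    return {"oem_id": sector[3:11],
            "bytes_per_sector": struct.unpack_from("<H", sector, 11)[0],
            "hidden_sectors": struct.unpack_from("<I", sector, HIDDEN_SECTORS)[0],
            "signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIG}


def check_vbr_against_mbr(mbr_sector: bytes, vbr_sector: bytes, part_index: int = 0) -> list:
    """Return a list of findings; an empty list means the two sectors agree."""
    mbr, vbr = parse_mbr(mbr_sector), parse_ntfs_vbr(vbr_sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("MBR boot signature missing")
    if not vbr["signature_ok"]:
        findings.append("VBR boot signature missing")
    if vbr["oem_id"] != NTFS_OEM:
        findings.append("VBR OEM ID is not NTFS")
    part = next((p for p in mbr["partitions"] if p["index"] == part_index), None)
    if part is None:
        findings.append(f"MBR has no partition at index {part_index}")
    elif vbr["hidden_sectors"] != part["start_lba"]:
        findings.append(f"Hidden Sectors {vbr['hidden_sectors']} != partition start LBA {part['start_lba']}")
    return findings


# --- constructed sample sectors (no real boot code) ---
def build_mbr(partitions) -> bytes:
    """partitions: iterable of (bootable, type, start_lba, sector_count)."""
    sec = bytearray(SECTOR)
    for i, (boot, p_type, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE + 16 * i, 0x80 if boot else 0, p_type, lba, count)
    struct.pack_into("<H", sec, 510, BOOT_SIG)
    return bytes(sec)


def build_ntfs_vbr(hidden_sectors: int) -> bytes:
    sec = bytearray(SECTOR)
    sec[3:11] = NTFS_OEM
    struct.pack_into("<H", sec, 11, 512)    # bytes per sector
    sec[13] = 8                              # sectors per cluster
    struct.pack_into("<I", sec, HIDDEN_SECTORS, hidden_sectors)
    struct.pack_into("<H", sec, 510, BOOT_SIG)
    return bytes(sec)


SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800)])  # one NTFS partition starting at LBA 2048
CLEAN_VBR = build_ntfs_vbr(2048)
TAMPERED_VBR = build_ntfs_vbr(2080)                     # constructed mismatch for the check to catch

if __name__ == "__main__":
    print("clean:   ", check_vbr_against_mbr(SAMPLE_MBR, CLEAN_VBR))
    print("tampered:", check_vbr_against_mbr(SAMPLE_MBR, TAMPERED_VBR))
```

On a live system the two sectors would be read from the raw device (sector 0 and the partition's first sector); the check is only a signal, since a legitimate partition tool rewriting the table would also need to be reflected in the VBR, so a mismatch should be compared against a known-good image of both sectors rather than acted on alone.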
• 45. LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION
 Countermeasures:
– UEFI Secure Boot
– Switching to GPT
– BitLocker in TPM mode
– Common security practices to prevent initial infection

• 46. LOW-LEVEL TECHNOLOGIES > GPT
 GUID Partition Table (GPT)
– Replacement for the MBR
– Allows storage devices larger than 2 TB
– Not being targeted yet

• 47. LOW-LEVEL TECHNOLOGIES > NTLDR
 NT Loader (NTLDR)
– Boot loader for all legacy releases of NT-based versions of Windows, including Windows XP
– Works with the ntldr file stored on bootable media
– Loads boot.ini for specific boot options
– Runs ntdetect.com to gather information about the computer's hardware
– Passes that info to ntoskrnl.exe in order to load the NT Kernel

• 48. LOW-LEVEL TECHNOLOGIES > BOOTMGR
 Windows Boot Manager (Bootmgr.exe)
– Replaces NTLDR
– bootmgr is a hidden system file stored in the System Reserved Volume
– Locates the active partition
– Reads the Boot Configuration Database (BCD) file
• For boot-time configuration data
– Passes data from the BCD to the Windows Loader (winload.exe)

• 49. LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION
Vboot Kit (1 & 2) from Nitin & Vipin Kumar of NVLABs
– Not really persistent; runs from CD
– Used the CD-ROM to hook INT 13 (Win Vista)
– When bootmgr.exe is loaded, the hook runs the payload
– Patches bootmgr.exe in 3 places in memory
– Bypassed checksums, digital signatures, & DEP
– Gains control when winload.exe runs

• 50. LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION
 Countermeasures
– Don't allow physical access to the machine
– Turn off CD-ROM boot in the BIOS if not using it
– Find a better way to prevent in-memory modification between loading an executable into memory and its execution
– BitLocker Drive Encryption (BDE) in TPM mode: measurements will be off in the TPM, so it declines to unseal the Volume Master Key (VMK), thus preventing boot
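The mechanism behind the last bullet (and behind the BitLocker and TPM sealing points on slides 21 and 34) is measured boot: each boot stage is hashed and folded into a Platform Configuration Register, and a secret is sealed so that it only unseals when the register holds the expected value. The added example below is a software simulation written for this page, not code from the presentation, a TPM, or BitLocker. It uses the TPM-style extend rule PCR = SHA-256(PCR || SHA-256(stage)); the seal/unseal construction (a PCR-derived wrapping key plus an HMAC tag that lets unseal refuse on mismatch) is this example's own simplification and not the TPM 2.0 algorithm. Boot-stage contents and the VMK are constructed placeholders.

```python
"""Measured boot and sealing, simulated in software.

Added example; not code from the presentation, a TPM, or BitLocker. The
stage bodies and the VMK below are constructed placeholders.
"""
import hashlib
import hmac
from typing import Iterable

PCR_INITIAL = bytes(32)  # PCRs start zeroed at reset


def measure(stage: bytes) -> bytes:
    return hashlib.sha256(stage).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can never be set, only folded forward."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages: Iterable[bytes]) -> bytes:
    """Measure each stage in order; any change, in any stage, changes the final PCR."""
    pcr = PCR_INITIAL
    for stage in stages:
        pcr = extend(pcr, measure(stage))
    return pcr


def _keys(pcr: bytes):
    """Derive a wrapping key and an authentication key from a PCR value (example construction)."""
    wrap = hashlib.sha256(b"seal-wrap|" + pcr).digest()
    auth = hashlib.sha256(b"seal-auth|" + pcr).digest()
    return wrap, auth


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind a secret (<= 32 bytes here) to the PCR value a clean boot produces."""
    if len(secret) > 32:
        raise ValueError("example supports secrets up to 32 bytes")
    wrap, auth = _keys(expected_pcr)
    ct = bytes(s ^ k for s, k in zip(secret, wrap))
    return {"ct": ct, "tag": hmac.new(auth, ct, hashlib.sha256).digest()}


def unseal(blob: dict, current_pcr: bytes):
    """Return the secret, or None when the current PCR is not the one it was sealed to."""
    wrap, auth = _keys(current_pcr)
    expected_tag = hmac.new(auth, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # measurements are off: decline to unseal, boot cannot proceed
    return bytes(c ^ k for c, k in zip(blob["ct"], wrap))


# Constructed boot chains; the bodies stand in for the real stage images.
CLEAN_CHAIN = [b"mbr-code-v1", b"bootmgr-v1", b"winload-v1"]
PATCHED_CHAIN = [b"mbr-code-v1", b"bootmgr-v1-PATCHED", b"winload-v1"]
VMK = bytes(range(32))  # constructed stand-in for the Volume Master Key


def boot_and_unseal(chain, blob):
    """Run the measured boot for a chain and attempt to unseal against its result."""
    return unseal(blob, measured_boot(chain))


if __name__ == "__main__":
    blob = seal(VMK, measured_boot(CLEAN_CHAIN))
    print("clean boot unseals VMK:  ", boot_and_unseal(CLEAN_CHAIN, blob) == VMK)
    print("patched boot unseals VMK:", boot_and_unseal(PATCHED_CHAIN, blob) is not None)
```

The point the simulation makes is the one the slide makes: an in-memory patch to bootmgr is invisible to a signature check that already passed, but not to a measurement taken of the bytes actually loaded, because the sealed VMK simply will not come out under the wrong PCR value.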
• 51. CONCLUSION
 Everything has potential for vulnerabilities
 New technologies such as UEFI Secure Boot, TPM, and TXT offer a lot of mitigation
 Intel should do everyone a favor and release STM
 Common security practices such as antivirus, intrusion detection, intrusion prevention, host-based intrusion prevention, timely patches, and solid secure use policies can all help with detection and prevention.

• 52. REFERENCES
 A complete bibliography will be included in the forthcoming whitepaper
 Presentations referenced are all available on the web sites for the conferences mentioned

• 53. BOOTKITS STEP-BY-STEP: AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS
Thank You!
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop