UEFI and PCI bootkits
Pierre Chifflier
PacSec 2013
ANSSI

▶ Created on July 7th 2009, the ANSSI (French Network and Information Security Agency) is the national authority for the defense and the security of information systems.
▶ Under the authority of the Prime Minister
▶ Main missions are:
  ▶ prevention
  ▶ defense of information systems
http://www.ssi.gouv.fr/en/
UEFI and PCI bootkits 2/42
UEFI study

Motivations
▶ Study UEFI
▶ Raise awareness of pre-boot dangers
▶ Present and discuss countermeasures

Study
▶ Boot sequence
▶ UEFI functions:
  ▶ Hooking the bootloader
  ▶ ACPI Tables
  ▶ Network functions
  ▶ …
▶ PCI devices
▶ Countermeasures
Overview
1 UEFI
2 PCI
3 Description of UEFI VGA Bootkit
4 Demo
5 Countermeasures
UEFI
BIOS vs UEFI (1/2)

BIOS
▶ x86 architectures
▶ Real mode (16 bits)
▶ No support for large disks (> 2 TB), MBR sector
▶ Memory mapping on 1MB
▶ No integrity check
▶ Old-school in 2013 :)
UEFI

UEFI: recent?
▶ 2000 EFI (Intel)
▶ 2004 http://tianocore.org
▶ 2005 UEFI (Unified EFI Forum, http://www.uefi.org)
▶ 2013 Current version: UEFI 2.4

Objectives
▶ Overcome BIOS limitations
▶ Multi-architecture (x86, ARM, Itanium, …)
▶ Standardization of drivers
▶ “Modern” conception: modular, C language
UEFI: Specifications

Services
▶ IP4/6, UDP/TCP 4/6, ARP, DHCP4/6, MTFTP4/6, FTP, PXE, iSCSI
▶ VLAN, EAP, IPsec (IKEv2)
▶ PCI, USB, SCSI, AHCI, removable media
▶ GPT, vFAT
▶ Console, Graphical Mode, Human Interface, UTF-16
▶ User Identification
▶ ACPI, SMRAM
▶ Debugger
▶ Compression
▶ EFI Byte Code Virtual Machine
▶ Firmware management
▶ …
UEFI and Security

EFI Development Kit (EDK) 2
▶ 1,000,000+ SLOC
▶ No protection on memory pages, rwx everywhere
▶ All code running in ring 0
▶ Huge attack surface
▶ Most code written from scratch (including libc+, IPv4/IPv6 stack, IPsec, PE parser)
▶ Lots of StrCat and StrCpy
UEFI and Security (2)

Services offered to malware
▶ Network functions (IPv4 and IPv6)
▶ Get drivers over PXE
▶ Use an IPsec tunnel
▶ Manipulate ACPI tables
▶ Add new drivers
UEFI Boot Sequence

[Figure: UEFI boot sequence timeline, from Power on through Platform Initialization and OS boot to Shutdown. Phases: Security (SEC), Pre EFI Initialization (PEI), Driver Execution Environment (DXE), Boot Dev Select (BDS), Transient System Load (TSL), Run Time (RT), After Life (AL). Blocks in the figure: Pre Verifier, CPU Init, Chipset Init, Board Init, verify, Intrinsic Services, EFI Driver Dispatcher, Device Drivers, Boot Manager, Final OS Boot Loader, Transient OS Boot Loader, Transient OS Environment, OS-absent App, Final OS Environment, OS Present App, After Life. Three points along the sequence are marked HOOK!.]
PCI bootkits
Overview: PCI Expansion ROMs

▶ (small) optional memory chip, present on PCI/PCIe/Thunderbolt/ExpressCard devices
▶ Provides some code, executed by the firmware
▶ Already exploited in the past, for the BIOS
▶ What about UEFI?
VGA Card
Scenario and assumptions

Use case
▶ Attacker has already gained root/admin privileges
▶ She wants to install a persistent stealthy rootkit
▶ Bootkit: bootloader rootkit
▶ Visible modifications
▶ Hard if BIOS password set
▶ Use the hardware?
▶ Without re-flashing the BIOS
Example: graphics card

Objective: (persistence of) privilege escalation

Problems
▶ OS? Not yet in memory
▶ No access to hard disk (+ possible encryption)
▶ How to execute code?
▶ In a few kilobytes!
▶ And the graphics card must still work properly

Initial reactions
“… All combined: nice story for Matrix fans … Need I go on?” (Mrk)
Scenario

[Figure: the UEFI boot sequence diagram annotated with the scenario: Start: PCI card, Target: OS, and three HOOK! marks along the sequence.]
UEFI Boot Sequence

[Figure: the bootkit's path through the boot: Power on → UEFI firmware (SEC, PEI; DXE, BDS) → Bootloader (Grub2) → Operating System (Linux) → App. The expansion ROM holds Legacy Code, a Header, Init Code, a Modified ExitBootServices, an Interrupt Handler, a Modified Fork and the added code. Five numbered steps carry the labels Load Opt. ROM, Load ROM, ExitBS, #DB and fork.]
Real world scenario

Get the expansion ROM, using one of:
▶ Extract PCI device
▶ Add a new internal or external PCI device
▶ Boot on a USB stick
▶ Gain admin privileges on OS

New functionalities
▶ Add the UEFI code to create a hybrid ROM
▶ Flash expansion ROM
☑ Backdoor installed
Dump (import) ROM

▶ cat /sys/bus/pci/devices/0000\:00\:02.0/rom
▶ Manufacturer tools

Example: ATI
  E:\> atiflash.exe -unlockrom 0
  E:\> atiflash.exe -s 0 myrom.bin
Crafting the UEFI ROM¹

Crafting a “hybrid ROM”
▶ Using the Development Kit (vim + gcc)
▶ Create a DXE driver: C code, 64 bits (make)
▶ Choose some PCI IDs
▶ Convert to ROM format (EfiRom)
▶ Patch image (cat)

¹ ROM wasn’t built in a day
PCI Expansion ROM format

[Figure: layout of a PCI expansion ROM. Each image (Image 0 … Image n, each < 64 kb) starts with a PCI ROM Header that points to its PCI Data Structure. The hybrid ROM appends a UEFI Code image to the vanilla ROM (“Modification of the PCI Expansion ROM”).]

PCI ROM Header
Offset    Length  Value   Header Field
00h-01h   2       55AAh   PCI Expansion ROM signature
02h-17h   16h             Architecture Specific Data
18h-19h   2               Pointer to PCI Data Structure

PCI Data Structure
Offset    Length  Header Field
00h-03h   4       Signature, the "PCIR" string
04h-05h   2       Vendor Identification
06h-07h   2       Device Identification
08h-09h   2       Device List Pointer
0Ah-0Bh   2       PCI Data Structure Length
0Ch       1       PCI Data Structure Revision
0Dh-0Fh   3       Class Code
10h-11h   2       Image Length
12h-13h   2       Vendor ROM Revision Level
14h       1       Code Type
15h       1       Last Image Indicator
16h-17h   2       Maximum Runtime Image Length
18h-19h   2       Pointer to Configuration Utility Code Header
1Ah-1Bh   2       Pointer to DTMF CLP Entry Point
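An added example, not from the talk or its tooling: a parser for the two structures above that walks the image chain of a ROM dump (Image Length in 512-byte units, Last Image Indicator in bit 7, Code Type 3 = EFI) and flags a hybrid ROM carrying both a legacy x86 image and an EFI image, which is what the crafted ROM of the previous slide looks like. The PCI IDs and images are constructed; the 0EF1h EFI signature is the value the UEFI specification places in the architecture-specific data of EFI images.

```python
import struct

ROM_SIGNATURE = 0xAA55    # bytes 55h AAh at offset 00h, read as a little-endian word
PCIR_SIGNATURE = b"PCIR"
EFI_SIGNATURE = 0x0EF1    # UEFI spec: at offset 04h of an EFI image's architecture-specific data
CODE_TYPES = {0: "Intel x86 (legacy BIOS)", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_rom_images(rom):
    """Walk the image chain of a ROM dump and return one dict per image."""
    images, offset = [], 0
    while offset + 0x1A <= len(rom):
        (sig,) = struct.unpack_from("<H", rom, offset)
        if sig != ROM_SIGNATURE:
            raise ValueError(f"no 55AA signature at image offset {offset:#x}")
        (pcir_ptr,) = struct.unpack_from("<H", rom, offset + 0x18)   # Pointer to PCI Data Structure
        pcir = offset + pcir_ptr
        if rom[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"no PCIR structure at {pcir:#x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 0x04)
        (length_units,) = struct.unpack_from("<H", rom, pcir + 0x10)  # Image Length, 512-byte units
        code_type = rom[pcir + 0x14]
        last = bool(rom[pcir + 0x15] & 0x80)                          # Last Image Indicator, bit 7
        info = {"offset": offset, "vendor": vendor, "device": device, "size": length_units * 512,
                "code_type": code_type, "kind": CODE_TYPES.get(code_type, "unknown"), "last": last}
        if code_type == 3:  # EFI image: the spec puts a second signature in the header
            (efi_sig,) = struct.unpack_from("<I", rom, offset + 0x04)
            info["efi_signature_ok"] = efi_sig == EFI_SIGNATURE
        images.append(info)
        if last or length_units == 0:
            break
        offset += length_units * 512
    return images

def is_hybrid_rom(images):
    """True when a legacy x86 image and an EFI image share one ROM, as in the talk's hybrid ROM."""
    types = {img["code_type"] for img in images}
    return 0 in types and 3 in types

def build_image(code_type, vendor, device, units, last):
    """Constructed test data only: a minimal image whose PCIR sits at offset 40h."""
    img, p = bytearray(units * 512), 0x40
    struct.pack_into("<H", img, 0x00, ROM_SIGNATURE)
    if code_type == 3:
        struct.pack_into("<I", img, 0x04, EFI_SIGNATURE)
    struct.pack_into("<H", img, 0x18, p)
    img[p:p + 4] = PCIR_SIGNATURE
    struct.pack_into("<HHHH", img, p + 0x04, vendor, device, 0, 0x1C)  # vendor, device, list ptr, PCIR length
    struct.pack_into("<HHBB", img, p + 0x10, units, 0, code_type, 0x80 if last else 0x00)
    return bytes(img)

# Constructed samples (placeholder PCI IDs): a vanilla legacy ROM, and the same ROM with an EFI image appended.
VANILLA_ROM = build_image(0, 0x1234, 0x5678, 2, last=True)
HYBRID_ROM = build_image(0, 0x1234, 0x5678, 2, last=False) + build_image(3, 0x1234, 0x5678, 4, last=True)
```

Run `parse_rom_images(open(path, "rb").read())` on a dump such as the one taken from sysfs earlier in the deck; an EFI image on a device whose vendor never shipped one is the finding to look for.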
Writing ROM (1/2)

▶ Manufacturer tools

Example: ATI
  E:\> atiflash.exe -unlockrom 0
  E:\> atiflash.exe -p -f 0 myrom.bin

▶ Restart, and cross fingers
Writing ROM (2/2)

▶ Flash SPI: low-level tools
Execution in UEFI

Malware Execution
▶ The UEFI firmware enumerates PCI devices
▶ Expansion ROMs are loaded into memoryᵃ:
  ▶ Legacy: (0xc0000 → 0xfffff)
  ▶ UEFI: dynamic
▶ The legacy ROM is loaded by the CSM
▶ UEFI ROMs are loaded afterward
▶ The C entry point is called
▶ The ExitBootServices function is hooked

ᵃ All roads lead to ROM
Load PCI Expansion ROM

[Figure: the attack path diagram, same as above, at the Load ROM step in the UEFI firmware.]
Intercepting the bootloader

Bootloader role
▶ Copy of kernel image into memory (address?)
▶ Call ExitBootServices
▶ Problem: memory can be reused by the OS
▶ Tested on Grub2

Challenges
▶ Persistent memory allocation
▶ Reconstruction of the call stack
▶ Identification of address
▶ Preparation of the next step
Next Step: bootloader

[Figure: the attack path diagram, same as above, at the ExitBS step in the bootloader.]
Intercepting the kernel (1/2)

▶ Memory image before decompression
▶ Physical addresses ≠ virtual addresses
▶ Kernel: initialize IDT, GDT, paging, etc.
▶ Mode change (32 -> 64 bits), CS and DS, …
▶ Use a breakpoint? Not easy (IDT)

[Figure: Linux early boot stages: Early Kernel (32 bits), Decompression Code (32 bits), Init Part 2 (32 → 64 bits, reset GDT + IDT), Uncompressed Image (reset GDT + IDT), with the address 0x1000000 marked.]
Intercepting the kernel (2/2)

Use Hardware Breakpoints
▶ Hardware Debug Registers
▶ Use interrupt #DB
▶ Interrupt vector 1
▶ Hardware BP 1: 0x1000000
▶ Hardware BP 2: before IDT reload, in Init Part 2
Next Step: early kernel

[Figure: the attack path diagram, same as above, at the #DB step in the early kernel.]
Syscall Modification

▶ Modification of a system call
▶ Patch code in memory
▶ Privilege escalation
▶ Chosen syscall: fork
▶ Address of syscall?
▶ Addresses of internal functions?

Modified system call
  xor  %rdi,%rdi
  call *0xffffffff8106406f   ; prepare_kernel_cred
  call *0xffffffff81063db6   ; commit_creds
  ret
Next Step: syscall

[Figure: the attack path diagram, same as above, at the fork step in the operating system.]
Demo

[Figure: the complete attack path diagram (steps 1 to 5): Load Opt. ROM, Load ROM, ExitBS, #DB, fork.]
EFI Byte Code

▶ EBC: EFI Byte Code
▶ EBC Virtual Machine defined in specifications
▶ Assembly Intel-like instructions, platform-independent
▶ Can be used in Option ROMs

Example of EFI Byte Code
  CC 67 04 00    ADD64  R7, R6 0x4
  B2 78 30 00    MOVnw  @R0(0,+48), R7
  72 87 30 00    MOVnw  R7, @R0(0,+48)
  03 07          CALL32 R7
EFI Byte Code and Security

EBC
▶ Hardware independent
▶ No memory restriction
▶ No types, can call / be called from C functions
▶ This makes analysis complicated
▶ Tools not available or EBC poorly supported
▶ For example, analyzing a file can lead to crashes
▶ Great way to obfuscate code
▶ Portable (including multiple payloads)
Consequences

UEFI PCI Bootkits
▶ Stealthy: no disk or file modification, small memory footprint: almost invisible
▶ Portable
▶ Survives upgrades or reinstall
▶ Can also use DMA
▶ Independent of disk encryption
▶ BIOS password: does not prevent
▶ Antivirus (even UEFI): useless
▶ grsec / randomization / …: complicates the exploitation, but does not prevent the attack
▶ Solutions?
Solution 1: TPM

▶ [Should be a] Passive component
▶ Present on (almost) all PCs
▶ The firmware measures elements
▶ Measures are used through atomic operations (e.g. unseal)

Limitations
▶ Lack of applications
▶ Not supported by all bootloaders
▶ Makes updates complicated
▶ Requires Full Disk Encryption for integrity
▶ Not perfectᵃ

ᵃ see the BIOS Chronomancy presentation
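The slide's point, that the TPM only measures and that the measurement has teeth only through a secret sealed to it (hence the Full Disk Encryption requirement), as an added simulation that is not from the talk: a PCR extend chain over the option ROMs the firmware loads, and an FDE volume key sealed to the known-good value. The ROMs, the SRK and the seal construction are assumptions built for the example; a real TPM performs the binding inside the chip.

```python
import hashlib
import hmac

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def pcr_extend(pcr, data):
    """TPM extend: PCR = SHA1(PCR || SHA1(data)). One-way and order-dependent."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measure_option_roms(roms):
    """Simulates the firmware measuring each expansion ROM it loads into one PCR
    (the TCG PC Client spec assigns option ROM code to PCR[2]) before running it."""
    pcr = bytes(PCR_LEN)  # PCRs start at zero on power on
    for rom in roms:
        pcr = pcr_extend(pcr, rom)
    return pcr

def seal(secret, expected_pcr, srk):
    """Bind a secret (<= 32 bytes) to a PCR value: the wrapping key is derived from it."""
    key = hmac.new(srk, b"seal|" + expected_pcr, hashlib.sha256).digest()
    ct = bytes(s ^ k for s, k in zip(secret, key))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}

def unseal(blob, current_pcr, srk):
    """Derive the key from the PCR as it is now; any other boot history yields a wrong key."""
    key = hmac.new(srk, b"seal|" + current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], key))

# Constructed samples: the vanilla VGA ROM, and the same ROM with a UEFI image appended.
VANILLA_ROM = b"\x55\xaa" + b"vanilla vga rom image (constructed)" + b"\x00" * 200
HYBRID_ROM = VANILLA_ROM + b"\x55\xaa" + b"appended uefi dxe driver (constructed)"
SRK = b"storage root key (constructed; a real SRK never leaves the TPM)"
DISK_KEY = b"fde-volume-key-0123456789abcdef"

GOOD_PCR = measure_option_roms([VANILLA_ROM])          # measured on a known-good boot
SEALED_DISK_KEY = seal(DISK_KEY, GOOD_PCR, SRK)

def disk_key_unseals(boot_roms):
    """Does the sealed FDE key come back after a boot that loaded these ROMs?"""
    return unseal(SEALED_DISK_KEY, measure_option_roms(boot_roms), SRK) == DISK_KEY
```

Without the sealed key nothing stops the modified ROM from running; the measurement only makes the tampering visible, by refusing to release the volume key, which is the limitation the slide lists.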
Solution 2: Secure Boot

▶ Part of UEFI specifications
▶ Verification of cryptographic signatures (RSA2048) of all loaded elements (executables, drivers, expansion ROMs, etc.)

[Figure: Secure Boot verification flow. Source: Intel Developer Forum 2012]
Solution 2: Secure Boot

Limitations
▶ Optional (even if required for the Windows 8 Hardware Certification).
▶ Requires disabling the Compatibility Support Module (CSM)
▶ Usage restrictions (ex. ARM tablets)
▶ Management of the Certificate Authorities
▶ How to use another CA (not Microsoft’s)? Need to re-sign or whitelist ROMs?
▶ Can also be vulnerable (e.g. to direct SPI Flash writesᵃ, or NVRAM access)

ᵃ A tale of one software bypass of Windows 8 Secure Boot, Black Hat 2013
Conclusion

Hardware
▶ Protections exist, but they are often poorly implemented or not used
▶ All firmware components must be protected from tampering

Suggestions for OEMs / editors
▶ Protect UEFI from SPI writes (except in reboot mode) or direct NVRAM access
▶ Allow only signed updates
▶ Protect the initial steps (SEC/PEI)
▶ Protect the root of trust S-CRTM
▶ and do all of this without bugs
Future work

Next
▶ Evaluate the (many) UEFI functions
▶ Analyze EFI Byte Code
▶ Virtualization à la Blue Pill
▶ Disassemble UEFI firmwares
▶ Look at (Secure Boot, IPsec) implementations

Questions?