BootJacker: Compromising
Computers using Forced
RestartsEllick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar,
Roy H. CampbellDepartment of Computer Science
University of Illinois at Urbana-ChampaignPresentation byTristan Gibeau
OutlineOverview of Direct Access SecurityLittle History of Computer ComponentsApproach of BootJackerThe ProcessEffectiveness on a Linux SystemHow to CounteractRelated WorkConclusion
Direct Access Security What prevents access to an attacker?
Screen Saver / Lock Screen Password Protection Password Protected Login Screens File Systems are Encrypted Virtual Private Network Connections Encrypted websites (SSL)
The Workings…..How exactly do these software measures work?
Passwords or Keys are entered by the user at login or resuming system state
Trusted Platform Module (TPM) supplies the operating system with the key
Where do they go? After successful verification they are stored in the
computers volatile memory or Random Access Memory (RAM)
Is that safe??????
Computer ComponentsComputers are made up of many different
parts, but lets focus on one specific one: RAM
Random Access Memory – This is where the computers programs, processes, and other temporary information is stored.
Continues power is needed to ensure contents are not corrupted or erased.
How long does the data stay active? In most cases the data is kept during restarts or
brief power outagesWith use of liquid nitrogen, memory can be stored
up to a week!
Oh Rebooting Woes…So how much data is actually intact after a
reboot? Most computer systems will overwrite sections of
memory at boot upContains caching information for peripherals, i/o
mappings, and other motherboard related operations
Unleash the BootJackerA few things to know about BootJacker
BootJacker is a proof of concept It will not work on Error Correcting Code (ECC)
memory Requires direct or physical access to the
computer It is Operating System dependent (Linux Kernel
2.6)
The ApproachHow does it work?
BootJacker uses a vulnerability that volatile memory is not completely erased when force restarted
Using the pieces left over, BootJacker then resuscitates the computer back to the live user session.
This allows the attacker to have full admin rights to the victim computer bypassing the security of the machine. Also allows for access to any open channels the
user may of have had open at the time of force restart
How does it really work…
BootJacker operates like a small bootstrap environment, at boot-up it begins to resuscitate the computer at its core systems. Core Systems include both Hardware and
SoftwareUsing what information is still provided within
the volatile memory BootJacker will be able to revive the machine in
the state is was before forced restart
This is done with a little help…MALWARE!TerminatorAttacks security and logging software
Antivirus, intrusion detection tools, system logger deamons
Allows Attacker to load tools
RootShell -- Superuser Shell spawned by BootJacker
Gives root access to the attacker Allows the attacker to implement what ever attack he
or she wishes
--Resuscitation--ITS ALIVE!!!!!
Hardware Interrupt Controller
All interrupts are re-enabled Interrupts include system timer to keyboard.
System TimerThe timer needs to be exactly the same
Otherwise this will prevent the system from resuscitating properly
Keyboard & MouseHot-Swappable
BootJacker sends a command to re-initialize them
Hardware Resuscitation….
Display Monitor Uses standard VGA or VESA video modes
Basic text mode to ensure compatibility After successful resuscitation, attacker can re-enable
graphics console
Disk Relies on Linux’s error recovery routines Linux sends a re-initialization command to drives
BootJacker responds after initialization is completed
Coprocessor Unit BootJacker has to reset and re-initialize
Coprocessor is disabled at system restart
Network BootJacker utilizes the API’s of Linux to re-
initialize the network adaptorSince system restart only takes up to a minute,
connections don’t usually time out.
Software Resuscitation Page Tables
BootJacker needs to discover the address of page locations If not, system resuscitation will fail
Alt-SysRq-B Reboot method used to enable resuming of
software processes This helps ensure that the Stack does not
become corruptAllow for proper process/context reconstructing to
occur Instructions are properly reloaded due to a call
back method caused by instructional fetch fault
Software Interrupts Schedule
Processes running before restart were on a scheduleSchedule is attempting to run during resuscitation
These are pushed on to a stack for future Using existing Linux API
Interrupts are successfully re-enabled for all processes
Scheduling is resumed
The ProcessHow does a attacker implement this?
Attacker needs to have direct access to the computerStealing the computerUn-authorized access to the computerRemoval of memory components
Removing hard-drive & volatile memory Forced Restart is initialized
Pressing of restart button on computer systemUse of Hot-Key restarts (Alt-SysRq-B)
The Process ContinuedBootJacker is connected to the computer
Bootable DeviceDVD / CDUSB Flash/Hard DriveNetwork Boot
BootJacker boots instead of host system
Process…BootJacker successfully revives the host
operating system Attacker can now break the system with malware
payloads If needed, the system can then be returned to
the unsuspecting ownerA few hiccups…
If the drive is inserted before force restartCould cause intrusion software to detect the
insertion
A Few Side NotesAlternate booting
Attacker may need to configure bios to boot from removable media
Most BIOS will boot from CDMost will not boot from USB
Operating Systems Attack BootJacker will need to be recompiled for different
kernelsTiming
The quicker you are the better chance you haveMemory is volatile, could be refreshed over time (BIOS
dependant)
EffectivenessTest System Hardware
IBM InteliStation M Pro2 GHZ Intel Pentium 4512 MB of RAM IDE Disk Drive Intel Pro/100 Network Card
This configuration is optimal for Hardware Resuscitation
Operating System Linux 2.6 Kernel (x86 – 32 Bit)
Time to Test…Test Tasks Performed
gcc: Compilation of the C source file containing the H.264/MPEG-4 AVC video compression codec in the MPlayer [37] media program.
gzip: File compression using the deflate compression algorithm.
wget: File download. convert: JPEG image encoding. aespipe: AES file encryption.
During the middle each test the computer was force restarted The tasks were successfully completed after
resuscitation
Security Test Applications
SSH Secure shell connection between two computers
SSL Web browser session to a secure web server
PPTP Secure connection to a secure network
University or Business
dm-crypt & Loop-AES Encrypted File Systems
ResultsSSH & SSL
Both are stored in user space After successful resuscitation
Attacker was able to access secured sessions on SSH
Attacker was also able to view secured websites Email Online Banks
VPN During the process of BootJacker
VPN connections stay intact
Results…Linux File Encryption
After successful exploitationFull access to encrypted drives remained
dm-crypt Loop-AES
TimeSo how long does this take to do….
Less then 60 seconds! In most cases it took less then 30 seconds
In most test runsMost time was consumed by the BIOS boot process
How to Counteract BootJacker
System Reconfiguring Prevent the system from alternate booting
Password protecting BIOS Use of ECC memory Requiring memory tests at each boot
Clears out memory
Operating System Reconfiguration Prevent secrets/keys from being stored in volatile
memory Drop secure connections when screen saver / lock screen
events occur Encrypt memory & stop computations until user has
authenticated
Related WorkFireWire Protocol Attack
Access physical memory thru FireWire port Allows access to keys and other secret data
stored in volatile memoryCold Boot Attacks
Access memory to view keys and other secret information stored in volatile memory
Uses a memory tool that analyses contents of volatile memory for specific secured data
Vbootkit & eEye BootRoot Install code that is executed on next boot cycle
Place malware on the system to monitor secrets Does not attempt to recover information from
memory or revive the system
ConclusionPros
Easily achieve access to the systemNo need for knowledge about the userBypass security algorithms within the system
Intrusion Detection, Antivirus, LoggersHave access to current secure sessions
VPN, SSH, SSL, File EncryptionComplete processes being executed before force
restart gcc, gzip, wget, convert, aepipe
Achieve Root access to the system Terminator, RootShell
Conclusion….Pros Continued
Mass DistributionSince most corporations and companies use the
same software & hardware setup One compiled version can be used on a wide amount of
machines Practical Use
Forensics Recovery of data
Conclusion….Cons
Not a very diverse attackNeeds to be recompiled based on:
System Hardware Operating System Kernel
Not effective against ECCNewer computers implement ECC memory
Limited to older systems No support for multi-core
New systems built today are exercising multi-core Physical Interaction needed
Direct access to the computer is required
References J. Mäkinen. Automated OS X Macintosh password retrieval via firewire.
http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrievalvia-firewire, 2008.
Trusted Computing Group. Trusted Platform Module version 1.2.http://www.trustedcomputinggroup.org/specs/TPM/.
WiebeTech. HotPlug: Transport a live computer without shutting it down. http://www.wiebetech.com/products/HotPlug.php, 2008.
R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, First edition, January 2001.
A. Boileau. Hit By A Bus: Physical Access Attacks with Firewire. In RUXCON, Sydney, Australia, Sep 2006.
Wikipedia
W. Link and H. May. Eigenshaften von MOS-Ein-Transistorspeicherzellen bei tieften Temperaturen. In Archiv fur Elektronik und Ubertragungstechnik, pages 33–229–235, June 1979