Professional Documents
Culture Documents
1 2 UEFI Rootkits ZN 2016
1 2 UEFI Rootkits ZN 2016
1 2 UEFI Rootkits ZN 2016
Forensic Approaches
History of BIOS rootkits
T
LLO
BA
NA
NA n
BA w
kP or
in o
Th ckd
MS Win10: Virtualization Based Security Era
a
Ib
PE M
VM hole
2016
2016
->
M Sink
SM ry ke2
o tri
em rs r
M nde doo
u ck
Th b a
ad
er M
klo SM r
r te
HT Ea
ht
Lig
ke
tri
2015
2015
rs s
de
Move to UEFI world with Secure Boot
CE i
UN
BO u n am
ITY Th en
DE V ss
rth pa
Da By
ot
Bo
History of BIOS rootkits
re
2014
2014
ria
ste cu
Hy st Se
IOS 1 o t
dB
Ba Bo
m
ea
Dr
2013
2013
a
h as
ks
kit Ra
IOS
i/B
2012
2012
m
bro
Me
e ac
ng
2011
2011
utr
mp hi
Co tc
Pa
OS
BI kit
ot
Ro
2009
2009
M
SM
kit t
ot tki
Ro oo
2008
2008
rd R
Lo om
Ice ptR
O
I
PC
it
tk
2007
o
2007
Ro
PI
AC
Proof of Concept
2006
2006
IH
In the Wild
nC
Wi
1998
1998
T
LLO
BA
NA
NA n
BA w
kP or
in o
Th ckd
MS Win10: Virtualization Based Security Era
a
Ib
PE M
VM hole
2016
2016
->
M Sink
SM ry ke2
o tri
em rs r
M nde doo
u ck
Th b a
ad
er M
klo SM r
r te
HT Ea
ht
Lig
ke
tri
2015
2015
rs s
de
Move to UEFI world with Secure Boot
CE i
UN
BO u n am
ITY Th en
DE V ss
rth pa
Da By
ot
Bo
History of BIOS rootkits
re
2014
2014
ria
ste cu
Hy st Se
IOS 1 o t
dB
Ba Bo
m
ea
Dr
2013
2013
a
h as
ks
kit Ra
IOS
i/B
2012
2012
m
bro
Me
e ac
ng
2011
2011
utr
mp hi
Co tc
Pa
OS
BI kit
ot
Ro
2009
2009
M
SM
kit t
ot tki
Ro oo
2008
2008
rd R
Lo om
Ice ptR
O
I
PC
it
tk
2007
o
2007
Ro
PI
AC
Proof of Concept
2006
2006
IH
In the Wild
nC
Wi
1998
1998
Threat Model for UEFI Rootkits
OS Kernel-Mode (Ring 0)
OS Loader OS Loader
(winload.exe) (winload.efi)
Load kernel and boot start drivers Load kernel and boot start drivers
UEFI BIOS Firmware Rootkits
Boot Manager
Platform
Patching UEFI “Option ROM”
Initialization UEFI Binaries UEFI DXE Driver in Add-On Card (Network, Storage ..)
(Firmware)
Non-Embedded in FV in ROM
UEFI Driver
UEFI Application
Replacing Windows Boot Manager
EFI System Partition (ESP) on Fixed Drive
UEFI OS Loader Load
(Boot order select ) ESP\EFI\Microsoft\Boot\bootmgfw.efi
EFI_SYSTEM_TABLE
Pointers
EFI_RUNTIME_SERVICES
EFI_BOOT_SERVICES
EFI_DXE_SERVICES
Firmware Rootkit
Stage 1:
Client-Side Exploit drop installer (1)
Installer Elevate Privileges to System
Stage 2:
Bypass Code Signing Policies
Install Kernel-Mode Payload (2)
Stage 3:
Execute SMM exploit
Elevate Privileges to SMM
Execute Payload (3)
Stage 4:
Bypass Flash Write Protection
Install Rootkit into Firmware
Firmware Rootkit
Stage 1:
Client-Side Exploit drop installer (1)
Installer Elevate Privileges to System
Stage 2:
Bypass Code Signing Policies
Install Kernel-Mode Payload (2)
Stage 3:
Execute SMM exploit
Elevate Privileges to SMM
Execute Payload (3)
Stage 4:
Bypass Flash Write Protection
Install Rootkit into Firmware
Recent BIOS Vulns For Persistent Infection
SMI Handlers(always an issue) – memory corruption vulnerabilities
can lead arbitrary SMM code execution
https://github.com/chipsec/chipsec/blob/master/chipsec/modules/tools/smm/smm_ptr.py
http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html
Hacking Team UEFI Implant : Modules
• DXE module
ntfs • NTFS driver
fsbg
• UEFI application
• main bootkit
functionality rkloader
• DXE module
• bootkit trigger
Hacking Team UEFI Implant: How It Works
RkLoader is
executed at DXE • Load and execute main bootkit
phase by module fsbg
Firmware
https://github.com/hackedteam/soldier-win
https://github.com/hackedteam/scout-win
https://github.com/hackedteam/core-win64
https://github.com/hackedteam/core-win32
https://github.com/hackedteam/vector-edk
Hacking Team : Results
1. http://resources.infosecinstitute.com/nsa-bios-backdoor-god-mode-malware-deitybounce/
DEITYBOUNCE Workflow
Computer Firmware
System Initialization
(BIOS)
ARKSTREAM DEITYBOUNCE
Execute OS bootloader
SMRAM
OS Kernel is initialized
BANANABALLOT and JETPLOW
(Equation Group)
Don’t miss the talk:
https://dsec.ru/ipm-research-center/research/architecture_jetplow/
Computrace/LoJack
Computrace/LoJack
Legitimate application that provides anti-theft protection.
LenovoComputraceLoaderDxe LenovoComputraceEnablerDxe
AbsoluteComputraceInstallerDxe LenovoComputraceSmiServices
OS Environment
Install Computrace Agent
Computrace
OS Process
OS Process
OS Process
...
Agent
Interface
Network
Computrace
C&C Servers
OS NTFS Volume
Computrace/LoJack
Computrace/LoJack
ComputraceAgentInstaller
Implements custom NTFS parsing functionality to
install the “agent” onto NTFS volumes
ComputraceAgentInstaller
EFI_ACPI_TABLE_PROTOCOL->InstallAcpiTable
BootServices->InstallConfigurationTable
EFI_ACPI_TABLE_PROTOCOL->InstallAcpiTable
BootServices->InstallConfigurationTable
https://github.com/chipsec/chipsec/blob/master/chipsec/modules/tools/uefi/blacklist.py
https://github.com/chipsec/chipsec
SMM Memory Forensics
Diff original and infected SMRAM to hunt for malicious SMI
Parse EFI_SMM_SYSTEM_TABLE to get SMM memory layout
Find all SMI handlers based on DATABASE_RECORD signature
FGO
FSMIE
Write size of data to read to HSFC HSFC: FDBC FCYCLE
FGO
FSMIE
Write read command to HSFC HSFC: FDBC FCYCLE
FGO
FSMIE
Set FGO (0x0001) bit in HSFC HSFC: FDBC FCYCLE
FCERR
FDONE
Wait for SPI read cycle
BERASE
...
SCIP
HSFS:
AEL
completion
FSMIE
HSFC:
FGO
FDBC FCYCLE
Flash SPI SMI# Enable (FSMIE) — R/W. When set to 1, the SPI asserts
an SMI# request whenever the Flash Cycle Done (FDONE) bit is 1.
SPI Flash Dump – Attacker’s Possibilities
Reader SPI Controller Attacker
Set FSMIE bit to 1 in HSFC
Write start address to FADDR
http://wiki.bios.io/doku.php?id=ida_pro_tracing
How Debug UEFI Firmware?
http://wiki.bios.io/doku.php?id=ida_pro_tracing
Intel Virtual Platform
http://wiki.minnowboard.org/
Minnowboard Max
http://wiki.minnowboard.org/
Intel XDP Hardware Debuggers
SMM Debug with Intel System Debugger
A few words about
UEFI Firmware Mitigations
Intel Boot Guard Technology
CPU reset -> bootrom -> ACM -> initial boot block -> BIOS -> boot loader -> OS
Intel Boot Guard Technology
https://firmware.intel.com/sites/default/files/STTS003%20-%20SF15_STTS003_100f.pdf
Intel Boot Guard Technology
http://vzimmer.blogspot.com/2013/09/where-do-i-sign-up.html
Don’t miss the talk:
BIOS Guard can reduces SMI handler attack surface because of one
signed and authenticated code module (ACM)
With active BIOS Guard only guarded module is able to modify SPI
flash memory
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf
Intel SMI transfer monitor (STM) Technology
STM - memory isolation approach for
SMM
https://firmware.intel.com/content/smi-transfer-monitor-stm
Windows SMM Security Mitigation Table
(WSMT)
Field Byte length Byte offset Description
Revision 1 8 1
Checksum 1 9 Entire table, which must sum to zero
OEMID 6 10 Original equipment manufacturer (OEM) identifier (ID)
OEM Table ID 8 16 Manufacturer model ID
OEM Revision 4 24 OEM revision for supplied OEM table ID
Creator ID 4 28 Vendor ID of the ASL compiler utility that created the table
Creator Revision 4 32 Revision of the ASL compiler utility that created the table
https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/acpi-system-description-tables#wsmt
Windows SMM Security Mitigation Table
(WSMT)
Length Bit offset Description
1 0 FIXED_COMM_BUFFERS
If set, expresses that for all synchronous SMM entries, SMM will validate that input and output buffers lie entirely within the expected fixed memory regions.
1 1 COMM_BUFFER_NESTED_PTR_PROTECTION
If set, expresses that for all synchronous SMM entries, SMM will validate that input and output pointers embedded within the fixed communication buffer
only refer to address ranges that lie entirely within the expected fixed memory regions.
1 2 SYSTEM_RESOURCE_PROTECTION
Firmware setting this bit is an indication that it will not allow reconfiguration of system
resources via non-architectural mechanisms.
https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/acpi-system-description-tables#wsmt
https://github.com/tianocore/edk2/blob/master/MdePkg/Include/IndustryStandard/WindowsSmmSecurityMitigationTable.h
Thank you for your attention!