host and application security lesson 4: the win32 boot process

Host and Application SecurityLesson 4: The Win32 Boot Process

Last foundational item What steps does our machine go through to

start running?

First Step: Power On! This may seem like a trivial step, but a lot is

happening A timer kicks off once the MB voltages

stabilize Execution passes to a location in Read Only

Memory (ROM) Information about the hardware configuration

is read from the CMOS

POST Power On Self Test (POST) Check CMOS validity Check for Keyboard etc. A side note: beep codes

Where next? Understanding the boot sequence here is

important Can boot from LAN, Floppy, Hard Drive, CD-

ROM… Boot priority typically set in CMOS

But how? At this point, there is no operating system System used at the lowest level: Int 13h Aside: how Int xxh instructions work Typically, load “program” in the MBR as a

single sector

Three Possible Outcomes Success! First sector is loaded into memory

and executed. A READ ERROR occurs A DISK I/O ERROR occurs

What does a boot sector look like? On Win95… debug

l 7c00 0 0 1u 7c00

Two Paths: Fixed and Removable Not identical Hard drive provides more options – MBR and

PBS

Next… MBR PBS NTLDR NTOSKRNL.EXE SMSS WINLOGON SCM

NTLDR The boot code “understands” the underlying

file system, and loads NTLDR from the root directory of that disk

NTLDR starts life in “real mode”

And What is “Real Mode” No Virtual to Physical memory translation

(tell me about that…) Only 1MB of memory available to the

machine (why?) Just like DOS…

Protected Mode

Source: Intel® 64 and IA-32 Architectures Software Developer’s Manual

32-bit memory now available Paging turned on Protected mode with paging is “normal” for

Win32

Now we switch to PM All disk IO still handled by the “old” code NTLDR now examines BOOT.INI for more

information If more than one selection, display choices…

DOS? If BOOT.INI refers to a DOS option BOOTSEC.DOS is loaded and executed as if

it were a boot sector, switching back to Real Mode

NTDETECT.COM Runs in real mode Reads the BIOS to determine OS basics, such

as: Time and Date Types of Buses Number/type of drive Type of mouse Parallel Ports…

And then back to NTLDR Load the Kernel and the HAL Read the SYSTEM registry hive to determine

required boot-time device drivers Start Value = SERVICE_BOOT_START

Loads the File System Drivers required for boot (e.g. NTFS)

NTLDR Continued Loads the boot drivers and displayed

“Starting Windows” NB: Drivers only load at this time, they are

not run Prepare CPU registers for the execution of the

kernel Calls main() in NTOSKRNL

NTOSKRNL Two stage initialization process called…

Phase 0 Phase 1

Phase 0 Interrupts Disabled Build the data structures required by the

Phase 1 processes Calls ExpInitializeExecutive

Finalizes HAL Initializes Memory Manager Initializes Object Manager Initializes Security Reference Monitor, Process

Mangler, Plug and Pray Manager

Phase 1 Control goes to Idle loop… allowing other

processes to init Interrupts turned on Boot Video Driver On (The Win32 Startup

Screen now displays) SMSS (Session Manager SubSystem) called

SMSS User-mode process (but trusted part of the OS) Native application – doesn’t use Win32 APIs but uses

Windows 2000 Native APIs Does lots of things… But we’re interested in:

Runs any programs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute

Performs delayed file rename operations as directed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Starts Winlogon

Security? So, let’s discuss… how can the Windows boot

process be exploited?

Enhancements UEFI

Intel specifications to replace the BIOS interface that is standard to all PCs

Secure boot, however, is a really interesting discussion

The idea is to lock the hardware to a particular chain of trust Things must be signed by a particular key… this lead

to some interesting debates

Enhancements (cntd) ELAM

Try and get antimalware loaded much earlier in the boot process

Purpose is to provide white/black listing services only early in the process

Forces load of the AM solution before anything else is loaded

TPM Of course there is the TPM Trusted Platform Module

“The proper definition is that a trusted system or component is one whose failure can break the security policy, while a trustworthy system or component is one that won’t fail” (Anderson)

Questions and Assignment Assignment: 2500 words or more, on

“Security Enhancements to the PC Boot Process”

Basically, in detail, tell me about UEFI, TPM etc.

Due, next Thursday, printed out, in class. PLUS electronic copy to moi!