UEFI and PCI bootkits Pierre Chifflier PacSec 2013


Page 1: UEFI and PCI bootkits - PacSec if BIOS password set ... Interrupt Handler Modified Fork added code 1 2 3 4 5 OM OM ... 14h 1 Code Type 15h 1 Last Image Indicator

UEFI and PCI bootkits. Pierre Chifflier, PacSec 2013.

ANSSI

▶ Created on July 7th 2009, the ANSSI (French Network and Information Security Agency) is the national authority for the defense and the security of information systems.
▶ Under the authority of the Prime Minister
▶ Main missions are:
  ▶ prevention
  ▶ defense of information systems

http://www.ssi.gouv.fr/en/

UEFI and PCI bootkits 2/42

UEFI study

Motivations:
▶ Study UEFI
▶ Raise awareness of pre-boot dangers
▶ Present and discuss countermeasures

Study:
▶ Boot sequence
▶ UEFI functions:
  ▶ Hooking the bootloader
  ▶ ACPI Tables
  ▶ Network functions
  ▶ …
▶ PCI devices
▶ Countermeasures

Overview

1 UEFI
2 PCI
3 Description of UEFI VGA Bootkit
4 Demo
5 Countermeasures

UEFI

BIOS vs UEFI (1/2)

BIOS:
▶ x86 architectures
▶ Real mode (16 bits)
▶ No support for large disks (> 2 TB), MBR sector
▶ Memory mapping on 1 MB
▶ No integrity check
▶ Old-school in 2013 :)

UEFI

UEFI: recent?
▶ 2000: EFI (Intel)
▶ 2004: http://tianocore.org
▶ 2005: UEFI (Unified EFI Forum, http://www.uefi.org)
▶ 2013: current version is UEFI 2.4

Objectives:
▶ Overcome BIOS limitations
▶ Multiple architectures (x86, ARM, Itanium, …)
▶ Standardization of drivers
▶ "Modern" design: modular, written in C

UEFI: Specifications

Services:
▶ IP4/6, UDP/TCP 4/6, ARP, DHCP4/6, MTFTP4/6, FTP, PXE, iSCSI
▶ VLAN, EAP, IPsec (IKEv2)
▶ PCI, USB, SCSI, AHCI, removable media
▶ GPT, vFAT
▶ Console, Graphical Mode, Human Interface, UTF-16
▶ User Identification
▶ ACPI, SMRAM
▶ Debugger
▶ Compression
▶ EFI Byte Code Virtual Machine
▶ Firmware management
▶ …

UEFI and Security

EFI Development Kit (EDK) 2:
▶ 1,000,000+ SLOC
▶ No protection on memory pages, rwx everywhere
▶ All code running in ring 0
▶ Huge attack surface
▶ Most code written from scratch (including libc+, IPv4/IPv6 stack, IPsec, PE parser)
▶ Lots of StrCat and StrCpy

UEFI and Security (2)

Services available to malware:
▶ Network functions (IPv4 and IPv6)
▶ Get drivers over PXE
▶ Use an IPsec tunnel
▶ Manipulate ACPI tables
▶ Add new drivers

UEFI Boot Sequence

(figure: the boot phases from left to right, with three points marked "HOOK !")

Power on → [Platform Initialization] → [OS boot] → Shutdown

Security (SEC):                      Pre-Verifier
Pre-EFI Initialization (PEI):        CPU Init, Chipset Init, Board Init
Driver Execution Environment (DXE):  verify, Intrinsic Services, EFI Driver Dispatcher, Device Drivers
Boot Device Select (BDS):            Boot Manager
Transient System Load (TSL):         Transient OS Boot Loader, Transient OS Environment, OS-absent App, Final OS Boot Loader
Run Time (RT):                       Final OS Environment, OS-present App
After Life (AL):                     After Life

PCI bootkits

Overview: PCI Expansion ROMs

▶ (small) optional memory chip, present on PCI/PCIe/Thunderbolt/ExpressCard devices
▶ Provides some code, executed by the firmware
▶ Already exploited in the past, for the BIOS
▶ What about UEFI?

VGA Card

(figure only)

Scenario and assumptions

Use case:
▶ Attacker has already gained root/admin privileges
▶ She wants to install a persistent stealthy rootkit
▶ Bootkit: bootloader rootkit
▶ Visible modifications
▶ Hard if BIOS password set
▶ Use the hardware?
▶ Without re-flashing the BIOS

Example: graphics card

Objective: (persistence of) privilege escalation

Problems:
▶ OS? Not yet in memory
▶ No access to hard disk (+ possible encryption)
▶ How to execute code?
▶ In a few kilobytes!
▶ And the graphics card must still work properly

Initial reactions:
"…All combined: nice story for Matrix fans … Need I go on?" (Mrk)

Scenario

(figure: the same boot-sequence diagram as on the "UEFI Boot Sequence" slide, Power on → SEC → PEI → DXE → BDS → TSL → RT → AL, with its three "HOOK !" marks; successive overlays add the labels "Start: PCI card" and "Target: OS")

UEFI Boot Sequence

(figure: the attack chain laid along the boot sequence)

Power on → UEFI firmware (SEC, PEI; DXE, BDS) → Bootloader (Grub2) → Operating System (Linux, App)

Expansion ROM content shown: Legacy Code, Header, Init Code, Modified ExitBootServices, Interrupt Handler, Modified Fork (legend: "added code")

Steps:
1 Load Opt. ROM
2 Load ROM
3 ExitBS
4 #DB
5 fork

Real world scenario

Get the expansion ROM, using one of:
▶ Extract PCI device
▶ Add a new internal or external PCI device
▶ Boot on a USB stick
▶ Gain admin privileges on OS

New functionalities:
▶ Add the UEFI code to create a hybrid ROM
▶ Flash expansion ROM
✓ Backdoor installed

Dumping the ROM

▶ cat /sys/bus/pci/devices/0000\:00\:02.0/rom
▶ Manufacturer tools

Example: ATI
  E:\> atiflash.exe -unlockrom 0
  E:\> atiflash.exe -s 0 myrom.bin

Crafting the UEFI ROM [1]

Crafting a "hybrid ROM":
▶ Using the Development Kit (vim + gcc)
▶ Create a DXE driver: C code, 64 bits (make)
▶ Choose some PCI IDs
▶ Convert to ROM format (EfiRom)
▶ Patch image (cat)

[1] ROM wasn't built in a day

PCI Expansion ROM format

(figure: a ROM is a chain of images, Image 0 … Image n, each under 64 KB and each made of a PCI ROM Header followed by a PCI Data Structure; "ROM vanilla" shows the original images, "Modification of the PCI Expansion ROM" shows a "UEFI Code" image appended to them)

PCI ROM Header:

  Offset    Length  Value   Header Field
  00h-01h   2       55AAh   PCI Expansion ROM signature
  02h-17h   16h             Architecture Specific Data
  18h-19h   2               Pointer to PCI Data Structure

PCI Data Structure:

  Offset    Length  Header Field
  00h-03h   4       Signature, the "PCIR" string
  04h-05h   2       Vendor Identification
  06h-07h   2       Device Identification
  08h-09h   2       Device List Pointer
  0Ah-0Bh   2       PCI Data Structure Length
  0Ch       1       PCI Data Structure Revision
  0Dh-0Fh   3       Class Code
  10h-11h   2       Image Length
  12h-13h   2       Vendor ROM Revision Level
  14h       1       Code Type
  15h       1       Last Image Indicator
  16h-17h   2       Maximum Runtime Image Length
  18h-19h   2       Pointer to Configuration Utility Code Header
  1Ah-1Bh   2       Pointer to DTMF CLP Entry Point

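An inventory tool for a ROM dump, added here as an example (it is not code from the talk or from ANSSI). It walks the image chain using the header and PCIR offsets from the format table, and reports each image's code type, IDs and hash, so a defender can baseline a card's ROM and notice when a legacy-only ROM has gained an appended EFI image, the "hybrid ROM" layout the talk describes. Two details are taken from the PCI Firmware and UEFI specifications rather than from the slides: the PCIR Image Length field counts 512-byte units, and an EFI image (Code Type 03h) carries the signature 0EF1h at header offset 04h, inside what the table calls Architecture Specific Data. The sample ROM bytes, the device ID and the class code are constructed for the demonstration.

```python
"""Inventory the images inside a PCI expansion ROM dump (added example, not the talk's code)."""
import hashlib
import struct
import sys

ROM_SIGNATURE = 0xAA55      # bytes 55h AAh at offset 00h, read little-endian
PCIR_SIGNATURE = b"PCIR"
EFI_SIGNATURE = 0x0EF1      # EFI option ROM marker at header offset 04h (UEFI spec, not the slides)
CODE_TYPES = {0x00: "legacy x86", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI image"}


class RomFormatError(ValueError):
    """Raised when a header or PCIR field is inconsistent with the dump."""


def parse_image(rom: bytes, base: int) -> dict:
    """Parse the image that starts at `base` and return its header/PCIR fields."""
    if len(rom) < base + 0x1A:
        raise RomFormatError(f"ROM header truncated at {base:#x}")
    if struct.unpack_from("<H", rom, base)[0] != ROM_SIGNATURE:
        raise RomFormatError(f"no 55AAh signature at {base:#x}")
    pcir = base + struct.unpack_from("<H", rom, base + 0x18)[0]      # header 18h-19h
    if rom[pcir:pcir + 4] != PCIR_SIGNATURE or len(rom) < pcir + 0x16:
        raise RomFormatError(f"no PCIR structure at {pcir:#x}")
    vendor, device, _devlist, _pcir_len, _rev = struct.unpack_from("<HHHHB", rom, pcir + 0x04)
    class_code = int.from_bytes(rom[pcir + 0x0D:pcir + 0x10], "little")
    units, _rom_rev, code_type, last = struct.unpack_from("<HHBB", rom, pcir + 0x10)
    size = units * 512                                                # Image Length is in 512-byte units
    if size == 0 or base + size > len(rom):
        raise RomFormatError(f"image at {base:#x} claims {size} bytes, dump has {len(rom) - base}")
    info = {
        "offset": base, "size": size, "vendor_id": vendor, "device_id": device,
        "class_code": class_code, "code_type": code_type,
        "code_type_name": CODE_TYPES.get(code_type, "unknown"),
        "last": bool(last & 0x80),                                    # bit 7 of the Last Image Indicator
        "sha256": hashlib.sha256(rom[base:base + size]).hexdigest(),  # per-image baseline value
    }
    if code_type == 0x03:
        info["efi_signature_ok"] = struct.unpack_from("<H", rom, base + 0x04)[0] == EFI_SIGNATURE
    return info


def parse_rom(rom: bytes) -> list:
    """Walk every image until one sets the Last Image Indicator."""
    images, base = [], 0
    while True:
        img = parse_image(rom, base)
        images.append(img)
        if img["last"]:
            return images
        base += img["size"]


def classify(images: list) -> str:
    """'legacy', 'efi', 'hybrid' (legacy plus EFI image, as in the talk) or 'other'."""
    types = {img["code_type"] for img in images}
    if {0x00, 0x03} <= types:
        return "hybrid"
    if 0x03 in types:
        return "efi"
    if 0x00 in types:
        return "legacy"
    return "other"


def is_well_formed(rom: bytes) -> bool:
    try:
        parse_rom(rom)
        return True
    except RomFormatError:
        return False


def build_image(code_type, vendor, device, units, last, class_code=0x030000):
    """Assemble a minimal image for the demo (constructed data, not a real ROM)."""
    img = bytearray(units * 512)
    struct.pack_into("<H", img, 0x00, ROM_SIGNATURE)
    if code_type == 0x00:
        img[0x02] = units                    # legacy header keeps its size at 02h
    elif code_type == 0x03:
        struct.pack_into("<H", img, 0x04, EFI_SIGNATURE)
    pcir = 0x1C
    struct.pack_into("<H", img, 0x18, pcir)
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HHHHB", img, pcir + 0x04, vendor, device, 0, 0x1C, 3)
    img[pcir + 0x0D:pcir + 0x10] = class_code.to_bytes(3, "little")
    struct.pack_into("<HHBB", img, pcir + 0x10, units, 1, code_type, 0x80 if last else 0)
    return bytes(img)


# Constructed samples: 1002h is the AMD/ATI vendor ID, the device ID is a placeholder.
VANILLA_ROM = build_image(0x00, 0x1002, 0xDEAD, 2, last=True)
HYBRID_ROM = build_image(0x00, 0x1002, 0xDEAD, 2, last=False) + build_image(0x03, 0x1002, 0xDEAD, 1, last=True)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HYBRID_ROM
    imgs = parse_rom(data)
    for img in imgs:
        print(f"{img['offset']:#08x} {img['size']:6d} B  type {img['code_type']:#04x} ({img['code_type_name']})"
              f"  {img['vendor_id']:04x}:{img['device_id']:04x}  sha256={img['sha256'][:16]}...")
    print("classification:", classify(imgs))
```

Run it on the file produced by the cat command from the dump slide (the kernel exposes that `rom` attribute only after `1` has been written to it). Keeping the per-image hashes from a known-good boot turns this into a check: a card whose classification moves from "legacy" to "hybrid", or whose image hashes change without a vendor update, deserves a closer look.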

Writing ROM (1/2)

▶ Manufacturer tools

Example: ATI
  E:\> atiflash.exe -unlockrom 0
  E:\> atiflash.exe -p -f 0 myrom.bin

▶ Restart, and cross fingers

Writing ROM (2/2)

▶ Flash SPI: low-level tools

Execution in UEFI

Malware Execution:
▶ The UEFI firmware enumerates PCI devices
▶ Expansion ROMs are loaded into memory [a]:
  ▶ Legacy: (0xc0000 → 0xfffff)
  ▶ UEFI: dynamic
▶ The legacy ROM is loaded by the CSM
▶ UEFI ROMs are loaded afterward
▶ The C entry point is called
▶ The ExitBootServices function is hooked

[a] All roads lead to ROM

Load PCI Expansion ROM

(figure: the same attack-chain diagram as on the "UEFI Boot Sequence" slide: Power on → UEFI firmware → Bootloader → Operating System, steps 1 Load Opt. ROM, 2 Load ROM, 3 ExitBS, 4 #DB, 5 fork)

Intercepting the bootloader

Bootloader role:
▶ Copy of kernel image into memory (address?)
▶ Call ExitBootServices
▶ Problem: memory can be reused by the OS
▶ Tested on Grub2

Challenges:
▶ Persistent memory allocation
▶ Reconstruction of the call stack
▶ Identification of address
▶ Preparation of the next step


Next Step: bootloader

(figure: the same attack-chain diagram as on the "UEFI Boot Sequence" slide: Power on → UEFI firmware → Bootloader → Operating System, steps 1 Load Opt. ROM, 2 Load ROM, 3 ExitBS, 4 #DB, 5 fork)

Intercepting the kernel (1/2)

▶ Memory image before decompression
▶ Physical addresses ≠ virtual addresses
▶ Kernel: initializes IDT, GDT, paging, etc.
▶ Mode change (32 → 64 bits), CS and DS, …
▶ Use a breakpoint? Not easy (IDT)

(figure: early kernel stages: Early Kernel → Decompression Code → Init Part 2 → Uncompressed Image; the first two run in 32 bits, Init Part 2 switches 32 → 64 bits and resets GDT + IDT, the uncompressed image resets GDT + IDT again; the address 0x1000000 is marked)

Intercepting the kernel (2/2)

Use Hardware Breakpoints:
▶ Hardware Debug Registers
▶ Use the #DB interrupt
▶ Interrupt vector 1
▶ Hardware BP 1: 0x1000000
▶ Hardware BP 2: before IDT reload, in Init Part 2

Next Step: early kernel

(figure: the same attack-chain diagram as on the "UEFI Boot Sequence" slide: Power on → UEFI firmware → Bootloader → Operating System, steps 1 Load Opt. ROM, 2 Load ROM, 3 ExitBS, 4 #DB, 5 fork)

Syscall Modification

▶ Modification of a system call
▶ Patch code in memory
▶ Privilege escalation
▶ Chosen syscall: fork
▶ Address of syscall?
▶ Addresses of internal functions?

Modified system call:
  xor  %rdi, %rdi
  call *0xffffffff8106406f   ; prepare_kernel_cred
  call *0xffffffff81063db6   ; commit_creds
  ret

Next Step: syscall

(figure: the same attack-chain diagram as on the "UEFI Boot Sequence" slide: Power on → UEFI firmware → Bootloader → Operating System, steps 1 Load Opt. ROM, 2 Load ROM, 3 ExitBS, 4 #DB, 5 fork)

Demo

(figure: the same attack-chain diagram as on the "UEFI Boot Sequence" slide: Power on → UEFI firmware → Bootloader → Operating System, steps 1 Load Opt. ROM, 2 Load ROM, 3 ExitBS, 4 #DB, 5 fork)

EFI Byte Code

▶ EBC: EFI Byte Code
▶ EBC Virtual Machine defined in specifications
▶ Assembly Intel-like instructions, platform-independent
▶ Can be used in Option ROMs

Example of EFI Byte Code:
  CC 67 04 00    ADD64  R7, R6 0x4
  B2 78 30 00    MOVnw  @R0(0,+48), R7
  72 87 30 00    MOVnw  R7, @R0(0,+48)
  03 07          CALL32 R7
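A small EBC decoder, added as an example (it is not the talk's tooling), to show how the bytes in the listing map to the mnemonics: byte 0 carries the opcode in its low six bits plus two flag bits, byte 1 carries the two operands (a 3-bit register number and an indirect bit each), and optional immediate or "natural index" words follow. The encoding rules are my reading of the EBC chapter of the UEFI specification; that the four instructions on the slide decode to the slide's own listing is the check. Only the ALU family, the MOV family, CALL, RET and BREAK are handled, everything else raises.

```python
"""Decode a subset of EFI Byte Code (added example, not the talk's tooling)."""
import struct

ALU_OPCODES = {0x0A: "NOT", 0x0B: "NEG", 0x0C: "ADD", 0x0D: "SUB", 0x0E: "MUL", 0x0F: "MULU",
               0x10: "DIV", 0x11: "DIVU", 0x12: "MOD", 0x13: "MODU", 0x14: "AND", 0x15: "OR",
               0x16: "XOR", 0x17: "SHL", 0x18: "SHR", 0x19: "ASHR"}
# MOV family: mnemonic and width in bits of its index words
MOV_OPCODES = {0x1D: ("MOVbw", 16), 0x1E: ("MOVww", 16), 0x1F: ("MOVdw", 16), 0x20: ("MOVqw", 16),
               0x21: ("MOVbd", 32), 0x22: ("MOVwd", 32), 0x23: ("MOVdd", 32), 0x24: ("MOVqd", 32),
               0x28: ("MOVqq", 64), 0x32: ("MOVnw", 16), 0x33: ("MOVnd", 32)}


def natural_index(raw: int, bits: int):
    """Split an EBC natural index into (natural units, constant units).

    Layout, high to low: sign bit, 3-bit width field w, w*(bits/8) bits of
    natural units, then the constant units in the remaining low bits.
    """
    sign = -1 if (raw >> (bits - 1)) & 1 else 1
    w = (raw >> (bits - 4)) & 0x7
    n_bits = w * (bits // 8)
    c_bits = bits - 4 - n_bits
    c = raw & ((1 << c_bits) - 1)
    n = (raw >> c_bits) & ((1 << n_bits) - 1)
    return sign * n, sign * c


def _reg(r, indirect):
    return f"@R{r}" if indirect else f"R{r}"


def decode_one(code: bytes, pos: int = 0):
    """Decode the instruction at `pos`; return (text, length in bytes)."""
    b0, b1 = code[pos], code[pos + 1]
    op, flag_hi, flag_lo = b0 & 0x3F, bool(b0 & 0x80), bool(b0 & 0x40)
    r1, ind1, r2, ind2 = b1 & 7, bool(b1 & 0x08), (b1 >> 4) & 7, bool(b1 & 0x80)

    if op in ALU_OPCODES:               # flag_hi: 16-bit immediate present, flag_lo: 64-bit operation
        text = f"{ALU_OPCODES[op]}{64 if flag_lo else 32} {_reg(r1, ind1)}, {_reg(r2, ind2)}"
        if not flag_hi:
            return text, 2
        if ind2:                        # with an indirect operand 2 the word is a natural index
            n, c = natural_index(struct.unpack_from("<H", code, pos + 2)[0], 16)
            return f"{text}({n},{c:+d})", 4
        return f"{text} {struct.unpack_from('<h', code, pos + 2)[0]:#x}", 4

    if op in MOV_OPCODES:               # flag_hi: operand 1 has an index, flag_lo: operand 2 has one
        mnem, bits = MOV_OPCODES[op]
        cursor, ops = pos + 2, []
        for r, ind, has_idx in ((r1, ind1, flag_hi), (r2, ind2, flag_lo)):
            text = _reg(r, ind)
            if has_idx:
                raw = int.from_bytes(code[cursor:cursor + bits // 8], "little")
                cursor += bits // 8
                n, c = natural_index(raw, bits)
                text += f"({n},{c:+d})"
            ops.append(text)
        return f"{mnem} {ops[0]}, {ops[1]}", cursor - pos

    if op == 0x03:                      # CALL: flag_lo selects CALL64, byte 1 bit 5 marks a native call
        mnem = f"CALL{64 if flag_lo else 32}{'EX' if b1 & 0x20 else ''}"
        if not flag_hi:
            return f"{mnem} {_reg(r1, ind1)}", 2
        if flag_lo:                     # CALL64 carries a 64-bit absolute immediate
            return f"{mnem} {struct.unpack_from('<Q', code, pos + 2)[0]:#x}", 10
        raw = struct.unpack_from("<I", code, pos + 2)[0]
        if ind1:
            n, c = natural_index(raw, 32)
            return f"{mnem} {_reg(r1, ind1)}({n},{c:+d})", 6
        return f"{mnem} {_reg(r1, ind1)} {struct.unpack_from('<i', code, pos + 2)[0]:#x}", 6

    if op == 0x04:
        return "RET", 2
    if op == 0x00:
        return f"BREAK {b1}", 2
    raise ValueError(f"opcode {op:#04x} at offset {pos} not handled by this decoder")


def disassemble(code: bytes) -> list:
    """Return [(offset, hex bytes, text), ...] for a contiguous run of EBC code."""
    out, pos = [], 0
    while pos < len(code):
        text, length = decode_one(code, pos)
        out.append((pos, code[pos:pos + length].hex(" ").upper(), text))
        pos += length
    return out


# The four instructions from the slide, bytes copied from its listing.
SLIDE_BYTES = bytes.fromhex("CC670400" "B2783000" "72873000" "0307")

if __name__ == "__main__":
    for off, raw, text in disassemble(SLIDE_BYTES):
        print(f"{off:04x}  {raw:<12}  {text}")
```

The MOVnw pair is the idiom worth recognising when triaging an EBC image: R0 is the stack pointer, so @R0(0,+48) is a stack slot, and the sequence stores R7 there, reloads it, and calls through it, which is exactly the kind of pointer-through-stack control flow that hides well from tools expecting native code.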

EFI Byte Code and Security

EBC:
▶ Hardware independent
▶ No memory restriction
▶ No types, can call / be called from C functions
▶ This makes analysis complicated
▶ Tools not available or EBC poorly supported
▶ For example, analyzing a file can lead to crashes
▶ Great way to obfuscate code
▶ Portable (including multiple payloads)

Consequences

UEFI PCI Bootkits:
▶ Stealthy: no disk or file modification, small memory footprint: almost invisible
▶ Portable
▶ Survives OS upgrades or reinstallation
▶ Can also use DMA
▶ Independent of disk encryption
▶ BIOS password: does not prevent it
▶ Antivirus (even UEFI): useless
▶ grsec / randomization / …: complicates the exploitation, but does not prevent the attack
▶ Solutions?

Solution 1: TPM

▶ [Should be a] Passive component
▶ Present on (almost) all PCs
▶ The firmware measures elements
▶ Measurements are used through atomic operations (e.g. unseal)

Limitations:
▶ Lack of applications
▶ Not supported by all bootloaders
▶ Makes updates complicated
▶ Requires Full Disk Encryption for integrity
▶ Not perfect [a]

[a] see the BIOS Chronomancy presentation
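Measured boot in miniature, added as an example (not code from the talk) to show why a TPM makes the expansion-ROM modification visible and why the slide says the scheme only gives integrity when a disk-encryption key is sealed to it. The extend rule PCR_new = H(PCR_old || H(component)) is the TPM one, and the bank assignment (firmware code in PCR[0], option ROM code in PCR[2], boot loader in PCR[4]) follows the TCG PC Client platform profile. Everything else is constructed for the demonstration: the component blobs, the key, and a toy sealing format that only reproduces the decision a real TPM makes inside the chip when it checks the PCR policy before releasing a sealed secret.

```python
"""Measured boot and PCR sealing in miniature (added example, not the talk's code)."""
import hashlib
import hmac

PCR_FIRMWARE, PCR_OPTION_ROM, PCR_BOOTLOADER = 0, 2, 4   # TCG PC Client assignment
PCR_COUNT = 8
DIGEST = hashlib.sha256


def measure(component: bytes) -> bytes:
    return DIGEST(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the register can only be advanced, never set."""
    return DIGEST(pcr + digest).digest()


def measured_boot(firmware: bytes, option_roms: list, bootloader: bytes) -> list:
    """Replay what a measuring firmware does: every loaded element, option ROMs
    included, is hashed and extended into its bank before it runs."""
    pcrs = [bytes(DIGEST().digest_size)] * PCR_COUNT
    pcrs[PCR_FIRMWARE] = extend(pcrs[PCR_FIRMWARE], measure(firmware))
    for rom in option_roms:
        pcrs[PCR_OPTION_ROM] = extend(pcrs[PCR_OPTION_ROM], measure(rom))
    pcrs[PCR_BOOTLOADER] = extend(pcrs[PCR_BOOTLOADER], measure(bootloader))
    return pcrs


def pcr_policy(pcrs: list, selection: tuple) -> bytes:
    """Digest of the selected PCR values: the value an unseal is bound to."""
    return DIGEST(bytes(selection) + b"".join(pcrs[i] for i in selection)).digest()


def seal(secret: bytes, pcrs: list, selection: tuple) -> dict:
    """Toy sealing (constructed): XOR the secret with a keystream derived from the policy."""
    policy = pcr_policy(pcrs, selection)
    stream = hmac.new(policy, b"seal-keystream", DIGEST).digest()
    if len(secret) > len(stream):
        raise ValueError("toy sealing handles secrets up to one digest long")
    return {"selection": selection, "policy": policy,
            "blob": bytes(a ^ b for a, b in zip(secret, stream))}


def unseal(sealed: dict, pcrs: list):
    """Return the secret only if the current PCRs reproduce the sealing policy."""
    policy = pcr_policy(pcrs, sealed["selection"])
    if not hmac.compare_digest(policy, sealed["policy"]):
        return None
    stream = hmac.new(policy, b"seal-keystream", DIGEST).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], stream))


def changed_pcrs(expected: list, actual: list) -> list:
    """Indices whose value differs, i.e. which stage of the chain was altered."""
    return [i for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


# Constructed stand-ins for the real blobs.
FIRMWARE = b"constructed UEFI firmware volume"
BOOTLOADER = b"constructed grub2 EFI application"
VANILLA_ROM = b"constructed legacy VGA expansion ROM"
HYBRID_ROM = VANILLA_ROM + b" + appended EFI driver image"
DISK_KEY = b"constructed-fde-volume-key"


def demo():
    """Seal the disk key on a clean boot, then boot again with the modified ROM."""
    golden = measured_boot(FIRMWARE, [VANILLA_ROM], BOOTLOADER)
    sealed = seal(DISK_KEY, golden, (PCR_FIRMWARE, PCR_OPTION_ROM, PCR_BOOTLOADER))
    tampered = measured_boot(FIRMWARE, [HYBRID_ROM], BOOTLOADER)
    return unseal(sealed, golden), unseal(sealed, tampered), changed_pcrs(golden, tampered)


if __name__ == "__main__":
    ok, bad, diff = demo()
    print("clean boot unseals the key:", ok == DISK_KEY)
    print("boot with modified option ROM unseals the key:", bad is not None, "; changed PCRs:", diff)
```

Two of the slide's limitations fall out of the model directly. Without something sealed to the PCRs nothing stops the boot, the values are merely recorded, which is why disk encryption is what turns measurement into integrity. And the values are produced by the firmware that does the measuring: if the root of trust that starts the chain is itself altered, it can extend whatever it likes, which is the gap the BIOS Chronomancy footnote points at.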

Solution 2: Secure Boot

▶ Part of UEFI specifications
▶ Verification of cryptographic signatures (RSA2048) of all loaded elements (executables, drivers, expansion ROMs, etc.)

(figure) Source: Intel Developer Forum 2012


Solution 2: Secure Boot

Limitations:
▶ Optional (even if required for the Windows 8 Hardware Certification).
▶ Requires disabling the Compatibility Support Module (CSM)
▶ Usage restrictions (e.g. ARM tablets)
▶ Management of the Certificate Authorities
▶ How to use another CA (not Microsoft's)? Need to re-sign or whitelist ROMs?
▶ Can also be vulnerable (e.g. to direct SPI Flash writes [a], or NVRAM access)

[a] A tale of one software bypass of Windows 8 Secure Boot, Black Hat 2013

Conclusion

Hardware:
▶ Protections exist, but they are often poorly implemented or not used
▶ All firmware components must be protected from tampering

Suggestions for OEMs / software vendors:
▶ Protect UEFI from SPI writes (except in reboot mode) or direct NVRAM access
▶ Allow only signed updates
▶ Protect the initial steps (SEC/PEI)
▶ Protect the root of trust (S-CRTM)
▶ and do all of this without bugs

Future work

Next:
▶ Evaluate the (many) UEFI functions
▶ Analyze EFI Byte Code
▶ Virtualization à la Blue Pill
▶ Disassemble UEFI firmware images
▶ Look at (Secure Boot, IPsec) implementations

Questions?