UEFI and PCI bootkits. Pierre Chifflier PacSec 2013

Size: px

Start display at page:

Download "UEFI and PCI bootkits. Pierre Chifflier PacSec 2013"

Jennifer Patrick
5 years ago
Views:

1 UEFI and PCI bootkits Pierre Chifflier PacSec 2013

2 ANSSI Created on July 7th 2009, the ANSSI (French Network and Information Security Agency) is the national authority for the defense and the security of information systems Under the authority of the Prime Minister Main missions are: prevention defense of information systems UEFI and PCI bootkits 2/42

3 UEFI study Motivations Study UEFI Raise awareness of pre-boot dangers Present and discuss countermeasures Study Boot sequence UEFI functions: Hooking the bootloader ACPI Tables Network functions PCI devices Countermeasures UEFI and PCI bootkits 3/42

4 Overview 1 UEFI 2 PCI 3 Description of UEFI VGA Bootkit 4 Demo 5 Countermeasures UEFI and PCI bootkits 4/42

5 UEFI UEFI and PCI bootkits 5/42

6 BIOS vs UEFI (1/2) BIOS x86 architectures Real mode (16 bits) No support for large disks (> 2 TB), MBR sector Memory mapping on 1MB No integrity check Old-school in 2013 :) UEFI and PCI bootkits 6/42

7 UEFI UEFI: recent? 2000 EFI (Intel) UEFI (Unified EFI Forum, Current version: UEFI 24 Objectives Overcome BIOS limitations Multi-architectures (x86, ARM, Itanium, ) Standardization of drivers Modern conception: modular, C language UEFI and PCI bootkits 7/42

8 UEFI: Specifications Services IP4/6, UDP/TCP 4/6, ARP, DHCP4/6, MTFP4/6, FTP, PXE, iscsi VLAN, EAP, IPsec (IKEv2) PCI, USB, SCSI, AHCI, removable media GPT, vfat Console, Graphical Mode, Human Interface, UTF-16 User Identification ACPI, SMRAM Debugger Compression EFI Byte Code Virtual Machine Firmware management UEFI and PCI bootkits 8/42

9 UEFI and Security EFI Development Kit (EDK) 2 1,000,000+ SLOC No protection on memory pages, rwx everywhere All code running in ring 0 Huge attack surface Most code written from scratch (including libc+, IPv4/IPv6 stack, IPsec, PE parser) Lots of StrCat and StrCpy UEFI and PCI bootkits 9/42

10 UEFI and Security (2) Services offered to malwares Network functions (IPv4 and IPv6) Get drivers over PXE Use an IPsec tunnel Manipulate ACPI tables Add new drivers UEFI and PCI bootkits 10/42

11 UEFI Boot Sequence Pre Verifier CPU Init Device Drivers OS-absent App Transient OS Environment verify Chipset Init Transient OS BootLoader Board Init EFI Driver Dispatcher Boot Manager OS Present App Intrinsic Services Final OS BootLoader Final OS Environment After Life Security (SEC) Pre EFI Initialization (PEI) Driver Execution Environment (DXE) BootDev Select (BDS) Transient SystemLoad (TSL) Run Time (RT) After Life (AL) Power on [Platform Initialization] [OS boot] Shutdown UEFI and PCI bootkits 11/42

12 PCI bootkits UEFI and PCI bootkits 12/42

13 Overview: PCI Expansion ROMs (small) optional memory chip, present on PCI/PCIe/Thunderbolt/ExpressCard devices Provides some code, executed by Firmware Already exploited in the past, for the BIOS What about UEFI? UEFI and PCI bootkits 13/42

14 VGA Card UEFI and PCI bootkits 14/42

15 Scenario and assumptions Use case Attacker has already gained root/admin privileges She wants to install a persistent stealthy rootkit Bootkit: bootloader rootkit Visible modifications Hard if BIOS password set Use the hardware? Without re-flashing the BIOS UEFI and PCI bootkits 15/42

16 Example: graphics card Objective: (persistent of) privilege escalation Problems OS? Not yet in memory No access to hard disk (+ possible encryption) How to execute code? In a few kilobytes! And the graphics card must still work properly Initial reactions All combined: nice story for Matrix fans Need I go on? Mrk UEFI and PCI bootkits 16/42

17 UEFI Boot Sequence Pre Verifier CPU Init Device Drivers OS-absent App Transient OS Environment verify Chipset Init Transient OS BootLoader Board Init EFI Driver Dispatcher Boot Manager OS Present App Intrinsic Services Final OS BootLoader Final OS Environment After Life Security (SEC) Pre EFI Initialization (PEI) Driver Execution Environment (DXE) BootDev Select (BDS) Transient SystemLoad (TSL) Run Time (RT) After Life (AL) Power on [Platform Initialization] [OS boot] Shutdown UEFI and PCI bootkits 17/42

18 Scenario Pre Verifier CPU Init Device Drivers OS-absent App Transient OS Environment Start: PCI card verify Chipset Init Transient OS BootLoader Board Init EFI Driver Dispatcher Boot Manager OS Present App Intrinsic Services Final OS BootLoader Final OS Environment After Life Security (SEC) Pre EFI Initialization (PEI) Driver Execution Environment (DXE) BootDev Select (BDS) Transient SystemLoad (TSL) Run Time (RT) After Life (AL) Power on [Platform Initialization] [OS boot] Shutdown UEFI and PCI bootkits 17/42

19 Scenario Pre Verifier CPU Init Device Drivers OS-absent App Transient OS Environment Target: OS verify Chipset Init Transient OS BootLoader Board Init EFI Driver Dispatcher Boot Manager OS Present App Intrinsic Services Final OS BootLoader Final OS Environment After Life Security (SEC) Pre EFI Initialization (PEI) Driver Execution Environment (DXE) BootDev Select (BDS) Transient SystemLoad (TSL) Run Time (RT) After Life (AL) Power on [Platform Initialization] [OS boot] Shutdown UEFI and PCI bootkits 17/42

20 UEFI Boot Sequence 1 Legacy Code Load Opt ROM SEC, DXE, PEI BDS Grub2 Linux App Power on UEFI firmware Bootloader Operating System UEFI and PCI bootkits 18/42

21 Real world scenario Get the expansion ROM, using one of: Extract PCI device Add a new internal or external PCI device Boot on a USB stick Gain admin privileges on OS New functionalities Add the UEFI code to create a hybrid ROM Flash expansion ROM Backdoor installed UEFI and PCI bootkits 19/42

$Dump(Importation) ROM Cat /sys/bus/pci/devices/0000\:00\:020/rom Manufacturer tools Example: ATI$

22 Dump(Importation) ROM Cat /sys/bus/pci/devices/0000\:00\:020/rom Manufacturer tools Example: ATI E:\> a t i f l a s h exe unlockrom 0 E:\> a t i f l a s h exe s 0 myrom bin UEFI and PCI bootkits 20/42

23 Crafting the UEFI ROM 1 Crafting a hybrid ROM Using the Development Kit (vim + gcc) Create a DXE driver: C code, 64 bits (make) Choose some PCI IDs Convert to ROM format (EfiRom) Patch image (cat) 1 ROM wasn t built in a day UEFI and PCI bootkits 21/42

24 PCI Expansion ROM format < 64 kb PCI ROM Header Offset Length Value Header Field 00h 01h 2 55AAh PCI Expansion ROM signature 02h 17h 16h Architecture Specific Data 18h 19h 2 Pointer to PCI Data Structure Image 0 < 64 kb PCI Data Structure PCI ROM Header Offset Length Header Field 00h 03h 04h 05h 4 2 Signature, the "PCIR" string Vendor Identification 06h 07h 08h 09h 0Ah 0Bh Device Identification Device List Pointer PCI Data Structure Length 0Ch 1 PCI Data Structure Revision 0Dh 0Fh 3 Class Code 10h 11h 2 Image Length 12h 13h 2 Vendor ROM Revision Level 14h 1 Code Type 15h 1 Last Image Indicator 16h 17h 2 Maximum Runtime Image Length 18h 19h 2 Pointer to Configuration Utility Code Header 1Ah 1Bh 2 Pointer to DTMF CLP Entry Point Image n PCI Data Structure Modification of the PCI Expansion ROM UEFI and PCI bootkits 22/42

25 PCI Expansion ROM format Image 0 < 64 kb < 64 kb PCI ROM Header PCI Data Structure PCI ROM Header Offset Length Value Header Field 00h 01h 2 55AAh PCI Expansion ROM signature 02h 17h 16h Architecture Specific Data 18h 19h 2 Pointer to PCI Data Structure ROM vanilla Offset Length Header Field 00h 03h 04h 05h 4 2 Signature, the "PCIR" string Vendor Identification 06h 07h 08h 09h 0Ah 0Bh Device Identification Device List Pointer PCI Data Structure Length 0Ch 1 PCI Data Structure Revision 0Dh 0Fh 3 Class Code 10h 11h 2 Image Length 12h 13h 2 Vendor ROM Revision Level 14h 1 Code Type 15h 1 Last Image Indicator 16h 17h 2 Maximum Runtime Image Length 18h 19h 2 Pointer to Configuration Utility Code Header 1Ah 1Bh 2 Pointer to DTMF CLP Entry Point Image n PCI Data Structure Modification of the PCI Expansion ROM UEFI and PCI bootkits 22/42

26 PCI Expansion ROM format Image 0 < 64 kb < 64 kb PCI ROM Header PCI Data Structure PCI ROM Header Offset Length Value Header Field 00h 01h 2 55AAh PCI Expansion ROM signature 02h 17h 16h Architecture Specific Data 18h 19h 2 Pointer to PCI Data Structure ROM vanilla Offset Length Header Field 00h 03h 04h 05h 4 2 Signature, the "PCIR" string Vendor Identification 06h 07h 08h 09h 0Ah 0Bh Device Identification Device List Pointer PCI Data Structure Length 0Ch 1 PCI Data Structure Revision 0Dh 0Fh 3 Class Code 10h 11h 2 Image Length 12h 13h 2 Vendor ROM Revision Level 14h 1 Code Type 15h 1 Last Image Indicator 16h 17h 2 Maximum Runtime Image Length 18h 19h 2 Pointer to Configuration Utility Code Header 1Ah 1Bh 2 Pointer to DTMF CLP Entry Point Image n PCI Data Structure UEFI Code Modification of the PCI Expansion ROM UEFI and PCI bootkits 22/42

$Writing ROM (1/2) Manufacturer tools Example: ATI E:\> a t i f l a s h exe unlockrom 0$

27 Writing ROM (1/2) Manufacturer tools Example: ATI E:\> a t i f l a s h exe unlockrom 0 E:\> a t i f l a s h exe p f 0 myrom bin Restart, and cross fingers UEFI and PCI bootkits 23/42

28 Writing ROM (2/2) Flash SPI: low-level tools UEFI and PCI bootkits 24/42

29 Execution in UEFI Malware Execution The UEFI firmware enumerates PCI devices Expansion ROMs are loaded into memory a : Legacy: (0xc0000 0xfffff) UEFI: dynamic The legacy is ROM loaded by the CSM UEFI ROMs are loaded afterward The C entry point is called The ExitBootServices function is hooked a All roads lead to ROM UEFI and PCI bootkits 25/42

30 Load PCI Expansion ROM 1 2 Legacy Code Header Init Code Modified ExitBootServices Interrupt Handler Modified Fork Load Opt ROM Load ROM added code SEC, DXE, PEI BDS Grub2 Linux App Power on UEFI firmware Bootloader Operating System UEFI and PCI bootkits 26/42

31 Intercepting the bootloader Bootloader role Copy of kernel image into memory (address?) Call ExitBootServices Problem: memory can be reused by the OS Tested on Grub2 UEFI and PCI bootkits 27/42

32 Intercepting the bootloader Bootloader role Copy of kernel image into memory (address?) Call ExitBootServices Problem: memory can be reused by the OS Tested on Grub2 Challenges Persistent memory allocation Reconstruction of the call stack Identification of address Preparation of the next step UEFI and PCI bootkits 27/42

33 Next Step: bootloader Legacy Code Header Init Code Modified ExitBootServices Interrupt Handler Modified Fork Load Opt ROM Load ROM ExitBS added code SEC, DXE, PEI BDS Grub2 Linux App Power on UEFI firmware Bootloader Operating System UEFI and PCI bootkits 28/42

34 Intercepting the kernel (1/2) Memory image before decompression Physical addresses virtual addresses Kernel: initialize IDT, GDT, pagination, etc Mode change (32 -> 64 bits), CS and DS, Use a breakpoint? Not easy (IDT) 32 bits 32 bits bits reset GDT +IDT Reset GDT+IDT Early Kernel Decompression Code Init Part 2 Uncompressed Image 0x UEFI and PCI bootkits 29/42

35 Intercepting the kernel (2/2) Use Hardware Breakpoints Hardware Debug Registers Use interruption #DB Interrupt vector 1 Hardware BP 1: 0x Hardware BP 2: before IDT reload, in Init Part 2 UEFI and PCI bootkits 30/42

36 Next Step: early kernel Legacy Code Header Init Code Modified ExitBootServices Interrupt Handler Modified Fork Load Opt ROM Load ROM ExitBS #DB added code SEC, DXE, PEI BDS Grub2 Linux App Power on UEFI firmware Bootloader Operating System UEFI and PCI bootkits 31/42

37 Syscall Modification Modification of a system call Patch code in memory Privileges escalation Chosen syscall: fork Address of syscall? Addresses of internal functions? Modified system call xor %rdi,% rdi call *0 x f f f f f f f f f ; prepare_kernel_cred call *0 x f f f f f f f f d b 6 ; commit_creds ret UEFI and PCI bootkits 32/42

38 Next Step: syscall Legacy Code Header Init Code Modified ExitBootServices Interrupt Handler Modified Fork Load Opt ROM Load ROM ExitBS #DB added code fork SEC, DXE, PEI BDS Grub2 Linux App Power on UEFI firmware Bootloader Operating System UEFI and PCI bootkits 33/42

39 Demo Legacy Code Header Load Opt ROM Init Code Load ROM Modified ExitBootServices ExitBS Interrupt Handler #DB Modified Fork added code fork SEC, DXE, PEI BDS Grub2 Linux App Power on UEFI firmware Bootloader Operating System UEFI and PCI bootkits 34/42

40 EFI Byte Code EBC: EFI Byte Code EBC Virtual Machine defined in specifications Assembly Intel-like instructions, platform-independent Can be used in Option ROMs Example of EFI Byte Code CC ADD64 R7, R6 0x4 B ,+48), R MOVnw 0,+48) CALL32 R7 UEFI and PCI bootkits 35/42

41 EFI Byte Code and Security EBC Hardware independent No memory restriction No types, can call / be called from C functions This makes analysis complicated Tools not available or EBC poorly supported For example, analyzing a file can lead to crashes UEFI and PCI bootkits 36/42

42 EFI Byte Code and Security EBC Hardware independent No memory restriction No types, can call / be called from C functions This makes analysis complicated Tools not available or EBC poorly supported For example, analyzing a file can lead to crashes UEFI and PCI bootkits 36/42

EFI Byte Code and Security EBC Hardware independent No memory restriction No types, can call / be called from C functions This makes analysis complicated Tools not

43 EFI Byte Code and Security EBC Hardware independent No memory restriction No types, can call / be called from C functions This makes analysis complicated Tools not available or EBC poorly supported For example, analyzing a file can lead to crashes Great way to obfuscate code Portable (including multiple payloads) UEFI and PCI bootkits 36/42

44 Consequences UEFI PCI Bootkits Stealthy: no disk or file modification, small memory footprint: almost invisible Portable Survives to upgrades or reinstall Can also use DMA Independent of disk encryption BIOS password: does not prevent Antivirus (even UEFI): useless grsec / randomization / : complicates the exploitation, but does not prevent the attack Solutions? UEFI and PCI bootkits 37/42

45 Solution 1: TPM [Should be a] Passive component Present on (almost) all PCs The Firmware measures elements Measures are used through atomic operations (eg unseal) Limitations Lack of applications Not supported by all bootloaders Makes updates complicated Requires Full Disk Encryption for integrity Not perfect a a see BIOS Chronomancy presentation UEFI and PCI bootkits 38/42

46 Solution 2: Secure Boot Part of UEFI specifications Verification of cryptographic signatures (RSA2048) of all loaded elements (executables, drivers, expansion ROMs, etc) UEFI and PCI bootkits 39/42

47 Solution 2: Secure Boot Part of UEFI specifications Verification of cryptographic signatures (RSA2048) of all loaded elements (executables, drivers, expansion ROMs, etc) Source: Intel Developer Forum 2012 UEFI and PCI bootkits 39/42

48 Solution 2: Secure Boot Limitations Optional (even if required for the Windows 8 Hardware Certification) Requires to disable Compatibility Support Module (CSM) Usage restrictions (ex ARM tablets) Management of the Certificate Authorities How to use another CA (Not Microsoft s)? Need to re-sign or whitelist ROMs? Can also be vulnerable (eg to direct SPI Flash writes a, or NVRAM access) a A tale of one software bypass of windows 8 secure boot, Blackhat 2013 UEFI and PCI bootkits 40/42

49 Conclusion Hardware Protections exist, but they are often poorly implemented or not used All firmware compoments must be protected from tampering Suggestions for OEMs / editors Protect UEFI from SPI writes (except in reboot mode) or direct NVRAM access Allow only signed updates Protect the initial steps (SEC/PEI) Protect the root of trust S-CRTM and do all of this without bugs UEFI and PCI bootkits 41/42

50 Future work Next Evaluate the (many) UEFI functions Analyze EFI Byte Code Virtualization a la Blue Pill Disassemble UEFI firmwares Look at (Secure Boot, IPsec) implementations Questions? UEFI and PCI bootkits 42/42

Comparison on BIOS between UEFI and Legacy

Comparison on BIOS between UEFI and Legacy Abstract The BIOS (Basic Input/Output System) connects the hardware with the system software. The system BIOS is between the system hardware and the system software,