Attacking and Defending the Platform

Similar documents
An Introduction to Platform Security

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

UEFI Test Tools For Linux Developers

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Tailoring TrustZone as SMM Equivalent

General Firmware Overview of Recommendations for Window OS

UEFI and the Security Development Lifecycle

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks. Yuriy Bulygin Mikhail Gorobets Andrew Furtak Alex Bazhaniuk

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

UEFI updates, Secure firmware and Secure Services on Arm

UEFI and PCI bootkits. Pierre Chifflier PacSec 2013

WHERE THE GUARDIANS OF THE BIOS ARE FAILING

O p t i m i z e d U E F I I m p l e m e n t a t i o n o n I n t e l X e o n B a s e d O C P P l a t f o r m

Digging Into The Core of Boot

CIS 4360 Secure Computer Systems Secured System Boot

OS Security IV: Virtualization and Trusted Computing

Implementing MicroPython as a UEFI Test Framework

ARM Server s Firmware Security

Mohan J. Kumar Intel Fellow Intel Corporation

UEFI Plugfest March

Implementing Secure Boot: A Refresher on Key & Database Configuration

Hacking the Extensible Firmware Interface. John Heasman, Director of Research

Manufacturing Tools in the UEFI Secure Boot Environment

CIS 4360 Secure Computer Systems SGX

SMM. System Management Mode The forgotten In Circuit Emulator. ruxmon.com/sydney

Deploying Secure Boot: Key Creation and Management

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

UEFI Firmware Security Concerns and Best Practices

UEFI Secure Boot and DRI. Kalyan Kumar N

AMD Security and Server innovation

STM/PE & XHIM. Eugene D. Myers Trust Mechanisms Information Assurance Research NSA/CSS Research Directorate May 24, 2018

A Tour Beyond BIOS Capsule Update and Recovery in EDK II

Mark Tuttle, Lee Rosenbaum, Oleksandr Bazhaniuk, John Loucaides, Vincent Zimmer Intel Corporation. August 10, 2015

ARM Trusted Firmware ARM UEFI SCT update

AMD SEV Update Linux Security Summit David Kaplan, Security Architect

I Don't Want to Sleep Tonight:

PreBoot Provisioning Solutions with UEFI

Virtually Impossible

The following modifications have been made to this version of the DSM specification:

A Tour Beyond BIOS Using the Intel Firmware Support Package with the EFI Developer Kit II

The Phantom Menace: Intel ME Manufacturing Mode. Mark Ermolov & Maxim Goryachy

UEFI and IoT: Best Practices in Developing IoT Firmware Solutions

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Microsoft UEFI Certification Authority

Operating system hardening

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Standardized Firmware for ARMv8 based Volume Servers

Security Issues Related to Pentium System Management Mode

Introduction to Intel Boot Loader Development Kit (Intel BLDK) Intel SSG/SSD/UEFI

The TPM 2.0 specs are here, now what?

Designing Security & Trust into Connected Devices

Boot Mode Considerations: BIOS vs. UEFI

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

GSE/Belux Enterprise Systems Security Meeting

Creating Advanced Graphics Libraries on top of GOP

HP Sure Start Gen3. Table of contents. Available on HP Elite products equipped with 7th generation Intel Core TM processors September 2017

Resilient IoT Security: The end of flat security models

UEFI in Arm Platform Architecture

CSE 237B Fall 2009 Virtualization, Security and RTOS. Rajesh Gupta Computer Science and Engineering University of California, San Diego.

Buffer Overflow Attack (AskCypert CLaaS)

Big and Bright - Security

Intel Virtualization Technology Roadmap and VT-d Support in Xen

DELLEMC. TUESDAY September 19 th 4:00PM (GMT) & 10:00AM (CST) Webinar Series Episode Nine WELCOME TO OUR ONLINE EVENTS ONLINE EVENTS

Comparison on BIOS between UEFI and Legacy

System Prep Applications A Powerful New Feature in UEFI 2.5

Intel Software Guard Extensions (Intel SGX) SGX2

Intel Security Dev API 1.0 Production Release

UEFI What is it? Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Dong Wei (ARM) presented by. Updated

AMT vpro ME. How to Become the Sole Owner of Your PC. ptsecurity.com

PROTECTING VM REGISTER STATE WITH AMD SEV-ES DAVID KAPLAN LSS 2017

Introducing UEFI-Compliant Firmware on IBM System x and BladeCenter Servers. Revision 1.2

Firmware Rootkits: The Threat to the Enterprise. John Heasman, Director of Research

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

Speculative Execution Side Channel Mitigations

A Tour Beyond BIOS Using the Intel Firmware Support Package 1.1 with the EFI Developer Kit II

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Platform Configuration Registers

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Designing Security & Trust into Connected Devices

The Role UEFI Technologies Play in ARM Platform Architecture

Windows 8 Uefi Bios Update Step By Step Guide Msi Usa

Trusted Computing and O/S Security

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Baseboard Management Controller Messages

NVDIMM DSM Interface Example

One-Stop Intel TXT Activation Guide

ARM Security Solutions and Numonyx Authenticated Flash

BIOS Update Release Notes

Scalable Architectural Support for Trusted Software

Engineering UEFI Firmware for Windows: Best Practices and Pitfalls to Avoid

Impact of platform firmware on Linux kernel. Megha Dey, Sai Praneeth Prakhya Intel Open Source Technology Center

BIOS Setup. User s Guide. (For Skylake-W Platform) Rev.1.1

Back To The Future: A Radical Insecure Design of KVM on ARM

Fix it yourself detecting and fixing UEFI firmware vulnerabilities without access to it s source code

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Computer Architecture Background

Transcription:

presented by Attacking and Defending the Platform Spring 2018 UEFI Seminar and Plugfest March 26-30, 2018 Presented by Erik Bjorge and Maggie Jauregui (Intel)

Legal Notice No computer system can be absolutely secure. Intel, the Intel logo are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others Intel Corporation.

Today s Attack Scenarios Boot Media (SPI) SMM NVRAM Supply Chain Attack SMM Confused Deputy UEFI Variables Attack Open Case Access IO, MSR, MMIO, etc Ring 3 SW Decreasing Attacker Power Unlimited Limited Privileged Unprivileged Physical Software 3

Example: UEFI Variable Attack from privileged ring 3 process Unprivileged Software Attack 4

Possible Security Impacts Overwrite early firmware code/data if (physical address) pointers are stored in unprotected variables Bypass UEFI and OS Secure Boot if its configuration or keys are stored in unprotected variables Bypass or disable hardware protections if their policies are stored in unprotected variables Make the system unable to boot (brick) if bootessential settings are stored in unprotected variables Communication Channel if malware uses variables for retrieval of data at a later time (e.g. after OS wipe) 5

Authenticated Variables EDK II Variable Lock Protocol (Read-only Variables) VarCheckLib UEFI Variable Mitigation Options 6

Variables Protection Attributes Boot Service (BS) Accessible to DXE drivers / Boot Loaders at boot time No longer accessible at run-time (after ExitBootServices) Authenticated Write Access Digitally signed with MonotonicCount incrementing each successive variable update to protect from replay attacks List of signatures supported by the firmware is stored in SignatureSupport variable Time Based Authenticated Write Access Signed with TimeStamp (time at signing) to protect from replay attacks TimeStamp should be greater than TimeStamp in existing variable Used by Secure Boot: PK verifies PK/KEK update, KEK verifies db/dbx update certdb variable stores certificates to verify non PK/KEK/db(x) variables 7

EDK II Read-Only Variables EDK II implements VARIABLE_LOCK_PROTOCOL which provides a mechanism to make some variables Read-Only during Run-time OS DXE drivers make UEFI variables Read-Only using RequestToLock() API before EndOfDxe event After EndOfDxe event (e.g. during OS runtime), all registered variables cannot be updated or removed (enforced by SetVariable API) Lock is transient, firmware has to request locking variables every boot. Before EndOfDxe variables are not locked

VarCheckLib A single place to check for acceptable variable contents Each variable name/guid is mapped to rules Return appropriate error when attempting to set invalid data to a given variable Begin checking at EndOfDxe (prior to execution of 3 rd party code) https://github.com/tianocore/edk2/blob/master/mdemodulepkg/library/varchecklib/varchecklib.c 9

chipsec_util uefi var-write Attack: Storing Data in UEFI Variables 10

Example: SMM Confused Deputy Privileged Software Attack 11

SMI Input Pointer Vulnerabilities When OS triggers SMI (e.g. SW SMI via I/O port 0xB2) it passes arguments to SMI handler via general purpose registers OS may also pass an address (pointer) to a structure through which an SMI handler can read arguments & returns result SMI handlers traditionally were not validating that such pointers are outside of SMRAM If an exploit passes an address which is inside SMRAM, SMI handler may write onto itself on behalf of the exploit References: A New Class of Vulnerability in SMI Handlers (2015)

SMI Confused Deputy Attacks Phys Memory RAX (code) RBX (pointer) RCX (function) SMI Saved SMBASE value SMI Handler SMM State Save Area SMI Entry Point (SMBASE + 8000h) SMBASE VMM Memory Guest OS Memory Guest OS Memory Attacker can target SMM itself or bypass VMM protections, writing to VMM or other Guest VM memory

Limiting SMI Handler Memory Map to Addresses Reserved for Firmware CHIPSEC Testing Mitigation Options 14

SMI Handler Access SMI Handler Access SMI Handler Memory Map Restriction Phys Memory Phys Memory SMM State Save Area SMRAM SMI Entry Point (SMBASE Comm+ Buffer 8000h) SMM State SMRAM Save Area SMI Entry Point Comm Buffer (SMBASE + 8000h) OS/VMM Memory OS/VMM Memory 15

Finding SMM Pointer vulnerabilities [x][ ======================================================================= [x][ Module: Testing SMI handlers for pointer validation vulnerabilities [x][ =======================================================================... [*] Allocated memory buffer (to pass to SMI handlers) : 0x00000000DAAC3000 [*] >>> Testing SMI handlers defined in 'smm_config.ini'..... [*] testing SMI# 0x1F (data: 0x00) SW SMI 0x1F [*] writing 0x500 bytes at 0x00000000DAAC3000 > SMI 1F (data: 00) RAX: 0x5A5A5A5A5A5A5A5A RBX: 0x00000000DAAC3000 RCX: 0x0000000000000000 RDX: 0x5A5A5A5A5A5A5A5A RSI: 0x5A5A5A5A5A5A5A5A RDI: 0x5A5A5A5A5A5A5A5A < checking buffers contents changed at 0x00000000DAAC3000 +[29,32,33,34,35] [!] DETECTED: SMI# 1F data 0 (rax=5a5a5a5a5a5a5a5a rbx=daac3000 rcx=0 rdx=...) [-] <<< Done: found 2 potential occurrences of unchecked input pointers https://www.youtube.com/watch?v=z2qf45nueaa

Example: Supply Chain Attack Limited Physical Access Attack 17

PoC SmmBackdoor by Dmytro Oleksiuk Installed by adding additional sections to existing SMM driver Provides SMI interfaces for OS level caller Provides read/write memory access. Easily extensible Building reliable SMM backdoor for UEFI based platforms

First Commercial UEFI Rootkit from HackingTeam

From Secure Boot, Network Boot, Verified Boot, oh my and almost every publication on UEFI

Attacking without Physical Access (targeting vulnerable firmware) OS Driver OS Exploit Signed BIOS Update OS Kernel UEFI OS Loaders DXE Driver DXE Driver Modify UEFI BIOS Firmware in ROM UEFI Boot Loader Bootx64.efi Bootmgfw.efi UEFI DXE Core / Dispatcher System Firmware (SEC/PEI) Hardware I/O Memory Network Graphics

CHIPSEC Vulnerability testing CHIPSEC Whitelist testing Hardware Root of Trust Protection and Mitigation Options 22

Checking for BIOS Write Protection # chipsec_main.py --module common.bios_wp [*] running module: chipsec.modules.common.bios_wp [x][ ======================================================================= [x][ Module: BIOS Region Write Protection [x][ ======================================================================= [*] BIOS Control = 0x02 [05] SMM_BWP = 0 (SMM BIOS Write Protection) [04] TSS = 0 (Top Swap Status) [01] BLE = 1 (BIOS Lock Enable) [00] BIOSWE = 0 (BIOS Write Enable) [!] Enhanced SMM BIOS region write protection has not been enabled (SMM_BWP is not used) [*] BIOS Region: Base = 0x00500000, Limit = 0x007FFFFF SPI Protected Ranges ------------------------------------------------------------ PRx (offset) Value Base Limit WP? RP? ------------------------------------------------------------ PR0 (74) 87FF0780 00780000 007FF000 1 0 PR1 (78) 00000000 00000000 00000000 0 0 PR2 (7C) 00000000 00000000 00000000 0 0 PR3 (80) 00000000 00000000 00000000 0 0 PR4 (84) 00000000 00000000 00000000 0 0 [!] SPI protected ranges write-protect parts of BIOS region (other parts of BIOS can be modified) [!] BIOS should enable all available SMM based write protection mechanisms or configure SPI protected ranges to protect the entire BIOS region [-] FAILED: BIOS is NOT protected completely

CHIPSEC: Detecting Firmware Modification Use CHIPSEC to generate and check hashes of firmware modules Use whitelists to detect changes from the original firmware Whitelist can be generated by user or manufacturer Whitelists can be signed to verify source of information More info including full module source and blog: https://github.com/chipsec/chipsec/blob/master/chipsec/modules/tools/uefi/whitelist.py https://software.intel.com/en-us/blogs/2017/12/05/using-whitelists-to-improve-firmware-security 24

Generating Whitelist chipsec_main -n -m tools.uefi.whitelist -a generate,orig.json,fw.bin Assumes there is a way to generate clean (uninfected) list of EFI executables. For example, from the update image downloaded from the vendor web-site

Checking Against Whitelist chipsec_main n m tools.uefi.whitelist a check,orig.json,fw.bin Extra EFI executables belong to HackingTeam s UEFI rootkit

Firmware Forensic Artifacts to Consider 1. Layout and entire contents of SPI Flash memory 2. BIOS/UEFI firmware including EFI binaries and NVRAM 3. Runtime or Boot UEFI Variables (nonvolatile and volatile) 4. UEFI Secure Boot certificates (PK, KEK, db/dbx..) 5. UEFI system and configuration tables (Runtime, Boot and DXE services) 6. UEFI S3 resume boot script table 7. PCIe Option (Expansion) ROMs 8. Settings stored in RTC-backed CMOS memory 9. ACPI tables 10. SMBIOS table 11. HW protection settings (e.g. SPI W/P) 12. System security settings (Secure Boot, etc.) 13. Contents of TPM Platform Configuration Registers (PCR) 14. Firmware images from other components: Embedded Controller, HDD/SSD, NIC, Baseboard Management Controller (BMC) etc. 15. MBR/VBR or UEFI GUID Partition Table (GPT) 16. Files on EFI system partition (boot loaders)

Conclusions 28

Resilient Defense Boot Media Runtime Firmware (eg. SMM) Protect Detect HW Configuration Recover Decreasing Attacker Power Unlimited Limited Privileged Unprivileged Physical Software 29

Thanks for attending the Spring 2018 UEFI Plugfest For more information on the UEFI Forum and UEFI Specifications, visit http://www.uefi.org presented by UEFI Plugfest Spring 2018 www.uefi.org 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback