Dave Bullock / eecue

photographer, programmer, husband,
photojournalist, caver, blogger, search and rescuer,
angeleno, foodie, hacker, nerd, geek, human

Black Hat 2007 : Day 2 : John Heasman

BIOS is the system in your computer that initializes hardware, memory and loads basic user settings then finally loads a bootloader which will start your operating system. For years there have been methods of loading malicious code into a compromised host's BIOS, although physical access may be required.

John Heasman

One popular method of compromising a host through a BIOS is an option ROM rootkit. A rootkit prevents the user of a compromised system from being able to tell their system has been hacked by hiding traces of the malicious code, and thus gives full control of the compromised system to the attacker. A BIOS rootkit has multiple interrupts available to hook to including video, disk, and memory. Detection of this type of rootkit is fairly easy and is just a matter of dumping the content of the BIOS ROM.

Another method of of BIOS rootkitting is through ACPI, which is the hardware that controls power management of your system as well as provides temperature information to your operating system. ACPI has the ability to modify system memory and allow the attacker to deploy a rootkit. ACPI rootkits are independent of the operating system so will work on multiple platforms. ACPI is written in a high level language called AML that makes writing both malicious and non-malicious code easy. Not all operating systems have ACPI device drivers, and some prevent AML from accessing system memory by sandboxing it.

The Extensible Firmware Interface (EFI) is the replacement for the legacy BIOS system. EFI reuses existing systems including FAT filesystem and ACPI. EFI is a much more robust system than BIOS and is also backwards compatible with BIOS. The implementation that Intel uses is called "The Framework," it is partially open source and it what is inside the new Intel based Apple OS X systems.

There are many ways to get code into the EFI environment. An attacker can modify the bootlader directly, modify bootloader varibles in NVRAM, modify and reflash firmware or exploit an implementation flaw in the driver. Once the attacher is in, they can shim a boot service, modify an ACPI table like in the tradition BIOS attack, load an SMM driver, or hook interrup handlers. Modifying the boot loader is actually quite simple in Mac OSX as the bootloader binary is located in user disk space: /System/Library/CoreSerbvice.boot.efi. This isn't very stealthy as you are modifying a file on disk which could easily be detected by verifying checksums with an application like tripwire.

System Management Mode (SMM) is a "get out of jail free bard" for system designers. It allows an attacker to execute code that is hidden from the operating system like virtualization rootkits. EFI provides various protocols and a set of services for accessing SMM. SMM is normally used for error logging, enabling/disabling ACPI, power button spport when not using ACPI and various other system workarounds. SMM may be triggered on external events, I/O events, and timed events. SMM has been used in the past to disable BSD securelevel by Loic Duflot [PDF Download].

John Heasman

Detecting an SMM rootkit would be very difficult as hardware breakpoins to SMM and SMM memory access can be blocked. There currently is no SMM malware because bugging SMM code requires a hardware analyzer and the platform may be already using SMM.

The bottom line is that with the added functionality, EFI offers an attacker many more options than BIOS for exploitation. The EFI specification is not very clear with regards to security which will result in various vendors implementing insecure versions of EFI. In the future look out for nasty rootkits based on EFI.

John Heasman

John Heasman is an employee of Next Generation Security Software. The information in this post came from his "Hacking the Extensible Firmware Interface" talk at the Black Hat 2007 Briefings in Las Vegas.