Exposing Bootkits with BIOS Emulation

Presented at Black Hat USA 2014, Aug. 7, 2014, 5 p.m. (60 minutes)

Stealth and persistency are invaluable assets to an intruder. You cannot defend against what you cannot see. This talk discusses techniques to counter attempts at subverting modern security features, and regain control of compromised machines, by drilling down deep into internal structures of the operating system to battle the threat of bootkits. The security features added in modern 64-bit versions of Windows raise the bar for kernel mode rootkits. Loading unsigned drivers, which is what most rootkits will attempt to do, is denied by Driver Signature Enforcement. PatchGuard protects the integrity of the running kernel, preventing them from modifying critical structures and setting up hooks. Although time has shown that these security measures are not perfect, and some may in fact be bypassed while actively running, an alternative approach is to subvert the system by running code before any of the security features kick in. Secure Boot has been introduced to protect the integrity of the boot process. However, the model only works when booting from signed firmware (UEFI). Legacy BIOS systems are still vulnerable as the Master Boot Record, Volume Boot Record, and the bootstrap code all reside in unsigned sectors on disk, with no security features in place to protect them from modification. Using a combination of low-level anti-rootkit techniques, emulation, and heuristic detection logic, we have devised a way to detect anomalies in the boot sectors for the purpose of detecting the presence of bootkits.

Presenters:

• Lars Haukli - Blue Coat Systems
  Lars Haukli holds an M.Sc. in Information Security from the Norwegian University of Science and Technology, and has been reverse engineering malware professionally since 2007. He designs and develops anti-malware technology, and is especially fascinated by obscure low level code and kernel mode rootkits. The primary source of inspiration for his work is the malicious code itself, as he realized a long time ago that many of the techniques used by malware authors may be used for both good and bad. Lars Haukli currently holds the position of Senior Security Researcher at Blue Coat Systems, who recently acquired his former employer Norman Shark. Prior to joining Norman, he held the position of Senior Engineer at NorCERT, where he reverse engineered malware to aid incident response.

Links:

• https://www.blackhat.com/us-14/archives.html#exposing-bootkits-with-bios-emulation
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/Exposing Bootkits with BIOS Emulation.mp4
• https://www.youtube.com/watch?v=siMj4bFx5nI
• https://www.blackhat.com/docs/us-14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation.pdf
• https://www.blackhat.com/docs/us-14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation-WP.pdf

Similar Presentations:

• DEF CON 30 (2022) / One Bootloader to Load Them All
• ToorCon San Diego 14 (2012) / Hacking Measured Boot and UEFI
• DEF CON 22 (2014) / Summary of Attacks Against BIOS and Secure Boot