Extreme Privilege Escalation on Windows 8/UEFI Systems

Presented at Black Hat USA 2014, Aug. 7, 2014, 10:15 a.m. (60 minutes).

The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined "runtime services" interface between the operating system and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a userland process. Vulnerabilities in this interface can potentially allow a userland process to escalate its privileges from "ring 3" all the way up to that of the platform firmware, which includes permanently attaining control of the very-powerful System Management Mode (SMM). This talk will disclose two of these vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them.

Presenters:

  • Corey Kallenberg - The MITRE Corporation
    Corey Kallenberg is a Security Researcher for The MITRE Corporation who has spent several years investigating operating system and firmware security on Intel computers. In 2012, he co-authored work presented at DEF CON and IEEE S&P on using timing based attestation to detect Windows kernel hooks. In 2013, he helped discover critical problems with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement" and co-presented this work at NoSuchCon and Black Hat USA. Later, he discovered several vulnerabilities which allowed bypassing of "signed BIOS enforcement" on a number of systems, allowing an attacker to make malicious modifications to the platform firmware. These attacks were presented at EkoParty, HITB, and PacSec. Recently, Corey has presented attacks against the UEFI "Secure Boot" feature. Corey is currently continuing to research the security of UEFI and the Intel architecture.
  • Xeno Kovah - The MITRE Corporation
    Xeno is a Lead InfoSec Engineer at The MITRE Corporation, a non-profit company that runs six federally funded research and development centers (FFRDCs) as well as manages CVE. He is the team lead for the BIOS Analysis for Detection of Advanced System Subversion project. On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification and timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker.
  • Samuel Cornwell - The MITRE Corporation
    Sam Cornwell is a Senior InfoSec Engineer at The MITRE Corporation, a not-for-profit company that runs six federally funded research and development centers (FFRDCs) as well as manages CVE. Since 2011, he has been working on projects such as Checkmate (a kernel and userspace memory integrity verification and timing-based attestation tool), Copernicus, (a BIOS extractor and configuration checker), and several other private security sensors designed to combat sophisticated threats. He has also researched and developed attacks against UEFI SecureBoot.
  • John Butterworth - The MITRE Corporation
    John Butterworth is a Security Researcher at The MITRE Corporation who currently specializes in Intel firmware security. In 2012 he co-authored the whitepaper "New Results for Timing-Based Attestation" which used timing based attestation to detect Windows kernel hooks. This research was presented at DEFCON and the 2012 IEEE Symposium on Security and Policy. In 2013 he and his colleagues authored "BIOS Chronomancy:Fixing the Static Root of Trust for Measurement" which proposed using Timing-Based Attestation during the BIOS boot process to resolve critical problems which they had found with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement". He has presented this research at NoSuchCon, Black Hat USA, SecTor, SEC-T, Breakpoint, and Ruxcon. Following this he has created a tool called Copernicus designed to determine just how prevalent vulnerable BIOS is in industry. John is currently continuing to research the security of BIOS/UEFI and the Intel architecture.

Links:

Similar Presentations: