Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks

Presented at Black Hat USA 2017, July 26, 2017, 2:40 p.m. (50 minutes)

In this work we analyzed two recent trends. The first trend is the growing threat of firmware attacks, which include recent disclosures of Vault7 Mac EFI implants. We will detail vulnerabilities and attacks we discovered recently in system firmware, including UEFI, Mac EFI and Coreboot, which could lead to stealthy and persistent firmware implants. We have also developed multiple techniques that can be used to detect that something wrong is going on with the firmware using the open source CHIPSEC framework.

The second trend is that modern operating systems have started adopting stronger software defenses based on virtualization technology. Windows 10 introduced Virtualization Based Security (VBS) to provide a hypervisor-based isolated execution environment to critical OS components and to protect sensitive data such as domain credentials. Previously, we discovered multiple ways adversaries could leverage firmware in attacks against hypervisors. We also demonstrated the first proof-of-concept attack on Windows 10 VBS exposing domain credentials protected by Credential Guard technology. We will apply this knowledge to analyze the security of modern hypervisor-based OS defenses from the perspective of firmware and hardware attacks. We will detail firmware-assisted attack vectors which can be used to compromise Windows 10 VBS. We will also describe changes made by platform vendors and Windows to improve mitigation against these attacks.


Presenters:

  • Oleksandr Bazhaniuk - Researcher, Independent
    Oleksandr Bazhaniuk (@ABazhaniuk) is an independent security researcher. In the past, he was a member of the Advanced Threat Research team and Security Center of Excellence (SeCoE) at Intel Inc. His primary interests are low-level security, hardware and firmware security, exploitation and automation of binary analysis. His work has been presented at many conferences, including Black Hat, Recon, DefCon, CanSecWest, Troopers, USENIX. He is also a co-founder of DCUA, the first DefCon group in Ukraine and CTF team.
  • Mikhail Gorobets - Security Researcher, Advanced Threat Research, McAfee
    Mikhail Gorobets is a security researcher in the Advanced Threat Research team. His area of expertise includes hardware security, virtualization technologies, reverse engineering, and vulnerability analysis. Prior to joining ATR, he led a team of security researchers working on Intel Virtualization Technology and Intel Atom core security evaluation.
  • Andrew Furtak - Security Researcher, Advanced Threat Research, McAfee
    Andrew Furtak is a security researcher focusing on security analysis of firmware and hardware of modern computing platforms. He was previously a security software engineer. Andrew holds an MS in applied mathematics and physics from the Moscow Institute of Physics and Technology.
  • Yuriy Bulygin - Researcher, Independent
    Yuriy Bulygin (@c7zero) has been the chief threat researcher at Intel Security/McAfee and led the Advanced Threat Research team. Previously, Yuriy led the microprocessor vulnerability analysis team at Intel. Yuriy is the author of the open source CHIPSEC framework.
