Hacking the Extensible Firmware Interface

Presented at DEF CON 15 (2007), Aug. 4, 2007, 2 p.m. (50 minutes)

"Macs use an ultra-modern industry standard technology called EFI to handle booting. Sadly, Windows XP, and even Vista, are stuck in the 1980s with old-fashioned BIOS. But with Boot Camp, the Mac can operate smoothly in both centuries." - Quote taken from http://www.apple.com/macosx/bootcamp/ The Extensible Firmware Interface (EFI) has long been touted as the replacement for the traditional BIOS and was chosen by Apple as the pre-boot environment for Intel-based Macs. This presentation explores the security implications of EFI on firmware-based rootkits. We start by discussing the limitations of the traditional BIOS and the growing need for an extensible pre-boot environment. We also cover the key components of the EFI Framework and take a look at the fundamental design decisions affecting EFI and their consequences. Next we consider the entry points that an EFI system exposes - just how an attacker may set about getting their code into the EFI environment - taking the Apple Macbook as our reference implementation. After demonstrating several means of achieving the above, we turn our attention to subverting the operating system from below, drawing parallels wherever possible to attacks against systems running a traditional BIOS. The final part of this presentation discusses the evolution of EFI into the Unified Extensible Firmware Interface (UEFI), soon to be supported by Windows Server (Longhorn) and discusses the application of the previously discussed attacks to UEFI.

Presenters:

• John Heasman - NGSSoftware
  John Heasman is the Director of Research at NGS Software. He has significant experience in vulnerability research and has released numerous advisories in enterprise-level software, including Microsoft Windows, Norton Antivirus, Exchange Server and PostgreSQL. His primary research interest is in rootkit and anti-rootkit technologies though he also has a strong interest in database security and was a co-author of the Database Hackers Handbook (Wiley, 2005). He holds a Masters degree in Engineering and Computing from Oxford University and is certified as a CHECK Team Leader allowing him to lead penetration tests of UK government systems.

Links:

• https://defcon.org/html/defcon-15/dc-15-speakers.html#Heasman
• https://infocon.org/cons/DEF CON/DEF CON 15/DEF CON 15 video/DEF CON 15 - John Heasman - Hacking the Extensible Firmware Interface - Video.mp4
• https://www.youtube.com/watch?v=g-n42Q-Pxsg

Similar Presentations:

• Black Hat USA 2012 / DE MYSTERIIS DOM JOBSIVS: Mac EFI Rootkits
• Black Hat Europe 2017 / The Apple of Your EFI: An Updated Analysis of the State of Apple's EFI Security Support
• 31C3 (2014) / Thunderstrike: EFI bootkits for Apple MacBooks