Booting
“Most people, I think, don’t even know what a rootkit is, so why should they care about it?” ~Head of Sony BMG’s global digital business.


Overview
- MBR/BIOS
- GPT/UEFI
- HELL
- Attacking the Boot Process
- Example Boot Process Attacks and Malware

Rationale
It is important to learn the process by which OSes are loaded because:
- Many attackers exploit certain aspects of this process to gain access to a machine.
- You need to recover the boot sector of a corrupted drive.
- You can create your own forensic tools that take advantage of the boot sequence.
- You can understand the limitations placed on forensic tools by different boot processes.
- You can understand why your removable media is not booting.
- You can understand the persistence mechanisms malicious software uses.
- Less important but useful: it is usually asked during an interview for a technical position, and more...

MBR/BIOS Boot Process
- The first instruction is stored at a fixed address in read-only memory (ROM).
- On 32-bit systems the ROM/NOR flash stores the Basic Input/Output System (BIOS).
- BIOS contains low-level functions for accessing some basic system devices (disk I/O, reading the keyboard, etc.) as well as the code to load a stage 1 boot loader.
BIOS Process
- Power-on self-test (POST)
- Detect the video card’s chip BIOS and execute its code to initialize the video hardware

MBR/BIOS BIOS Process (ctd)
- Detect any other device BIOSes and invoke their initialization functions
- Display the BIOS start-up screen
- Perform a brief memory test
- Set memory and drive parameters
- Configure Plug & Play devices (traditionally PCI bus devices)
- Assign resources (Direct Memory Access (DMA) channels and Interrupt Request Lines)
- Identify the boot device
- Once the boot device is identified, BIOS reads block 0 from that device into memory and jumps there

MBR/BIOS Boot Process
- Disk block 0 is called the Master Boot Record (MBR) and contains the first stage bootloader
  - Review: how large is this block?
- The bootloader is 16-bit code
- This block also contains the disk signature and the disk partition table

MBR/BIOS Boot Process
- The MBR scans through its partition table and loads the Volume Boot Record (VBR) for the bootable partition.
- The VBR identifies the partition type and size and contains an Initial Program Loader (IPL).
- The IPL loads additional blocks that comprise the second stage boot loader.
- On Windows NT-derived systems (Server 2003, Windows XP) the IPL loads a program called NTLDR, which then loads the OS.
- Why can’t BIOS or the MBR just jump right into loading the OS? Because the bootloaders would first have to load information about file systems, and other information.
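The two slides above describe block 0: 440 bytes of stage 1 code, a 4-byte disk signature, four 16-byte partition entries and the 0x55AA boot signature. The following Python is an added example (not part of the lecture) that parses a raw block 0 the way a small forensic tool would, finds the active partition whose VBR the MBR code loads next, and hashes the bootstrap code so it can be compared against a known-good baseline, which is the simplest way to notice an MBR bootkit. The sample MBR, its disk signature and partition geometry are constructed for the example; the layout offsets are the standard ones.

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440        # bytes 0..439 hold the stage 1 bootloader (16-bit code)
DISK_SIG_OFF = 440         # 4-byte disk signature, followed by 2 bytes that are normally zero
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # 0x55 0xAA marks the block as a valid MBR
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, start LBA, sector count

# A few common partition type bytes; anything else is reported as "other".
PART_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_entry(raw):
    """Decode one 16-byte partition entry; the LBA fields are little-endian."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
    return {"bootable": bool(status & 0x80), "type": ptype,
            "type_name": PART_TYPES.get(ptype, "other"),
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(block0):
    """Parse a raw 512-byte block 0 and flag anything an analyst should look at."""
    if len(block0) != SECTOR:
        raise ValueError("block 0 must be exactly 512 bytes")
    anomalies = []
    if block0[BOOT_SIG_OFF:] != b"\x55\xAA":
        anomalies.append("boot signature 0x55AA missing")
    (disk_sig,) = struct.unpack_from("<I", block0, DISK_SIG_OFF)
    entries = [parse_entry(block0[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    entries = [e for e in entries if e["type"] != 0]        # type 0x00 = unused slot
    active = [e for e in entries if e["bootable"]]
    if len(active) > 1:
        anomalies.append("more than one partition marked active")
    if any(e["type"] == 0xEE for e in entries):
        anomalies.append("protective MBR: the real partition table is a GPT")
    return {"disk_signature": disk_sig, "partitions": entries,
            "active": active[0] if len(active) == 1 else None,
            "bootstrap_sha256": hashlib.sha256(block0[:BOOTSTRAP_LEN]).hexdigest(),
            "anomalies": anomalies}


def vbr_offset(parsed):
    """Byte offset of the Volume Boot Record that the MBR code would load next."""
    active = parsed["active"]
    return None if active is None else active["lba_start"] * SECTOR


def bootstrap_changed(block0, known_good_sha256):
    """True when the stage 1 code differs from a recorded baseline (bootkits live here)."""
    return hashlib.sha256(block0[:BOOTSTRAP_LEN]).hexdigest() != known_good_sha256


def make_entry(bootable, ptype, lba_start, sectors):
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, bytes(3), ptype, bytes(3),
                       lba_start, sectors)


# Constructed sample MBR (not taken from a real disk): a two-byte "jmp $" stub padded
# to 440 bytes, a made-up disk signature, an active NTFS partition and a Linux partition.
SAMPLE_MBR = (
    b"\xEB\xFE" + bytes(BOOTSTRAP_LEN - 2)
    + struct.pack("<IH", 0xDEADBEEF, 0)
    + make_entry(True, 0x07, 2048, 204800)
    + make_entry(False, 0x83, 206848, 409600)
    + bytes(32)
    + b"\x55\xAA"
)

if __name__ == "__main__":
    import sys
    # Pass a file containing the first 512 bytes of a disk image, or run on the sample.
    block0 = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else SAMPLE_MBR
    info = parse_mbr(block0)
    print(f"disk signature 0x{info['disk_signature']:08X}, bootstrap sha256 {info['bootstrap_sha256']}")
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} type 0x{p['type']:02X} {p['type_name']:<14} LBA {p['lba_start']:>10} "
              f"sectors {p['sectors']:>10}")
    print("VBR at byte offset", vbr_offset(info), "| anomalies:", info["anomalies"] or "none")
```

Run it against `dd if=/dev/sdX bs=512 count=1` output (or an image's first sector) to see where the MBR would hand control next; storing the bootstrap hash at imaging time gives you something to diff the live MBR against later.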

MBR/BIOS Boot Process: NTLDR
- Accesses the file system on the device.
- If Windows was put in the hibernation state, the contents of hiberfil.sys are loaded into memory and the system resumes where it left off.
- Otherwise it reads boot.ini and prompts the user with the boot menu accordingly.
  - If a non-NT-based OS is selected: NTLDR loads the associated file listed in boot.ini and gives it control.
  - If an NT-based OS is selected: NTLDR runs ntdetect, which gathers information about the computer’s hardware. Then it starts Ntoskrnl.exe.

MBR/BIOS Boot Process: BOOTMGR (Windows 7 and above)
- Boot settings and multiboot OSes are now managed with bcdedit, which edits the BCD (Boot Configuration Data) store.
- From Microsoft: “BCD replaces the traditional Boot.ini text file in BIOS-based systems. Storing boot parameters in a text file, however simple, was considered to be too vulnerable to malicious attacks to justify its use.”
- More info: https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-options-in-windows

MBR/BIOS Boot Process: BOOTMGR (Windows 7 and above)
- You can manage the BCD remotely, and manage it when the system boots from media other than the media on which the BCD store resides.
- Similar to NTLDR, but uses winload.exe to load essential device drivers.
- It uses winresume.exe when loading a hibernation file.
- Then starts ntoskrnl.exe.

BCD Malware
Side note: some malware that tampers with the BCD:
- https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/
- https://www.pcworld.com/article/228955/new_malware_targets_64_bit_windows.html
- and more...

MBR/BIOS EXAM

MBR/BIOS
1. The address of the first instruction is stored in a fixed location and is executed
2. BIOS is loaded and performs POST
3. BIOS scans for the boot device
4. The MBR is loaded from the boot device
5. The MBR scans for the bootable partition and loads the Volume Boot Record for that partition
6. The VBR identifies the partition type and size and contains an Initial Program Loader, which then loads a second stage boot loader
7. NTLDR/BOOTMGR loads the OS kernel, which then starts the OS

Catching up to the Present Day

GPT/UEFI (Unified Extensible Firmware Interface)
Why? We now have 64-bit architectures and we are still using an MBR that requires 16-bit code and 20-bit memory addressing? We can do better than that.

GPT/UEFI (Unified Extensible Firmware Interface): EFI supported features
- BIOS components: power management (Advanced Configuration and Power Interface) and system management components
- Support for larger disks: BIOS 2.2 TB partitions… UEFI 9.4 ZB partitions
- No need to start in 16-bit real mode
- UEFI device drivers (architecture-independent EFI byte code). The OS still uses its own drivers.
- Boot Manager: no longer need a dedicated bootloader, simply place bootable files into the UEFI boot partition. This boot partition is formatted as a FAT file system.
- Extensibility

GPT/UEFI
- Much larger than legacy BIOS
- Often used in conjunction with a TPM
  - Trusted Platform Module: “A tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys”
  - More of a spec than a circuit

GPT/UEFI Boot Process Notes
- Stage 1 bootloader no longer needed (goodbye MBR and simplistic stage 1 boot loader): UEFI can parse a file system and load files on its own
- A fixed address stored in flash memory is used to call the UEFI code
- Pre-verification of CPU init, chipset init and board init code (SEC - Security phase; this is a misnomer)
- POST → “Platform Initialization” (Pre-EFI Initialization, Driver Execution Environment)
- Boot Device Select

GPT/UEFI Boot Process: Transient System Load
- UEFI reads the GUID (Globally Unique Identifier) Partition Table (GPT), which resides in block 0 alongside the MBR; the MBR is kept there for legacy reasons
- UEFI identifies the EFI system partition. This partition contains boot loaders for all OSes that are installed on other partitions:
  - Windows Boot Manager (bootmgr.efi) for Windows, IA64ldr for older 64-bit NT systems; for Linux there are many options, but it is probably going to be an EFI-aware GRUB (grub.efi)
- Jumps to the bootloader code
- Provides a run time interface for the OS
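The GPT the firmware reads here carries two CRC32 checksums, one over the header and one over the partition entry array, and the EFI system partition is identified by a fixed type GUID rather than by a one-byte type code. The Python below is an added example, not code from the lecture: it builds a small constructed GPT image laid out as the UEFI spec describes (protective MBR with a 0xEE entry at LBA 0, primary header at LBA 1, 128 entries of 128 bytes from LBA 2), then parses it, recomputes both CRCs and locates the ESP. The disk and partition unique GUIDs, LBA ranges and names are constructed; the ESP and Linux filesystem type GUIDs are the standard ones. A complete tool would also read and compare the backup header at the LBA the primary header names.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"         # 128-byte partition entry
NUM_ENTRIES, ENTRY_SIZE = 128, 128  # the usual 16 KiB entry array at LBA 2..33

# Standard partition type GUIDs (UEFI spec / Linux discoverable partitions).
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
LINUX_FS_TYPE = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")


def make_entry(type_guid, part_guid, first_lba, last_lba, name):
    # GUIDs are stored in mixed-endian form; uuid.bytes_le is exactly that layout.
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, part_guid.bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le"))


def make_header(entries, current_lba, backup_lba, entries_lba, first_usable, last_usable, disk_guid):
    fields = [GPT_SIGNATURE, 0x00010000, 92, 0, 0, current_lba, backup_lba, first_usable,
              last_usable, disk_guid.bytes_le, entries_lba, NUM_ENTRIES, ENTRY_SIZE,
              zlib.crc32(entries)]
    # The header CRC is computed over the 92 header bytes with its own field zeroed.
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields).ljust(SECTOR, b"\0")


def build_sample_disk(total_sectors=8192):
    """Constructed image (not a real disk): protective MBR, primary header, entry array."""
    entries = (make_entry(ESP_TYPE, uuid.UUID(int=1), 2048, 4095, "EFI system partition")
               + make_entry(LINUX_FS_TYPE, uuid.UUID(int=2), 4096, total_sectors - 34, "root")
               ).ljust(NUM_ENTRIES * ENTRY_SIZE, b"\0")
    # Block 0 keeps an MBR whose single 0xEE entry spans the disk so legacy tools leave it alone.
    protective_mbr = (bytes(446)
                      + struct.pack("<B3sB3sII", 0, b"\0\0\x02", 0xEE, b"\xff\xff\xff", 1, total_sectors - 1)
                      + bytes(48) + b"\x55\xAA")
    header = make_header(entries, 1, total_sectors - 1, 2, 34, total_sectors - 34, uuid.UUID(int=0xABCD))
    return protective_mbr + header + entries


def parse_gpt(image):
    """Parse the primary GPT and report whether both CRCs still match the on-disk bytes."""
    if image[510:512] != b"\x55\xAA" or image[446 + 4] != 0xEE:
        raise ValueError("block 0 is not a protective MBR")
    hdr = image[SECTOR:2 * SECTOR]
    (sig, _rev, hdr_size, hdr_crc, _rsv, _cur, backup, _first, _last, disk_guid,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack_from(HEADER_FMT, hdr)
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1")
    header_ok = zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hdr_size]) == hdr_crc
    blob = image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if len(blob) < n_ent * ent_size:
        raise ValueError("partition entry array runs past the image")
    entries_ok = zlib.crc32(blob) == ent_crc
    parts = []
    for i in range(n_ent):
        t_raw, p_raw, first, last, attrs, name = struct.unpack_from(ENTRY_FMT, blob, i * ent_size)
        if t_raw == bytes(16):
            continue                                  # all-zero type GUID = unused slot
        parts.append({"type_guid": uuid.UUID(bytes_le=t_raw), "part_guid": uuid.UUID(bytes_le=p_raw),
                      "first_lba": first, "last_lba": last, "attributes": attrs,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return {"header_crc_ok": header_ok, "entries_crc_ok": entries_ok, "backup_header_lba": backup,
            "disk_guid": uuid.UUID(bytes_le=disk_guid), "partitions": parts}


def find_esp(parsed):
    """The partition the UEFI boot manager searches for *.efi loaders."""
    return next((p for p in parsed["partitions"] if p["type_guid"] == ESP_TYPE), None)


if __name__ == "__main__":
    info = parse_gpt(build_sample_disk())
    print("header CRC ok:", info["header_crc_ok"], "| entries CRC ok:", info["entries_crc_ok"])
    for p in info["partitions"]:
        print(f"{p['name']:<22} type {p['type_guid']} LBA {p['first_lba']}-{p['last_lba']}")
    print("ESP starts at LBA", find_esp(info)["first_lba"])
```

A CRC mismatch is not proof of tampering (firmware will fall back to the backup copy, and some tools rewrite the table), but a header whose CRC is fine while the entry array's is not, or an ESP whose range moved since the last image, is exactly the kind of discrepancy worth pulling the backup header for.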

GPT/UEFI EXAM

GPT/UEFI
- SEC - Security phase (misnomer)
- PEI - Pre-EFI Initialization
- DXE - Driver Execution Environment
- BDS - Boot Device Select
- TSL - Transient System Load (selects and loads the appropriate boot loader)
- RT - Run Time (provides OS access to some UEFI services)
- AL - After Life (shutdown process)

Forensic Tool Limitations Due to UEFI
- May have issues booting from external media (often used in forensic investigations)
- UEFI often comes with a TPM (Trusted Platform Module) and potentially full disk encryption
- Hardware vendors may build in varying degrees of UEFI support on a model-by-model basis. They may also include setup menus that enable UEFI features to be turned off, with the intention of allowing access, or even boot access, to non-UEFI boot media. The terminology for these options may vary, but can include “Compatibility Support Mode (CSM) mode” or “legacy mode”.
- The result is that it may be possible, in some cases, to turn off UEFI-based external boot restrictions while maintaining access to the subject device’s original boot media.

This is Fun! Let’s Go Deeper...

Some Terminology
- Malware: software that is intended to damage or disable computers and computer systems.
- Rootkit: a set of software tools that enable an unauthorized user to gain control of a computer system without being detected.
- Bootkit: an advanced form of rootkit that takes the basic functionality of a rootkit and extends it with the ability to infect the MBR or VBR on MBR/BIOS systems, and other parts of the boot process on GPT/UEFI systems.

UEFI vs. BIOS Firmware Storage

UEFI Firmware Volumes PEI and DXE code will often exist on separate volumes

Signed Code
- Signed BIOS requirements did not address malicious boot loaders
  - Bootkits
  - Evil Maid attacks
- So, Secure Boot was introduced

We are all safe now...

Or so we thought...
- The signature check on target EFI executables doesn’t always occur
- Depending on the origin of the target executable, the target may be allowed to execute automatically
- In the EDK2, these policy values are hard coded
- Attack 1: if attackers compromise these devices, there is no code signing mechanism in place to protect these drivers.

Or so we thought...
- Attack 2: there is a UEFI setup variable that is accessible by Boot Services and Runtime Services
  - This variable contains the UEFI secure boot ON/OFF switch
  - Furthermore, there are policy bytes for removable media, probably set to DENY_EXECUTE_ON_SECURITY_VIOLATION; the OS can change this to ALWAYS_EXECUTE
- Read more here: https://cansecwest.com/slides/2014/AllYourBoot_csw14-mitre-final.pdf

UEFI Variables / Keys
- If the flash system isn’t locked down properly, attackers can overwrite the keys
- UEFI variables rely solely on SMM to protect them
- UEFI variables must be kept writeable because at some point the system is going to need to write to them
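Since the last two slides turn on what the Secure Boot variables say and who may write them, a defender's first move is to read them back and check both the values and their attribute bits. This Python is an added example, not code from the lecture: it decodes variables in the layout Linux efivarfs exposes (a 4-byte little-endian attribute word followed by the data), confirms SecureBoot is on and SetupMode is off, and verifies that PK, KEK, db and dbx carry TIME_BASED_AUTHENTICATED_WRITE_ACCESS, the attribute that makes them writable only through a signed update. The efivarfs path and vendor GUIDs are the real ones; the sample variable blobs are constructed, and their key payloads are placeholders rather than real EFI_SIGNATURE_LIST data, which this check does not parse.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")           # Linux efivarfs mount point
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Variable attribute bits from the UEFI spec.
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# Variable name -> vendor GUID for everything that makes up the Secure Boot state.
WATCHED = {
    "SecureBoot": EFI_GLOBAL_VARIABLE, "SetupMode": EFI_GLOBAL_VARIABLE,
    "PK": EFI_GLOBAL_VARIABLE, "KEK": EFI_GLOBAL_VARIABLE,
    "db": EFI_IMAGE_SECURITY_DATABASE, "dbx": EFI_IMAGE_SECURITY_DATABASE,
}


def decode_efivar(blob):
    """efivarfs file layout: 4-byte little-endian attributes, then the variable data."""
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def load_from_efivars(root=EFIVARS):
    """Read the watched variables from a live system; returns {} when efivarfs is absent."""
    found = {}
    for name, guid in WATCHED.items():
        path = root / f"{name}-{guid}"
        if path.is_file():
            found[name] = path.read_bytes()
    return found


def assess_secure_boot(variables):
    """variables: {name: raw efivarfs blob}. Returns whether Secure Boot is enforcing and why not."""
    findings = {"enforcing": False, "issues": []}
    if "SecureBoot" not in variables:
        findings["issues"].append("SecureBoot variable absent: legacy/CSM boot or Secure Boot unsupported")
        return findings
    _, sb = decode_efivar(variables["SecureBoot"])
    _, setup = decode_efivar(variables.get("SetupMode", bytes(5)))
    secure_boot_on = bool(sb) and sb[0] == 1
    setup_mode = bool(setup) and setup[0] == 1
    if not secure_boot_on:
        findings["issues"].append("SecureBoot is OFF: EFI binaries run without signature verification")
    if setup_mode:
        findings["issues"].append("SetupMode is ON: no Platform Key enrolled, key databases are open")
    for name in ("PK", "KEK", "db", "dbx"):
        if name not in variables:
            findings["issues"].append(f"{name} missing")
            continue
        attrs, _ = decode_efivar(variables[name])
        if not attrs & TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
            findings["issues"].append(f"{name} lacks authenticated-write attribute: writable without a signed update")
        if not attrs & NON_VOLATILE:
            findings["issues"].append(f"{name} is volatile and will not survive a reboot")
    findings["enforcing"] = secure_boot_on and not setup_mode and not findings["issues"]
    return findings


def _var(attrs, data):
    return struct.pack("<I", attrs) + data


KEY_ATTRS = NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
STATE_ATTRS = BOOTSERVICE_ACCESS | RUNTIME_ACCESS   # SecureBoot/SetupMode: volatile, read-only to the OS

# Constructed samples (not captured from a real machine); key payloads are placeholders.
GOOD_SYSTEM = {
    "SecureBoot": _var(STATE_ATTRS, b"\x01"), "SetupMode": _var(STATE_ATTRS, b"\x00"),
    "PK": _var(KEY_ATTRS, b"placeholder"), "KEK": _var(KEY_ATTRS, b"placeholder"),
    "db": _var(KEY_ATTRS, b"placeholder"), "dbx": _var(KEY_ATTRS, b"placeholder"),
}
WEAK_SYSTEM = dict(GOOD_SYSTEM, SecureBoot=_var(STATE_ATTRS, b"\x00"), SetupMode=_var(STATE_ATTRS, b"\x01"))

if __name__ == "__main__":
    live = load_from_efivars()
    for label, vars_ in (("live system", live), ("constructed good", GOOD_SYSTEM), ("constructed weak", WEAK_SYSTEM)):
        result = assess_secure_boot(vars_)
        print(f"{label}: enforcing={result['enforcing']}")
        for issue in result["issues"]:
            print("  -", issue)
```

On a real machine the firmware, not the OS, is the authority on whether verification actually happened, so treat a clean result as necessary rather than sufficient; a missing or non-authenticated key variable, on the other hand, is a finding on its own.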

That’s Enough Low Level
- Nemesis: a suite of malware. Used in 2015 with a bootkit and targeted banks and payment card processors.
- It was able to legitimately modify the VBR. This allowed Nemesis to survive across OS reboots.
- Nemesis hijacks the normal boot sequence using an installer dubbed "BOOTRASH." It invokes a multi-step process that involves the creation of a virtual file system that stores malicious components in unallocated space between partitions.
- The bootkit intercepts several system interrupts to assist with the injection of the primary Nemesis components during the boot process.

Remediation/Mitigation
- Remediation: wipe your drive completely and reinstall the OS
- Mitigation: GPT/UEFI - the attack does not work on a GPT/UEFI setup. We now know how safe this is ;)

Questions?

Relevant Links
- Some UEFI malware exploits (multiple examples, 2016): https://2016.zeronights.ru/wp-content/uploads/2016/12/1_2_UEFI_Rootkits_ZN_2016.pdf
- Malware VBR hijacking: https://arstechnica.com/information-technology/2015/12/nemesis-malware-hijacks-pcs-boot-process-to-gain-stealth-persistence/
- Boot process: https://www.cs.rutgers.edu/~pxk/416/notes/02-boot.html

Relevant Links
- UEFI Specification (don’t worry, I skimmed this for you): http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_7_A%20Sept%206.pdf
- Beyond BIOS: Developing with the Unified Extensible Firmware Interface, 2nd Edition, by Zimmer et al.: https://www.amazon.com/Beyond-BIOS-Developing-Extensible-Interface/dp/1934053295
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Kovah-Analyzing-UEFI-BIOSes-From-Attacker-And-Defender-Viewpoints.pdf

Relevant Links
- All Your Boot Are Belong To Us: https://cansecwest.com/slides/2014/AllYourBoot_csw14-mitre-final.pdf
- For you REs out there, analyzing UEFI code: https://www.youtube.com/watch?v=R-5UO6jLkEI
- Windows 7 boot process: https://social.technet.microsoft.com/wiki/contents/articles/11341.the-windows-7-boot-process-sbsl.aspx
- TPM and UEFI: http://resources.infosecinstitute.com/uefi-and-tpm/#gref