Overview
This article researches into the advent of vulnerabilities within Operating System boot processes. Specifically, the document focuses on the BIOS and UEFI boot processes and the vulnerabilities found within the implementations. The document then explains why the UEFI boot process is a much better approach as compared to BIOS boot process. Lastly, the document looks into the loopholes residing in the UEFI boot process and possible exploitation of it to carry out a rootkit infection. It then ends of by stating the importance of a UEFI boot process due to UEFI becoming a standard in the industry.
Introduction
What is the BIOS?
BIOS stands for Basic Input/Output. The system BIOS is the lowest-level software in the computer; it interfaces between the hardware and the OS. The BIOS provides access to the system hardware and enables the creation of the higher-level operating systems from which applications are run. The BIOS allows you to control your computer’s hardware settings, for booting up the machine when you turn on the power or hit the reset button, and various other system functions. [1]
The BIOS Boot Process
When the computer is powered on, the CPU loads the BIOS ROM which then initializes and executes a power-on self-test (POST). POST checks the BIOS chip and then tests CMOS RAM. The BIOS locates and reads the configuration information stored in CMOS and then examines the disk for the master boot record (MBR). With a valid MBR loaded into the memory, the BIOS transfer controls of the boot process to the partition loader code. The partition loader, or boot loader, examines the partition table marked as active and then then searches the very first sector of that partition for a boot record. The active partition’s boot record is checked for a valid boot signature, and if found the boot sector code is executed as a program. [2]
 |
| The Conventional BIOS Boot Process [3] |
What is UEFI?
UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification redefines the interface between PC operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications. [4]
The UEFI Boot Process
UEFI specifies a boot manager that manages the loading up of the Operating System Loader and all the needed drivers. Within the UEFI boot manager; there is a set of global NVRAM variables such as boot variables to state the paths to the various Operating System loaders.
Operating System loaders are stored within a hard drive which has a file system. These file systems has to be compatible with the UEFI standard to be accessed by the firmware. Supported File Systems include FAT32 and NTFS. The most commonly used partition table schemes such as the Master Boot Record (MBR) and GUID Partition Table (GPT) are both supported.
In order for the Operating System to be loaded, they are first automatically detected by the firmware, based on a standardized file path, for example EFIBOOTBOOTx64.EFI. The UEFI firmware then checks for the operating system bootloader’s validity and passes the boot control to the bootloader, essentially starting up the Operating System software. [3] [5]
What is a Rootkit?
A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. [6]
Content
BIOS Boot Process Vulnerabilities
Every personal computer that boots up has to go through a BIOS POST process. Any malicious changes to the POST process and the handling of boot process from a firmware and hardware level to the operating system is a threat to the computer system.
Since BIOS chips are made up of EEPROM chips, which can be easily updated by the user, hardware manufacturers frequently issue BIOS updates to their products to remove bugs. A BIOS firmware downloaded from an unknown source could contain malicious code that could compromise the computer.
Besides infection, detection and removal of viruses that has its source from a BIOS infection is also difficult because the BIOS is stored in memory rather than on the hard disk drive. A BIOS rootkit, for example, can survive most attempts to remove it such as reformatting or replacing the hard drive. Even if an anti-virus detects and remove a malicious rootkit infection on the hard drive, the infection will be restored at the next system startup. An anti-virus that detects malicious codes within the BIOS needs to be totally error-proof too to prevent accidental corruption of BIOS and causing the whole computer system to be unbootable and fail. This makes the BIOS a good and effective target when aiming to compromise a system. [7]
With more frequent BIOS updating technologies from various vendors, BIOS firmware updating can even be done remotely. This also means that the BIOS can be updated over the internet, which allows for a new source for attacks. Once an attacker gains administrative privileges from user probably from social engineering and phishing techniques, he can flash the BIOS over the Internet with malware-laden firmware. [8]
How is the rootkit introduced into the BIOS?
More commonly, BIOS are infected with rootkits which give privileged access to unknown and unauthorized sources.
The rootkit can be installed by flashing the ROM on the motherboard and this can be done only if the attacker has physical access to the PC. The attacker can also install the rootkit remotely but only if he or she has root level access to the system.
Rootkits can also be installed by the user, when using BIOS flashing utilities and flashing malware-laden BIOS. [8]
What does a BIOS rootkit do?
A BIOS rootkit, like many other rootkits, provides privilege access and unauthorized access. With the elevated access level, viruses such as file infectors can be executed easily. Normally, after BIOS rootkit infections, unknown viruses are also introduced into the computer system without any warnings. That is why, usually, a rootkit infection also comes packaged with other malware such as a Trojan downloader.
Case Study : Mebromi
Mebromi is one of the most well-known rootkits found in the wild. Mebromi is more than just a BIOS rootkit. It also consists of a kernel mode rootkit, a PE file infector and a Trojan downloader. This makes it the most malicious BIOS infected virus ever created.
To infect the computers, Mebromi has its own privilege elevated with a kernel mode driver written. It then makes use of a legitimate tool by Phoenix technologies called Cbrom.exe to modify the Award/Phoenix BIOS ROM binaries. By creating an infected BIOS ROM, Cbrom.exe then takes the ROM and modifies the bios.bin file. The bios.sys driver with its new privileges will then erase the BIOS flash and then write the new BIOS ROM code to the BIOS ROM, effectively infecting the BIOS. Upon the next boot at the BIOS POST phase, the Master Boot Record will then be infected by changing the part of executable code within the MBR. The rogue MBR will inject an encrypted file infection payload to the Operating System boot loader. When Windows starts up, the patched boot loader will be loaded into memory. By making use of the written rootkit kernel driver, it then downloads additional infection from a specified URL.
BIOS infected rootkit poses a major threat due to its high level of complexity and the mix and match of tools used to attain control over the use of the infected computer. It is nasty and almost impossible to be removed without a full reformat and BIOS flash at the same time. Therefore the BIOS rootkit poses a real threat, especially with the possible chances of further malware to be induced into the system. [9]
UEFI as a response to BIOS boot process vulnerabilities
In response to the highly vulnerable BIOS boot process, UEFI was introduced not long ago and is becoming a standard for all Personal Computers. At the moment, all Intel based 6 Series chipset and above requires UEFI firmware to be implemented. Macintosh computers were first known to implement UEFI back in 2006. Currently Windows 8 certified machines have to make use of the UEFI boot process to boot the operating system. It seems that UEFI is a much improved booting implementation and is widely accepted in current day personal computing technologies. This is because of its highly secure way of carrying out the boot process, checking integrity of drivers and Operating System boot loaders.
In UEFI, Secure Boot is a protocol which was introduced in revision 2.2. With Secure Boot, all boot process data were thoroughly checked through for integrity compromises. Unsigned Operating System boot loaders and firmware drivers will not be able to load in Secure Boot. When Secure Boot is instantiated, it gives a public key, known as ‘Platform Key’ to the firmware. Only drivers and loaders encrypted with the ‘Platform Key’ can be loaded by the firmware. This ensures that the hardware’s firmware intended to be loaded up to the UEFI shell for Operating System booting is not infected by any virus, as they are all certified by a Certificate Publisher.
With the use of Secure Boot technology within UEFI, the problems that are posed in a BIOS boot process are eradicated. However, Secure Boot process is not mandatory for all computers and therefore, vulnerabilities are still there if Secure Boot is not enabled on the firmware settings of the computer. [5] [10]
UEFI Implementation vulnerabilities
Although Secure Boot is known to prevent any malicious codes to be executed in the first place, it can be disabled, opening the vulnerabilities of UEFI boot process to malicious exploits.
By creating a UEFI shell based program, there are unlimited numbers of possibilities that a hacker can use to do damage to a computer. Of course, the program can then be to act similarly to a BIOS rootkit. The program can even intercept various system boot processes to inject malicious codes and execute them effectively, making the UEFI boot process as vulnerable as traditional BIOS boot process.
Sadly to say, Secure Boot is not compatible with previous generations of Windows Operating System such as Microsoft Windows XP and Secure Boot must be disabled on the UEFI firmware before Windows XP will boot normally. This makes new computer hardware systems running on old operating systems even more vulnerable to threats. [11]
Case Study : Windows 8 UEFI Bootkit
A Bootkit is kernel mode variant of a rootkit. Normally, a bootkit replaces an actual legitimate boot loader with one created by an attacker.
In September 2012, security researches managed to show a proof-of-concept on the vulnerabilities of Windows 8 UEFI boot process. A UEFI boot loader was developed by one of the security experts from ITSEC, which overwrites Windows 8 UEFI bootloader and bypasses security walls while doing it.
The bootloader exploited the UEFI disk Input Output routines and intercepted the loading of the Windows 8 kernel. The bootkit then modified the kernel by disabling security features of the Windows 8 Operating System, essentially changing itself into a rootkit. A machine booted with the tool will then be able to load unsigned drivers, which is the root of a viruses and malware infection. [12]
Consequences of a successful Rootkit exploit
Further Malware Infection – A Rootkit exploit will possibly result in further malware infections. Usually, rootkits come bundled with addition malicious programs such as Trojan or Virus downloader to introduce malware into the computer system. With the elevated privileges provided by the rootkit, these malware can then be installed without user approval and roam freely within the computer system.
Operating System Corruption – Since rootkits usually modify operating system files to allow privileged access to resources, it is easy for kernel corruption, resulting in the failure of availability of the computer system. Results of corruption of system kernels could be seen by usual Blue Screen of Death messages shown on Windows Operating Systems.
Loss of Data – Computers infected with rootkit are open to various malicious software threats which could modify local files. In an enterprise network, a rootkit infection may result in unauthorized access to data, and compromise integrity and availability of data. Confidential document thefts are also likely due to the unguarded computer systems, which are open to attacks. These attacks can even go unnoticed, preventing detection and countermeasure responses.
Unauthorized Remote Access to Computer – Hackers are able to access to a remote computer genuinely with the use of a rootkit. For example, keyloggers make use of a rootkit to allow key strokes taken from the keyboard to be passed onto a remote service for data theft. With the additional privilege from the rootkit, keyloggers can remain its stealth status within a computer system.
Countermeasures for boot process exploits
BIOS:
Hard Drive Encryption – Hard Drive Encryption prevents the modification of files within a hard drive at a hardware level. This means that a malicious MBR will not be able to write and modify any files within the encrypted hard drive. This means that the operating system boot loader will not be modified, preventing a rootkit exploit.
Trusted Platform Module (TPM) – The use of Trusted Computing technologies can be used to ensure the integrity of platform. TPM contains Platform Configuration Registers which takes charge in the storing and reporting of security relevant metrics securely. Changes to a platform will result in changes in the metrics which will be flagged, preventing a boot from taking place.
Remote Attestation – Allows a boot log taken from the Trusted Platform Module to be evaluated by a remote system and for trust and policy decisions to be made based on contents of that log. Remote Attestation allows the integrity of a boot process to be checked from a remote service before allowing access to boot. Mostly used in an enterprise environment on enterprise machines.
UEFI:
Secure boot – Secure Boot allows OEM to control the different boot images and device firmware to be executed. Secure boot allows OEM to both blacklist and whitelist of code signing keys as well as the boot binaries themselves. This essentially leaves no gaps for rootkits to be injected and implemented at all, making it the most secure boot environment up to date. [13]
Summary
Importance of knowing the vulnerabilities in UEFI boot process
With the influx of new Windows 8 devices relying on the UEFI boot process implementation, a possible rootkit infection may affect millions of users. Possibly due to the complacency of users in trusting that UEFI is an extremely secure boot process implementation, it is easy for hackers to find vulnerabilities within UEFI boot process and exploit it for malicious reasons. Writing malware on the UEFI is much simpler as compared to writing BIOS codes because of the use of high level programming languages to write programs compatible with the UEFI shell, as compared to low level programming languages used to create BIOS ROMs.
The extent of affected devices may be more than just personal computers. Currently, even tablet PCs and slates which runs off Windows 8 Operating System will be vulnerable if an exploit was to be found in UEFI boot process. The Windows Phone 8 devices also make use of the same process to boot its operating system. As UEFI becomes a standard in all consumer devices on the market, the threats and damages it can inflict on users also increases significantly. That is why it is extremely important to make sure that the UEFI boot process remains secure as it is today, and to prevent any possible exploits on the vulnerabilities before it becomes the next biggest problem in technological history.
An increasing popularity of Bring-Your-Own-Device concept to workplace increases the chances of infection of computers within an enterprise. Stealthy rootkits found in UEFI boot loaders which induces spyware can definitely compromise confidential company information and data to attackers. More importantly, the difficulty in identifying these threats and viruses within the UEFI boot process are the most annoying and most dangerous part of the threat. It is a new area which not many have researched into yet, making responses to these threats slow.
Secure Boot within UEFI technology could be the answer for all the problems. However, Secure Boot is also a controversial topic. Currently, only Windows 8 and 7 machines support Secure Boot. If personal computer manufacturing vendors were to mandatorily implement Secure Boot on their machines, it also means that the machine can only run Windows 8 or 7. Linux Operating System or older Windows operating systems will not be able to run on these machines, questioning the viability of Secure Boot technology.
References
[1] Korierok, C. M. (2001, April 17). System BIOS. Retrieved from PC Guide: http://www.pcguide.com/ref/mbsys/bios/index.htm
[2] Technology, N. A. (n.d.). Digital Forensics : Windows File System.
[3] Olzak, T. (2012, June 19). Chapter 8 – UEFI and the TPM: Building a foundation for platform trust. Retrieved from INFOSEC INSTITUTE RESOURCES: http://resources.infosecinstitute.com/uefi-and-tpm-2/
[4] (n.d.). Retrieved from UEFI: http://www.uefi.org/home/
[5] UEFI-Booting. (n.d.). Retrieved from Wikipedia: http://en.wikipedia.org/wiki/UEFI
[6] McAfee. (2006). Rootkits, Part 1 of 3: The Growing Threat. McAfee. Retrieved from http://web.archive.org/web/20060823090948/http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf
[7] BIOS – BIOS_chip_vulnerabilities. (n.d.). Retrieved from Wikipedia BIOS Page: http://en.wikipedia.org/wiki/BIOS#BIOS_chip_vulnerabilities
[8] Rouse, M. (2011, February). BIOS rootkit attack. Retrieved from SearchCloudSecurity: http://searchcloudsecurity.techtarget.com/definition/BIOS-rootkit-attack
[9] Giuliani, M. (n.d.). Mebromi: the first BIOS rootkit in the wild. Retrieved from Webroot : http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
[10] Nicholas, P. (2012, December 18). Important Advancements Toward a Safer, More Trusted Internet. Retrieved from Microsoft Security Blog: http://blogs.technet.com/b/security/archive/2012/12/18/important-advancements-toward-a-safer-more-trusted-internet.aspx
[11] Shinder, D. (2012, September 12). The Secure Boot Controversy: What does it mean to IT? Retrieved from Windows Security: http://www.windowsecurity.com/articles/Secure-Boot-Controversy-What-does-mean-IT.html
[12] UEFI technology : say hello to the Windows 8 bootkit. (n.d.). Retrieved from ITSEC: http://www.itsec.it/2012/09/18/uefi-technology-say-hello-to-the-windows-8-bootkit/
[13] Griffin, D. (2012). Hacking Measured Boot and UEFI. DEFCON2012. Las Vegas.
