Slide 1

Bypassing UEFI Secure Boot with Thin-Hypervisor
November 30, 2020, BitVisor Summit 9
@retrage

Slide 2

Disclaimer: This work is developed for research purpose. No systems were harmed.

Slide 3

Secure Boot

Slide 4

Secure Bootstrapping: Secure Boot and Trusted Boot
• Booting is a chain of state transitions:
  • Secure Boot: verifies every state using certificates and hashes
  • Trusted Boot: computes hashes of every state [1]

Slide 5

UEFI Secure Boot: Overview [2]
• UEFI image is in PE/COFF format
• Image may carry signatures
• Firmware verifies images
• Loads an image only if:
  • It has a valid signature, or
  • Its hash is in the allowed list
• Runs trusted images only

Slide 6

LoadImage (): Secure Boot Verification
• UEFI gives an image the pointer to EFI_SYSTEM_TABLE
• UEFI image accesses UEFI features via the table
• LoadImage () loads a UEFI image
• Verifies the UEFI image when Secure Boot is enabled
[Figure: EFI_SYSTEM_TABLE (+ EFI_RUNTIME_SERVICES, + EFI_BOOT_SERVICES, ...) -> EFI_BOOT_SERVICES (+ LoadImage (): EFI_IMAGE_LOAD, + StartImage (): EFI_IMAGE_START, ...)]

Slide 7

Attacking UEFI Secure Boot

Slide 8

Disabling Secure Boot #1: Patching PI Firmware
• DxeImageVerificationHandler ():
  • Called from LoadImage () to verify the image
  • Patch it to always return EFI_SUCCESS [2]

Slide 9

Disabling Secure Boot #2: Modifying the UEFI Variables in NVRAM
• Secure Boot state is stored as UEFI variables in NVRAM [4]

Slide 10

Alternative Way to Bypass Secure Boot
• #1: Patching PI firmware to disable Secure Boot
  • Requires manual reverse engineering
• #2: Modifying the UEFI variables in NVRAM to bypass security checks
  • NVRAM should be write-protected (sometimes it is not)
• Alternative way: patching the whole EFI_BOOT_SERVICES

Slide 11

Patching EFI_BOOT_SERVICES
• DxeBackdoor.efi provides a LoadImage () with Secure Boot verification disabled
• Patch the target's LoadImage () pointer so it points to DxeBackdoor.efi's LoadImage ()
[Figure: EFI_SYSTEM_TABLE (+ EFI_RUNTIME_SERVICES, + EFI_BOOT_SERVICES, ...) -> EFI_BOOT_SERVICES (+ LoadImage (): EFI_IMAGE_LOAD, + StartImage (): EFI_IMAGE_START, ...). The EFI_IMAGE_LOAD pointer is redirected from DxeCore.efi's LoadImage (), which calls VerifyImage () when Secure Boot is enabled, to DxeBackdoor.efi's LoadImage (), where that call is commented out: /* VerifyImage () */]

Slide 12

DxeBackdoor.efi
• Almost all service calls are delegated to the target functions
• .conf section:
  • Places the required functions
  • Saves the original functions
• Ref: Cr4sh/SmmBackdoor [3]

Slide 13

Injecting Backdoor

Slide 14

Employing BitVisor to Inject the Backdoor
The attacker needs to be able to access arbitrary memory on the target
• Exploiting vulnerabilities:
  • Hard to find usable vulnerabilities (especially 0-days)
  • Deeply depends on the target environment
• Let’s use BitVisor to emulate the injection attack:
  • Search tables and function pointers
  • Load the backdoor image and hook function pointers

Slide 15

Search Function Pointers
Search signatures and locate function pointers
• Search “IBI SYST”: EFI_SYSTEM_TABLE
• Search “BOOTSERV”: EFI_BOOT_SERVICES
• Locates from EFI_BOOT_SERVICES:
  • LoadImage ()
  • StartImage ()
[Figure: EFI_SYSTEM_TABLE (+ EFI_RUNTIME_SERVICES, + EFI_BOOT_SERVICES, ...) -> EFI_BOOT_SERVICES (+ LoadImage (): EFI_IMAGE_LOAD, + StartImage (): EFI_IMAGE_START, ...)]

Slide 16

Load Backdoor UEFI Image
• Deploys the backdoor from bitvisor.elf
• Backdoor UEFI image is embedded in bitvisor.elf
• Loader parses and loads the backdoor image into guest memory
• Creates LoadImage () and StartImage () hooks
• Overwrites the function pointers

Slide 17

Booting Unauthorized Linux

Slide 18

Secure Boot is Enabled
Enrolls custom PK/KEK/db

Slide 19

Denies Booting Unauthorized Linux
Secure Boot works properly

Slide 20

BitVisor Backdoor Injector Driver

Slide 21

BitVisor Backdoor Injector Driver
Search tables and functions

Slide 22

BitVisor Backdoor Injector Driver
Parse embedded backdoor image

Slide 23

BitVisor Backdoor Injector Driver
Load backdoor image and hook functions

Slide 24

Boots Unauthorized Linux
Successfully bypasses Secure Boot

Slide 25

Summary
• Existing methods for attacking Secure Boot are limited
• Patching the whole EFI_BOOT_SERVICES is a more general way to bypass Secure Boot
• Used BitVisor to emulate an arbitrary memory manipulation attack
• Mitigations:
  • Do not reuse system tables
  • Check function pointer ranges
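As an added, defender-side illustration of the two mitigations above (this is not code from the talk or from BitVisor), the check below validates a cut-down model of EFI_BOOT_SERVICES: the table signature, the CRC32 the spec computes over the table with its CRC field zeroed, and whether each service pointer still lies inside the firmware's code range. The model keeps only the two service pointers the talk hooks, and the code range and addresses are made up.

```c
#include <stdint.h>
#include <stddef.h>

/* EFI_TABLE_HEADER as laid out in the UEFI spec. */
typedef struct { uint64_t Signature; uint32_t Revision, HeaderSize, CRC32, Reserved; } EFI_TABLE_HEADER;
#define EFI_BOOT_SERVICES_SIGNATURE 0x56524553544f4f42ULL /* "BOOTSERV" */

/* Constructed, cut-down model of EFI_BOOT_SERVICES: header plus the two hooked services. */
typedef struct { EFI_TABLE_HEADER Hdr; void *LoadImage; void *StartImage; } MODEL_BOOT_SERVICES;

/* Standard CRC-32 (IEEE 802.3), the checksum UEFI uses for its tables. */
static uint32_t crc32_calc(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC over the whole table with the CRC32 field zeroed, as the spec requires. */
static uint32_t table_crc(const MODEL_BOOT_SERVICES *bs) {
    MODEL_BOOT_SERVICES tmp = *bs;
    tmp.Hdr.CRC32 = 0;
    return crc32_calc(&tmp, sizeof tmp);
}

/* 0 if the table passes; else 1 = bad signature, 2 = CRC mismatch, 4 = pointer outside code range. */
int check_boot_services(const MODEL_BOOT_SERVICES *bs, uintptr_t code_base, size_t code_size) {
    int bad = 0;
    if (bs->Hdr.Signature != EFI_BOOT_SERVICES_SIGNATURE) bad |= 1;
    if (bs->Hdr.CRC32 != table_crc(bs)) bad |= 2;
    const void *ptrs[] = { bs->LoadImage, bs->StartImage };
    for (size_t i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++) {
        uintptr_t a = (uintptr_t)ptrs[i];
        if (a < code_base || a >= code_base + code_size) bad |= 4;
    }
    return bad;
}

/* Constructed scenario (made-up addresses): a valid table, optionally with LoadImage redirected. */
int demo_check(int redirect) {
    uintptr_t code_base = 0x7F000000u; size_t code_size = 0x100000; /* assumed DXE core range */
    MODEL_BOOT_SERVICES bs = {
        .Hdr = { .Signature = EFI_BOOT_SERVICES_SIGNATURE, .HeaderSize = sizeof bs },
        .LoadImage = (void *)(code_base + 0x1000),
        .StartImage = (void *)(code_base + 0x2000),
    };
    bs.Hdr.CRC32 = table_crc(&bs);                   /* CRC as firmware would set it */
    if (redirect) bs.LoadImage = (void *)(uintptr_t)0x10000000u; /* injected image, outside range */
    return check_boot_services(&bs, code_base, code_size);
}
```

A redirected pointer fails both the range check and the CRC check, because the hook rewrote the table without recomputing the checksum.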

Slide 26

References
• [0] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf
• [1] B. Parno, J. M. McCune, and A. Perrig, “Bootstrapping trust in commodity computers,” in IEEE Symposium on Security and Privacy, 2010, pp. 414–429.
• [2] A. Matrosov, E. Rodionov, and S. Bratus, “Rootkits and Bootkits,” No Starch Press, 2019.
• [3] https://github.com/Cr4sh/SmmBackdoor
• [4] Y. Bulygin, J. Loucaides, A. Furtak, O. Bazhaniuk, and A. Matrosov, “Summary of Attacks Against BIOS and Secure Boot,” DEF CON, 2014.

Slide 27

Appendix

Slide 28

Legacy BIOS: No Security Features [2]
• Master Boot Record:
  • First 512 bytes of the disk
  • Includes:
    • Bootstrap code
    • 4 partition entries
• No native security features
• MBR is easily modified

Slide 29

Backdoor Injector BitVisor Driver
• Create DxeBackdoor.efi from a custom EDK2 package
• Use “objcopy -I binary” to convert DxeBackdoor.efi to backdoor.o
• Implemented a PE/COFF loader for the backdoor injector BitVisor driver
  • Parses headers
  • Loads sections based on section information
  • Supports minimal relocations