
Bypassing UEFI Secure Boot with Thin-Hypervisor

Akira Moroo
November 30, 2020

UEFI Secure Boot is one of the core security features in modern computing systems. It verifies boot images and runs authorized images only. Bypassing UEFI Secure Boot is one of the big topics for attacking UEFI targets. In this presentation, I propose a general bypassing method using a thin-hypervisor.

Transcript

  1. Bypassing UEFI Secure Boot with Thin-Hypervisor. November 30, 2020, BitVisor Summit 9. @retrage
  2. Disclaimer: This work was developed for research purposes. No systems were harmed.
  3. Secure Boot

  4. Secure Bootstrapping: Secure Boot and Trusted Boot
     • Booting is a chain of state transitions:
     • Secure Boot: Verifies every state using certificates and hashes
     • Trusted Boot: Computes hashes of every state [1]
  5. UEFI Secure Boot: Overview
     • UEFI image is PE/COFF format
     • Image may have signatures
     • Firmware verifies images
     • Loads image if:
       • It has a valid signature
       • Its hash is in allowed list
     • Runs trusted images only [2]
  6. LoadImage (): Secure Boot Verification
     • UEFI gives an image the pointer to EFI_SYSTEM_TABLE
     • UEFI image accesses UEFI features via the table
     • LoadImage () loads UEFI image
     • Verifies UEFI image when Secure Boot is enabled
     [Diagram: EFI_SYSTEM_TABLE with members EFI_RUNTIME_SERVICES, EFI_BOOT_SERVICES, ...; EFI_BOOT_SERVICES with members LoadImage (): EFI_IMAGE_LOAD, StartImage (): EFI_IMAGE_START, ...]
  7. Attacking UEFI Secure Boot

  8. Disabling Secure Boot #1: Patching PI firmware
     • DxeImageVerificationHandler ():
       • Called at LoadImage () to verify the image
       • Patching it to always return EFI_SUCCESS [2]
  9. Disabling Secure Boot #2: Modifying the UEFI Variables in NVRAM
     • Secure Boot state is stored as UEFI variables in NVRAM [4]
  10. Alternative Way to Bypass Secure Boot
     • #1: Patching PI Firmware to Disable Secure Boot
       • Requires manual reverse engineering
     • #2: Modifying the UEFI Variables in NVRAM to Bypass Security Checks
       • NVRAM must be write-protected (sometimes it is not)
     • Alternative way: Patching the whole EFI_BOOT_SERVICES
  11. Patching EFI_BOOT_SERVICES
     • DxeBackdoor.efi LoadImage () with Secure Boot disabled
     • Patch target LoadImage () pointer to DxeBackdoor.efi LoadImage ()
     [Diagram: EFI_SYSTEM_TABLE and EFI_BOOT_SERVICES with the LoadImage () entry; LoadImage in DxeCore.efi runs VerifyImage () when Secure Boot is enabled, LoadImage in DxeBackdoor.efi has VerifyImage () commented out]
  12. DxeBackdoor.efi
     • Almost all service calls are delegated to target functions
     • .conf section:
       • Place required functions
       • Save original functions
     • Ref: Cr4sh/SmmBackdoor [3]
  13. Injecting Backdoor

  14. Employing BitVisor to Inject Backdoor: The attacker needs to be able to access arbitrary memory of the target
     • Exploiting Vulnerabilities:
       • Hard to find usable vulnerabilities (especially 0-day)
       • Deeply depends on target environment
     • Let’s use BitVisor to emulate the injection attack:
       • Search tables and function pointers
       • Load backdoor image and hook function pointers
  15. Search Function Pointers: Search signatures and locate function pointers
     • Search “IBI SYST”: EFI_SYSTEM_TABLE
     • Search “BOOTSERV”: EFI_BOOT_SERVICES
     • Locates from EFI_BOOT_SERVICES:
       • LoadImage ()
       • StartImage ()
     [Diagram: EFI_SYSTEM_TABLE with members EFI_RUNTIME_SERVICES, EFI_BOOT_SERVICES, ...; EFI_BOOT_SERVICES with members LoadImage (): EFI_IMAGE_LOAD, StartImage (): EFI_IMAGE_START, ...]
  16. Load Backdoor UEFI Image
     • Deploys backdoor from bitvisor.elf
     • Backdoor UEFI image is embedded in bitvisor.elf
     • Loader parses and loads the backdoor image to guest memory
     • Creates LoadImage () and StartImage () hooks
     • Overwrites function pointers
  17. Booting Unauthorized Linux

  18. Secure Boot is Enabled: Enrolls custom PK/KEK/db

  19. Denies Booting Unauthorized Linux: Secure Boot works properly

  20. BitVisor Backdoor Injector Driver

  21. BitVisor Backdoor Injector Driver: Search tables and functions

  22. BitVisor Backdoor Injector Driver: Parse embedded backdoor image

  23. BitVisor Backdoor Injector Driver: Load backdoor image and hook functions

  24. Boots Unauthorized Linux: Successfully bypasses Secure Boot

  25. Summary
     • Existing methods for attacking Secure Boot are limited
     • Patching the whole EFI_BOOT_SERVICES
       • A more general way to bypass Secure Boot
     • Used BitVisor to emulate an arbitrary memory manipulation attack
     • Mitigations:
       • Do not reuse system tables
       • Check function pointer ranges
  26. References
     • [0] https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf
     • [1] B. Parno, J. M. McCune, and A. Perrig, “Bootstrapping trust in commodity computers,” in IEEE Symposium on Security and Privacy, 2010, pp. 414–429.
     • [2] A. Matrosov, E. Rodionov, and S. Bratus, “Rootkits and Bootkits”, No Starch Press, 2019.
     • [3] https://github.com/Cr4sh/SmmBackdoor
     • [4] Y. Bulygin, J. Loucaides, A. Furtak, O. Bazhaniuk, and A. Matrosov, “Summary of Attacks Against BIOS and Secure Boot,” DEF CON, 2014.
  27. Appendix

  28. Legacy BIOS: No Security Features
     • Master Boot Record:
       • First 512 bytes of disk
       • Includes:
         • Bootstrap code
         • 4 partition entries
     • No native security features
     • MBR can be easily modified [2]
  29. Backdoor Injector BitVisor Driver
     • Create DxeBackdoor.efi from custom EDK2 package
     • Use “objcopy -I binary” to convert DxeBackdoor.efi to backdoor.o
     • Implemented PE/COFF loader for backdoor injector BitVisor driver
       • Parses headers
       • Loads based on section information
       • Supports minimal relocations
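
The "Check function pointer ranges" mitigation from the summary slide, as an added example that is not code from the presentation, BitVisor or EDK2: an integrity check confirms the "BOOTSERV" table signature and that the LoadImage () and StartImage () pointers fall inside address ranges of trusted firmware modules. The struct layout, region list, function names and sample addresses are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "BOOTSERV" read as a little-endian 64-bit value (EFI_BOOT_SERVICES_SIGNATURE). */
#define BOOT_SERVICES_SIGNATURE 0x56524553544f4f42ULL

/* Hypothetical, simplified stand-in for EFI_BOOT_SERVICES: the header
 * signature and the two image services named in the slides. */
typedef struct {
    uint64_t signature;
    uint64_t load_image;  /* address LoadImage () points to */
    uint64_t start_image; /* address StartImage () points to */
} mock_boot_services;

/* Address range of a firmware module the checker trusts. */
typedef struct { uint64_t base, size; } fw_region;

static int in_trusted_region(uint64_t p, const fw_region *r, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p >= r[i].base && p - r[i].base < r[i].size) /* overflow-safe */
            return 1;
    return 0;
}

/* Returns 0 when clean, else a bitmask: 1 = bad signature,
 * 2 = LoadImage outside trusted regions, 4 = StartImage outside. */
int check_boot_services(const mock_boot_services *bs, const fw_region *r, size_t n)
{
    int findings = 0;
    if (bs->signature != BOOT_SERVICES_SIGNATURE) findings |= 1;
    if (!in_trusted_region(bs->load_image, r, n)) findings |= 2;
    if (!in_trusted_region(bs->start_image, r, n)) findings |= 4;
    return findings;
}

/* Constructed sample data: one trusted region, a clean and a hooked table. */
const fw_region sample_regions[] = { { 0x7E000000ULL, 0x00200000ULL } };
const mock_boot_services sample_clean = { BOOT_SERVICES_SIGNATURE, 0x7E012340ULL, 0x7E0125A0ULL };
const mock_boot_services sample_hooked = { BOOT_SERVICES_SIGNATURE, 0x6F800100ULL, 0x7E0125A0ULL };

int main(void)
{
    printf("clean:  %d\n", check_boot_services(&sample_clean, sample_regions, 1));
    printf("hooked: %d\n", check_boot_services(&sample_hooked, sample_regions, 1));
    return 0;
}
```

A check like this only helps if it runs from a context the attacker cannot patch as well; the threat model in the slides assumes arbitrary memory access from a hypervisor underneath the firmware.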