Ring 0/-2 Rootkits: Compromising Defenses
Formal Metadata
Number of Parts: 322
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/39669 (DOI)
Transcript: English(auto-generated)
00:00
Next up, we are going to have some fun with some low-level rootkits kind of stuff. Now, Alexandre Borges, I'm doing my best here, is all the way from Brazil. And he is a first-time speaker. So we want to give him a special recognition. So let's give him a round of applause.
00:24
Have a wonderful time. Hello, everybody. Good afternoon. My name is Alexandre Borges. I'm a malware and security researcher at Blackstorm Security.
00:41
And let's talk about rootkits. First of all, two things. English is not my native language, so if you don't understand something, please send me an email. Thank you. And these professionals deserve my sincere thank you
01:04
and my deep respect for their research on the same topic. Let's start.
01:22
Honestly, I was expecting only 10 or 12 people here. This is the table of contents. I will talk about two topics: ring zero rootkits and advanced malware at ring minus two.
01:43
First, ring zero rootkits. Malicious drivers have been using the same tricks every single day to infect systems, no doubt about it.
02:01
Callback methods, or kernel callback functions, are a good one, because they are a kind of modern rootkit technique, used by antivirus programmers for monitoring and alerting the kernel modules about a specific event's occurrence. And kernel callback methods are a good trick to evade defenses.
02:28
Kernel callback methods provide us a notification when a process, a library, or a kernel module is mapped into memory, when a file system becomes available,
02:44
when the system is about to go down before a system crash, when a thread starts or finishes, when a process starts or finishes,
03:03
or when some registry entries are modified or removed. For example, I have seen some malware using this specific callback method, CmRegisterCallback,
03:20
to check if the persistent entries are kept, and if an analyst, a software product, or a programmer removes them, the malware is able to add them back. Callbacks are a nice trick to keep persistence.
03:42
Finding the number of callback methods is so easy using WinDbg: with the first command there, and running a couple of commands, we have a very nice way to list the callback methods. For example, PsSetCreateProcessNotifyRoutine
04:07
adds to a kind of list of callback routines to be called when a process is created or deleted. So in this case, it's so easy to find the number of installed callbacks
04:22
with the first command in WinDbg, and the command in the middle is a very easy way to list all the callback methods that are installed. In the last few weeks, I have seen several malware samples
04:43
using this specific callback method, PsSetLegoNotifyRoutine, to register a malicious routine that is called during thread termination. In this case, the malware changes KTHREAD.LegoData
05:04
to provide a malicious address, and the routine redirects the execution flow to the malicious code. It's a very nice and different trick. Here, we have the output from the last slide
05:22
about the callback methods associated with process creation. And here, we have the KTHREAD structure with the LegoData field that is changed by the malware.
05:45
Windows offers different types of drivers, such as legacy drivers, filter drivers, and minifilter drivers. All of them are developed by using the WDM or WDF frameworks.
06:02
Basically, a driver is composed of one or more device objects, and each device object is associated with a driver object. So, most ring zero malware installs filter drivers
06:20
to modify aspects and behavior of existing drivers, filtering operations in and out, and adding new malicious features, for example keyloggers. The trick is almost the same. We have a driver stack,
06:42
and the malware first creates an unnamed device object by using this first function, AddDevice, and secondly, the malware adds the unnamed device object on the top of the stack by using this function, IoAttachDevice.
07:09
All communication in the driver stack is done by using IRP packets, and each IRP packet is processed by a dispatch routine
07:23
that is retrieved from the major function table. The IRP parameters are retrieved from the I/O stack location by using this function, IoGetCurrentIrpStackLocation.
07:41
Additionally, it's possible to pass down the IRP parameters to the next layer by using IoSkipCurrentIrpStackLocation, or to copy them by using IoCopyCurrentIrpStackLocationToNext.
08:00
Alternatively, IRP packets can be passed down to the lower driver by using this specific call, IoCallDriver. Here, we have a very nice trick. Some malware tries to pass the IRP packet to the lowest driver, bypassing the drivers in the middle, and so
08:24
avoids being detected by monitoring tools and hooking tools. So, it's a very nice and smart trick to evade defenses. Here, I show you a complete picture of it.
08:45
At left, we have the driver stack. At right, we have the device objects associated with each driver.
09:01
Pay attention that the IoCallDriver function is called to pass down the IRP packet to the next layer. At the bottom, we have completion routines that are called in the reverse order.
09:20
So, the completion routine is the function that does the job. All of them are managed by the IoCompleteRequest function at right. Here, we have the IRP structure, composed of a static part
09:47
and a dynamic part. The dynamic part is composed of I/O stack locations. So, each IRP is created by calling the IoAllocateIrp function,
10:01
and as I mentioned before, this function and the other three above are interesting functions to be analyzed when you reverse the malware. At right bottom, we have the IO_STACK_LOCATION structure, composed of the major function.
10:24
The major function holds the pointers to the dispatch routines, the parameters field, and the completion routine field. The parameters field depends on the major and minor functions.
10:41
So, in this slide, we have the structure of the parameters field. In the next slide, we have a complete list of IRP types. So easy. Here, we have the complete relationship between the IO_STACK_LOCATION structure,
11:06
the DEVICE_OBJECT structure, and the DRIVER_OBJECT structure. It's good luck to read tomorrow night. Here, I show you a step-by-step investigation of a potential malicious driver,
11:25
whose name is A-Barges, with some commands in WinDbg. And pay attention, this specific malware uses some dispatch routines such as create, read,
11:43
close, write, and device control. It's so usual to see things like that when you are analyzing malicious drivers. Here, a more complete overview, showing you the relationship between the
12:04
reversed code, the driver object, and the dispatch routines. In this slide, I started an investigation of a potential malicious filter driver by using some commands in WinDbg.
12:29
Naturally, the closer to the bottom of the device stack the infection occurs, the more effective it is, or, I mean, most monitoring tools and hooking tools try to
12:47
check the middle of the stack. So, if the infection happens at the bottom, you are skipping all these tools and evading the defenses.
13:00
Some malware tries to intercept requests such as read and write operations by manipulating the MajorFunction array, for example the IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL dispatch routines.
13:23
Rootkits try to protect themselves from being removed by modifying functions such as IRP_MJ_DEVICE_CONTROL, and hooking requests going to the disk is another kind of trick. Some malware tries to hook the DriverUnload routine to prevent the
13:44
rootkit from being removed. Another trick. However, most malicious drivers, or most malware, try to avoid touching areas protected by PatchGuard, because PatchGuard is so tough to be
14:03
circumvented. Here, we have a list of areas protected by PatchGuard, thanks to Alex Ionescu, from this command. Most of the time, malware has been storing its payloads and configurations
14:26
in encrypted hidden file systems, and, additionally, it has created a random device object name during the boot to associate with the
14:40
special file system. Some malware composed of an executable and drivers has been using ALPC, Advanced Local Procedure Call, to perform the communication between the user code and the driver code, instead of using I/O control commands.
15:04
It's another smart trick. Some malware doesn't choose any specific driver for injection, but tries to randomly pick a driver by parsing this structure here,
15:21
KLDR_DATA_TABLE_ENTRY. Certainly, hooking the file system access is so easy. Here, I show you a complete list of APIs. It's so easy to do that. A few malware samples have been hooking this specific API, ZW4H, to intercept all open
15:48
requests sent to devices. It's a very smart trick because AVs, antivirus products, use the same tricks. Some malware, after infecting a system by dropping devices, by dropping
16:05
kernel drivers, tries to force a reboot by calling the ZwRaiseHardError function. It's a very special trick.
16:21
Other malware tries to use the last routine here in red, IoRegisterShutdownNotification, for restoring the malicious drivers on the next reboot, if you try to remove them. Fortunately, most malware has been using the ExAllocatePoolWithTag function to
16:47
allocate memory pool. But it's so easy to find that because we have Volatility here. We can find it by using either Volatility, as you already know, or by executing a command
17:04
in WinDbg. Finally, most malicious drivers have been using APC injection to inject some malicious code instead of using CreateRemoteThread.
17:21
So, my recommendation is to pay attention to these three last functions in red.
17:41
Now, I'm talking about advanced drivers, basically ring minus two. When we talk about ring minus two malware, the context is so different. Most malware at this level actually attacks the MBR, the VBR, UEFI,
18:11
for example. Some malware alters the BPB, the BIOS parameter block, to change the execution flow to another place. In this case, this kind of malware
18:26
alters the last field, HiddenSectors, to change to another address and execute the malicious code instead of executing the IPL.
18:43
Here, we have a real case about malware such as TDL4 or Apache, which encrypts and infects the MBR. So, in this case, the trick is to load a good MBR and a bad one
19:04
in IDA Pro and emulate them using the Bochs emulator. So, I try to compare them to make my analysis easier.
19:21
MBR modifications and VBR modifications are effective ways to bypass KMCS, the kernel mode code signing policy. KMCS is responsible for validating the driver signature. So, there are some ways to bypass KMCS.
19:41
Disable it; put Windows in test mode, but in this case, Secure Boot must be disabled; change the kernel memory, it's so easy; or even try to find a flaw in the firmware, and in this case, again, Secure Boot must be disabled. Here, we have a real case about a trojan banker, where the malware is
20:08
putting Windows in test mode. In this case, the goal is to force, in the near future, the loading of an unsigned malicious driver.
20:22
Here, I show you a more complete overview. Here we have the boot process, composed of BIOS, MBR, VBR, and boot manager. And look at the bottom left.
20:43
There we have winload.exe. Many bootkits try to attack it before it loads the kernel and the ELAM protection. It's another smart trick to bypass defenses.
21:01
Malware has been infecting the boot manager. The boot manager is responsible for switching the processor execution from real mode to protected mode. So, malware has been using some interrupts to access the disk, to patch modules, and to load malicious drivers. At the bottom, I show you some tasks associated with winload.exe.
21:27
It enables protected mode, checks the modules' integrity, loads the Windows kernel, loads several DLLs and the ELAM protection, and finally loads drivers and system registry data.
21:46
Therefore, integrity checking of winload is critical. And if it is subverted, everything falls, because integrity control doesn't exist anymore.
22:02
So, pay attention here. All modern protections are based on digital certificates and digital signatures. So, it's critical. Most advanced rootkits, as I mentioned previously, store their payload and configuration in an
22:25
encrypted hidden file system by using some special opcodes. As you know, SMM is a kind of magical mode or god mode. That's a perfect place to hide malware.
22:42
Here, I show you a first approach, composed of SPI flash, SMM, UEFI services, MBR, VBR, the OS loader, and the OS.
23:03
Pay attention here. Malware can attack any block here, so you are not safe. Here is a quick reminder about the UEFI phases. So it is.
23:20
Here, I show you a more complete overview of the boot process, composed of the hardware, the UEFI phases, and things like that. Again, malware can attack everywhere here, but we have good protections such as Boot Guard, UEFI Secure Boot, OS secure boot, and so on.
23:58
Remember, the SPI flash is composed of the descriptor,
24:04
Gigabit Ethernet, Management Engine, ACPI, and BIOS regions. So, for example, Boot Guard, controlled by the Management Engine, is responsible for validating the boot process by flashing a public key into the Intel Management Engine.
24:27
Obviously, for Boot Guard to work perfectly, the SPI flash region must be locked, and the Boot Guard configuration must be set and protected against SMM rootkits.
24:44
Here, I show you a quick picture of the Boot Guard blocks. Basically, each block verifies the next one. It's a kind of trust chain.
25:02
Another very interesting protection is BIOS Guard, which runs within SMM and protects the platform against unauthorized SPI flash and BIOS updates, boot infection, and corruption. And basically, BIOS Guard only allows trusted modules to modify the SPI flash memory.
25:30
Secure Boot is responsible for protecting the entire path against bootkit infection; it protects the key components during the kernel load,
25:41
key drivers and important system files, and in the end, Secure Boot prevents any loading of strange code without a valid digital signature. Two essential items in Secure Boot are the platform key
26:04
and the key exchange key. The platform key establishes a relationship between the platform owner and the platform firmware, and is responsible for verifying the key exchange key. And at the bottom, the key exchange key establishes a trust relationship between the
26:22
platform firmware and the OS. Actually, the key exchange key verifies the authorized database, which contains authorized signing certificates and digital signatures, and the forbidden database, which contains the forbidden certificates and digital signatures.
26:45
Obviously, if the platform key is corrupted, everything falls, because Secure Boot must be, or can be, disabled. Unfortunately, some vendors store important Secure Boot settings using UEFI variables. However, if some rootkit exploits these
27:07
variables, Secure Boot can be disabled. UEFI BIOS supports the Terse Executable format. However, the Terse Executable format
27:21
doesn't support signatures. And remember what I told you: all the modern protections are based on digital signatures and digital certificates. So, in this case, if a rootkit is able to replace the typical PE
27:41
loader by a Terse Executable, Secure Boot can be disabled. Fortunately, the new release of Windows 10 introduced a very interesting feature about SMM protections, known as the Windows SMM
28:05
Security Mitigation Table. In Windows 10, the firmware executing SMM must be authorized and trusted by VBS. So, it's an additional protection for us. SMM protection flags in Windows can be configured for your use.
28:26
Here, I show you some flags. Finally, I'm showing here a practical case, a real case about a customer in Brazil. In this case, the
28:43
system is not protected against BIOS writing. You see, the second one, BIOS read-write permission. So, it's terrible. In the same system, BIOS
29:03
write enable is set. It's terrible, too, because any malware can write malicious code there. The BIOS lock enable is unset. It's terrible, too, because this is a kind of notification bit. The SMM BIOS write protection is
29:27
disabled. Horrible again. At the bottom, the write protection range registers are disabled, too. So, in this case, we have a completely exposed machine, a completely exposed
29:47
system. Here, I'm using CHIPSEC to perform my analysis, my checking. Here, we
30:03
have the flash configuration lock enabled. That's okay. However, the others are disabled, so it doesn't matter. Here, the BIOS top swap mode is disabled.
30:32
That's okay, because, in this case, it's impossible to redirect the reset vector to a backup boot block. So, it's impossible to execute malicious code.
30:47
Finally, the SMM range register is enabled. It's a good one, it's good news. So, it's impossible to access the SMM from non-SMM mode. My conclusions are: most
31:11
security professionals are not ready to analyze malicious drivers, because the theory is huge and not easy, and I know that. Real customers, the real world, are not aware of
31:25
ring minus two threats, and they don't know how to update the firmware. Most customers don't know how to do that. And finally, remember,
31:43
all modern protections are based on integrity, for example digital certificates and signatures. However, I leave a question here. What would happen if these algorithms were broken, for example using quantum computation? This talk
32:06
is dedicated to my wife, and to you, who reserved some time to be here. Thank you for attending my talk.