• No results found

Race to bare metal: UEFI and hypervisors

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Race to bare metal: UEFI and hypervisors"

Copied!
34
0
0

Loading.... (view fulltext now)

Download now ( 34 Page )

Full text

(1)

Race to bare metal:

(2)

Agenda

1. Race to bare metal 2. Overview UEFI

3. UEFI in practice

4. Advantages of UEFI for anti/malware hypervisors

(3)
(4)

Importance of early loading

• Natural protection from hypervisor

malware is installing another (security) hypervisor first

• After one of them is active, “game is over” for the other one

• That means, both should strive to get loaded as soon as possible

(5)

Importance of loading mechanism

• Weak point in preventing detection • Weak point in security

(6)
(7)

[Unified] Extensible Firmware

Interface (EFI / UEFI)

• Pre-boot firmware interface (sort of BIOS replacement)

• Architecture-independent (portable: x86, x86-64, Itanium, ARM)

• C interface

• Big part of implementation available as open-source

(8)

Why replace BIOS?

• Outdated 16-bit real mode assembly interface

• Lack of functionality • Lack of extensibility

• Short supply of real mode assembly programmers

(9)

History of UEFI

• mid 90s - First steps towards EFI • 2000 - Itanium • 2003 - x86-32 • 2005 - UEFI Forum • 2006 - Intel-based Macs • 2008 - x86-64 • 2008 - Vista SP1

(10)

UEFI Forum

• Unified EFI

• Intel, AMD, ARM, Dell, HP, Apple, IBM, Lenovo, Phoenix, AMI, Insyde, Microsoft • UEFI Specification, Platform Initialization

Specification

(11)

Design

• Architecture-independent • Modular

(12)

Features

• Console I/O • Graphics • Unicode • Remote debugging • Bytecode • Networking (IPv4, IPv6, IPsec, TCP, UDP, FTP, PXE…) • ACPI

• PCI bus support • SCSI stack

• USB stack

• User management • Filesystem access • Secure boot, code

(13)

Implementation

• Intel Tiano / The Framework

• TianoCore (see http://www.tianocore.org) • InsydeH2O, InsydeDIY

• Phoenix SecureCore, TrustedCore, AwardCore Tiano

(14)

UEFI-BIOS relationship

• UEFI only (Non-x86 machines, Macs) • Optional UEFI on top of legacy BIOS

(15)

Current state of UEFI

• Pushed forward by all major players

• Standard on Itanium machines and Macs • Available on non-Mac PCs as option

• Supported by 64-bit Windows Vista SP1 • Supported by grub and elilo (EFI lilo)

(16)
(17)

UEFI boot process

• Security phase (SEC)

• Pre-EFI Initialization (PEI)

• Driver Execution Environment (DXE) • Boot device selection

• OS Boot loader / EFI application • ExitBootServices()

(18)

UEFI Pre-boot (DXE) Environment

• Uniprocessor

• Protected mode in 32/64-bit mode • Paging disabled, or identity-mapped • Only timer interrupt

(19)

UEFI boot manager

• Controlled by NVRAM variables: • Boot####, BootOrder, BootNext • Driver####, DriverOrder

• When UEFI Boot is enabled in BIOS, this has priority over legacy BIOS boot from MBR

(20)

UEFI Drivers

• Boot Drivers

unloaded on ExitBootServices() call • Runtime Driver

persists until shutdown, preserved and respected by OS

(21)

4. Advantages of UEFI for

anti/malware hypervisors

(22)

Loading

• Earliest possible without reflashing BIOS • Secure boot (code validation)

• Legal loading mechanism - no hacks needed

(23)

Stealth

• Untouched by OS

• No “missing” resources

• Novel technology omitted by current security products

(24)

Code complexity reduction

• Common routines available

• Transitional modes virtualization • Minimal code required for loading

(25)

Pre-boot features

• Limited disk access

– Data gathering

– Validation of system boot

• Full network access

– Data sending – Self-updating

(26)

5. Some practical

considerations

(27)

Adding NVRAM variable

• SetVariable() EFI runtime service • Undocumented APIs on Vista:

NtAddDriverEntry, NtSetDriverEntryOrder, NtQuerySystemEnvironmentValue, etc…

(28)

NtAddDriverEntry()

Prototype: NTSTATUS NtAddDriverEntry( EFI_DRIVER_ENTRY *DriverEntry, DWORD Id ); Returns:

STATUS_SUCCESS (zero) when okay, NTSTATUS error code upon failure

(29)

NtAddDriverEntry()

struct EFI_DRIVER_ENTRY {

DWORD Version; // must be 1

DWORD Length; // must be at least 20 DWORD Id; // at most 0xFFFF

DWORD FriendlyNameOffset; // from beginning of struc DWORD DriverFilePathOffset; // detto

BYTE data[1]; }

(30)

NtAddDriverEntry()

struct FILE_PATH {

DWORD Version; // must be 1 DWORD Length;

DWORD Type; BYTE path[1]; }

(31)

Real mode with VMX

• Intel VMX doesn’t yet (?) support real mode virtualization

• 64-bit Vista emulates real mode code - no problem

• UEFI still calls some real mode code, by switching back to real mode - problem

(32)

Enabling virtualization

• Virtualization may be disabled by BIOS • Once disabled, it can’t be re-enabled

programatically

• However, on some BIOSes we can

(33)

Alternative: PCI Option ROM

• UEFI (like legacy BIOS) automatically loads Option ROM code for every PCI device which has some

• No traces of loading left (no NVRAM modification needed)

• No extra file on disk

(34)

Links

• www.uefi.org

• www.tianocore.org

• Also see my articles “Introduction to UEFI”

and “UEFI programming: First steps” at

www.x86asm.net.

References

Download now ( PDF - 34 Page - 73.48 KB )

Related documents

Annual Report 2011/2012. Connectivity. Coordination of Care Cost Savings

Working collaboratively with local health integration networks, hospitals, doctors and clinicians, eHealth Ontario is systematically enabling health care providers to talk to

Electronic Structure of the Atom; the Periodic Table

Because the screening constant of these electrons is smaller than 100% and at the same time the nuclear charge increases with one for each electron added upon increasing the

FCPA. Private Equity. The REPORT. Government Focus on FCPA Violations in the Financial Services Industry

Third parties are a perennial source of FCPA risk across industries. In the financial services space, FCPA investigations have focused on sovereign wealth funds using

Learning landscapes in Europe: Historical perspectives on organised adult learning 1500-1914

This article is intended as a contribution to the relatively ill-developed historiography of the ‘social organisation of adult learning.’ It argues that the historical development

MASTER AGREEMENT BETWEEN BUCKLEY COMMUNITY SCHOOLS BOARD OF EDUCATION AND NORTHERN MICHIGAN EDUCATION ASSOCIATION, MEA/NEA

The Employer reserves all rights granted to school District Employers under the FMLA, such as but not limited to the right to require Employees to substitute paid leave for

TEACHERS AGREEMENT GLEN ELLYN SCHOOL DISTRICT 41 BOARD OF EDUCATION GLEN ELLYN EDUCATION ASSOCIATION

A teacher who qualifies for the retirement benefits set forth in Section 11.3(a) and (b) above and submits the notice of resignation and intent to retire after August 1 and before

Comparative proteomic analysis of horseweed (Conyza canadensis) biotypes identifies candidate proteins for glyphosate resistance.

There is an overlap between proteins differentially expressed in response to glyphosate (ATP synthase, fructose-bisphosphate aldolase, unknown protein) and pro- teins with

Modulation of the Biosynthesis of Phenylpropanoids and Hydrolyzable Tannin Derivatives in Fruits through Long-distance Stresses

The objective of this dissertation is to test the hypothesis that the production of phenolic secondary metabolites (such as phenylpropanoids and ellagic acid derivatives) in fruits