Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

Can Your BIOS Be Flashed By Malware?

Alan: Can any vector currently re-flash the BIOS?

Joanna: No! There has been lots of confusion about it in the recent months. Some people thought that SMM attacks allow automatically to re-flash the BIOS. This is not true. Also, there was a bit unfortunate presentation at CanSecWest earlier this year by two researchers from Core, who presented on "Persistent BIOS Infection." I saw their slides and they made it look like if they found a generic way of re-flashing any BIOS and that there is hardly any way to protect against their attacks. Nothing could have been further from the truth, in fact.

First, they chose to attack two low-end, dated BIOSes: an Award BIOS and also VMWare's BIOS (that itself doesn't even count, as it's not a real BIOS). Those two BIOSes didn't require firmware updates to be digitally signed by the vendors. So, no big deal that it was possible to inject some malicious code there. On the other hand, most of the currently used BIOSes (Intel or Phoenix BIOSes) allow only signed firmware updates to be re-flashed. This mechanism has been used for years, and it has nothing to do with TPM or any of the Trusted Computing technologies.

This situation is especially not very comfortable for us, because next month at Black Hat, Rafal and Alex will be presenting on the real attacks on BIOS re-flashing, that would involve getting around Intel BIOS re-flash protection. So, Rafal and Alex will show how to re-flash a secure Intel BIOS, despite the fact that it normally only allows signed updates. This is going to be a really hardcore talk, and the actual exploit is really a masterpiece. I doubt, however, that malware would start using any similar attacks--they are just too complex and too much BIOS-specific. Yet, from the research point of view, the attack is extremely valuable with potential impact being more then just persistent BIOS infections. More on this next month, though.

Alan: I’m looking forward to that! So what's this talk about Ring -3 attacks now?

Joanna: This is going to be the second talk presented next month at Black Hat by Alex and Rafal. It's going to be something totally new, again very hardcore, but potentially offering even more power then SMM rootkits. How can something offer more privileges than SMM, when that already offers all of them? Unfortunately, I cannot say anything more right now. Let me just point out that we have been in touch with Intel for quite some time about the issues we exploit in both of the talks, and that Intel is targeting patch releases to be available a few weeks before the conference.

Alan: So what can you tell us about HyperCore?

Joanna: HyperCore is a thin hypervisor for laptop computers developed by Phoenix Technologies. We have been hired by Phoenix to do research on various technologies that could potentially be used to secure the hypervisor. As it is customary in the industry, I'm not at liberty to publicly discuss much about this research, and whether or how much of it has actually been used in the actual product.

Alan: So far, most of your research involves getting closer and closer to the CPU. What about the other approach, getting closer to the user. If you can take over the GPU memory, couldn't you spoof a password prompt and get the user to volunteer their admin password? Or how about taking over the USB controller and logging keystrokes?

Joanna: Oh, and you think that getting closer to the CPU means farther from the user? Really? It is the CPU that is the central part of the system. Everything that user does, all of his or her programs data, are eventually processed by the CPU. It's the closest element to the user one can imagine. It's where all the data are eventually being decrypted, and where all the actions are eventually being executed.

Alan: I’m a 3D graphics guy, a GPGPU guy, and my hobbies are photography and cinematography. Of course I think the GPU is closer to the user than the CPU! At the end of the day, it all comes back to your senses. What you can’t see can’t hurt you. You know how you sometimes find old food stashed somewhere in the back of the fridge that has gone bad? In the time that you had forgotten it and before you saw it, smelled it, tasted it, felt it, or heard it, you wouldn’t know anything or even care. It’s like Schrödinger’s Cat, but with food.

Joanna: As for your suggestion about taking over GPU memory--I think this would not be a very practical attack for malware. Even the traditional passwords are being entered in the "asterisked" form, so GPU would have troubles seeing what's under the asterisk! 

  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer security is very important though I find it's fairly easy in most regards as attacks, bots, spammers, etc overwhelmingly (though not always) use the same approach methods so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • truehighroller
    I think she has very nice fat looking lips. xD
  • johnbilicki
    truehighrollerI think she has very nice fat looking lips. xD
    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more then girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating by most women they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go else where.
  • Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just have to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice
  • Humans think
    I also use Macs myself (also windows systems and linux ones), but I had to say it: Alan Dang you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
  • thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
  • haplo602
    read the interview because I was curios about the girl on the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do ? you have to implement a mini OS by yorself into the hypervisor to do anything usefull (i.e. data collection), you need to read the FS, interrupt the network etc. the only usefull thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the usefull data is still on the same level as the AV protection (user space).
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each others commments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
  • A interesting and informative article but there is a lot of self praise and back slapping, seems that these folks are not the geniuses they make them selves out to be: