The Apple of Your EFI: Mac Firmware Security Research

Rich Smith and Pepijn Bruienne, Duo Labs, Septem

We are really excited to give a talk at Ekoparty in Buenos Aires on September 29th, 2017 covering some recent research we have done on the security support being given to Apple’s EFI firmware. To accompany the conference talk, we are also releasing a technical paper that goes into greater detail covering the data we collected during our analysis. In addition to the paper, we’re also pleased to be able to release some of the tooling and APIs we have developed during this work, with the aim of helping Apple Mac users and admins get better visibility into the state of the EFI their Mac systems are running and any potential problems there may be. This blog post summarizes some of the main areas of the research and the interesting things we found during our analysis, and acts as an accessible introduction to the technical paper, which can be downloaded from the link below.

Over the last few months, Duo Labs has been working on a project researching the difference in security support provided by vendors to the firmware in their systems as compared to the software. The term firmware covers a wide range of things in a modern system, so for the sake of this study we focused on the security support given to EFI firmware. EFI is the pre-boot environment that has, by and large, replaced the legacy BIOS environment that had been common since the mid to late 1970s. Some further information comparing and contrasting certain aspects of BIOS and EFI can be found here.

What’s This EFI Thing and Why Should I Care?

In a modern system, the EFI environment holds particular fascination for security researchers and attackers due to the level of privilege it affords if compromise is successful. EFI is often talked about as operating at privilege level ring -2 (a great quick explanation of protection rings below 0 is here), which indicates it is operating at a lower level than both the OS (ring 0) and hypervisors (ring -1). In a nutshell, this means that attacking at the EFI layer lets you exert control of a system at a level that allows you to circumvent security controls put in place at higher levels, including the security mechanisms of the OS and applications. In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI), and it makes the adversary very difficult to remove: installing a new OS or even replacing the hard disk entirely is not enough to dislodge them. Recent leaks of attack tooling under the moniker Vault 7 reignited some interest in the space of EFI boot/rootkits, as there was one dubbed SonicScrewdriver that made use of vulnerabilities that had been discussed publicly at security conferences in years past. If you’re interested in reading more about EFI attacks and vulnerabilities that have been previously discovered, there are links for further reading at the end of this post.