Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode

Julian Rauchberger, Robert Luh, Sebastian Schrittwieser

Abstract

The theoretical threat of malware inside the BIOS or UEFI of a computer has been known for almost a decade. It has been demonstrated multiple times that exploiting the System Management Mode (SMM), an operating mode implemented in the x86 architecture and executed with high privileges, is an extremely powerful method for implanting persistent malware on computer systems. However, previous BIOS/UEFI malware concepts described in the literature often focused on proof-of-concept implementations and did not have the goal of demonstrating the full range of threats stemming from SMM malware. In this paper, we present Longkit, a novel framework for BIOS/UEFI malware in the SMM. Longkit is universal in nature, meaning it is fully written in position-independent assembly and thus also runs on other BIOS/UEFI implementations with minimal modifications. The framework fully supports the 64-bit Intel architecture and is memory-layout aware, enabling targeted interaction with the operating system's kernel. With Longkit we are able to demonstrate the full potential of malicious code in the SMM and provide researchers of novel SMM malware detection strategies with an easily adaptable rootkit to help evaluate their methods.

References

  1. Appelbaum, J., Horchert, J., and St öcker, C. (2013). Shopping for spy gear: Catalog advertises nsa toolbox. (last access: 9.8.2016).
  2. Butterworth, J., Kallenberg, C., Kovah, X., and Herzog, A. (2013). Bios chronomancy: Fixing the static core root of trust for measurement. ACM Conference on Computer and Communications Security, Berlin, Germany.
  3. Domas, C. (2015). The memory sinkhole - unleashing an x86 design flaw allowing universal privilege escalation. BlackHat, Las Vegas, USA.
  4. Duflot, L., Etiemble, D., and Grumelard, O. (2006). Using cpu system management mode to circumvent operating system security functions. CanSecWest, Vancouver, Canada.
  5. Duflot, L., Levillain, O., Morin, B., and Grumelard, O. (2009). Getting into the smram: Smm reloaded. CanSecWest, Vancouver, Canada.
  6. Duflot, L., Levillain, O., Morin, B., and Grumelard, O. (2010). System management mode design and security issues. IT-DEFENSE, Brühl, Germany.
  7. Embleton, S. and Sparks, S. (2008). Smm rootkits. SecureComm, Istanbul, Turkey.
  8. Embleton, S., Sparks, S., and Zou, C. C. (2013). Smm rootkit: a new breed of os independent malware. Security and Communication Networks.
  9. Forristal, J. (2011). Hardware involved software attacks. CanSecWest, Vancouver, Canada.
  10. Intel (2013). Hardware-based security for intelligent retail devices. (last access: 9.8.2016).
  11. Intel (2016). Intel 64 and ia-32 architectures software developers manual.
  12. Kallenberg, C. and Kovah, X. (2015). How many million bioses would you like to infect. CanSecWest, Vancouver, Canada.
  13. Kallenberg, C., Kovah, X., Butterworth, J., and Cornwell, S. (2014). Extreme privilege escalation on windows 8/uefi systems. BlackHat, Las Vegas, USA.
  14. Kallenberg, C. and Wojtczuk, R. (2015). Speed racer: Exploiting an intel flash protection race condition. Bromium Labs.
  15. Luh, R., Marschalek, S., Kaiser, M., Janicke, H., and Schrittwieser, S. (2016). Semantics-aware detection of targeted attacks: a survey. Journal of Computer Virology and Hacking Techniques.
  16. Schiffman, J. and Kaplan, D. (2014). The smm rootkit revisited: Fun with usb. Availability, Reliability and Security (ARES), Fribourg, Switzerland.
  17. Wojtczuk, R. and Kallenberg, C. (2014). Attacking uefi boot script. 31st Chaos Communication Congress, Hamburg, Germany.
  18. Wojtczuk, R. and Rutkowska, J. (2009). Attacking smm memory via intel cpu cache poisoning. Invisible Things Lab.
Download


Paper Citation


in Harvard Style

Rauchberger J., Luh R. and Schrittwieser S. (2017). Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 346-353. DOI: 10.5220/0006165603460353


in Bibtex Style

@conference{icissp17,
author={Julian Rauchberger and Robert Luh and Sebastian Schrittwieser},
title={Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2017},
pages={346-353},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006165603460353},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode
SN - 978-989-758-209-7
AU - Rauchberger J.
AU - Luh R.
AU - Schrittwieser S.
PY - 2017
SP - 346
EP - 353
DO - 10.5220/0006165603460353