
Black Hat 2009: Invisible Things Lab Team Slides
Black Hat 2009, the well-known conference of information security experts, ends today in Las Vegas (USA). To mark the occasion, the slides from the Invisible Things Lab team (in English) have been made available.
Alexander Tereshkin and Rafal Wojtczuk gave two talks:
1. Introducing "Ring -3" Rootkits.
2. Attacking Intel BIOS.
Introducing "Ring -3" Rootkits
This presentation demonstrates research on how malware can use Intel AMT technology (part of the vPro brand) to covertly take control of a machine.
Intel AMT offers an attacker attractive properties: the AMT code runs on an independent processor located in the chipset (the vPro-compatible MCH); AMT memory is separated from host memory, with the isolation enforced by the chipset; the AMT code has a dedicated path to the network card that works independently of the host OS and its drivers; and finally, AMT stays active even when the computer is in sleep mode (S3).
The work shows how malware can bypass AMT's memory protection and, as a result, compromise the AMT code running on the chipset. It also discloses the techniques used to reverse engineer the AMT code; these were needed to build rootkits with access to host memory (the rootkit runs on the chipset, yet has full access to the host OS, for example Windows).
This study stresses the need for closer scrutiny of the security of key system components, including firmware and hardware.
Slides: invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf
Code: to be released soon
Attacking Intel BIOS
This presentation discusses and demonstrates how to reflash the Intel BIOS on desktop systems based on the latest Intel Q45 chipset.
The work targets the most secure vPro-compatible BIOSes, which accept only firmware updates carrying a digital signature from the vendor. It demonstrates how to bypass this check using an exploit built on complex heap overflows.
Carrying out the attack requires administrator rights and a single reboot. No specific action or consent from the user is needed, and neither is physical access to the machine.
The attack underlines the importance of additional mechanisms for trusted boot (e.g. TPM), as well as the importance of closer scrutiny of core system software and firmware.
Slides: invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf
Code: to be released soon