EXTREME PRIVILEGE ESCALATION ON WINDOWS 8/UEFI SYSTEMS

Black Hat USA 2014

Presented by: Sam Cornwell, Corey Kallenberg, Xeno Kovah
Date: Thursday August 07, 2014
Time: 10:15 - 11:15
Location: Mandalay Bay D

The UEFI specification has bound the operating system more tightly to the platform firmware by providing a well-defined "runtime services" interface between the two.

This interface is more expansive than the one that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow a userland process to access this UEFI interface. Vulnerabilities in this interface can potentially allow a userland process to escalate its privileges from "ring 3" all the way up to that of the platform firmware, which includes permanently attaining control of the very powerful System Management Mode (SMM).

This talk will disclose two such vulnerabilities discovered in the Intel-provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them.

Corey Kallenberg

Corey Kallenberg is a Security Researcher for The MITRE Corporation who has spent several years investigating operating system and firmware security on Intel computers. In 2012, he co-authored work presented at DEF CON and IEEE S&P on using timing based attestation to detect Windows kernel hooks. In 2013, he helped discover critical problems with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement" and co-presented this work at NoSuchCon and Black Hat USA. Later, he discovered several vulnerabilities which allowed bypassing of "signed BIOS enforcement" on a number of systems, allowing an attacker to make malicious modifications to the platform firmware. These attacks were presented at EkoParty, HITB, and PacSec. Recently, Corey has presented attacks against the UEFI "Secure Boot" feature. Corey is currently continuing to research the security of UEFI and the Intel architecture.

Xeno Kovah

Xeno is a Lead InfoSec Engineer at The MITRE Corporation, a non-profit company that runs six federally funded research and development centers (FFRDCs) as well as manages CVE. He is the team lead for the BIOS Analysis for Detection of Advanced System Subversion project. On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification and timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker.

Sam Cornwell

Sam Cornwell is a Senior InfoSec Engineer at The MITRE Corporation, a not-for-profit company that runs six federally funded research and development centers (FFRDCs) as well as manages CVE. Since 2011, he has been working on projects such as Checkmate (a kernel and userspace memory integrity verification and timing-based attestation tool), Copernicus (a BIOS extractor and configuration checker), and several other private security sensors designed to combat sophisticated threats. He has also researched and developed attacks against UEFI SecureBoot.
