Slashdot Mirror


Researchers Demo Exploits Bypassing UEFI Secure Boot

itwbennett writes "Researchers demonstrated at Black Hat this week two attacks that bypassed Secure Boot in order to install a UEFI bootkit — boot rootkit — on affected computers. The first exploit works because certain vendors do not properly protect their firmware, allowing an attacker to modify the code responsible for enforcing Secure Boot, said researcher Yuriy Bulygin, who works at McAfee. The second exploit demonstrated by the researchers can run in user mode, which means that an attacker would only need to gain code execution rights on the system by exploiting a vulnerability in a regular application like Java, Adobe Flash, Microsoft Office or others. In both cases, the exploits are possible not because of vulnerabilities in Secure Boot itself, but because of UEFI implementation errors made by platform vendors." Of course, a hardware security system that is too complex to verify seems like a fatal flaw.

14 of 100 comments

  1. Hence why UEFI should be dismissed by Nikademus · · Score: 4, Informative

    Hence why UEFI should be dismissed. If it's useless, just don't implement it, it's cheaper...

    --
    I gave up with the idea of a useful sig...
    1. Re:Hence why UEFI should be dismissed by Joining+Yet+Again · · Score: 3, Insightful

      That's like saying metal should be dismissed because one application is the building of nuclear bombs.

      UEFI's just a more modular/uniform sort of BIOS. Even the old 16-bit BIOSes could have had anti-competitive restrictions bolted on, but it wouldn't have been as easy to sell.

    2. Re:Hence why UEFI should be dismissed by v.dog · · Score: 3, Insightful

      Also, we should just get rid of the ignition keys for cars, since some of them can be hot wired. On an unrelated note, whereabouts is your car?

      --
      Don't Panic.
    3. Re:Hence why UEFI should be dismissed by thsths · · Score: 2

      > UEFI's just a more modular/uniform sort of BIOS.

      I don't know. The BIOS usually seems to work, whereas UEFI usually has so many bugs (in my experience) that it is hard to get to work. So if you find bugs without looking for them, that would indicate that you can find even more if you are looking for them, most likely with security implications.

      Some people say that UEFI is too complex - and the evidence seems to support that notion. All a boot loader has to do is to load a binary from disk into RAM and execute it. BIOS got that right - but unfortunately the boot sector of 512 bytes is way too small for modern software. Let the boot loader say how long it is, and load everything into RAM. Any decent kernel can deal with the rest, using hardware discovery etc.

  2. TPM is all you need. by boorack · · Score: 5, Informative

    UEFI was never intended to improve security. Along with Microsoft's extensions it was designed as a lock-in tool. Too bad we had to wait until it pops up everywhere just to realize it.

    1. Re:TPM is all you need. by Vanderhoth · · Score: 5, Interesting

      I don't know who this "we" you're talking about is. Every comment section for every article on UEFI and secure boot that was posted on /. was filled with commenters saying it was useless, would be bypassed within a year and was how MS was going to use it to lock average people into Windows. Followed by reams of MS shills saying it was only mandatory on ARM devices and it can be turned off on anything else. Followed by more posts of "Until MS requires it and it can't be turned off".

      So far to me it looks like things are playing out exactly as /. predicted. Looks like the next step will be for MS to just require it on everything, even though it doesn't work.

    2. Re:TPM is all you need. by blueg3 · · Score: 2

      I won't speak for Microsoft's intentions, but UEFI Secure Boot is a derivative of trusted-computing designs that are actually designed and intended to improve security. (And for what it's worth, Microsoft Research is actually quite serious about security.)

    3. Re:TPM is all you need. by Alsee · · Score: 2

      > UEFI was never intended to improve security. Along with Microsoft's extensions it was designed as a lock-in tool.

      > Reality check. ...Secure Boot wouldn't be a problem for the geek if OEM Linux had a significant share of the x86 desktop.

      It looks like your post was intended to show the prior commenter was "not in touch with reality", however what you actually did was confirm that he was right. Your conclusion states "Secure Boot wouldn't be a problem ...if...", which pretty explicitly states that Secure Boot is a problem. Your conclusion is actually confirming that lock in problem of Secure Boot, regardless of what anyone claims the intent was, and regardless of any arguments over whether the system is otherwise noble or malicious.

      And yeah, TrustedComputing&Secureboot are a truckload of extremely malignant problems even if Linux were a majority share of desktops.

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  3. Bad implementations of security are vulnerable by msobkow · · Score: 2

    Film at 11.

    --
    I do not fail; I succeed at finding out what does not work.
  4. Re:I can't install Linux on a UEFI machine? by bill_mcgonigle · · Score: 2

    > Does this mean I can't install Linux or Windows 7 on a UEFI Secure Boot machine? (Newbie here)

    It depends. You usually can, in a BIOS-compatibility mode, which most offer. But those can be buggy and/or incompatible. I have a server that can't go over 2GB of RAM in the Xen Dom0 because of lack of support for the UEFI memory space, which is beyond the BIOS compatibility region apparently.

    Some of the distros have gone hat-in-hand to Microsoft to get their own keys to avoid such issues. That work is leading to verifiable boots, which is a good thing, and Microsoft's spec is supposed to allow people to install their own keys, but I've read that some UEFI implementations don't do that right (more coding mistakes, I'd assume).

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. Re:I favor UEFI by Billly+Gates · · Score: 2

    Just not how it is implemented with MS as the gatekeeper with the private key.

    I hate the BIOS. It is 30 years old, archaic, has weird instructions such as do not use more than 1 meg of ram, and many hacks and patches to get around the original 30 year old hacks like the 1 meg limit, etc. ACPI for a fucking decade never quite worked! Linux got blamed because companies like Dell did things a little differently with their ACPI so when the computer went to sleep sound would not work when it came up etc.

    Remember the SOYO boards 10 years ago which you had to disable power management before they even booted? What about the 10 year old Dell machines which put everything in IRQ 11? Want to upgrade your video card? Nope conflicts and BSOD. Of course slashdotters blamed XP, but investigation showed the IRQ conflicts were caused by crappy ACPI.

    The list goes on and on.

    EFI was supposed to fix this and use firmware like everything else modern. I like the secure boot idea and wish you could change the keys so you can sign any OS with a C.A.? Just put in a jumper or a master password. I like the idea of TPM for encryption as well. UEFI was supposed to replace the archaic ancient BIOS. Not supplement it and have MS be the gatekeeper.

    To me perhaps a new UEFI where these issues are addressed and Intel could perhaps provide a Windows 7 driver too as many of us and corps who need Windows God forbid won't touch Windows 8 or anything else and would like these features.

    Linux as a result would be less buggy if everyone played by the same standards.

  6. Switching to competitor requires a competitor by tepples · · Score: 2, Insightful

    Good luck finding new "machines which cannot run the Secure Boot feature" at an affordable price once virtually every name-brand home PC not made by Apple ships with Secure Boot turned on in Windows-only mode. The last time GNU/Linux had a reasonable chance to ship on home PCs was netbooks, and Microsoft quickly killed that by offering deeply discounted Windows XP licenses for ULCPCs.

  7. Required in Windows 8; forbidden in Windows RT by tepples · · Score: 4, Interesting

    > A method of disabling Secure Boot is required by the spec and by Microsoft.

    In Windows 8 (x86 and x86-64), it is required. In Windows RT, it is forbidden. And other comments to this topic speculate that Microsoft is likely to license Windows 10 like Windows RT in this respect.

  8. UEFI will hinder my testing of embedded by michaelmalak · · Score: 2

    In my blog, I describe my use of BootIt Bare Metal to rapidly test installs of "semi-embedded" software I write that involve wrapping third-party installs of drivers as sub-installs. This will work only as long as BIOS's and Microsoft continue to support "legacy mode". I'm just hoping that the scientific & embedded world finishes moving to Linux before "legacy mode" disappears.