Rootkit Detection Framework for UEFI
Black Hat 2013 Presentation
Title: Press ROOT to Continue: Detecting OSX and Windows bootkits with RDFU
Presenters: Mario Vuksan & Tomislav Pericin
Date: Thursday, August 1st @ 2:15pm (14:15pm)
Location: Palace 1
UEFI has recently become a very public target for rootkits and malware. Last year at Black Hat 2012, Snare’s insightful talk highlighted the real and very significant potential for developing UEFI rootkits that are very difficult, if not impossible, to detect and/or eradicate. Since then, a couple of practical bootkits have appeared.
To combat this new threat, we developed a Rootkit Detection Framework for UEFI (“RDFU”) that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations. We will demonstrate a sample bootkit for Apple Mac OSX that was designed specifically for testing purposes. As a UEFI driver, it infects the Mac OSX kernel utilizing a UEFI “rootkit” technique. The entire infection process executes in memory (by the UEFI driver itself). Therefore, the bootkit does not need to install any OSX kernel extension modules. The bootkit demonstrates the following functionality:
- Sniffing FileVault passwords (sniffing keys while booting)
- Privilege escalation (to root)
- Hiding PIDs, files and directories with selected pattern
Rootkit Detection Framework for UEFI was developed under DARPA CFT. Following this talk, we will publicly release the RDFU open source code along with whitepapers that outline a possible use case for this technology.