UEFI security has been gaining significant attention, especially in the context of national security and cloud security, because firmware-level malware is highly stealthy and runs with strong privileges. However, existing UEFI malware has only scratched the surface of what the BIOS can do: all of it eventually carries out its malicious behavior in userland or in the kernel, so it remains subject to OS-level security after all. There is some research on SMM backdoors implemented purely in the BIOS, but these implementations tend to be device dependent, resulting in low-versatility backdoors that work only on a specific PC. Moreover, with the current trend toward SMM deprivileging, they will no longer be able to function.

We propose the concept of "pure-BIOS malware", which operates completely independently of OS-level security and performs its malicious behavior at runtime without device dependence. We then introduce Shade BIOS, which makes this possible. Shade BIOS operates like an attacker-exclusive OS by keeping the BIOS environment, which would normally lose its functionality once the OS boots (boot services are torn down when the OS loader calls ExitBootServices), running in the shadow of the OS at runtime. In this talk, we dive into the technical details of Shade BIOS. Considering the latest trends in BIOS security, such as SMM deprivileging, we also take a broad perspective on the BIOS and examine the optimal entity for hosting pure-BIOS malware. As a starting point for detecting pure-BIOS malware, we will also demonstrate a practical method for detecting Shade BIOS.

By: Kazuki Matsuo | Security Researcher, FFRI Security, Inc.

Presentation Materials Available at: https://ift.tt/nQ9qDMb
source https://www.youtube.com/watch?v=t17YEHymwE4