
Kazuki Matsuo_You've Already Been Hacked: What if There Is a Backdoor in Your UEFI OROM?.pdf

Uploaded by: 张** ID: 175537 2024-09-13 48 pages 2.88MB

#BHUSA @BlackHatEvents

You've Already Been Hacked: What if There Is a Backdoor in Your UEFI OROM?
Kazuki Matsuo (InfPCTechStack)
2024/8/8, South Seas CD, Level 3

Whoami - Kazuki Matsuo (InfPCTechStack)
Title: Security Researcher
Affiliation: FFRI Security, Inc & Waseda University (this study was done during my master's degree)
Interests: UEFI (Negative Rings), Trusted Computing, Windows Kernel

Contributors
Yuki Mogi - Security Researcher, FFRI Security, Inc. Recently interested in security observability. Active in MWS, an academic cybersecurity community in Japan.
Koh M. Nakagawa (tsunek0h) - Security Researcher, FFRI Security, Inc. Vulnerability research on macOS/iOS. Black Hat EU 2020 / Asia 2023, CODE BLUE (2021, 2023).
Tatsuya Mori (valdzone) - Professor, Waseda University. Autonomous vehicle security. https:/seclab.jp

UEFI BIOS
BIOS: System firmware that initializes hardware and boots the OS.
UEFI: Standard for BIOS; defines the boot phases shown in the right figure.
DXE: The phase where most devices are abstracted by multiple DXE modules/drivers.
UEFI Protocol: Interface for accessing a device, produced in the DXE phase (e.g. HttpProtocol, SimpleFileSystemProtocol).
Runtime DXE modules: Some DXE modules persist in memory during runtime (most DXE modules are unloaded before OS boot).

OROM (aka Option ROM, PCI Expansion ROM, XROM)
Contains DXE drivers that initialize the device.
Present in both external and internal devices; often present in network cards, storage devices, graphics cards, and adapters.
DXE drivers in an OROM get loaded at the PCI enumeration phase (pretty early in DXE).
Legacy BIOS OROM and UEFI OROM are different. This talk is about UEFI OROM.

This Talk is about I

This paper describes in detail a malware attack technique based on the UEFI OROM (Option ROM), which is highly stealthy and broad in its impact. The article points out that the UEFI OROM is a good place to plant a backdoor: it can infect UEFI directly and gives direct access to both user space and kernel space. The authors also implemented a full-layer UEFI + kernel + userland malware and propose corresponding defenses, such as enabling Secure Boot to protect the UEFI OROM, fixing Secure Boot bypass vulnerabilities, and extracting and inspecting the OROM to counter supply-chain attacks. The article closes with contact information, including a Twitter account and an e-mail address, and a link to the toolchain used to build OROM images.