
BootJacker : Compromising Computers using Forced Restarts



  1. BootJacker: Compromising Computers using Forced Restarts
  Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, Roy H. Campbell
  Department of Computer Science, University of Illinois at Urbana-Champaign
  Presentation by Tristan Gibeau

  2. Outline
  • Overview of Direct Access Security
  • A Little History of Computer Components
  • Approach of BootJacker
  • The Process
  • Effectiveness on a Linux System
  • How to Counteract
  • Related Work
  • Conclusion

  3. Direct Access Security
  • What prevents access by an attacker?
  • Screen saver / lock screen password protection
  • Password-protected login screens
  • Encrypted file systems
  • Virtual Private Network connections
  • Encrypted websites (SSL)

  4. The Workings…
  • How exactly do these software measures work?
  • Passwords or keys are entered by the user at login or when resuming system state
  • A Trusted Platform Module (TPM) supplies the operating system with the key
  • Where do they go?
  • After successful verification they are stored in the computer's volatile memory, i.e. Random Access Memory (RAM)
  • Is that safe?

  5. Computer Components
  • Computers are made up of many different parts, but let's focus on one specific one: RAM
  • Random Access Memory – this is where the computer's programs, processes, and other temporary information are stored
  • Continuous power is needed to ensure the contents are not corrupted or erased
  • How long does the data stay active?
  • In most cases the data survives restarts or brief power outages
  • With the use of liquid nitrogen, memory contents can be preserved for up to a week!

  6. Oh Rebooting Woes…
  • So how much data is actually intact after a reboot?
  • Most computer systems will overwrite sections of memory at boot-up
  • Those sections contain caching information for peripherals, I/O mappings, and other motherboard-related operations

  7. Unleash the BootJacker
  • A few things to know about BootJacker
  • BootJacker is a proof of concept
  • It will not work on Error Correcting Code (ECC) memory
  • Requires direct or physical access to the computer
  • It is operating-system dependent (Linux kernel 2.6)

  8. The Approach
  • How does it work?
  • BootJacker exploits the fact that volatile memory is not completely erased by a forced restart
  • Using the pieces left over, BootJacker then resuscitates the computer back to the live user session
  • This gives the attacker full admin rights on the victim computer, bypassing the security of the machine
  • It also gives access to any open channels the user may have had open at the time of the forced restart

  9. How does it really work…
  • BootJacker operates like a small bootstrap environment; at boot-up it begins to resuscitate the computer's core systems
  • Core systems include both hardware and software
  • Using whatever information is still present in volatile memory
  • BootJacker is able to revive the machine in the state it was in before the forced restart

  10. This is done with a little help… MALWARE!
  • Terminator
  • Attacks security and logging software
  • Antivirus, intrusion detection tools, system logger daemons
  • Allows the attacker to load tools
  • RootShell – superuser shell spawned by BootJacker
  • Gives root access to the attacker
  • Allows the attacker to implement whatever attack he or she wishes

  11. Resuscitation: IT'S ALIVE!!!!!
  • Hardware
  • Interrupt Controller
  • All interrupts are re-enabled
  • Interrupts range from the system timer to the keyboard
  • System Timer
  • The timer needs to be exactly the same
  • Otherwise this will prevent the system from resuscitating properly
  • Keyboard & Mouse
  • Hot-swappable
  • BootJacker sends a command to re-initialize them

  12. Hardware Resuscitation…
  • Display Monitor
  • Uses standard VGA or VESA video modes
  • Basic text mode to ensure compatibility
  • After successful resuscitation, the attacker can re-enable the graphics console
  • Disk
  • Relies on Linux's error recovery routines
  • Linux sends a re-initialization command to the drives
  • BootJacker responds after initialization is completed

  13. Coprocessor Unit
  • BootJacker has to reset and re-initialize it
  • The coprocessor is disabled at system restart
  • Network
  • BootJacker utilizes the APIs of Linux to re-initialize the network adapter
  • Since the system restart only takes up to a minute, connections don't usually time out

  14. Software Resuscitation
  • Page Tables
  • BootJacker needs to discover where the page tables are located
  • If not, system resuscitation will fail
  • Alt-SysRq-B
  • Reboot method used to enable resuming of software processes
  • This helps ensure that the stack does not become corrupt
  • Allows proper process/context reconstruction to occur
  • Instructions are properly reloaded through a callback triggered by the instruction fetch fault

  15. Software Interrupts
  • Schedule
  • Processes running before the restart were on a schedule
  • The scheduler attempts to run during resuscitation
  • These are pushed onto a stack for the future
  • Using the existing Linux API
  • Interrupts are successfully re-enabled for all processes
  • Scheduling is resumed

  16. The Process
  • How does an attacker implement this?
  • The attacker needs to have direct access to the computer
  • Stealing the computer
  • Unauthorized access to the computer
  • Removal of memory components
  • Removing the hard drive & volatile memory
  • A forced restart is initiated
  • Pressing the restart button on the computer system
  • Use of hot-key restarts (Alt-SysRq-B)

  17. The Process Continued
  • BootJacker is connected to the computer
  • Bootable device
  • DVD / CD
  • USB flash/hard drive
  • Network boot
  • BootJacker boots instead of the host system

  18. Process…
  • BootJacker successfully revives the host operating system
  • The attacker can now compromise the system with malware payloads
  • If needed, the system can then be returned to the unsuspecting owner
  • A few hiccups…
  • If the drive is inserted before the forced restart
  • It could cause intrusion detection software to detect the insertion

  19. A Few Side Notes
  • Alternate booting
  • The attacker may need to configure the BIOS to boot from removable media
  • Most BIOSes will boot from CD
  • Most will not boot from USB
  • Operating system attack
  • BootJacker will need to be recompiled for different kernels
  • Timing
  • The quicker you are, the better chance you have
  • Memory is volatile; its contents could be refreshed over time (BIOS dependent)

  20. Effectiveness
  • Test System Hardware
  • IBM IntelliStation M Pro
  • 2 GHz Intel Pentium 4
  • 512 MB of RAM
  • IDE disk drive
  • Intel Pro/100 network card
  • This configuration is optimal for hardware resuscitation
  • Operating System
  • Linux 2.6 kernel (x86 – 32-bit)

  21. Time to Test…
  • Test tasks performed
  • gcc: compilation of the C source file containing the H.264/MPEG-4 AVC video compression codec in the MPlayer [37] media program
  • gzip: file compression using the deflate compression algorithm
  • wget: file download
  • convert: JPEG image encoding
  • aespipe: AES file encryption
  • In the middle of each test the computer was force-restarted
  • The tasks were successfully completed after resuscitation

  22. Security Test Applications
  • SSH
  • Secure shell connection between two computers
  • SSL
  • Web browser session to a secure web server
  • PPTP
  • Secure connection to a secure network
  • University or business
  • dm-crypt & Loop-AES
  • Encrypted file systems

  23. Results
  • SSH & SSL
  • Both keep their session state in user space
  • After successful resuscitation
  • The attacker was able to access the secured SSH sessions
  • The attacker was also able to view secured websites
  • Email
  • Online banks
  • VPN
  • During the BootJacker process
  • VPN connections stay intact

  24. Results…
  • Linux file encryption
  • After successful exploitation
  • Full access to the encrypted drives remained
  • dm-crypt
  • Loop-AES

  25. Time
  • So how long does this take to do…
  • Less than 60 seconds!
  • In most cases it took less than 30 seconds
  • In most test runs, most of the time was consumed by the BIOS boot process

  26. How to Counteract BootJacker
  • System reconfiguration
  • Prevent the system from alternate booting
  • Password-protect the BIOS
  • Use ECC memory
  • Require memory tests at each boot
  • Clears out memory
  • Operating system reconfiguration
  • Prevent secrets/keys from being stored in volatile memory
  • Drop secure connections when screen saver / lock screen events occur
  • Encrypt memory & stop computations until the user has authenticated
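The "drop secure connections when lock screen events occur" countermeasure above, as an added shell example that is not part of the slides or the BootJacker paper: it watches the ScreenSaver ActiveChanged signal on the session bus and, on lock, flushes ssh-agent identities and ends the user's SSH client sessions, so that a forced restart after the lock finds no live secure session to revive. It assumes a desktop that emits org.freedesktop.ScreenSaver.ActiveChanged and an ssh-agent in the session; the dbus-monitor lines in sample_monitor_output are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the BootJacker slides or paper: on screen lock, tear
# down secure sessions so a forced restart after the lock finds nothing to revive.
# Assumes a freedesktop-compatible screensaver and an ssh-agent in this session.

# classify_signal: reads dbus-monitor output on stdin and prints LOCK or UNLOCK
# per ActiveChanged signal. dbus-monitor prints the signal header on one line
# and the boolean argument on the next, so the header arms a flag that the
# following line consumes; any other line disarms it.
classify_signal() {
    awk '
        /member=ActiveChanged/     { pending = 1; next }
        pending && /boolean true/  { print "LOCK";   pending = 0; next }
        pending && /boolean false/ { print "UNLOCK"; pending = 0; next }
        { pending = 0 }
    '
}

# on_lock: defensive actions, each best-effort so one failure does not stop
# the others. VPN or encrypted-volume teardown can be added here.
on_lock() {
    ssh-add -D >/dev/null 2>&1 || echo "warn: could not flush ssh-agent keys" >&2
    pkill -u "$(id -un)" -x ssh 2>/dev/null || true  # end ssh client sessions
}

# watch_lock_events: stream ActiveChanged signals from the session bus into on_lock.
watch_lock_events() {
    dbus-monitor --session \
        "type='signal',interface='org.freedesktop.ScreenSaver',member='ActiveChanged'" \
      | classify_signal \
      | while read -r event; do
            [ "$event" = LOCK ] && on_lock
        done
}

# sample_monitor_output: constructed dbus-monitor lines (a lock, an unrelated
# method call, then an unlock) for exercising classify_signal offline.
sample_monitor_output() {
    printf '%s\n' \
      "signal time=1.0 sender=:1.5 -> destination=(null destination) serial=7 path=/org/freedesktop/ScreenSaver; interface=org.freedesktop.ScreenSaver; member=ActiveChanged" \
      "   boolean true" \
      "method call time=2.0 sender=:1.9 -> destination=org.freedesktop.ScreenSaver serial=8 path=/org/freedesktop/ScreenSaver; interface=org.freedesktop.ScreenSaver; member=GetActive" \
      "signal time=3.0 sender=:1.5 -> destination=(null destination) serial=9 path=/org/freedesktop/ScreenSaver; interface=org.freedesktop.ScreenSaver; member=ActiveChanged" \
      "   boolean false"
}

# Start watching only when invoked with --run, so the functions can be sourced
# and tested without a live session bus.
if [ "${1:-}" = "--run" ]; then
    watch_lock_events
fi
```

Run it as a user-session service with `--run`; `sample_monitor_output | classify_signal` shows the LOCK/UNLOCK classification without a session bus.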

  27. Related Work
  • FireWire Protocol Attack
  • Accesses physical memory through the FireWire port
  • Allows access to keys and other secret data stored in volatile memory
  • Cold Boot Attacks
  • Access memory to view keys and other secret information stored in volatile memory
  • Uses a memory tool that analyzes the contents of volatile memory for specific secured data

  28. Vbootkit & eEye BootRoot
  • Install code that is executed on the next boot cycle
  • Place malware on the system to monitor secrets
  • Do not attempt to recover information from memory or revive the system

  29. Conclusion
  • Pros
  • Easily achieve access to the system
  • No need for knowledge about the user
  • Bypass security mechanisms within the system
  • Intrusion detection, antivirus, loggers
  • Have access to current secure sessions
  • VPN, SSH, SSL, file encryption
  • Complete processes being executed before the forced restart
  • gcc, gzip, wget, convert, aespipe
  • Achieve root access to the system
  • Terminator, RootShell

  30. Conclusion…
  • Pros continued
  • Mass distribution
  • Since most corporations and companies use the same software & hardware setup
  • One compiled version can be used on a wide range of machines
  • Practical use
  • Forensics
  • Recovery of data

  31. Conclusion…
  • Cons
  • Not a very diverse attack
  • Needs to be recompiled based on:
  • System hardware
  • Operating system kernel
  • Not effective against ECC
  • Newer computers implement ECC memory
  • Limited to older systems
  • No support for multi-core
  • New systems built today are adopting multi-core
  • Physical interaction needed
  • Direct access to the computer is required

  32. References
  • J. Mäkinen. Automated OS X Macintosh password retrieval via firewire. http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrievalvia-firewire, 2008.
  • Trusted Computing Group. Trusted Platform Module version 1.2. http://www.trustedcomputinggroup.org/specs/TPM/.
  • WiebeTech. HotPlug: Transport a live computer without shutting it down. http://www.wiebetech.com/products/HotPlug.php, 2008.
  • R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, first edition, January 2001.
  • A. Boileau. Hit By A Bus: Physical Access Attacks with Firewire. In RUXCON, Sydney, Australia, September 2006.
  • Wikipedia
  • W. Link and H. May. Eigenschaften von MOS-Ein-Transistorspeicherzellen bei tiefen Temperaturen. In Archiv für Elektronik und Übertragungstechnik, volume 33, pages 229–235, June 1979.
