The Apple of Your EFI: Mac Firmware Security Research

Postby MrFredPFL » Fri Sep 29, 2017 6:32 pm

Story :

Over the last few months, Duo Labs has been working on a project researching the difference in security support provided by vendors to the firmware in their systems as compared to the software. The term firmware covers a wide range of things in a modern system, so for the sake of this study, we focused on looking at the security support given to EFI firmware. EFI is the pre-boot environment that has, by and large, replaced the legacy BIOS environment that had been common since the mid to late 1970s. Some further information comparing and contrasting certain aspects of BIOS and EFI can be found here.

In a modern system, the EFI environment holds particular fascination for security researchers and attackers due to the level of privilege it affords if compromise is successful. EFI is often talked about as operating at privilege level ring -2 (a great quick explanation of protection rings below 0 is here), which indicates it is operating at a lower level than both the OS (ring 0) and hypervisors (ring -1). In a nutshell, this means that attacking at the EFI layer means that you exert control of a system at a level that allows you to circumvent security controls put in place at higher levels, including the security mechanisms of the OS and applications.

In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove - installing a new OS or even replacing the hard disk entirely is not enough to dislodge them. Recent leaks of attack tooling under the moniker Vault 7 reignited some interest in the space of EFI boot/rootkits as there was one dubbed SonicScrewdriver that made use of vulnerabilities that had been discussed publicly at security conferences in years past. If you’re interested in reading more about EFI attacks and vulnerabilities that have been previously discovered, then there are links for further reading at the end of this post.

Our research focused on the Apple Mac ecosystem as Apple is in a somewhat unique position of controlling the full stack from hardware, through firmware, OS, and all the way up to application software and can be considered widely deployed. This single stakeholder ecosystem made the job of gathering and analyzing relevant data for our research quite a bit simpler; however, we are of the belief that the main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not solely Apple's.
