
Black Hat 2009: Invisible Things Lab Team Slides

Today the Black Hat 2009 conference (Las Vegas, USA), the world-renowned gathering of information security specialists, comes to an end. In connection with this, the slides of the Invisible Things Lab team (in English) have become available.



Alexander Tereshkin and Rafal Wojtczuk presented the following topics:



1. Introduction to Ring -3 rootkits (original title: Introducing "Ring-3" Rootkits).

2. Attacking the Intel BIOS (original title: Attacking Intel BIOS).




Introducing Ring -3 Rootkits





This presentation demonstrates the results of research into how malware can use Intel AMT technology (part of the vPro brand) to covertly take control of a machine.

Intel AMT offers an attacker attractive properties: the AMT code runs on an independent processor located in the chipset (a vPro-compatible MCH), AMT memory is separated from host memory (the isolation is enforced by the chipset), the AMT code has a dedicated path to the network interface card (independent of the host OS and its drivers), and finally, AMT remains active even when the computer is in sleep mode (S3).



The talk shows how malware can bypass AMT's memory protection and, as a result, compromise the AMT code running on the chipset. It also discloses the techniques used to reverse-engineer the AMT code; these were needed to build rootkits that can access host memory (the rootkit runs on the chipset, yet has full access to the host OS, for example Windows).



This research emphasizes the need for closer scrutiny of the security of core system components, including firmware and hardware.



Slides: invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf

Code: in the near future





Attacking Intel BIOS





This presentation discusses and demonstrates how to reflash the Intel BIOS on desktop systems based on the latest Intel Q45 chipset.



The work targets the most secure vPro-compatible BIOSes, which allow only firmware images carrying a digital signature from the vendor to be flashed. The talk demonstrates how this check is bypassed with an exploit built on a complex heap overflow.



Carrying out the attack requires administrator rights and a single reboot. No specific action or consent from the user is needed, nor is physical access to the machine.



This attack emphasizes the importance of other mechanisms for ensuring trusted boot (for example, TPM), as well as the importance of closer scrutiny of core system software and firmware.



Slides: invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf

Code: in the near future

Source: https://habr.com/ru/post/65863/


