Page 1: BootJacker: Compromising Computers using Forced Restarts

Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, Roy H. Campbell
Department of Computer Science, University of Illinois at Urbana-Champaign
Presentation by Tristan Gibeau

Page 2: Outline

- Overview of Direct Access Security
- Little History of Computer Components
- Approach of BootJacker
- The Process
- Effectiveness on a Linux System
- How to Counteract
- Related Work
- Conclusion

Page 3: Direct Access Security

What prevents access to an attacker?
- Screen saver / lock screen password protection
- Password-protected login screens
- Encrypted file systems
- Virtual Private Network connections
- Encrypted websites (SSL)

Page 4: The Workings...

How exactly do these software measures work?
- Passwords or keys are entered by the user at login or when resuming system state
- A Trusted Platform Module (TPM) supplies the operating system with the key
- Where do they go? After successful verification they are stored in the computer's volatile memory, the Random Access Memory (RAM)
- Is that safe?

Page 5: Computer Components

Computers are made up of many different parts, but let's focus on one specific one: RAM.
- Random Access Memory: this is where the computer's programs, processes, and other temporary information are stored
- Continuous power is needed to ensure the contents are not corrupted or erased
- How long does the data stay active? In most cases the data is kept during restarts or brief power outages
- With the use of liquid nitrogen, memory can be stored for up to a week!

Page 6: Oh Rebooting Woes...

So how much data is actually intact after a reboot?
- Most computer systems will overwrite sections of memory at boot-up
- These sections contain caching information for peripherals, I/O mappings, and other motherboard-related operations

Page 7: Unleash the BootJacker

A few things to know about BootJacker:
- BootJacker is a proof of concept
- It will not work on Error Correcting Code (ECC) memory
- It requires direct or physical access to the computer
- It is operating-system dependent (Linux kernel 2.6)

Page 8: The Approach

How does it work?
- BootJacker exploits the fact that volatile memory is not completely erased when the machine is force-restarted
- Using the pieces left over, BootJacker then resuscitates the computer back to the live user session
- This gives the attacker full admin rights on the victim computer, bypassing the security of the machine
- It also allows access to any open channels the user may have had open at the time of the forced restart

Page 9: How does it really work...

- BootJacker operates like a small bootstrap environment; at boot-up it begins to resuscitate the computer's core systems
- Core systems include both hardware and software
- Using whatever information is still present in volatile memory, BootJacker is able to revive the machine to the state it was in before the forced restart

Page 10: This is done with a little help... MALWARE!

- Terminator: attacks security and logging software
  - Antivirus, intrusion detection tools, system logger daemons
  - Allows the attacker to load tools
- RootShell: superuser shell spawned by BootJacker
  - Gives root access to the attacker
  - Allows the attacker to implement whatever attack he or she wishes

Page 11: Resuscitation: IT'S ALIVE!!!!!

- Hardware Interrupt Controller
  - All interrupts are re-enabled; interrupts include everything from the system timer to the keyboard
- System Timer
  - The timer needs to be exactly the same; otherwise this will prevent the system from resuscitating properly
- Keyboard & Mouse
  - Hot-swappable; BootJacker sends a command to re-initialize them

Page 12: Hardware Resuscitation...

- Display Monitor
  - Uses standard VGA or VESA video modes
  - Basic text mode to ensure compatibility
  - After successful resuscitation, the attacker can re-enable the graphics console
- Disk
  - Relies on Linux's error recovery routines
  - Linux sends a re-initialization command to the drives
  - BootJacker responds after initialization is completed

Page 13:

- Coprocessor Unit
  - BootJacker has to reset and re-initialize it
  - The coprocessor is disabled at system restart
- Network
  - BootJacker uses the Linux APIs to re-initialize the network adaptor
  - Since a system restart only takes up to a minute, connections don't usually time out

Page 14: Software Resuscitation

- Page Tables
  - BootJacker needs to discover the address of the page table locations; if it cannot, system resuscitation will fail
- Alt-SysRq-B
  - Reboot method used to enable resuming of software processes
  - This helps ensure that the stack does not become corrupt
  - Allows proper process/context reconstruction to occur
  - Instructions are properly reloaded through a callback triggered by an instruction fetch fault

Page 15: Software Interrupts

- Schedule
  - Processes running before the restart were on a schedule
  - The schedule attempts to run during resuscitation
  - These are pushed onto a stack for later, using the existing Linux API
  - Interrupts are successfully re-enabled for all processes
  - Scheduling is resumed

Page 16: The Process

How does an attacker implement this?
- Attacker needs to have direct access to the computer
  - Stealing the computer
  - Unauthorized access to the computer
  - Removal of memory components
  - Removing the hard drive & volatile memory
- Forced restart is initiated
  - Pressing the restart button on the computer system
  - Use of hot-key restarts (Alt-SysRq-B)

Page 17: The Process Continued

- BootJacker is connected to the computer
  - Bootable device: DVD / CD, USB flash / hard drive, network boot
- BootJacker boots instead of the host system

Page 18: Process...

- BootJacker successfully revives the host operating system
- Attacker can now break the system with malware payloads
- If needed, the system can then be returned to the unsuspecting owner
- A few hiccups...
  - If the drive is inserted before the forced restart, intrusion software could detect the insertion

Page 19: A Few Side Notes

- Alternate booting
  - Attacker may need to configure the BIOS to boot from removable media
  - Most BIOSes will boot from CD; most will not boot from USB
- Operating systems
  - BootJacker will need to be recompiled for different kernels
- Timing
  - The quicker you are, the better chance you have
  - Memory is volatile and could be refreshed over time (BIOS dependent)

Page 20: Effectiveness

- Test System Hardware
  - IBM IntelliStation M Pro
  - 2 GHz Intel Pentium 4
  - 512 MB of RAM
  - IDE disk drive
  - Intel Pro/100 network card
- This configuration is optimal for hardware resuscitation
- Operating System: Linux 2.6 kernel (x86, 32-bit)

Page 21: Time to Test...

Test tasks performed:
- gcc: compilation of the C source file containing the H.264/MPEG-4 AVC video compression codec in the MPlayer [37] media program
- gzip: file compression using the deflate compression algorithm
- wget: file download
- convert: JPEG image encoding
- aespipe: AES file encryption

In the middle of each test the computer was force-restarted. The tasks were successfully completed after resuscitation.

Page 22: Security Test Applications

- SSH: secure shell connection between two computers
- SSL: web browser session to a secure web server
- PPTP: secure connection to a secure network (university or business)
- dm-crypt & Loop-AES: encrypted file systems

Page 23: Results

- SSH & SSL
  - Both are stored in user space
  - After successful resuscitation:
    - Attacker was able to access secured SSH sessions
    - Attacker was also able to view secured websites (email, online banks)
- VPN
  - During the BootJacker process, VPN connections stay intact

Page 24: Results...

- Linux File Encryption
  - After successful exploitation, full access to encrypted drives remained
    - dm-crypt
    - Loop-AES

Page 25: Time

So how long does this take to do...
- Less than 60 seconds! In most cases it took less than 30 seconds
- In most test runs, most of the time was consumed by the BIOS boot process

Page 26: How to Counteract BootJacker

- System Reconfiguration
  - Prevent the system from alternate booting
  - Password-protect the BIOS
  - Use ECC memory
  - Require memory tests at each boot (clears out memory)
- Operating System Reconfiguration
  - Prevent secrets/keys from being stored in volatile memory
  - Drop secure connections when screen saver / lock screen events occur
  - Encrypt memory & stop computations until the user has authenticated
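Two of the countermeasures above can be checked locally on a Linux host, as an added example that is not from the slides or from the BootJacker authors: whether the kernel still honours the Alt-SysRq-B hot-key restart the deck names as one trigger, and whether the EDAC subsystem reports ECC-capable memory, which the deck says BootJacker does not work on. The `kernel.sysrq` bitmask values and the EDAC sysfs path follow the Linux kernel documentation; note that the sysctl only covers the hot-key path, not the reset button.

```shell
#!/bin/sh
# Added example (not from the slides or the BootJacker project): audit two of
# the "System Reconfiguration" countermeasures on a Linux host.
#
# kernel.sysrq bitmask (Documentation/admin-guide/sysrq.rst):
#   0   = SysRq completely disabled
#   1   = all SysRq functions enabled
#   >1  = bitmask; bit 128 allows the reboot/poweroff key (Alt-SysRq-B)

# Return 0 (true) if the given kernel.sysrq value still permits Alt-SysRq-B.
sysrq_reboot_enabled() {
    v="$1"
    case "$v" in
        ''|*[!0-9]*) return 2 ;;   # not a number: treat as unknown
    esac
    [ "$v" -eq 1 ] && return 0
    [ $(( $v & 128 )) -ne 0 ]
}

# Return 0 (true) if EDAC has registered at least one memory controller,
# i.e. the kernel found ECC-capable memory. The sysfs directory is an
# argument so the check can be pointed at a test tree.
ecc_memory_present() {
    d="${1:-/sys/devices/system/edac/mc}"
    for mc in "$d"/mc[0-9]*; do
        [ -d "$mc" ] && return 0
    done
    return 1
}

# Live value on this host; "unknown" when /proc is not available.
current_sysrq() {
    cat /proc/sys/kernel/sysrq 2>/dev/null || echo unknown
}

audit() {
    val=$(current_sysrq)
    if sysrq_reboot_enabled "$val"; then
        echo "kernel.sysrq=$val: Alt-SysRq-B restart allowed; set kernel.sysrq=0 with sysctl"
    else
        echo "kernel.sysrq=$val: SysRq reboot key disabled or unknown"
    fi
    if ecc_memory_present; then
        echo "EDAC memory controller present: ECC memory detected"
    else
        echo "No EDAC memory controller: ECC not detected (or EDAC driver not loaded)"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run as `sh bootjacker_audit.sh --audit` on the host being checked.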

Page 27: Related Work

- FireWire Protocol Attack
  - Access physical memory through the FireWire port
  - Allows access to keys and other secret data stored in volatile memory
- Cold Boot Attacks
  - Access memory to view keys and other secret information stored in volatile memory
  - Uses a memory tool that analyses the contents of volatile memory for specific secured data

Page 28:

- Vbootkit & eEye BootRoot
  - Install code that is executed on the next boot cycle
  - Place malware on the system to monitor secrets
  - Do not attempt to recover information from memory or revive the system

Page 29: Conclusion

- Pros
  - Easily achieve access to the system
  - No need for knowledge about the user
  - Bypass security algorithms within the system (intrusion detection, antivirus, loggers)
  - Have access to current secure sessions (VPN, SSH, SSL, file encryption)
  - Complete processes that were being executed before the forced restart (gcc, gzip, wget, convert, aespipe)
  - Achieve root access to the system (Terminator, RootShell)

Page 30: Conclusion...

- Pros Continued
  - Mass distribution: since most corporations and companies use the same software & hardware setup, one compiled version can be used on a wide range of machines
  - Practical use: forensics, recovery of data

Page 31: Conclusion...

- Cons
  - Not a very diverse attack: needs to be recompiled based on the system hardware and the operating system kernel
  - Not effective against ECC: newer computers implement ECC memory
  - Limited to older systems: no support for multi-core, and new systems built today are using multi-core
  - Physical interaction needed: direct access to the computer is required

Page 32: References

- J. Mäkinen. Automated OS X Macintosh password retrieval via firewire. http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrievalvia-firewire, 2008.
- Trusted Computing Group. Trusted Platform Module version 1.2. http://www.trustedcomputinggroup.org/specs/TPM/.
- WiebeTech. HotPlug: Transport a live computer without shutting it down. http://www.wiebetech.com/products/HotPlug.php, 2008.
- R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, first edition, January 2001.
- A. Boileau. Hit By A Bus: Physical Access Attacks with Firewire. In RUXCON, Sydney, Australia, September 2006.
- Wikipedia.
- W. Link and H. May. Eigenschaften von MOS-Ein-Transistorspeicherzellen bei tiefen Temperaturen. Archiv für Elektronik und Übertragungstechnik, volume 33, pages 229–235, June 1979.