Is there an EFI monster inside your apple? by Pedro Vilaça – CODE BLUE 2015

Thank you. Welcome to the last presentation of the day before the keynote. You are probably very tired, and I have 173 slides to present about a very interesting topic, EFI, so let's start.

It's my second CODE BLUE; I was here last year, so probably a few of you know me. I'm a very famous, or more or less famous, Mac OS hacker. I like a lot of stuff: I'm an economist, I like politics, and if you follow me on Twitter you'll see me many times ranting about politics. These days I work for that company, SentinelOne, a next-generation AV company. I developed, with another colleague, the first version of the Mac product. These days I'm just doing random research and helping the development team, because we have a development team and they have the problem of developing the product, and I just say "it's broken" or help them develop new techniques. Just a quick note for the translators: thank you, Alcantara, for translating the slides to Japanese, and the live translators who have to work with me, because I talk too much. So thank you very much.

What is this presentation about? I want to introduce you to EFI. I don't know how many of you know EFI; it's not a topic that many people do research on or know about. The main core of this is to teach you how to reverse EFI binaries. Many people think it's very difficult to reverse this stuff because it's very low level. What I want to show you is that it's not that difficult: as long as you can reverse engineer Intel binaries, you can reverse EFI. And then, to terminate, I want to show you how to search for EFI rootkits, with some techniques. There aren't many EFI rootkits, and one of the reasons, as I will conclude, is that no one, or very few people, are looking for them, and if you are not looking you will not find anything.

Assumptions of this presentation: my research machine was that computer, a MacBook Pro Retina 10,1. This means if you try with different machines you'll see some small differences, but everything is more or less the same; as long as you find out what those differences are you will have no problem with that. I only care about 64-bit operating systems from Mac OS, and the thing is, 32 bits is dead in terms of Apple, so I don't care about that. And also the Sandy Bridge or newer chipsets. This means that, for example, Core 2 Duo machines I'm not interested in; I will show you why those machines are basically breakable and they are not secure, so if you use those machines, just buy a new one.

So why EFI? Why am I doing this presentation, why did I write 173 slides about this, why is it important? I want to convince you this is an important topic. EFI is a replacement for BIOS. If you were working with computers for the past 30 or 20 years, at some point in time you had BIOS; these days it's EFI or UEFI. UEFI is a new branch, a new version of EFI, because Intel developed the first version, up to version 1.10, and Apple forked version 1.10. This means most of the stuff is there: if you read the documentation from Intel on that side, you can understand everything from Apple, and then Apple has some very specific stuff; I will show you some of those things, and the others are not very important or are something you can reverse easily. So UEFI is the new version, the one that you find on normal PCs; you don't find that one on Macs. If you can understand EFI, you can understand UEFI. There are new features mostly, but you can interchange between the two versions. That is the website where you have all the documentation, the original documentation, so if you read the first documentation you can understand UEFI, and then if there's something specific you can move between the two versions.

Why is EFI very important? It's the first component, or one of the first components, when you
start your computer. The first instruction that your CPU will execute is in a fixed position in the BIOS, so it starts your machine. If you control the BIOS you start controlling most of the machine, because everything comes up after the BIOS. It has access to all the hardware, because it will need to talk to the hardware, to the memory, to start the machine. It is very modular; you'll see that everything is a module, so it's very feature-rich and modular. You can, for example, have an HTTP server; there's a new standard that wants to boot the image of the machine from HTTP. Why HTTP and not HTTPS? That's another discussion. It's very easy to develop, if you do it in C. You have two SDKs, TianoCore and EDK2; they are the same with some differences, it doesn't matter for now, but it's very easy to develop. You just need to know C and some very specific things about the development, and because it's modular we can develop a lot of modules that will work on our machines that have EFI or UEFI. Before, with the BIOS, this wasn't true: most of the stuff was developed in assembler, most stuff was specific to machines, so the development was a lot more complicated than with EFI.

Interesting things, attacks: only five examples of what we can do, and why EFI is important. You can build a rootkit that never touches your hard disk. This is very interesting, because if you touch the hard disk, forensics just needs to have an image of your hard disk; if someone changes a bit in your disk, you can detect that there is something that modified it, usually a rootkit. So the idea is you put the rootkit in the flash chip, where EFI is; when the machine starts you patch something, the kernel, the browser (you can attack the browser, for example), and you never put information on the hard disk. This is very interesting in terms of detection, because nothing will go to the hard disk. If you want more details about this you can check snare's SyScan presentation, where he shows the technique to patch the kernel, to attack the kernel from EFI, and then after that you can do whatever you want against the operating system.

This attack can be very hard to detect. As I told you, you are starting very, very early in the machine, so you control the hardware, and then you have an operating system on top of the hardware. So if you control the hardware and you try to detect something from software, this is very difficult to do. My position is that it's impossible to do unless you have assistance from hardware, a very safe channel that allows you to communicate. If you want to see a discussion about this, I was discussing this week or last week on Twitter with a few more guys, because there was a Volatility developer saying it could detect this, and we were trying to prove that if you are in software it will be very difficult to detect something at hardware level.

More things: you can persist across operating system reinstalls. This would be, for example, a very interesting feature for APT. This would be really pretty, because if you have a Windows installation and you have some malware, well, as you saw in the earlier presentation, you can disinfect the machine, or he told you that it could be very difficult. For example, this will make a very big obstacle to cleaning the machine, because you will reinstall the machine and the rootkit on EFI will install itself again, so you will never clean the machine unless you clean the flash chip. One example of a rootkit from this is Hacking Team. As you know, they were hacked two months ago or something, and they had this kind of rootkit. They wanted that if the victim or the target was infected with this, it could reinstall Windows as many times as he wanted and it will always be under the control of the rootkit from Hacking Team.

More interesting stuff: how to attack full disk encryption, even on a locked machine. If you've been following on Twitter, Stefan Esser says he was attacked this week; someone broke into his hotel room and tried to copy the hard disk. If you have your hard disk encrypted, that
will not do anything, because you miss the password. What you can do is install a firmware rootkit, an EFI rootkit, and you get the password. Many attack scenarios are possible on this: you can have a rootkit that always gets the password, or you can have, for example, a rootkit that you install once, you get the password, you find a way to send the password to a remote server or something, and then you remove the rootkit. The next step, you go to the hotel, you copy the hard disk, hopefully the password is the same, and you can decrypt everything. So this is a very interesting attack scenario for people that travel, and the rule is never travel with important information, or travel with the least important information you can.

You can attack an operating system. I'm not sure if you know Tails. Tails is an operating system that starts from a CD-ROM; the purpose is nothing goes to the hard disk, APT is not possible, because every time you start the computer it's clean. The LegbaCore guys, which are the guys that do a lot of research on EFI firmware, have shown an attack from EFI which is: you boot from Tails, you assume you have a secure operating system, you are writing private emails, for example you are a journalist or a whistleblower trying to disclose information, and they show they can get the keys, the PGP keys, they can get the password for the PGP keys. So the operating system Tails is not secure in this scenario. Once again we are attacking from hardware to software; the software cannot guarantee that it's safe, even if it's booting from a CD-ROM or something that is read-only.

Some other attacks: you can attack the bootloader. This is something that you saw in Windows with the TDL bootkit branch, TDL3 and TDL4 for example, or very old viruses in the BIOS times; you would attack the BIOS and put something there. This is very simple. You can put SMM backdoors; there's a very interesting post from that Russian researcher, Cr4sh, about installing SMM backdoors. SMM is a privilege level on your CPU, very interesting: if you can run code there you can control the whole machine, so this is very interesting to put rootkits in.

Hopefully I've convinced you with this that if you control EFI, your computer is under the control of the attacker. You cannot do anything from software; you have to search, or you have to guarantee the integrity, at hardware level. This is why EFI is very important, or the security of EFI is important.

Well, let me go briefly over a zero-day story. So two or three months ago, back in May, I woke up probably not in a very good mood and decided to release a zero-day. The thing is, it was an accidental zero-day, because I didn't know it was a zero-day. I assumed that Apple knew about the bug, because there was the Thunderstrike presentation at Black Hat, and I assumed, okay, they disclosed, they know the bug, there is no problem in disclosing. And it made a whole confusion, made headlines on a bunch of newspapers and websites. It's basically a bug that allows you to control the firmware of the Mac. You can read on that website, on my blog, the whole description about this; I will just go very fast on that. What happens is you have an operating system, you have the EFI, they are at different levels, and if you can write from the operating system to the flash, your computer basically has a very severe security problem. And this is what happens with this bug: with Apple there was a way to write to the firmware from the software. The advantage of this is that, for example, you have a Safari bug, a remote code execution bug on the browser. You can start there: the user goes to a website, the exploit is executed, and then you continue to go down, you install rootkits, or you just come to root, and then you write to the flash device. You write to the flash, meaning you install an EFI rootkit, so if you install an EFI rootkit you control that machine as long as you want, because
probably no one will search for rootkits there. This one was very similar to Thunderstrike. If you follow Mac security issues, Thunderstrike was presented in 2014 at CCC, which was basically an attack with a Thunderbolt adapter. So this is one of the reasons why, when someone offers to you "you can use mine", you never use it, because this is very interesting for installing rootkits. The difference is that with Thunderstrike you need to plug in this, so this is a physical attack, and my bug was a remote attack, or it could be triggered as a remote attack, which is way more powerful, because I don't need physical access to your computer. The funny thing is that in 2012 snare was writing this in his presentation; he was writing that it was possible to write from the operating system to the flash, and this is the reason why the Core 2 Duo machines, or everything older than Sandy Bridge, are vulnerable, because those machines don't have any flash protections. Intel developed those protections for the Sandy Bridge chipsets, so if you still use one of those machines, a remote attacker can put an EFI rootkit on your machine easily. So don't use those machines.

The bug was very simple to trigger: you just need to put your computer to sleep, or force it to sleep, and when you wake up the computer it will be in a vulnerable state. This was one of the reasons why the bug was very funny and created a bit of a mess in the media and with Apple, because it was very simple; you don't need a complicated exploit, you just need to put your machine to sleep. I found this when I was researching. I started with EFI because I had a computer that was locked, I couldn't remember the password, and I found this bug while doing some research there. As I told you, the Core 2 Duo machines are vulnerable, and the only Macs that are vulnerable are these ones, Sandy Bridge and Ivy Bridge. This was funny, and this was one of the reasons I released the bug, because the newer versions were not vulnerable. What happened is that Apple patched the bug by luck; they didn't know the bug was there, they just patched it by luck, probably because Intel gives reference code to the developers and the bug was fixed there, and Apple ported the fix, and that's it. You have a patch available for all this; Apple fixed the bug three weeks later. So if you installed some new version of Mac OS or the latest updates, your computers are not vulnerable anymore. If you didn't install, you should install, because the bug, as I've shown you, is very easy to exploit.

If you are interested in details about reversing, I wrote a second post with a lot of reversing details, which is basically a complement to this presentation: a lot more details, a lot more technical, if this presentation isn't already technical. Go there if you are interested in this; I explain how to understand the bug, how to create your own fix, so it's a very interesting post in terms of that. I also put the other relevant documentation, or the basic documentation that you need, because the EFI standards are manuals with thousands of pages, so it's a lot of stuff to read. If you skim through those manuals that I have there, you'll know the basics of EFI.

There were more bugs that were already patched, that are finally already patched. They were the same type of bugs that allow you to write to the flash from the operating system; this was presented by the LegbaCore guys, the guys that do a lot of research on this. These bugs are finally fixed: Apple released a new patch last week, because there were more bugs presented in Thunderstrike 2 at Black Hat, and Apple still didn't patch those bugs, but finally last week they released this. So this slide is not updated: the LegbaCore guys were saying this one, which was mine, was patched, and there was a bunch of vulnerable bugs that were unpatched, but Apple finally patched those bugs. We had a very interesting slide from their presentation where they complained that Apple wasn't fast enough fixing the bugs. I finally talked to Apple about my bug; they did a lot of hard work fixing the bugs. The thing is
that you can discuss whether I was very responsible or not in disclosing the zero-day; the thing is that they fixed the bug really fast, and my position is that Apple doesn't like when they have bad publicity, and they react faster when something is against them, when they get bad publicity. So this is the same slide from last year. I know a lot of people at Apple, but I still tell them a lot of times that they don't know what they are doing most of the time; hopefully they will improve their quality, their security quality.

So all of this, until now, was really to convince you of the importance of EFI. Now let's go into EFI. What do you need to know, the basics? So if you want to go into EFI, you don't need to spend one or two months to learn the basics; I'm giving you the most important things, the ones that I think matter, so if you want you can go home, get the slides if the conference publishes them today, and start learning EFI, start working with it, and you don't need to know all the basics or go through the small problems that I had to go through.

The first thing is, where is the chip? We need access to the chip. The chip is usually something like this; you can find it in your computer, you have to open it and search for the chip. It's usually a CMOS serial flash. These are the two most popular chips in the Sandy Bridge and Ivy Bridge models. The chip doesn't matter; you can usually find the specs on the manufacturer website, so it's not a big problem. The interesting detail: they are all SPI. SPI is a serial protocol to talk to the chips; if you are a hardware person you probably know this protocol. It's very easy: it's eight pins that you need to connect, or usually you don't need some of them, the write protection and the reset, so it's very easy to talk to, and in terms of programming, the code that you need to talk to it is not very difficult. So it's a very interesting protocol to read the contents of the chips. Most of the chips are 8 megabytes in size for these machines; for other machines, the Core 2 Duo, you have 2 megabytes and something else. You can also find some that are 16 megabytes in size on newer machines; it depends on the model. This is also another chip, and on the newer machines, the Winbond version; this is probably Apple just doing sourcing, they got a better price from these guys and got the chips from them. This is the list of all the chips that you will find on Macs; it might be updated with new versions, but nothing very important.

An important detail for us: most of the chips are 8-pin SOIC, which is the format in that picture, but new machines are starting to use SMD or BGA. BGA is with the small balls on the underside. This brings a problem, because with the SOIC you just need test clips, or a probe clip, which you plug onto the chip and you are connected to the chip. With SMD it's soldered, so you cannot usually connect a probe, and BGA is even worse, because the pins are on the underside; they are not soldered, or they could be, but they are under the small balls. The problem is, if we want to access those chips we need to desolder those chips, so this is a potentially destructive process, accessing the chip. For example, if you want to do like I do, if you want to dump before you travel, if you have one of these versions it's very complicated to do that, because it can destroy the computer. These are some of the models that I think are using the SMD or BGA; I don't have these computers, but I was seeing pictures and I cannot find the SOIC chip on those. If you want to do experiments you can buy these from AliExpress; you probably have better access to electronics in Japan than I have in Portugal, but they are very easy to buy from there, and they are cheap enough. So if you want to do experiments, testing your code, instead of going on the machine chip you can buy them, and that's it.

Important thing: so I have shown you what the chip is, how it looks; now, where it is inside the machine,
because you have to know where it is. The Retina model, like mine, the Retina 15 inch, has the easiest access: you just disassemble it and the chip is there. Other Macs are very difficult; you need to disassemble the whole machine, because usually the chip is on the underside. But I have this machine, which is a MacBook Pro 8,1, an older machine, and with some practice I already can disassemble the machine in five minutes. So, for example, half an hour is enough time to go to your hotel room, open the machine, disassemble everything, install a rootkit, assemble again, and leave everything; it depends a lot on the machine.

Let me show you some pictures. So this is the Retina model that I talked about: you just remove the underside cover and you have the chip; this is the board where the battery is connected to, and the chip is there, you just plug in, very easy to access. This is a MacBook; it doesn't matter the model, the chip is always on the underside of the motherboard, so you need to disassemble the whole machine, extract the motherboard, and then you finally have access to the chip. The Mac Mini design is very compact, so you need to disassemble everything again to access the chip. The Mac Pro, the one that is the trash can, is also very complicated; you need to disassemble the whole machine to finally access this chip. If you do that, be careful with these connectors: you need to put some strength on them to connect them back. I know this because I bought one of these computers, or the company sent me one of these, and the first idea I had was to open it and dump the flash. I was curious to see if someone had installed a rootkit on my machine; I don't think so. And then when I connected these things the computer went red, and I was thinking, okay, I just destroyed a five thousand dollar computer because I wanted to access the chip. The reason was that this cable wasn't well plugged. Last, this is one of my motherboards, and what you can see here is that it has dual chips, and the thing is that Gigabyte put the cooler, this is a chipset cooler, on top of the chips, so what I needed to do was bend the pins of the cooler to access the chips. The case here is that it's not always easy to access the chips, so this presents a problem: for example, at a company you cannot be disassembling people's computers all the time to access the chip.

Next point: we know where the chip is. What we want to do now is extract the contents of the chip. There are two ways. Hardware, which is connecting the test clips to the chip; this is why I was showing you where the chip was, because this is the only way, the only reliable way, to find if there's a rootkit. First of all, as I told you, it's a trustable method: the chip is disconnected, the chip has no power, you are the one supplying power, so you are asking the chip "give me your contents" and the chip will give you its contents. I'm not sure, I'm not a hardware guy, but the only way to make this not work would be to install a rootkit inside the chip, inside the serial protocol, and somehow the chip would lie to you. I doubt this is possible, at least on this type of chips, so this is at least the best method we can use. For software, you can use some software to talk to the chip; software is able to talk to the chip, but hopefully I convinced you that this is not very trustable, because if the machine has a rootkit it can modify your software and tell you "no, there's no rootkit here, you are not looking at anything, nothing here, everything is OK". So this cannot work. This is good for experiments, but it's not good to chase EFI rootkits.

What you need in hardware is something that talks SPI, the protocol. You have a list of programmers that are able to do this; you can get an FTDI chip, the FT232H, that does this. I use this version from Trammell Hudson, the author of Thunderstrike. The reason is that it works, it does the job, it's easy to use. I don't care anymore about that
problem. The flasher is based on the Teensy 2.0 and 3.0; we have two versions, both work well. As you can see, it's very simple: this is the Teensy board, this is the chip, and this is a test clip to connect to the chip. This is the easiest way, because you don't need to connect every probe. It is very cheap to build; it costs you like thirty dollars, and if you buy a Chinese clone it's even cheaper, and it doesn't matter much, it's very simple, so you can be OK with a clone, not a big problem. Its biggest advantage is that it dumps the whole contents, 8 megabytes, in eight minutes. I tried to do some research on EFI like two or three years ago, and the only thing I had was a Bus Pirate. The problem is that the Bus Pirate takes four hours to dump an 8 megabyte, 64 megabit, flash. This is not feasible if you are doing research; waiting four hours for something to finish is not good for research. This is why I like this version: it's fast, eight minutes is good enough for this purpose.

Let me just skip this stuff; this is for your reference. This is the pinout of an SPI chip. Usually you need to check with the datasheet if it's the same, but most manufacturers follow this, they respect these pins, so it shouldn't be a problem; if not, you can adapt to the chip, not very complicated. This is the layout on the Teensy, nothing very complicated: solder there, solder to the chip, and you have your own SPI flasher. You can use it, with just a small detail: if you use the Teensy 2, its default voltage is 5 volts, and the flash chips are all 3.3, so you need to put a voltage regulator. If you go to this website it contains the part number and where to solder it, so it's a five minute job or less; solder it and it's OK. Some small tips and tricks: you might have some problems with the chip not working, not talking. One very basic trick is you just shunt, connect, the write protect and reset pins to the voltage pin. I don't know why this works, but it works, so for me it's not a problem anymore. Last thing: you see some diagrams, and everyone calls the pins different names; I just left this for you, so if you see different diagrams using different names you have a small map to map the pins.

How to read the flash: if you use the Teensy, you simply use the xmodem command and you ask the Teensy to read the contents of the chip; six or seven minutes later you have the contents, in this case 8 megabytes, and you can see it. This is a dump that I did before traveling to Korea; I dumped my ROM so I have something to verify if someone attacked me, which would not be very smart. This is how to write: you connect to the programmer, you say "I want to write the whole chip", and then you send the image to the chip and the Teensy will do the work for you and write the contents. There are some problems; let me skip this, it's not very important.

Software: I will go just on the first technique, to save time. The other ones you can also use, but nothing very important, something that you can easily do yourself. You need flashrom; this utility is a very well known open source utility that is able to talk to many different types of chips, not just EFI chips or flash chips where the SPI is. You can use this, and this is a kernel extension that allows the machine to talk directly to the hardware. This kernel extension is not code signed, meaning that in theory you'll not be able to load it on the latest Mac OS versions, but Apple whitelists this, so it works with all versions except the latest one, El Capitan. If you were here last year for my presentation, I used this to load rootkits into the system. This is an example of how to dump with flashrom: you just load the kernel
extension and then use flashrom and tell flashrom to dump the contents. You can see here flashrom identifying the chip, in this case a Micron, one of the chips that I told you is very common. It tells you some information about the chip, and then starts reading, and then a few minutes later (usually it's very fast, so this was probably like one minute or something) you have the same contents of the chip. Then you can use this to analyze. This is the part I want to skip; it's a different way to do it, but essentially it's by software, so same problems. As I told you, software is good enough for experiments; if you are doing incident response, software will not save you, unless your rootkit is something like Hacking Team. Hacking Team was only interested in persistence, in keeping across reinstalls; they did nothing to hide the rootkit, so if you dump a machine that is infected with a Hacking Team rootkit from software you'll see the rootkit there. If you know me, I say a lot of bad things about Hacking Team; if I was designing this rootkit, this would be the first thing I would work on: just hide the rootkit, make yourself invisible to incident response.

Next topic: what are the contents? You know where this chip is, you finally got its contents; now what's in there, what do we need to look at? This is one example of the contents. You always see this: this is the descriptor region, which says content is here, there and there, and this type of content. This is the Intel Management Engine contents; there was a presentation at the first CODE BLUE by Igor, and it is a very big black box, a very interesting black box for rootkits. Igor is the only person in public doing research on this; I will talk about the ME in a bit. And then you have the BIOS region, which contains all the contents that we want to work with for finding rootkits or reverse engineering. Another example of a BIOS from a newer machine: here you have the GbE region, which is basically contents for the onboard Intel network card; it's a standard, you can use the flash to put some data there, so they are using the flash for other stuff. Once again the Management Engine region, and then you have another region here; I never explored the contents of this, it's irrelevant, it's very small, and it doesn't have anything interesting, at least from the manuals, but it serves to show you that you can see different contents in the BIOS. But this is something that you always see: the BIOS and the descriptor, they are there for sure. A small image that shows you the contents of the BIOS: you can see the descriptor here, and this is the information about the descriptor, and then this is the contents of the BIOS files. A different dump that contains a different region, the platform region, the PDR region, just to show you the different examples.

What is the descriptor? As I told you, it says: contents are these; the BIOS region you can find at address X, the GbE can be at address Z, and so on. It contains access permissions, meaning you don't want, for example, the network card to access the BIOS, because that would be an obvious way to make a rootkit: you attack the network card and then from the network card you attack the flash and install an EFI rootkit. So it guarantees that each region cannot talk to the other if you don't want.

Intel Management Engine region: if you remember Igor's presentation, he told you that the Intel Management Engine is basically a CPU inside your CPU. It runs there; the most surprising thing is that it runs Java, so your Intel CPU has Java running inside, in parallel, and that's not very secure; Java is the source of a lot of problems. It can be active when your machine is powered off; as long as there is a battery inside the machine or a power source connected to it, that chip can do something, for
example it has it can connect it to can talk to the network because that ship as an independent MAC address this is used for for administration you have a big company your machines are off and you want to for example to boot them for launching a place or something it’s a very interesting feature but the problem is that it can be a very powerful feature for attackers if they find vulnerabilities there there is no access from buyers and operating system unless you find a vulnerability you can’t talk to that you don’t know what is there you can not find what is running what is happening there as I told you Igor made three presentations in different years one of one of those presentations was at code blue this is an area that requires more research people are talking about this again Joanna ho Tosca from the blue pill fame released the paper this week about she says x86 is insecure forever because you have Intel management engine you have another stuff that is insecure or that we don’t know what is running Intel management engine engine is definitely something that we need more research on these are the links for Igor presentations you can read them or revisit again those presentations bias region the contents of the bias region this is the one that we are working with on this presentation it contains binaries if I binaries for different phases i will show you in a brief what are these phases contains nvram non-volatile ram for example your Mac’s store the Wi-Fi password on this region so if I find a way to dump the memory or I can extract your Wi-Fi password and then crack it this is one of the reasons when y-you formats or you reinstall your Mac when after we were installed it knows your network because the information is saved there it is tall some cpu microcode you’ll not always see these in every models it depends on the models I guess if Intel releases a new version then when there’s an update the microcode is there if the CPU version doesn’t have microcode it’s 
not there.

Important thing: everything happens in a firmware volume. A firmware volume is a container for different data, for the data or a file; for example the NVRAM is a firmware volume, and different binaries will be in different firmware volumes. This is a picture of my BIOS with different contents; as you can see, each of these is a firmware volume. For example this volume is microcode, this one is the non-volatile RAM, and this is where the machine starts booting from. What you can see here is that everything is numbers and letters. This is called the GUID; if you don't know this from Windows, it's a standard format, 128-bit, basically to describe something, and it should be unique. So everything in EFI is a GUID. You don't have file names, you don't have something saying PlatformSecurity.efi; everything is a GUID. This makes things a bit difficult to read, because you don't have names on things, so when you are reverse engineering you don't have any names, you have to translate that yourself. The content of most of those GUIDs you can find in the EFI specs; this is where you download all the manuals, and then you use the PDF search to find the GUID when you want to know what it means. There are many GUIDs that are vendor-specific or private, meaning Apple has some GUIDs that it doesn't publish; you don't know the meaning, so you need to reverse engineer to understand what they are doing. Some manufacturers publish theirs, others keep them private, and only by reverse engineering you know their contents. So Google and the like are your friends in this case; if you can Google and it gives some hit, it will save you reverse engineering work. If not, you have to load it in IDA and fix things yourself. This is an example of a script that snare created; what it does in IDA is translate all the GUIDs to something in English that you can read, and this is one of your tools: you load the binary into IDA, execute the script, hopefully it knows the GUIDs and it will translate them to something in English. Your job will be much easier.

Next topic, the boot flow: what happens when you start your computer? This is the most famous chart in EFI; almost every EFI presentation uses this one. What happens: this is the security phase. When you start your machine, this is the first phase; it tries to assure that everything is OK with the machine, so if everything is OK you can continue in the process. Then you have the PEI phase, which is pre-EFI initialization; this is the phase where it will start setting your machine ready for the next phases. For example, one of the most important tasks is to set up memory, your memory layout; memory is different in different phases of the machine, and this is one of the phases that takes care of setting up memory for the DXE. The DXE phase is the phase that takes a longer time, because it loads drivers that talk to the hardware; you can put, for example, an HTTP server here and so on. This is the phase where many things happen, and then when this phase is over it passes control to the boot loader. If it's Linux it can be GRUB or another loader; if it's a Windows machine it passes control to the Windows boot loader, and so on. So at this phase the operating system or the boot loader is starting to take control, so EFI is ending on this phase and everything here is operating system stuff. As you can see, it always boots, and then you close your machine, everything starts to shut down, and so on. As I told you, this is one of the most important: set up memory for the DXE phase, this is one of the important tasks of the PEI phase. This is another chart that shows you the boot paths. This is the normal one: when your computer is off and you start it, it follows this one, the SEC, the PEI, the DXE and then the boot device. This phase is the sleep phase; this is where the bug that I disclosed was. So this is the phase, for example, when you put your computer to sleep: there's a bunch of stuff that puts some information in memory, and what happens is there
is a script, and the reason for the script is that if you had to execute the DXE phase all over again it would take a lot of time for your machine to resume from sleep. There is a standard, I didn't know that, but I think it's like six seconds: it says your Windows or Mac OS, when it comes from sleep, must take a maximum of six seconds to boot. So what they do is save the information that they need in a script, and when you come back from sleep what happens is the SEC phase is executed, the PEI phase is executed, but the DXE phase is not executed anymore, because all the information is in a boot script, so you don't need to execute the drivers again. This is the reason why your computer is so fast coming up from sleep. Let me bypass this very quickly: you have many drivers inside the BIOS. How do they know the order of execution? There is basically one dispatcher in the PEI phase and one dispatcher in the DXE phase, and you have dependencies between them, which is this very small language of a stack. There's a stack, you push there and everything goes push, push and pop from there, and there's Boolean logic there, and so these dispatchers know in what order things need to be loaded.

Last part: how to reverse EFI. You have the contents, you know what is there, you can access the contents, you can find the files. How do we start reversing? What is the critical information to start reversing EFI? These are the two most important tools you can have in your toolset. This is snare's scripts, the ones that resolve GUIDs to file names, very important, very useful. And these two, UEFITool and uefi_extract, allow you to extract the contents very easily; you don't need to create your own utility. Those screenshots that I have with the contents come from this tool. It's a graphical tool, so it's a very nice tool, and these are the most critical tools you should have in your toolset.

Important thing: I told you EFI has binaries that it executes, so what is the format of the executables? The format is very funny, because it's PE32 and PE32+ or PE64, and you should know that these are the formats, the Windows formats of binaries. So you have the same binary format used on Windows being executed on EFI. It could be any other format; the format just says this is the code, I'll execute the contents, and they opted for PE. There is also another format, which is the terse executable; I will explain on the next slide what this is. And you can find 16-bit, 32-bit and 64-bit code inside EFI depending on the phase. If you don't know, your computer still starts, when you start a computer, running in 16-bit; this comes from legacy, the first computers, the first Intel ones were 16-bit. So your computer starts in 16-bit, then switches to 32-bit, and then the DXE phase is mostly 64-bit. So you need to reverse all these kinds of code, all these kinds of different assembly on your machines. TE is basically a version of PE, so nothing very complicated. What happens is that they removed some headers that are not used for anything or are not required; I guess it was to save space, because the first BIOSes or the first EFIs were 2 megabits, so you need to save space there. You can find this format only in these phases, the SEC and PEI phase; everything in the DXE phase is PE, so you won't have trouble there. Very important detail: IDA is still unable to disassemble this format, so if you load these files into IDA you'll get very confused, IDA will get confused, the disassembly is incorrect. I had this problem and I couldn't understand it, and then I finally started reversing the problem itself and I found out it fails to parse the headers. As I tell you, it's not fixed; the solution is you build your own loader. I released something here, so if you want to reverse these binaries you just download my code, compile the plugin for IDA, and IDA
can finally deal OK with these binaries.

libc or kernel32.dll: if you come from Windows, you don't have libraries to link against. If you develop, you know in Unix you have libc; if you want to do a printf, it's in libc. If you want to do a MessageBox on Windows, you have another one, system32 or something like that; I haven't reversed Windows binaries in like 10 years or so. What happens is there are services, so instead of having a library that you link against you have services, and you say I want to use that service. Services are nothing more than functions, or you can logically understand them as functions, that you say I want to use, you get a function pointer for the function, and you can execute it as a normal function. An example of a function in the PEI phase: you can see there's a function to install a PPI, I will show you what a PPI is, and other stuff there, for example a function to allocate memory. So this is the basic set of functions that you have when you are in EFI. Some more examples; let me go forward. How do you access these functions? You know the functions are somewhere, but you need to know how to access them. What happens is that at the entry point of an EFI binary you always have a pointer to a table; in this case this is the DXE phase, so you have a pointer to the system table. In the PEI phase you have a different pointer. This is the table, and you can see here the two pointers to the services available in the DXE phase. So you'll often see this type of code in the DXE binaries, which is basically making a local copy of the system table to a local pointer, the boot services table and the runtime services. After you have these pointers you know the offsets; the compiler will know the offsets when it compiles, and it can access the services from the EFI functions.

Reverse engineering: you need to know the calling convention, because if you see a call to some function or to some function pointer, if you don't know what is being passed, the order of the arguments, it will be very difficult to reverse engineer. The 32-bit binaries use the standard C convention, so everything is passed on the stack, nothing very complicated. As I told you, you find these in the SEC and the PEI phases. Don't ask me about the 16-bit; I was reviewing the slide and I don't remember the 16-bit, because there's very little code running in 16-bit. This is an example where you can see everything on the stack, 0 on ESP being moved on the stack, normal code that you see reversing 32-bit binaries that use the stack convention. The 64-bit ones use the Microsoft x64 calling convention, so the first four parameters are passed in registers and everything else on the stack. The core difference, and the first time you see EFI binaries of this kind you'll get confused, is that there is a shadow space of 32 bytes in the function. Very easy to understand this with an example: you have your service being called and you see the first four parameters being used in the registers, as expected, and then you see the fifth parameter like this, 0x20, 32 bytes ahead on the stack. The first time you see this, you wonder where the other arguments are, because the 32-bit uses the stack normally, but the 64-bit version always has these 32 bytes. As long as you know this there's no problem: you know that 32 bytes is the fifth parameter, and in this case it's 64 bits, so 8 bytes ahead is the next parameter. So, very easy to understand.

Protocols and PPIs, the last thing on this. As I told you, there are basic services, so those services don't allow you to do a lot of things, but EFI is very modular, and protocols and PPIs are what make it modular. What happens is you can put in a binary that makes more services available. For example, you want to put a message in a log, a log function; EFI doesn't have that. What happens is you create a new EFI binary that will make a function to make logs available. So what you do is create that function, you have to attribute a GUID, because, like everything, it's going to be found by its GUID, and you publish that service. Everyone that wants
to use this service basically needs to look up if that service is available; if it's available you can use it, you get a function pointer, and you can use that. There's a distinction between protocols and PPIs; they have a different name, I'm not sure why, probably because they are in different phases: the protocols are in DXE and the PPIs in the PEI phase. In practice you can say they are the same services. The protocols and PPIs are nothing more than a GUID that identifies what the protocol is, and then they contain function pointers and maybe some data. Very quickly, an example, I'm running out of time. This is the protocol: it has a GUID, it says the EFI ACPI S3 Save is this GUID, so you always know that if you call this GUID you are calling this protocol. Then you have the definition of the protocol with two functions, the S3Save and GetLegacyMemorySize; these are the two functions that this protocol implements, and then you have the prototypes of each function. You know this, you'll find this GUID, and you can use these services. Let me skip this. This is how you use the protocols: first you locate the GUID, and then you use it; if you have a valid function pointer you can simply use the service or the function pointers that you got. Let me go over these also, I'm out of time; this is very self-explanatory, I think. If you have some doubts about this, email me, but it's very easy to understand, hopefully; contact me if you have problems, or else I will have no time.

Last part: how to find the monsters. We can access the contents, we know where the monsters are, we can dump everything. What we want now is some techniques to find potential rootkits in EFI. The two most important phases: dump the flash contents, because we need to get the data from the flash chip, always from hardware, and hopefully I made a very strong case why hardware is necessary; and then you need something to compare with. Technically you don't need it, because you can reverse every binary; you have like 200 or 300 binaries inside your EFI, so that would take like a couple of months, even if you are a very good reverse engineer it will take a lot of time. The best way is to have something to compare against. You can do like I do, dump before you travel, or have something that you assume is OK, or you can use the updates that Apple released to compare against, because in theory Apple and those updates will be OK, they will not be attacked. You can find the updates from Apple; Apple publishes a bunch of updates for firmware, for example to fix my bug they published an update. You can access most of the updates at these URLs, or you can extract them when, for example, a new version, El Capitan, has some firmware updates in the EFI update. Last week Apple also released new firmware updates, so you can extract from them. Apple doesn't publish the hashes of those updates; I'm trying to convince them to do this, so we can verify if everything is legit. These updates are only useful for machines that have them; for example, if there's a new machine without updates you don't have an update to download, so you cannot compare against anything. Either you assume that the machine has never been tampered with... for example, I opened my Mac Pro because I assumed it could be tampered with; it stayed like a few days in the United States and then three days more in Germany, probably too much time, and I assume this machine might be compromised. So this creates a problem in terms of how to do this if the machine is very new; one solution is to wait for an update, and then you can compare. If you trust me, I published on my GitHub every firmware that exists; I put them there and I signed those firmwares with my PGP key, so it means that my reputation is at stake: if I put a rootkit in one of these and someone
finds it, it will be very bad for my reputation. So everything is extracted from available updates; I did my best to guarantee that they are legit, that they are not tampered with. Soon I will put the SMC updates there, so it's probably a very good reference: if you don't want to chase them or download them yourself, you can go there and you have all updates available. Let me skip this. One of the update formats is this; ScAP is a standard format. What you can do is extract the contents of these updates and then compare. These are the contents: you have a different GUID, for example you have the EFI capsule; the capsule has some contents, and then the contents that you want to compare with are inside another volume. So this is what I try to show you: there's a firmware volume and there are different contents there. In one you have the non-volatile region, in two you have microcode, and three is the boot volume, and then it continues. So it's not a direct comparison; you have to process the update file and find the information, and then you can start comparing your contents.

Techniques to find the rootkit: you extract, you dump the EFI contents, and then you compare against the ScAP. Easiest way: you start locating all the binaries and start comparing one by one; you have a one-to-many match, so it doesn't take that much time, computers are very fast. You check the sums against each other; if something is different it's very suspicious and you have to analyze it manually. That's the point where you start reversing the binaries. Things that you need to do: you need to verify if the contents have been tampered with, but you are also interested to see if there are new files, because there are two ways to put a rootkit: either you modify something or you install a new file. You'd also be interested, for example, to see if there are any missing files; imagine some EFI binary that creates a protection, and you extract the protection and you get a backdoor. You also want to analyze all the free and padding space. That would be what I would use to put rootkit data: instead of putting a new file I would try to hide in the free space, and then the rootkit will try to find that data, encrypt it or somehow. So always verify this data, because it could have interesting data there. Also verify the non-volatile RAM contents; for example, the boot device where the boot loader is located is stored there, so we could modify the boot path there. Hacking Team, for example, to understand if they wanted to reinstall the rootkit, put a variable there, so an easy way to detect Hacking Team is to see if that variable exists in the NVRAM. And this is, for example, the code from Hacking Team: what you can see is that they were doing this function GetVariable to read if the variable is there. If the variable is 1 we need to infect the system, or 0 we need to infect the system again; if the system is already infected we don't need to do anything. Let me skip past this.

Conclusion, very fast: EFI rootkits or UEFI rootkits aren't unicorns. Not many people talk about them; I have no doubt they exist. Hacking Team developed one; we know they are very rare, there are not many samples of this, but my thing is this, and some presentations talked about this, TT talked briefly about this: we don't know what's out there. TT talked about how most antivirus vendors have the samples, they can find the samples that they know about, but what you don't know about brings another very big problem, especially if no one is looking for EFI rootkits. I can detect them on my machines, but without enough samples we cannot be sure whether there are EFI rootkits out there or not. This is one of the reasons for this presentation: to get people to start dumping their contents, to start searching for these kinds of rootkits, to see if they are really out there and what their quality is, what their techniques are, and so on. So don't assume that they don't exist. This creates a very big problem: chasing these types of rootkits requires hardware, so you need in most cases to
disassemble computers, and for example in a large enterprise, I don't see a big Japanese enterprise with a big building, everyone going there to open the computer once a month or twice a month or whatever, disassembling everything to dump manually. This is not feasible, this is not scalable, so this brings a big problem at enterprise level. I don't know what the solution is; hardware vendors need to start thinking about this, because this is important. An enterprise can be attacked with this kind of rootkit and then they will have a serious APT, not an APT at software level but an APT at hardware level, and hopefully I have convinced you that this is very interesting stuff and it will stay in the company for a long time. Other problems in EFI: the vendors are very slow to release updates. For example, my Gigabyte motherboard is fully vulnerable, it doesn't use any protections, there are no updates, no firmware updates in terms of security. Most of the vendors are in this situation; it's a bit like Android, they release the phone or they release the computer and they don't care about updates. So you have a problem, because if there's a bug and you don't have any updates, you could try to fix it yourself. Let me pass this.

Very last thing: this was a picture, some pictures; if you follow the Guardian case and the Snowden case, the secret services, GCHQ from the UK, demanded to destroy their computer. The funny thing is that they destroyed a bunch of chips, and the main question is: are those chips that they destroyed interesting for rootkits? What was the reason why they destroyed them? They could have destroyed them because they wanted to just troll people, saying yeah, we are destroying everything because we are going to cause fear, or they really know more about those chips. So this brings interesting research questions; if you want research topics for next year, for presenting, start looking at this stuff, at these chips. You'll see on the slides there's the SMC, there's the Intel Management Engine, also very interesting, so start looking at this stuff. You can find from China boards, and they publish, they steal all the logic board diagrams. If you go see these diagrams you can see a lot of interconnections between chips and CPU and interesting buses, so there's a lot of interesting research topics in the connection between hardware and software. We need this; I'm trying to make the case with many vendors, or at least Apple: we need to trust the hardware. If we don't trust the hardware, if I don't know whether my computer hardware has been tampered with... and more and more you have more chips in your computers; for example, the chip in the trackpad is an ARM 32 chip, which is very powerful these days, so you can put a rootkit there. Imagine the trackpad is connected to some bus that other interesting stuff goes through; you can do a lot of things from the trackpad. This doesn't make any sense. So many people, for example AV, and I'm a bit guilty because I'm next-gen AV, are trying to solve software problems when I cannot guarantee that the hardware is OK in the first place. This is a big problem and we need to start thinking in different terms: start building the security from hardware to software instead of trying to do it like now, from software to hardware. One of the few solutions is to put physical protections. If you are from the old times, there was a physical switch, where when you wanted to update you had to set the flash to writable; we lost that. We have no switches for cameras, for example; we have no switches for the mic in your computer. All my machines have the mic physically disabled; I have to open the machine and disable the connection, and I do the same for the cameras. This shouldn't be like this; we should have some kind of solution to disable this. This is a computer, very fast: this is a Chromebook that contains that solution. There's a screw here that you can, I think, lock, and the machine will not be able to write to the BIOS, so it's a hardware solution to not let the BIOS be attacked. So hopefully, over
time, hopefully I have convinced you that firmware security is very critical. We need more people to research this; we need vendors to start thinking about this. I had some vendors, some people in China where I presented this last year, wanting to think about this, interested in this topic, which is good. I hope there are people here that are interested in this and will go back to their companies and try to start some thread, to start thinking about that firmware, because that's how important it is to guarantee the quality of their computers. If you need to contact me you have the blog, you have the email, you have the GitHub where I publish all kinds of code. Feel free to contact me, I will try to help you as much as I can, and that's it. Thank you very much.