Sunday, November 20th 2011

Windows 8 Secure Boot Feature: Not So Secure?

We have brought you the potential perils of the upcoming UEFI Forum-implemented - www.uefi.org - Windows 8 secure boot feature here, here and here. However, it appears that it may not be so 'secure' after all, since there appears to be a surefire way to circumvent it, at least for the moment, while it's in development.

Softpedia has scored an exclusive interview with security researcher Peter Kleissner, who has created various Windows (XP, Server 2003 etc) "bootkits", which allow OS infection at the highest privilege level, giving unrestricted access to the whole of the PC. His latest one, called Stoned Lite, shows how the Windows 8 secure boot process, still in development, can be subverted, as it stands. He is planning to release details of how the code works at the upcoming International Malware Conference (MalCon) - http://malcon.org - that will take place in India on November 25th. It appears that the real vulnerability exists in the legacy BIOS boot procedure, not in Microsoft's implementation of secure boot, as Kleissner said:
The problem with the legacy startup is that no one verifies the MBR, which makes it the vulnerable point. With UEFI and secure boot, all the boot applications and drivers have to be signed (otherwise they won’t be loaded). You can compare it to TPM, although Arie van der Hoeven from Microsoft announced that the secure boot feature is mandatory for OEMs who want to be UEFI certified. It is a good message that security is not an option.


And as Softpedia put it:
Stoned Lite actually works by infecting the MBR, while storing its components "outside the normal file system." Startup files are "hooked" and "patched" before Windows starts, these files being changed in Windows 7.
Kleissner explained that the basic way Stoned Lite works is by using command line escalation:
As payload I use the command line privilege escalation. Once whoami.exe is launched, it elevates the cmd.exe process rights to SYSTEM by overwriting its security token with a duplicated system process one.

Additionally it will patch the password validation function (MsvpPasswordValidate) so you can use any password for any local user account to log on. You will be able to start Stoned Lite from a USB flash drive or CD where it will be only active in memory.
So, this problem is only present if someone has physical access to the computer and is able to boot off a CD or USB stick. Therefore, this security vulnerability will have no impact in many scenarios where the threat of this kind of attack is very low. Examples include the home environment (usually) and data centres with very good physical security and the other measures they have in place. The most likely place for problems could be in workplaces where someone boots a PC after hours and installs a keylogger or other malware on the system. A significant threat, to be sure. However, despite this vulnerability, secure boot still makes conventional malware attacks useless, such as drive-by downloads from malicious or hacked websites and opening attachments from spam emails, among the many infection vectors around.

Still, it makes Microsoft's bold claim in September, that:
Secured boot stops malware in its tracks and makes Windows 8 significantly more resistant to low-level attacks. Even when a virus has made it onto your PC, Windows will authenticate boot components to prevent any attempt to start malware before the operating system is up and running.
a little less reassuring, doesn't it?

Note that Kleissner will not be at MalCon in person, because he will be attending another conference held on the same day, the European Bitcoin Conference in Prague, where he will show "how to re-direct locally initiated BitCoin transactions, but also show how the BitCoin wallet can be secured better against theft." Therefore, someone else will go in his place to deliver the message, or he may pre-record it.

Finally, while this is a big step forward for PC security, like every other security improvement, there's always a hack to get around it with time somehow, somewhere, which can then be patched and hacked and patched... However, in this case, when the secure boot system goes live and a core vulnerability is found in the UEFI or some other low level component, patching won't be so simple, or maybe even impossible, due to its low level nature. So, once again the suspicion remains that this whole 'initiative' is a backdoor to locking out competing operating systems such as Linux and to DRM your whole PC to 'protect' the profits of big content, in a similar way they already do on games consoles.

There's a lot of big corporate interests riding on secure boot, so do not ever rule out the possibility that it will be subverted to further them.
Add your own comment

35 Comments on Windows 8 Secure Boot Feature: Not So Secure?

#1
Lipton
I honestly have no idea why UEFIs Secure Boot is being brought up here.

"The researcher claims that the real issue exists in legacy boot procedures, not in the Redmond company's new feature." debunks this whole 'article' and the Softpedia headline is sensational driven by speculation.
Posted on Reply
#2
Yellow&Nerdy?
Surprise surprise. Seems like Windows 8 might be another Vista.
Posted on Reply
#3
Lipton
by: Yellow&Nerdy?
Surprise surprise. Seems like Windows 8 might be another Vista.
This exploits the legacy BIOS. Not UEFI and has nothing to do with the Windows 8 support of UEFI Secure Boot.
Posted on Reply
#4
newtekie1
Semi-Retired Folder
by: Damn_Smooth
I would appreciate your list of other OS's implementing this feature. Thanks.
  • Linux
  • Linux
  • Linux
  • Linux
  • Oh and OSX
Here is a statement from a Kernal Developer at Red Hat:
We don't really support secure boot right now, but that's ok because you can't buy any hardware that supports it yet. Adding support is probably about a week's worth of effort at most.
by: Lipton
This exploits the legacy BIOS. Not UEFI and has nothing to do with the Windows 8 support of UEFI Secure Boot.
I'm not sure this exploits the legacy BIOS but rather it exploits the legacy boot method on MBR drives, injecting a signed key before the OS boots, which you are correct in that it has nothing to do with Windows 8. And the simplest fix would just be to require boot drives use GPT when Secure Boot is enabled in UEFI.
Posted on Reply
#5
Damn_Smooth
by: newtekie1
  • Linux
  • Linux
  • Linux
  • Linux
  • Oh and OSX
Here is a statement from a Kernal Developer at Red Hat:




I'm not sure this exploits the legacy BIOS but rather it exploits the legacy boot method on MBR drives, injecting a signed key before the OS boots, which you are correct in that it has nothing to do with Windows 8. And the simplest fix would just be to require boot drives use GPT when Secure Boot is enabled in UEFI.
So Linux is switching to secure boot also? Or they have to because of UEFI?
Posted on Reply
#6
newtekie1
Semi-Retired Folder
by: Damn_Smooth
So Linux is switching to secure boot also? Or they have to because of UEFI?
They don't have to, as Secure Boot is supposed to have the option to be disabled in the UEFI interface. Most of the free distros probably won't see Secure Boot support. However, enterprise supported version of linux, such as Red Hat and the others that see heavy use in the enterprise world, will be using Secure Boot for sure.
Posted on Reply
#7
scaminatrix
by: Sihastru
I must give him the benefit of the doubt since he seems to be hating on the entire IT industry, not just the two or three companies.
:laugh: well, at least you can't say he's biased!
Posted on Reply
#8
qubit
Overclocked quantum bit
by: Sihastru
Calm down people, everyone is wrong, especially me.

While qubit might be bringing a Charlie Demerjian vibe to TPU, I must give him the benefit of the doubt since he seems to be hating on the entire IT industry, not just the two or three companies. The "Secure Boot" feature seems to be misunderstood as we don't all know exactly what it is.

We browsed the "reports" (not just the TPU versions) and since all of them are heavily biased they try to make Windows 8 (and Microsoft) the bad guy here. It wouldn't be news if it wasn't about a new, shiny (unreleased) product.

The attack described in this article seems to not be geared towards Windows 8 to be fair. Since the attack patches the MBR and then uses an inherent OS problem to obtain elevated rights it looks like Vista, Windows 7, Windows Server 2008 (R1/R2) and possibly others that support UEFI (or any hybrid UEFI version) can be attacked in the exact same way, and I don't see it now how it is related to UEFI or the secure boot feature.

To this looks to be nothing more then a puny OS vulnerability (like hundreds before it and hundreds after it) made to look like UEFI/Microsoft are the bad guys here. It will get patched, before or after the OS ships. Even more it is a vulnerability that first attacks the legacy part of the OS, and I thought that UEFI is the step away from legacy.

So it looks to me like UEFI and Microsoft should make the secure boot feature even more closed and draconic in nature in order to protect their customers. And in this way the reports are contradicting in nature, since half of them complain about the feature locking out Linux and other fluffy things like that while the other half complain about it letting in governments and other not-so-fluffy things.

I remember the same reaction when Microsoft introduced the driver signature enforcement in Vista, everyone automatically switched to panic mode, but in the end all was good.

Like then, everyone is now overreacting, trying desperately for their 15 minutes in the spotlight, and in a way, "Windoze 8 is the D3vil" articles will bring in many visitors to any site, visitors that will translate into add revenue.
Great post. :toast:

But sheesh, I didn't think I hated the whole IT industry? :eek: :)

The vulnerability isn't in the OS itself. From the looks of it, the UEFI still contains legacy BIOS code that's causing the problem, as the MBR isn't checked. Once that code is updated, this vulnerability will be fixed. Therefore, it's fair to say that any OS, Linux etc at this point would be vulnerable to Stoned Lite.

Hopefully you're right about all this being an overreaction. Only time will tell for sure, but in the meantime, the previous stories I linked to explain why it's a potential problem and people shouldn't be complacent about it.

Secure boot also sounds like it will make security software redundant, doesn't it? I suspect that it won't in practice, though.
Posted on Reply
#9
[H]@RD5TUFF
I really hope this is true, as I don't want to have to give up linux.
Posted on Reply
#10
newtekie1
Semi-Retired Folder
by: [H]@RD5TUFF
I really hope this is true, as I don't want to have to give up linux.
You won't have to anyway, secure boot can be disabled by the user in UEFI. That is in the spec for Secure Boot. However, the option isn't required, so we will probably see some OEM machines that have that option missing from UEFI. So just build your own machines and you won't have that problem.:)
Posted on Reply