Researchers Peter Bosch and Trammell Hudson presented a Time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Intel's reference Unified Extensible Firmware Interface (UEFI) implementation at the Hack in the Box conference in Amsterdam this week.
Boot Guard is a technology that was added in Haswell and was supposed to check that the low-level firmware (UEFI) has not been maliciously modified. It does this by checking that the loaded firmware modules are digitally signed with trusted keys that belong to Intel or the PC manufacturer every time the computer starts.
Bosch, an independent researcher and computer science student at Leiden University in the Netherlands, discovered an anomaly in the Boot Guard verification process while he was trying to find a way to run the open-source Coreboot firmware on his laptop. In particular, he noticed that after the system verified the firmware and created a validated copy in the cache, it later re-read modules from the original image in the Serial Peripheral Interface (SPI) flash chip -- the chip that stores the UEFI code.
Once the cryptographic checks have passed, the system should rely only on the verified copy. This made Bosch suspect that an attacker might have a window in which to modify the firmware code after it has been verified and before it is incorrectly re-read from SPI memory.
Trammell Hudson confirmed Bosch's findings, and together they worked on an attack that involves attaching a programming device to the flash memory chip so that it responds with malicious code when the CPU re-reads firmware modules from SPI memory instead of using the validated copy.
The result is that malicious and unsigned code is executed successfully, something that Boot Guard was designed to prevent.
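To make the check-then-use gap concrete, here is an added simulation (not code from the researchers, Boot Guard or Tianocore). It models an SPI flash whose contents can differ between the read that is verified and a later re-read, and contrasts a boot path that re-reads from flash with one that only uses the verified copy. The digest is a stand-in for the real signature check; the `honest_reads` knob, the image bytes and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample "firmware module" images (15 characters + NUL = 16 bytes). */
#define IMAGE_LEN 16
static const uint8_t GENUINE[IMAGE_LEN]  = "GENUINE-MODULE!";
static const uint8_t TAMPERED[IMAGE_LEN] = "OTHER--MODULE!!";

/* Simulated SPI flash. Reads return GENUINE until `honest_reads` reads have been
   served, then TAMPERED (a device answering differently on later reads).
   honest_reads == -1 models a flash whose contents never change. */
struct sim_flash {
    int reads;        /* reads served so far */
    int honest_reads; /* number of reads that return the genuine image */
};

static void flash_read(struct sim_flash *f, uint8_t *dst) {
    const uint8_t *src = GENUINE;
    if (f->honest_reads >= 0 && f->reads >= f->honest_reads)
        src = TAMPERED;
    memcpy(dst, src, IMAGE_LEN);
    f->reads++;
}

/* FNV-1a: stands in for the signature verification; only the ordering of
   check and use matters for the point being illustrated. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

enum { RAN_GENUINE = 0, RAN_TAMPERED = 1, REFUSED = -1 };

/* "Execute" a module by reporting which image actually ran. */
static int run_module(const uint8_t *img) {
    return memcmp(img, GENUINE, IMAGE_LEN) == 0 ? RAN_GENUINE : RAN_TAMPERED;
}

/* Vulnerable ordering: verify a cached copy, then re-read the module from flash
   and run what came back the second time. */
int boot_reread_from_flash(struct sim_flash *f) {
    uint8_t cache[IMAGE_LEN], again[IMAGE_LEN];
    uint32_t expected = digest(GENUINE, IMAGE_LEN); /* trusted reference value */
    flash_read(f, cache);
    if (digest(cache, IMAGE_LEN) != expected) return REFUSED; /* time of check */
    flash_read(f, again);              /* time of use: re-read from the mutable source */
    return run_module(again);
}

/* Hardened ordering: everything after the check uses the verified copy only. */
int boot_from_verified_copy(struct sim_flash *f) {
    uint8_t cache[IMAGE_LEN];
    uint32_t expected = digest(GENUINE, IMAGE_LEN);
    flash_read(f, cache);
    if (digest(cache, IMAGE_LEN) != expected) return REFUSED;
    return run_module(cache);          /* run exactly the bytes that were checked */
}

/* Convenience wrappers: build a flash with the given behaviour and boot once. */
int demo_reread(int honest_reads) {
    struct sim_flash f = { 0, honest_reads };
    return boot_reread_from_flash(&f);
}
int demo_verified(int honest_reads) {
    struct sim_flash f = { 0, honest_reads };
    return boot_from_verified_copy(&f);
}

int main(void) {
    printf("stable flash, re-read path     : %d\n", demo_reread(-1));   /* 0 */
    printf("changing flash, re-read path   : %d\n", demo_reread(1));    /* 1 */
    printf("changing flash, verified-copy  : %d\n", demo_verified(1));  /* 0 */
    printf("bad image from the start       : %d\n", demo_reread(0));    /* -1 */
    return 0;
}
```

With a flash that never changes both paths behave identically, which is why the bug is invisible in normal operation; the difference only appears when the bytes at time of use are not the bytes at time of check. The fix is not a stronger signature but a shorter chain of custody: the verified copy must be the only input to everything that follows the check.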
The attack requires opening the laptop case to attach clip-on connectors to the chip, and there are ways to make it permanent, such as replacing the SPI chip with a rogue one that emulates the UEFI flash and also serves malicious code.
Hudson has come up with an emulator chip that has the same dimensions as a real SPI flash chip and could easily pass as one upon visual inspection if some plastic coating is added to it.
In its chip-swapping variant, Hudson's and Bosch's attack acts as a persistent hardware-based bootkit. It can be used to steal disk encryption passwords and other sensitive information from the system, and it's tough to detect without opening the device and closely inspecting its motherboard.
The physical compromise could occur in different ways and is not that difficult: replacing the SPI memory chip with a rogue one takes 15 to 20 minutes alone with the machine.
Other possibilities are supply chain attacks or the so-called "interdiction" techniques, in which computer shipments are intercepted in transit, for example by an intelligence agency, backdoored and then resealed to hide any tampering. The documents leaked by Edward Snowden showed that the NSA uses such techniques, and it is likely not the only intelligence agency to do so.
Some devices do have tamper-evident seals or mechanisms, but someone with the right resources and knowledge can easily bypass those defences, said Bosch.
The two researchers notified Intel of their findings in January and apparently the chipmaker treated the issue seriously and assigned a high severity to it. The company already has patches available for its reference UEFI implementation -- known as Tianocore -- that it shares with BIOS vendors and PC manufacturers. The researchers haven't yet tested the fixes, but at least based on the description, they seem comprehensive and should prevent similar attacks in the future.