DE MYSTERIIS DOM JOBSIVS: MAC EFI ROOTKITS presented at Ruxcon 2012

by Snare ,

Tags: EFI Bootkit Apple FileVault

Summary : The EFI firmware used in Intel Macs and other modern systems presents some interesting possibilities for rootkit developers. This presentation will provide a full account of how an EFI-based rootkit might work. We will begin with some background on the EFI architecture - what it does, how it works, and how we can leverage EFI to inject code into the Mac OS X kernel or attack the user directly. We will then detail how a kernel payload might work, employing a number of rootkit techniques that can be used within the XNU kernel. Finally, we will discuss the possibilities for rootkit persistence that are presented by EFI. This presentation will not require a detailed understanding of EFI, and will leave the audience with an understanding of the ways in which EFI can be used in a modern Mac OS X rootkit.