Hacking the extensible Firmware Interface presented at BlackHatDC 2007

by John Heasman,

URL : https://www.blackhat.com/presentations/bh-usa-07/Heasman/Presentation/bh-usa-07-heasman.pdf

Summary : "Macs use an ultra-modern industry standard technology called EFI to handle booting. Sadly, Windows XP, and even Vista, are stuck in the 1980s with old-fashioned BIOS. But with Boot Camp, the Mac can operate smoothly in both centuries."
Quote taken from http://www.apple.com/macosx/bootcamp/
The Extensible Firmware Interface (EFI) has long been touted as the replacement for the traditional BIOS and was chosen by Apple as the pre-boot environment for Intel-based Macs. This presentation explores the security implications of EFI on firmware-based rootkits.
We start by discussing the limitations of the traditional BIOS and the growing need for an extensible pre-boot environment. We also cover the key components of the EFI Framework and take a look at the fundamental design decisions affecting EFI and their consequences. Next we consider the entry points that an EFI system exposesjust how an attacker may set about getting their code into the EFI environmenttaking the Apple Macbook as our reference implementation.
After demonstrating several means of achieving the above, we turn our attention to subverting the operating system from below, drawing parallels wherever possible to attacks against systems running a traditional BIOS.
The final part of this presentation discusses the evolution of EFI into the Unified Extensible Firmware Interface (UEFI), soon to be supported by Windows Server (Longhorn) and discusses the application of the previously discussed attacks to UEFI.