Security of a computing endpoint is traditionally viewed with respect to Firewall, HIPS, AV Products, etc. This perspective though misses out on “Below Kernel” aspects of cyber threats, which may target Hypervisor, Firmware or Hardware itself. Here are some attacks that are targeted on “Below Kernel” components
DMA attack -> In this the attacker gets into the system through Direct Memory Access capable Ports. This is a physical attack where a customized PCI, or USB, or FireWire device can be used to get access of whole physical memory. The attacker can then get access to encryption keys and in turn, compromise the firmware or hardware. The attacker may even alter OS behaviour by modifying page properties!
MBR Rootkits -> On systems where OS is loaded through MBR, the attackers have been known to compromise MBR and execute arbitrary code on system start. With this mechanism, they can remain hidden from security solutions. In some cases, attackers have also compromised Volume Boot Record (VBR) and perform rootkit injection. Some Ransomware have also used this technique to encrypt the machine
UEFI rootkits -> In recent past, researchers have proven the possibility of UEFI Rootkits where the firmware can be compromised and infected during the BIOS Update. UEFI secure boot can be bypassed by fake signing and modification of UEFI key table
As you can see, “Below Kernel” landscape provides a malicious actor with numerous opportunities to attack a system. To protect against such attacks, Intel and AMD have equipped their processors with several inbuilt security features. An example is the Trusted Platform Module, which provides hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. Recent platforms use this chip for Secure Boot
Intel processors have SGX (Software Guard Extensions) enabled, which can be used to define private regions of Physical Memory, thereby controlling access to the data in memory. AMD processors come with a feature known as SME (Secure Memory Encryption), which encrypts the contents of physical memory. Both the manufacturers have also introduced AES NI (AES New Instruction) in their processors. This feature enables processors to run the AES Encryption
To read more on Security and Below Kernel architecture, go through the whitepaper CyberSecurity Below the Kernel.
No Comments