New research papers on next-generation Windows 8 and Mac OS X rootkits suggest a new wave of vulnerabilities. But most users are going to be more secure, not less.

Is Windows 8’s security compromised from the start? Two recent papers laying out the groundwork for next-generation rootkits seem to argue the point, but a significant caveat makes all the difference.

Last week, security researchers at ITSec, a security and reverse engineering firm, published an analysis of the Windows 8 boot process and the possibilities for creating a boot-level rootkit, or bootkit, by utilizing features of the UEFI (Unified Extensible Firmware Interface), a replacement for the venerable BIOS (Basic Input/Output System) on which most computers run. Microsoft has made UEFI mandatory for all systems shipping with Windows 8.

The ITSec researchers concluded that creating a bootkit under UEFI is a simpler process than using the more limited features of your typical BIOS. Some media outlets declared Windows 8 to be threatened by the new bootkit techniques. “In the brief analysis we made, we have seen that hitting an UEFI system is still a quite easy task,” researcher Andrea Allievi wrote in the analysis. “Sky is the limit.”

The conclusions resembled research presented at Black Hat on creating rootkits for Mac OS X using the Extensible Firmware Interface. (Apple is part of the United EFI Forum but uses its own EFI hybrid, not the latest UEFI standard.)

While both research efforts are interesting because they help establish a foundation for bootkits under the more feature-rich Extensible Firmware Interfaces, neither one takes into account a major push in platform security known as Secure Boot. While UEFI was born of a 1998 Intel initiative to replace the BIOS, Secure Boot comes from Microsoft’s Palladium efforts of more than a decade ago to make Windows and the PC platform more secure for digital media and the subsequent efforts to create a Trusted Computing Platform.
Secure Boot uses cryptographic keys and a combination of white and black lists to only allow authenticated software to run. It’s basically a way to extend trust up the software stack: If you trust the hardware, firmware, and operating system at the time of installation, then unsanctioned code — such as a rootkit — should not be able to run at a lower level than the operating system kernel.

So how do the new Windows 8 and Mac OS X rootkits get around Secure Boot? They don’t.

Secure Boot will “increase whole platform’s security, though the biggest drawback is that it will render entire architecture (more closed), decreasing user freedom’s (sic) of choice,” ITSec’s Allievi wrote. “The discussion whether or not Secure Boot is the right technology is outside the scope of current analysis.” A paper on the Mac OS X rootkit (PDF) is even more clear: “A successful implementation of (a Secure Boot-like) process would mitigate the risk of many attacks described herein.”

Apple has not yet adopted Secure Boot on Mac OS X, but it undoubtedly will use a similar technology because it already uses a secured boot chain on its mobile platform, iOS (PDF). The company has already duplicated many of the security strategies from its iOS platform for mobile devices on Mac OS X, namely a closed software ecosystem with signed code and sandboxing applications so they cannot access each other’s data. Secure Boot, or a similar system, will likely make its way in as well.

So nothing to worry about? Not so fast. Users could turn off Secure Boot, just as they jailbreak their smartphones, a practice that undermines the security of the operating system. About 10 percent of smartphone users use a rootkit on their phone to disable protections put in place by the manufacturers and carriers. Jailbreaking allows users to choose a different carrier, use non-sanctioned applications, and have features disallowed by the carriers or manufacturers.
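The allow-list/deny-list check described above, as an added example that is not from the article or from any firmware vendor: a Python model of a Secure Boot-style chain of trust in which each boot stage's SHA-256 hash is checked against a deny list (dbx) and then an allow list (db) before it may run. The db/dbx names follow UEFI's variable names; holding only hashes rather than certificates, and the sample images, are assumptions made for this example.

```python
import hashlib

# Constructed stand-in for UEFI's signature databases: db is the allow
# list, dbx the deny list. Real entries may be certificates or SHA-256
# image hashes; this model uses hashes only (an assumption for brevity).
def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def verify_image(image: bytes, db: set, dbx: set, secure_boot: bool = True) -> bool:
    """Return True if the firmware would allow this image to run."""
    if not secure_boot:
        return True            # Secure Boot disabled: anything boots
    h = image_hash(image)
    if h in dbx:
        return False           # deny list wins over the allow list
    return h in db             # unknown or tampered images are refused

def boot_chain(stages, db, dbx, secure_boot=True):
    """Verify each stage in order and stop at the first failure.
    Returns the names of the stages that were allowed to run."""
    ran = []
    for name, image in stages:
        if not verify_image(image, db, dbx, secure_boot):
            break
        ran.append(name)
    return ran

# Constructed sample images (not real firmware or OS binaries).
BOOTLOADER = b"trusted bootloader v1"
KERNEL = b"trusted kernel v1"
BOOTKIT = b"unsigned bootkit that hooks the loader"
OLD_LOADER = b"trusted bootloader v0 (later revoked)"

DB = {image_hash(BOOTLOADER), image_hash(KERNEL), image_hash(OLD_LOADER)}
DBX = {image_hash(OLD_LOADER)}   # revoked even though it is still in db

def demo():
    """Run four boot scenarios and report which stages got to run."""
    return {
        "clean": boot_chain([("bootloader", BOOTLOADER), ("kernel", KERNEL)], DB, DBX),
        "bootkit": boot_chain([("bootkit", BOOTKIT), ("kernel", KERNEL)], DB, DBX),
        "revoked": boot_chain([("bootloader", OLD_LOADER), ("kernel", KERNEL)], DB, DBX),
        "secure_boot_off": boot_chain([("bootkit", BOOTKIT), ("kernel", KERNEL)], DB, DBX, False),
    }

if __name__ == "__main__":
    for case, stages in demo().items():
        print(f"{case:16s} -> ran {stages}")
```

The last scenario is the article's caveat in code: with Secure Boot switched off, the unverified image runs first and nothing above it can be trusted.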
Similarly, many Linux users have complained that Secure Boot on Windows could limit their choice. While Red Hat, Ubuntu, and Suse have all announced ways of supporting, or at least dealing with, Secure Boot, dual booting a computer is still problematic.

Yet Linux users make up only 1 percent of the desktop OS user base. Even if that is doubled by Mac users running Windows 8 in Bootcamp, some 98 percent of Windows users will not have to worry about EFI bootkits.

The real threat is a rootkit that exploits a vulnerability in the Unified Extensible Firmware Interface. UEFI is much more complex than BIOS, and software complexity means bugs. If security researchers find a flaw in the software, then all the research into the creation of bootkits will pay off. While such flaws will be hard to find, similar vulnerabilities have been found to allow smartphones to be jailbroken, so the security issues are undoubtedly there.

This story, “The ‘bootkit’ menace is a paper threat,” was originally published at InfoWorld.com.