What prevents me from writing a bootkit that uses a recognized UEFI key?

user16538

As far as I know, UEFI Secure Boot works (more or less) like this: for certain operating systems to be able to boot, they have to be signed with a key that UEFI checks at every startup. If a bootkit replaces the operating system, the check fails and the system installed by the bootkit is never executed.

However, if I write a bootkit that targets Windows 8, and if I put the Windows 8 key into the bootkit, will the bootkit work? If yes, why is Secure Boot considered secure? If not, why not?

1 answer to the question

Rod Smith

A malware author (let's call him Mel) can't just copy the keys from an existing boot loader; he has to get his own binary signed with a private key that's held by Microsoft. That said, Microsoft is signing binaries for third parties -- OS developers (Red Hat, Canonical, etc.) and even individuals are getting binaries signed. To do this, you've got to submit paperwork and pay a $99 fee to Verisign. Thereafter, Microsoft will sign the binaries you provide. I have no idea if they do any sort of virus scanning on them, though; if so, it's conceivable that some malware would be caught before it could be distributed.

Let's suppose, though, that Mel gets a malware binary signed and begins distributing it. Eventually, it'll be spotted by security researchers or detected by users, and somebody will notice it's been signed with Microsoft's key. At that point, Microsoft will be notified and will release a Windows update that will add that specific binary to a blacklist so that it will no longer boot on any machine that's received regular security updates. Microsoft will also then know that Mel is the author, since they'll presumably keep a copy of everything they sign in case of such problems. There'll be a paper trail, including things like the credit card number that was used to pay for the services and a snail-mail address used for correspondence. Presumably Microsoft will hand all that over to the authorities, and Mel will end up being visited by the police.

Of course, it's possible to imagine scenarios where a sufficiently motivated individual or criminal organization could avoid suffering such consequences -- they could use a stolen credit card to pay Verisign, use a temporary address that's not easily traced to them, etc. A US national spy agency like the NSA or CIA might also be able to intervene to get spyware or sabotage software like Flame signed. I expect that we'll see both of these things happen in the fullness of time.

The bottom line: Secure Boot puts up a hurdle for malware authors to overcome, but it's not an insurmountable one. It's just one move in a long-standing game between malware authors and OS vendors (primarily Microsoft). It has the potential to improve security, but it remains to be seen how well it will work.
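The following is an added example, not part of Rod Smith's answer or of any firmware implementation, to make the distinction between "having the key" and "being able to sign" concrete. It models the firmware's trust store the way UEFI does (an allow-list `db` of trusted public keys and a forbidden list `dbx` of revoked image hashes) with a deliberately tiny RSA construction built from two Mersenne primes, which is an assumption for illustration only and is nowhere near a real key size. All boot-image bytes are constructed sample data. The scenarios walk through the question and the answer: a genuine signed loader boots; a bootkit that copies the genuine loader's signature, or that embeds Microsoft's public key in its own bytes, fails verification because the firmware only trusts keys from its own `db` and the attacker never held the private half; a bootkit that was signed through the signing service boots until its hash is pushed to `dbx`.

```python
import hashlib

# Toy RSA parameters: two Mersenne primes, chosen only so that the arithmetic
# is correct and fast. Assumption for illustration; real Secure Boot keys are
# 2048-bit RSA certificates, not 92-bit moduli.
_P = 2147483647            # 2^31 - 1
_Q = 2305843009213693951   # 2^61 - 1
_E = 65537


def toy_keygen():
    """Return (public, private) toy RSA keys as (n, e) and (n, d)."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)   # modular inverse; gcd(e, phi) == 1 for these primes
    return (n, _E), (n, d)


def image_hash(image: bytes) -> int:
    """SHA-256 of the boot image as an integer (what actually gets signed)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(private, image: bytes) -> int:
    """Signing needs the PRIVATE key; only the CA (here 'Microsoft') has it."""
    n, d = private
    return pow(image_hash(image) % n, d, n)


def verify_signature(public, image: bytes, sig: int) -> bool:
    """Verification needs only the PUBLIC key, which every firmware ships."""
    n, e = public
    return pow(sig, e, n) == image_hash(image) % n


def verify_boot(db, dbx, image: bytes, sig: int) -> str:
    """Firmware decision modelled on UEFI's db/dbx logic.

    db:  trusted public keys (allow-list)
    dbx: revoked SHA-256 hex digests (forbidden list, updated by the OS vendor)
    Note that keys embedded inside the image itself are never consulted.
    """
    if hashlib.sha256(image).hexdigest() in dbx:
        return "REVOKED"
    if any(verify_signature(pub, image, sig) for pub in db):
        return "BOOT"
    return "SECURITY VIOLATION"


def run_scenarios():
    """Play through the question's and the answer's scenarios; returns a dict."""
    ms_pub, ms_priv = toy_keygen()   # private half never leaves the CA
    db = [ms_pub]                    # what the firmware trusts out of the box
    dbx = set()                      # revocations pushed by security updates
    results = {}

    # 1. Genuine, vendor-signed boot manager (constructed sample bytes).
    bootmgr = b"constructed: genuine Windows boot manager bytes"
    bootmgr_sig = sign(ms_priv, bootmgr)
    results["genuine"] = verify_boot(db, dbx, bootmgr, bootmgr_sig)

    # 2. Bootkit that reuses the genuine loader's signature on its own bytes.
    bootkit = b"constructed: bootkit payload"
    results["copied_signature"] = verify_boot(db, dbx, bootkit, bootmgr_sig)

    # 3. Bootkit that 'puts the Windows key in': embeds the public key bytes.
    n, e = ms_pub
    bootkit_with_key = bootkit + n.to_bytes(12, "big") + e.to_bytes(3, "big")
    results["embedded_public_key"] = verify_boot(db, dbx, bootkit_with_key, bootmgr_sig)

    # 4. 'Mel' gets the bootkit signed by the CA: it boots ...
    mel_sig = sign(ms_priv, bootkit)
    results["legitimately_signed"] = verify_boot(db, dbx, bootkit, mel_sig)

    # ... until its hash is added to dbx by an update. The genuine loader is
    # unaffected because revocation here is per-image, not per-key.
    dbx.add(hashlib.sha256(bootkit).hexdigest())
    results["after_revocation"] = verify_boot(db, dbx, bootkit, mel_sig)
    results["genuine_after_revocation"] = verify_boot(db, dbx, bootmgr, bootmgr_sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} {outcome}")
```

The point the code makes is that the key the question wants to "put into the bootkit" is the public key, which the firmware already has and which verifies but cannot produce signatures; the only routes that yield a bootable image are the ones in the answer (obtaining a signature from the holder of the private key), and those are what the hash-based dbx revocation is there to close after the fact.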