
dc.contributor.author: Hoel, Kathrine
dc.date.accessioned: 2022-08-24T22:02:06Z
dc.date.available: 2022-08-24T22:02:06Z
dc.date.issued: 2022
dc.identifier.citation: Hoel, Kathrine. Hiding in the Shadows - Towards Understanding Modern UEFI Bootkits. Master thesis, University of Oslo, 2022
dc.identifier.uri: http://hdl.handle.net/10852/95659
dc.description.abstract: Malware is an increasingly big problem in the world. Bootkits are a group of especially advanced and complex malware and are on the rise together with attacks on firmware. Despite this, research efforts in modern UEFI bootkits have been scarce. The aim of this thesis is to help fill this hole. The thesis investigates what modern UEFI bootkits are, how they can be analyzed and in what ways security can be improved in order to be better prepared for the future. A workflow and lab environment to help debug UEFI and analyze modern bootkits are outlined and evaluated. A case study of two modern UEFI bootkits called MoonBounce and ESPecter is also performed. The results point to hooking and loading of malicious kernel drivers as two big techniques used by UEFI bootkits. Additionally, it is found that the bootkits analyzed manage to bypass several security measures. In the light of existing research within the field, it is speculated that vulnerabilities in UEFI and a complex supply chain are tightly linked to how bootkits infect systems in the first place. Several areas for further research are identified, and a conclusion is made that all the parts of the UEFI ecosystem have to cooperate more in order to improve. By doing this, the state of security in the boot process can be improved and we can be better prepared for the future. [eng]
dc.language.iso: eng
dc.subject: UEFI
dc.subject: Reverse engineering
dc.subject: Malware
dc.subject: Hardware
dc.subject: Firmware
dc.subject: Security
dc.subject: Vulnerabilities
dc.subject: Bootkits
dc.title: Hiding in the Shadows - Towards Understanding Modern UEFI Bootkits [eng]
dc.type: Master thesis
dc.date.updated: 2022-08-25T22:00:33Z
dc.creator.author: Hoel, Kathrine
dc.identifier.urn: URN:NBN:no-98166
dc.type.document: Masteroppgave
dc.identifier.fulltext: Fulltext https://www.duo.uio.no/bitstream/handle/10852/95659/1/Thesis_kathrhoe.pdf

