The 'bootkit' menace is a paper threat

New research papers on next-generation Windows 8 and Mac OS X rootkits suggest a new wave of vulnerabilities. But most users are going to be more secure, not less

Is Windows 8's security compromised from the start? Two recent papers laying out the groundwork for next-generation rootkits seem to argue the point, but a significant caveat makes all the difference.

Last week, security researchers at ITSec, a security and reverse engineering firm, published an analysis of the Windows 8 boot process and the possibilities for creating a boot-level rootkit, or bootkit, by utilizing features of the UEFI (Unified Extensible Firmware Interface), a replacement for the venerable BIOS (Basic Input/Output System) on which most computers run. Microsoft has made UEFI mandatory for all systems shipping with Windows 8.

The ITSec researchers concluded that creating a bootkit under UEFI is a simpler process than using the more limited features of your typical BIOS. Some media outlets declared Windows 8 to be threatened by the new bootkit techniques.

"In the brief analysis we made, we have seen that hitting an UEFI system is still a quite easy task," researcher Andrea Allievi wrote in the analysis. "Sky is the limit."

The conclusions resembled research presented at the Black Hat on creating rootkits for the Mac OS X using the Extensible Firmware Interface. (Apple is part of the United EFI Forum but uses its own EFI hybrid, not the latest UEFI standard.)

While both research efforts are interesting because they help establish a foundation for bootkits under the more feature-rich Extensible Firmware Interfaces, neither one takes into account a major push in platform security known as Secure Boot. While UEFI was born of a 1998 Intel initiative to replace the BIOS, Secure Boot comes from Microsoft's Palladium efforts of more than a decade ago to make Windows and the PC platform more secure for digital media and the subsequent efforts to create a Trusted Computing Platform.

Secure Boot uses cryptographic keys and a combination of white and black lists to only allow authenticated software to run. It's basically a way to extend trust up the software stack: If you trust the hardware, firmware, and operating system at the time of installation, then unsanctioned code -- such as a rootkit -- should not be able to run at a lower level than the operating system kernel.

So how do the new Windows 8 and Mac OS X rootkits get around Secure Boot? They don't.

Secure Boot will "increase whole platform's security, though the biggest drawback is that it will render entire architecture (more closed), decreasing user freedom's (sic) of choice," ITSec's Allievi wrote. "The discussion whether or not Secure Boot is the right technology is outside the scope of current analysis."

1 2 Page 1
From CIO: 8 Free Online Courses to Grow Your Tech Skills