host and application security
DESCRIPTION
Host and Application Security. Lesson 4: The Win32 Boot Process. Last foundational item. What steps does our machine go through to start running?. First Step: Power On!. This may seem like a trivial step, but a lot is happening A timer kicks off once the MB voltages stabilize - PowerPoint PPT PresentationTRANSCRIPT
Host and Application SecurityLesson 4: The Win32 Boot Process
Last foundational item What steps does our machine go through to
start running?
First Step: Power On! This may seem like a trivial step, but a lot is
happening A timer kicks off once the MB voltages
stabilize Execution passes to a location in Read Only
Memory (ROM) Information about the hardware configuration
is read from the CMOS
POST Power On Self Test (POST) Check CMOS validity Check for Keyboard etc. A side note: beep codes
Where next? Understanding the boot sequence here is
important Can boot from LAN, Floppy, Hard Drive, CD-
ROM… Boot priority typically set in CMOS
But how? At this point, there is no operating system System used at the lowest level: Int 13h Aside: how Int xxh instructions work Typically, load “program” in the MBR as a
single sector
Three Possible Outcomes Success! First sector is loaded into memory
and executed. A READ ERROR occurs A DISK I/O ERROR occurs
What does a boot sector look like? On Win95… debug
l 7c00 0 0 1u 7c00
Two Paths: Fixed and Removable Not identical Hard drive provides more options – MBR and
PBS
Next… MBR PBS NTLDR NTOSKRNL.EXE SMSS WINLOGON SCM
NTLDR The boot code “understands” the underlying
file system, and loads NTLDR from the root directory of that disk
NTLDR starts life in “real mode”
And What is “Real Mode” No Virtual to Physical memory translation
(tell me about that…) Only 1MB of memory available to the
machine (why?) Just like DOS…
Protected Mode
Source: Intel® 64 and IA-32 Architectures Software Developer’s Manual
32-bit memory now available Paging turned on Protected mode with paging is “normal” for
Win32
Now we switch to PM All disk IO still handled by the “old” code NTLDR now examines BOOT.INI for more
information If more than one selection, display choices…
DOS? If BOOT.INI refers to a DOS option BOOTSEC.DOS is loaded and executed as if
it were a boot sector, switching back to Real Mode
NTDETECT.COM Runs in real mode Reads the BIOS to determine OS basics, such
as: Time and Date Types of Buses Number/type of drive Type of mouse Parallel Ports…
And then back to NTLDR Load the Kernel and the HAL Read the SYSTEM registry hive to determine
required boot-time device drivers Start Value = SERVICE_BOOT_START
Loads the File System Drivers required for boot (e.g. NTFS)
NTLDR Continued Loads the boot drivers and displayed
“Starting Windows” NB: Drivers only load at this time, they are
not run Prepare CPU registers for the execution of the
kernel Calls main() in NTOSKRNL
NTOSKRNL Two stage initialization process called…
Phase 0 Phase 1
Phase 0 Interrupts Disabled Build the data structures required by the
Phase 1 processes Calls ExpInitializeExecutive
Finalizes HAL Initializes Memory Manager Initializes Object Manager Initializes Security Reference Monitor, Process
Mangler, Plug and Pray Manager
Phase 1 Control goes to Idle loop… allowing other
processes to init Interrupts turned on Boot Video Driver On (The Win32 Startup
Screen now displays) SMSS (Session Manager SubSystem) called
SMSS User-mode process (but trusted part of the OS) Native application – doesn’t use Win32 APIs but uses
Windows 2000 Native APIs Does lots of things… But we’re interested in:
Runs any programs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
Performs delayed file rename operations as directed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Starts Winlogon
Security? So, let’s discuss… how can the Windows boot
process be exploited?
Enhancements UEFI
Intel specifications to replace the BIOS interface that is standard to all PCs
Secure boot, however, is a really interesting discussion
The idea is to lock the hardware to a particular chain of trust Things must be signed by a particular key… this lead
to some interesting debates
Enhancements (cntd) ELAM
Try and get antimalware loaded much earlier in the boot process
Purpose is to provide white/black listing services only early in the process
Forces load of the AM solution before anything else is loaded
TPM Of course there is the TPM Trusted Platform Module
“The proper definition is that a trusted system or component is one whose failure can break the security policy, while a trustworthy system or component is one that won’t fail” (Anderson)
Questions and Assignment Assignment: 2500 words or more, on
“Security Enhancements to the PC Boot Process”
Basically, in detail, tell me about UEFI, TPM etc.
Due, next Thursday, printed out, in class. PLUS electronic copy to moi!