Host and Application Security
Transcript of Host and Application Security
![Page 1: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/1.jpg)
Host and Application Security
Lesson 4: The Win32 Boot Process
![Page 2: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/2.jpg)
Last foundational item
- What steps does our machine go through to start running?
![Page 3: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/3.jpg)
First Step: Power On!
- This may seem like a trivial step, but a lot is happening
- A timer kicks off once the motherboard (MB) voltages stabilize
- Execution passes to a location in Read Only Memory (ROM)
- Information about the hardware configuration is read from the CMOS
![Page 4: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/4.jpg)
POST
- Power On Self Test (POST)
- Check CMOS validity
- Check for Keyboard etc.
- A side note: beep codes
![Page 5: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/5.jpg)
Where next?
- Understanding the boot sequence here is important
- Can boot from LAN, Floppy, Hard Drive, CD-ROM…
- Boot priority typically set in CMOS
![Page 6: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/6.jpg)
But how?
- At this point, there is no operating system
- System used at the lowest level: Int 13h (the BIOS disk services interrupt)
- Aside: how Int xxh instructions work
- Typically, the “program” in the MBR is loaded as a single sector
![Page 7: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/7.jpg)
Three Possible Outcomes
- Success! First sector is loaded into memory and executed.
- A READ ERROR occurs
- A DISK I/O ERROR occurs
![Page 8: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/8.jpg)
What does a boot sector look like?
- On Win95… using DEBUG:

```
debug
l 7c00 0 0 1
u 7c00
```

- `l 7c00 0 0 1` loads one sector (logical sector 0 of drive 0, the floppy) to offset 7C00h, the same address the BIOS loads a boot sector to; `u 7c00` unassembles the code found there.
![Page 9: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/9.jpg)
Two Paths: Fixed and Removable
- Not identical
- Hard drive provides more options: MBR and PBS (partition boot sector)
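To make the “what does a boot sector look like?” question concrete, here is an added example (not from the slides) that parses a 512-byte MBR the way the BIOS sees it after Int 13h has loaded it to 7C00h: the boot code, the four partition table entries, and the 55AA signature the firmware checks before jumping in. The sector is constructed inline so the script runs offline.

```python
# Added example (not from the slides): parse a 512-byte MBR as loaded by Int 13h.
# The sample sector is CONSTRUCTED inline so the script runs offline.
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446       # 446 bytes of boot code precede the table
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"       # bytes 510..511 (the word 0xAA55 little-endian)


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code bytes, the four partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # <B3sB3sII: status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootable_count": sum(e["bootable"] for e in entries),
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: stub boot code, one bootable NTFS (type 0x07) partition, valid signature."""
    boot_code = b"\xEB\xFE" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)   # jmp $ ; nop padding
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097152)
    table = entry0 + b"\x00" * (3 * ENTRY_SIZE)                        # three empty entries
    return boot_code + table + BOOT_SIGNATURE


def firmware_would_boot(sector: bytes) -> bool:
    """The check the BIOS makes before jumping to 7C00h: the 55AA signature must be present."""
    return parse_mbr(sector)["signature_ok"]


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"])
    for n, p in enumerate(info["partitions"]):
        print(f"entry {n}: bootable={p['bootable']} type=0x{p['type']:02X} "
              f"lba={p['lba_start']} sectors={p['sectors']}")
```

A sector with the signature zeroed is what produces the “not bootable” path rather than the success outcome on the previous slide, and the boot-code bytes are exactly what `u 7c00` shows in DEBUG.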
![Page 10: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/10.jpg)
Next…
- MBR
- PBS
- NTLDR
- NTOSKRNL.EXE
- SMSS
- WINLOGON
- SCM
![Page 11: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/11.jpg)
NTLDR
- The boot code “understands” the underlying file system, and loads NTLDR from the root directory of that disk
- NTLDR starts life in “real mode”
![Page 12: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/12.jpg)
And What is “Real Mode”?
- No Virtual to Physical memory translation (tell me about that…)
- Only 1MB of memory available to the machine (why?)
- Just like DOS…
![Page 13: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/13.jpg)
Protected Mode
Source: Intel® 64 and IA-32 Architectures Software Developer’s Manual
- 32-bit address space now available
- Paging turned on
- Protected mode with paging is “normal” for Win32
![Page 14: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/14.jpg)
Now we switch to PM
- All disk I/O still handled by the “old” code
- NTLDR now examines BOOT.INI for more information
- If more than one selection, display choices…
![Page 15: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/15.jpg)
DOS?
- If BOOT.INI refers to a DOS option, BOOTSEC.DOS is loaded and executed as if it were a boot sector, switching back to Real Mode
![Page 16: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/16.jpg)
NTDETECT.COM
- Runs in real mode
- Reads the BIOS to determine OS basics, such as:
  - Time and Date
  - Types of Buses
  - Number/type of drive
  - Type of mouse
  - Parallel Ports…
![Page 17: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/17.jpg)
And then back to NTLDR
- Load the Kernel and the HAL
- Read the SYSTEM registry hive to determine required boot-time device drivers (Start value = SERVICE_BOOT_START)
- Loads the File System Drivers required for boot (e.g. NTFS)
![Page 18: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/18.jpg)
NTLDR Continued
- Loads the boot drivers and displays “Starting Windows”
- NB: Drivers are only loaded at this time, they are not run
- Prepares CPU registers for the execution of the kernel
- Calls main() in NTOSKRNL
![Page 19: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/19.jpg)
NTOSKRNL
- Two stage initialization process called…
  - Phase 0
  - Phase 1
![Page 20: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/20.jpg)
Phase 0
- Interrupts Disabled
- Build the data structures required by the Phase 1 processes
- Calls ExpInitializeExecutive
  - Finalizes HAL
  - Initializes Memory Manager
  - Initializes Object Manager
  - Initializes Security Reference Monitor, Process Mangler, Plug and Pray Manager
![Page 21: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/21.jpg)
Phase 1
- Control goes to Idle loop… allowing other processes to init
- Interrupts turned on
- Boot Video Driver On (The Win32 Startup Screen now displays)
- SMSS (Session Manager SubSystem) called
![Page 22: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/22.jpg)
SMSS
- User-mode process (but trusted part of the OS)
- Native application – doesn’t use Win32 APIs but uses Windows 2000 Native APIs
- Does lots of things… But we’re interested in:
  - Runs any programs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
  - Performs delayed file rename operations as directed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
  - Starts Winlogon
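Because anything listed in BootExecute is run by SMSS before Winlogon (and before any Win32 subsystem or security tooling is up), that value is one a defender baselines. Here is an added example (not from the slides) that decodes a REG_MULTI_SZ BootExecute value and flags entries beyond the stock `autocheck autochk *`; the raw value is constructed to look like data exported from a SYSTEM hive, and the Windows-only `read_live_boot_execute` helper uses the standard `winreg` module.

```python
# Added example (not from the slides): audit the SMSS BootExecute value.
# Entries here run from SMSS before Winlogon, so an unexpected one is an
# early-boot persistence point worth alerting on. SAMPLE_RAW is CONSTRUCTED.

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
# Stock value on NT-family systems: run autochk (boot-time chkdsk) on all volumes.
EXPECTED_BOOT_EXECUTE = ["autocheck autochk *"]


def decode_multi_sz(raw: bytes) -> list:
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list ends with an extra NUL."""
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]   # drop the terminating empties


def audit_boot_execute(entries: list, expected=EXPECTED_BOOT_EXECUTE) -> dict:
    """Split the list into expected entries and ones that need a closer look."""
    known = {x.lower() for x in expected}
    unexpected = [e for e in entries if e.strip().lower() not in known]
    return {"entries": entries, "unexpected": unexpected, "clean": not unexpected}


def read_live_boot_execute() -> list:
    """Windows only: read the same value from the live registry.
    winreg.QueryValueEx returns (value, type); for REG_MULTI_SZ the value is a list of str."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        value, _vtype = winreg.QueryValueEx(key, "BootExecute")
        return list(value)


# Constructed sample: the stock entry plus an extra native-mode program (a made-up name).
SAMPLE_RAW = "autocheck autochk *\x00unknown_native.exe\x00\x00".encode("utf-16-le")

if __name__ == "__main__":
    result = audit_boot_execute(decode_multi_sz(SAMPLE_RAW))
    print("BootExecute entries:", result["entries"])
    for entry in result["unexpected"]:
        print("unexpected BootExecute entry:", entry)
```

The same decode-and-compare approach applies to PendingFileRenameOperations, which is also a REG_MULTI_SZ and is how a file that is locked while Windows runs gets replaced at the next boot.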
![Page 23: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/23.jpg)
Security?
- So, let’s discuss… how can the Windows boot process be exploited?
![Page 24: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/24.jpg)
Enhancements: UEFI
- Intel specifications to replace the BIOS interface that is standard to all PCs
- Secure boot, however, is a really interesting discussion
- The idea is to lock the hardware to a particular chain of trust
- Things must be signed by a particular key… this led to some interesting debates
![Page 25: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/25.jpg)
Enhancements (cont’d): ELAM (Early Launch Anti-Malware)
- Try and get antimalware loaded much earlier in the boot process
- Purpose is to provide white/black listing services only, early in the process
- Forces load of the AM solution before anything else is loaded
![Page 26: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/26.jpg)
TPM
- Of course there is the TPM: Trusted Platform Module
- “The proper definition is that a trusted system or component is one whose failure can break the security policy, while a trustworthy system or component is one that won’t fail” (Anderson)
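The chain of trust on the UEFI slide and the TPM come together in measured boot: each stage hashes the next one into a Platform Configuration Register before handing over, and a PCR can only be extended (PCR = H(PCR || measurement)), never set. The added example below (not from the slides) simulates that for a SHA-256 bank with constructed stand-ins for the stages this lesson walked through, and shows why a secret sealed to the known-good PCR value does not unseal after any one stage changes.

```python
# Added example (not from the slides): simulate TPM PCR extension over the boot chain.
# A PCR cannot be written, only extended: PCR = SHA-256(PCR || measurement).
# Component contents are CONSTRUCTED stand-ins, not real boot code.
import hashlib

PCR_INITIAL = bytes(32)     # boot-measurement PCRs start as all zeros at reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend for a SHA-256 bank: hash the old value concatenated with the new digest."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """What a stage records about the next one before jumping to it: a digest of its bytes."""
    return hashlib.sha256(component).digest()


def measured_boot(chain: list) -> bytes:
    """Firmware measures the MBR, the MBR code measures the PBS, ... in order."""
    pcr = PCR_INITIAL
    for component in chain:
        pcr = extend(pcr, measure(component))
    return pcr


def seal_check(expected_pcr: bytes, chain: list) -> bool:
    """Models unsealing a disk key bound to a PCR value: only the recorded chain matches."""
    return measured_boot(chain) == expected_pcr


# Constructed stand-ins for the stages the lesson walked through.
GOOD_CHAIN = [b"MBR boot code", b"partition boot sector", b"NTLDR", b"NTOSKRNL.EXE"]
TAMPERED_CHAIN = [b"MBR boot code (modified)", b"partition boot sector", b"NTLDR", b"NTOSKRNL.EXE"]

if __name__ == "__main__":
    reference = measured_boot(GOOD_CHAIN)
    print("known-good PCR:", reference.hex())
    print("same chain unseals key?     ", seal_check(reference, GOOD_CHAIN))
    print("tampered MBR unseals key?   ", seal_check(reference, TAMPERED_CHAIN))
    print("reordered chain unseals key?", seal_check(reference, GOOD_CHAIN[::-1]))
```

Note that the order of the stages matters as much as their contents: the same four components extended in a different order give a different PCR value.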
![Page 27: Host and Application Security](https://reader036.fdocuments.in/reader036/viewer/2022062815/56816935550346895de08fd4/html5/thumbnails/27.jpg)
Questions and Assignment
- Assignment: 2500 words or more, on “Security Enhancements to the PC Boot Process”
- Basically, in detail, tell me about UEFI, TPM etc.
- Due next Thursday, printed out, in class. PLUS electronic copy to moi!