Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode

Julian Rauchberger, Robert Luh, Sebastian Schrittwieser

2017

Abstract

The theoretical threat of malware inside the BIOS or UEFI of a computer has been known for almost a decade. It has been demonstrated multiple times that exploiting the System Management Mode (SMM), an operating mode implemented in the x86 architecture and executed with high privileges, is an extremely powerful method for implanting persistent malware on computer systems. However, previous BIOS/UEFI malware concepts described in the literature often focused on proof-of-concept implementations and did not have the goal of demonstrating the full range of threats stemming from SMM malware. In this paper, we present Longkit, a novel framework for BIOS/UEFI malware in the SMM. Longkit is universal in nature, meaning it is fully written in position-independent assembly and thus also runs on other BIOS/UEFI implementations with minimal modifications. The framework fully supports the 64-bit Intel architecture and is memory-layout aware, enabling targeted interaction with the operating system's kernel. With Longkit we are able to demonstrate the full potential of malicious code in the SMM and provide researchers of novel SMM malware detection strategies with an easily adaptable rootkit to help evaluate their methods.

Paper Citation


in Harvard Style

Rauchberger J., Luh R. and Schrittwieser S. (2017). Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 346-353. DOI: 10.5220/0006165603460353

in Bibtex Style

@conference{icissp17,
author={Julian Rauchberger and Robert Luh and Sebastian Schrittwieser},
title={Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={346-353},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006165603460353},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Longkit - A Universal Framework for BIOS/UEFI Rootkits in System Management Mode
SN - 978-989-758-209-7
AU - Rauchberger J.
AU - Luh R.
AU - Schrittwieser S.
PY - 2017
SP - 346
EP - 353
DO - 10.5220/0006165603460353