
Host and Application Security



Presentation Transcript


  1. Host and Application Security Lesson 4: The Win32 Boot Process

  2. Last foundational item • What steps does our machine go through to start running?

  3. First Step: Power On! • This may seem like a trivial step, but a lot is happening • A timer kicks off once the MB voltages stabilize • Execution passes to a location in Read Only Memory (ROM) • Information about the hardware configuration is read from the CMOS

  4. POST • Power On Self Test (POST) • Check CMOS validity • Check for Keyboard etc. • A side note: beep codes

  5. Where next? • Understanding the boot sequence here is important • Can boot from LAN, Floppy, Hard Drive, CD-ROM… • Boot priority typically set in CMOS

  6. But how? • At this point, there is no operating system • System used at the lowest level: Int 13h • Aside: how Int xxh instructions work • Typically, load the “program” in the MBR as a single sector

  7. Three Possible Outcomes • Success! First sector is loaded into memory and executed. • A READ ERROR occurs • A DISK I/O ERROR occurs

  8. What does a boot sector look like? • On Win95… • Run `debug`, then `l 7c00 0 0 1` (load one sector, sector 0 of drive 0, to address 7C00h), then `u 7c00` (unassemble it)

  9. Two Paths: Fixed and Removable • Not identical • Hard drive provides more options – MBR and PBS
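Added example (not from the slides): a Python parser for the 512-byte MBR image that slides 8 and 9 describe, run against a constructed sector rather than a real disk. It checks the 55 AA signature the BIOS requires before jumping to 7C00h and locates the single active partition whose boot sector (PBS) the MBR code loads next.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # 446 bytes of boot code, then 4 x 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55       # stored little-endian: bytes 55 AA at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Parse the one sector Int 13h loads to 0000:7C00; reject anything that isn't a valid MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, 510)[0]
    if signature != BOOT_SIGNATURE:
        raise ValueError(f"bad boot signature 0x{signature:04X}, expected 0xAA55")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:            # type 0 marks an unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:PART_TABLE_OFFSET], "partitions": partitions}


def active_partition(mbr: dict) -> dict:
    """Return the single active entry: the MBR code reads that partition's first sector (the PBS)."""
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def build_sample_mbr() -> bytes:
    """Constructed sample (not from a real disk): placeholder boot code plus one active NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[0:2] = b"\xEB\xFE"  # 'jmp $' placeholder standing in for real boot code
    # status 0x80 = active, type 0x07 = NTFS, starts at LBA 63, 2097152 sectors (1 GiB)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 2097152)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    for p in mbr["partitions"]:
        print(p)
    print("active:", active_partition(mbr))
```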

  10. Next… • MBR • PBS • NTLDR • NTOSKRNL.EXE • SMSS • WINLOGON • SCM

  11. NTLDR • The boot code “understands” the underlying file system, and loads NTLDR from the root directory of that disk • NTLDR starts life in “real mode”

  12. And What is “Real Mode” • No Virtual to Physical memory translation (tell me about that…) • Only 1MB of memory available to the machine (why?) • Just like DOS…

  13. Protected Mode • 32-bit memory now available • Paging turned on • Protected mode with paging is “normal” for Win32 Source: Intel® 64 and IA-32 Architectures Software Developer’s Manual

  14. Now we switch to PM • All disk IO still handled by the “old” code • NTLDR now examines BOOT.INI for more information • If more than one selection, display choices…

  15. DOS? • If BOOT.INI refers to a DOS option • BOOTSEC.DOS is loaded and executed as if it were a boot sector, switching back to Real Mode

  16. NTDETECT.COM • Runs in real mode • Reads the BIOS to determine OS basics, such as: • Time and Date • Types of Buses • Number/type of drive • Type of mouse • Parallel Ports…

  17. And then back to NTLDR • Load the Kernel and the HAL • Read the SYSTEM registry hive to determine required boot-time device drivers • Start Value = SERVICE_BOOT_START • Loads the File System Drivers required for boot (e.g. NTFS)

  18. NTLDR Continued • Loads the boot drivers and displays “Starting Windows” • NB: Drivers are only loaded at this time; they are not yet run • Prepare CPU registers for the execution of the kernel • Calls main() in NTOSKRNL

  19. NTOSKRNL • Two stage initialization process called… • Phase 0 • Phase 1

  20. Phase 0 • Interrupts Disabled • Build the data structures required by the Phase 1 processes • Calls ExpInitializeExecutive • Finalizes HAL • Initializes Memory Manager • Initializes Object Manager • Initializes Security Reference Monitor, Process Mangler, Plug and Pray Manager

  21. Phase 1 • Control goes to Idle loop… allowing other processes to init • Interrupts turned on • Boot Video Driver On (The Win32 Startup Screen now displays) • SMSS (Session Manager SubSystem) called

  22. SMSS • User-mode process (but trusted part of the OS) • Native application – doesn’t use Win32 APIs but uses Windows 2000 Native APIs • Does lots of things… • But we’re interested in: • Runs any programs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute • Performs delayed file rename operations as directed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations • Starts Winlogon
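Added defensive example (Python, not from the slides): decode the two Session Manager values SMSS consults, flag anything in BootExecute beyond the usual autochk entry, and list the moves and deletes queued in PendingFileRenameOperations. Run offline it uses constructed sample values (the extra entry example_extra.exe is a placeholder); on Windows it reads the live key.

```python
import sys

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
# Typical default BootExecute on a Windows 2000/XP-era system: run autochk (boot-time chkdsk).
DEFAULT_BOOT_EXECUTE = {"autocheck autochk *"}
NT_PREFIX = "\\??\\"          # object-manager path prefix on each pending-rename entry


def audit_boot_execute(values):
    """Return BootExecute entries that are not the known default; these run before Winlogon exists."""
    return [v for v in values if v and v not in DEFAULT_BOOT_EXECUTE]


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_renames(values):
    """Decode PendingFileRenameOperations: a MULTI_SZ of (source, destination) pairs.
    An empty destination means 'delete source'; a leading '!' means 'replace existing'."""
    values = list(values)
    if len(values) % 2:
        values.append("")                # unpaired trailing source: treat as a delete
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append(("delete", strip_nt_prefix(src), None))
        else:
            kind = "replace" if dst.startswith("!") else "move"
            ops.append((kind, strip_nt_prefix(src), strip_nt_prefix(dst.lstrip("!"))))
    return ops


def read_live_values():
    """Read both values from the running system's registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
        boot_execute, _ = winreg.QueryValueEx(key, "BootExecute")
        try:
            pending, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:        # value is absent when nothing is queued
            pending = []
    return boot_execute, pending


# Constructed sample values (not from a real machine) so the script runs offline.
SAMPLE_BOOT_EXECUTE = ["autocheck autochk *", "example_extra.exe"]
SAMPLE_PENDING = [r"\??\C:\Windows\Temp\setup123.tmp", "",
                  r"\??\C:\Program Files\App\app.dll.new", r"!\??\C:\Program Files\App\app.dll"]

if __name__ == "__main__":
    live = sys.platform == "win32"
    boot_execute, pending = read_live_values() if live else (SAMPLE_BOOT_EXECUTE, SAMPLE_PENDING)
    print("unexpected BootExecute entries:", audit_boot_execute(boot_execute))
    for op in decode_pending_renames(pending):
        print(op)
```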

  23. Security? • So, let’s discuss… how can the Windows boot process be exploited?

  24. Enhancements • UEFI • Intel specifications to replace the BIOS interface that is standard to all PCs • Secure Boot, however, is a really interesting discussion • The idea is to lock the hardware to a particular chain of trust • Things must be signed by a particular key… this led to some interesting debates

  25. Enhancements (cont'd) • ELAM • Try to get antimalware loaded much earlier in the boot process • Purpose is to provide whitelisting/blacklisting services only, early in the process • Forces load of the AM solution before anything else is loaded

  26. Questions?
