Win32 Programming

Host and Application Security
Lesson 4: The Win32 Boot Process
Last foundational item

What steps does our machine go through to start running?

First Step: Power On!
This may seem like a trivial step, but a lot is happening
A timer kicks off once the motherboard voltages stabilize
Execution passes to a location in Read Only Memory (ROM)
Information about the hardware configuration is read from the CMOS

POST
Power On Self Test (POST)
Check CMOS validity
Check for keyboard, etc.
A side note: beep codes

Where next?
Understanding the boot sequence here is important
Can boot from LAN, floppy, hard drive, CD-ROM…
Boot priority typically set in CMOS

But how?
At this point, there is no operating system
The service used at the lowest level is the BIOS disk service, Int 13h
Aside: how Int xxh instructions work
Typically, the “program” in the MBR is loaded as a single sector

Three Possible Outcomes
Success! The first sector is loaded into memory and executed.
A READ ERROR occurs
A DISK I/O ERROR occurs

What does a boot sector look like?
On Win95…
debug
l 7c00 0 0 1
u 7c00
(In DEBUG, “l 7c00 0 0 1” loads one sector, starting at sector 0 of drive 0 (A:), into memory at offset 7C00h, the address the BIOS loads a boot sector to; “u 7c00” then unassembles the code found there.)

Two Paths: Fixed and Removable
Not identical
Hard drive provides more options – MBR (Master Boot Record) and PBS (Partition Boot Sector)
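As an added example (not from the lecture slides), here is a Python parser for the 512-byte sector that Int 13h loads to 7C00h: it checks the 55 AA signature, decodes the four 16-byte partition table entries (including the packed CHS fields) and flags the inconsistencies a forensic examiner looks for. The sample MBR is constructed inline and its partition layout is made up.

```python
"""Parse a 512-byte MBR of the kind Int 13h loads to 0000:7C00 (added example)."""
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table follows 446 bytes of boot code
SIG_OFFSET = 510         # bytes 55 AA at the end mark a valid boot sector

def parse_chs(raw):
    """Decode a packed 3-byte CHS address: head, sector (6 bits) + cylinder high bits, cylinder low byte."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector

def parse_mbr(sector):
    """Return boot code, the non-empty partition entries and a list of sanity warnings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    partitions, warnings = [], []
    for off in range(PT_OFFSET, SIG_OFFSET, 16):
        status, chs_s, ptype, chs_e, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0:
            continue                      # unused slot
        if status not in (0x00, 0x80):    # 0x80 = active/bootable, anything else is suspect
            warnings.append(f"entry at {off}: invalid status byte 0x{status:02X}")
        partitions.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba,
                           "sectors": count, "chs_start": parse_chs(chs_s), "chs_end": parse_chs(chs_e)})
    bootable = [p for p in partitions if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            warnings.append(f"partitions overlap at LBA {start_b}")
    return {"boot_code": sector[:PT_OFFSET], "partitions": partitions, "warnings": warnings}

def build_sample_mbr():
    """Constructed sample (not a real disk image): stub boot code, a bootable NTFS partition, a FAT32 partition."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(PT_OFFSET, b"\x00")  # cli; xor ax,ax; mov ss,ax; mov sp,7C00h
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2_097_152)
    fat32 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x0B, b"\xFE\xFF\xFF", 2_097_215, 1_048_576)
    return boot_code + ntfs + fat32 + bytes(32) + b"\x55\xAA"

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(f"type=0x{p['type']:02X} bootable={p['bootable']} lba={p['lba_start']} sectors={p['sectors']}")
    print("warnings:", info["warnings"] or "none")
```

Feeding the parser a sector read from a real disk (or a disk image) is a quick way to confirm that what sits at offset 7C00h after Int 13h is what you expect.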

Next… the chain of control, in order:
MBR
PBS
NTLDR
NTOSKRNL.EXE
SMSS
WINLOGON
SCM

NTLDR
The boot code “understands” the underlying file system, and loads NTLDR from the root directory of that disk
NTLDR starts life in “real mode”

And What is “Real Mode”?
No virtual-to-physical memory translation (tell me about that…)
Only 1MB of memory available to the machine (why?)
Just like DOS…

Protected Mode
32-bit memory now available
Paging turned on
Protected mode with paging is “normal” for Win32
Source: Intel® 64 and IA-32 Architectures Software Developer’s Manual

Now we switch to PM
All disk I/O still handled by the “old” code
NTLDR now examines BOOT.INI for more information
If more than one selection, display choices…

DOS?
If BOOT.INI refers to a DOS option, BOOTSECT.DOS is loaded and executed as if it were a boot sector, switching back to Real Mode

NTDETECT.COM
Runs in real mode
Reads the BIOS to determine basic hardware information, such as:
Time and date
Types of buses
Number/type of drives
Type of mouse
Parallel ports…

And then back to NTLDR
Load the kernel and the HAL
Read the SYSTEM registry hive to determine the required boot-time device drivers (Start value = SERVICE_BOOT_START)
Load the file system drivers required for boot (e.g. NTFS)

NTLDR Continued
Loads the boot drivers and displays “Starting Windows”
NB: drivers are only loaded at this time, they are not yet run
Prepares the CPU registers for the execution of the kernel
Calls main() in NTOSKRNL

NTOSKRNL
Two-stage initialization process, called:
Phase 0
Phase 1

Phase 0
Interrupts disabled
Build the data structures required by the Phase 1 processes
Calls ExpInitializeExecutive, which:
Finalizes the HAL
Initializes the Memory Manager
Initializes the Object Manager
Initializes the Security Reference Monitor, Process Manager and Plug and Play Manager

Phase 1
Control goes to the idle loop… allowing other processes to init
Interrupts turned on
Boot video driver on (the Win32 startup screen now displays)
SMSS (Session Manager SubSystem) called

SMSS
User-mode process (but a trusted part of the OS)
Native application – doesn’t use Win32 APIs but uses Windows 2000 Native APIs
Does lots of things…
But we’re interested in:
Runs any programs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
Performs delayed file rename operations as directed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Starts Winlogon

Security?
So, let’s discuss… how can the Windows boot process be exploited?

Enhancements
UEFI
Intel specifications to replace the BIOS interface that is standard to all PCs
Secure Boot, however, is a really interesting discussion
The idea is to lock the hardware to a particular chain of trust
Things must be signed by a particular key… this led to some interesting debates

Enhancements (contd)
ELAM (Early Launch Anti-Malware)
Try and get antimalware loaded much earlier in the boot process
Purpose is to provide whitelisting/blacklisting services only, early in the process
Forces load of the AM solution before anything else is loaded

TPM
Of course there is the TPM
Trusted Platform Module
“The proper definition is that a trusted system or component is one whose failure can break the security policy, while a trustworthy system or component is one that won’t fail” (Anderson)

Questions and Assignment
Assignment: 2500 words or more, on “Security Enhancements to the PC Boot Process”
Basically, in detail, tell me about UEFI, TPM etc.
Due next Thursday, printed out, in class.
PLUS electronic copy to moi!