The EFI firmware used in Intel Macs and other modern systems presents some interesting possibilities for rootkit developers. This presentation will provide a full account of how an EFI-based rootkit might work. We will begin with some background on the EFI architecture - what it does, how it works, and how we can leverage EFI to inject code into the Mac OS X kernel or attack the user directly. We will then detail how a kernel payload might work, employing a number of rootkit techniques that can be used within the XNU kernel. Finally, we will discuss the possibilities for rootkit persistence that are presented by EFI. This presentation will not require a detailed understanding of EFI, and will leave the audience with an understanding of the ways in which EFI can be used in a modern Mac OS X rootkit.
Once upon a time, snare was a code-monkey, cranking out everything from pre-press automation apps to firmware for Big F***ing Laser Machines. Upon discovering that "information security" was actually a somewhat legitimate industry, and not just hacking stuff for fun, he got himself a job as a penetration tester. He now works as the Principal Consultant for Assurance in Melbourne, Australia. Having been a Mac fanboy since around 1987, snare spends most of his free time messing with Mac OS X - from firmware to kernel rootkits to writing actual useful applications. When he's not playing with computers he enjoys hoppy pale ales, guitars, metal \m/, and building robots.