Home  /  Endpoint SecurityEndpoint Security CloudEnterprise Security  /  Cybersecurity below the kernel
What are some of the attacks that can happen on below-kernel components in endpoints?

Cybersecurity below the kernel

Written by Seqrite
Seqrite
Endpoint Security, Endpoint Security Cloud, Enterprise Security
Estimated reading time: 2 minutes

Security of a computing endpoint is traditionally viewed with respect to Firewall, HIPS, AV Products, etc. This perspective though misses out on “Below Kernel” aspects of cyber threats, which may target Hypervisor, Firmware or Hardware itself. Here are some attacks that are targeted on “Below Kernel” components

DMA attack -> In this the attacker gets into the system through Direct Memory Access capable Ports. This is a physical attack where a customized PCI, or USB, or FireWire device can be used to get access of whole physical memory. The attacker can then get access to encryption keys and in turn, compromise the firmware or hardware. The attacker may even alter OS behaviour by modifying page properties!

MBR Rootkits -> On systems where OS is loaded through MBR, the attackers have been known to compromise MBR and execute arbitrary code on system start. With this mechanism, they can remain hidden from security solutions. In some cases, attackers have also compromised Volume Boot Record (VBR) and perform rootkit injection. Some Ransomware have also used this technique to encrypt the machine

UEFI rootkits -> In recent past, researchers have proven the possibility of UEFI Rootkits where the firmware can be compromised and infected during the BIOS Update. UEFI secure boot can be bypassed by fake signing and modification of UEFI key table

As you can see, “Below Kernel” landscape provides a malicious actor with numerous opportunities to attack a system. To protect against such attacks, Intel and AMD have equipped their processors with several inbuilt security features. An example is the Trusted Platform Module, which provides hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. Recent platforms use this chip for Secure Boot

Intel processors have SGX (Software Guard Extensions) enabled, which can be used to define private regions of Physical Memory, thereby controlling access to the data in memory. AMD processors come with a feature known as SME (Secure Memory Encryption), which encrypts the contents of physical memory. Both the manufacturers have also introduced AES NI (AES New Instruction) in their processors. This feature enables processors to run the AES Encryption

To read more on Security and Below Kernel architecture, go through the whitepaper CyberSecurity Below the Kernel.

Seqrite
About Seqrite

Follow us for the latest updates and insights related to security for enterprise networks. Subscribe to our newsletter to stay...

Articles by Seqrite »

Related Posts

No Comments

Leave a Reply.Your email address will not be published.

CAPTCHA Image