Contents

Chapter 15 Going Out-of-Band 725

Ways to Jump Out-of-Band 726

15.1 Additional Processor Modes 726

System Management Mode 727

Rogue Hypervisors 732

White Hat Countermeasures 736

Rogue Hypervisors Versus SMM Rootkits 737

15.2 Firmware 738

Mobo BIOS 738

ACPI Components 741

Expansion ROM 742

UEFI Firmware 744

15.3 Lights-Out Management Facilities 745

15.4 Less Obvious Alternatives 745

Onboard Flash Storage 746

Circuit-Level Tomfoolery 746

15.5 Conclusions 748

Chapter 16 The Tao of Rootkits 753

The Dancing Wu Li Masters 753

When a Postmortem Isn't Enough 755

The Battlefield Shifts Again 757

16.1 Core Stratagems 757

Respect Your Opponent 758

Five Point Palm Exploding Heart Technique 758

Resist the Urge to Smash and Grab 759

Study Your Target 760

16.2 Identifying Hidden Doors 760

On Dealing with Proprietary Systems 761

Staking Out the Kernel 761

Kingpin: Hardware Is the New Software 762

Leverage Existing Research 762

16.3 Architectural Precepts 763

Load First, Load Deep 763

Strive for Autonomy 764

Butler Lampson: Separate Mechanism from Policy 764
