iTnews

Microsoft takes aim at rootkits, misses

By Sam Gentle
Jan 20 2012 11:02AM

Red Hat, Canonical raise objections at Linux.conf.au.

Open source companies Red Hat and Canonical have highlighted serious concerns about a plan to rid the world of rootkits, arguing that UEFI technology is "buggy".

UEFI is an attempt to address the recent explosion in the number of viruses and other malware targeting low-level system services. Known as rootkits, these attacks are capable of infecting systems at a level that's difficult or impossible to detect with traditional anti-virus software, and often require complete system rebuilds to fix.

One particular weak point has been the PC's BIOS - the basic code that executes when the computer starts. The BIOS is stored on a separate chip rather than a hard disk, so an infected BIOS will stay infected even if everything else on the system is wiped clean. BIOS rootkits have been spotted in the wild as recently as September 2011, prompting Microsoft and Intel to work on a solution.

That solution is UEFI, a complete rewrite of BIOS to make it faster, better, more secure, and standardised across different PCs, tablets and smartphones. The key security feature within it is called Secure Boot, which uses cryptographic signatures to prevent untrusted code from running at the BIOS level.

Microsoft has announced that all Windows 8 certified systems will be required to implement UEFI.

In a presentation to Linux.conf.au, Red Hat mobile Linux developer Matthew Garrett called UEFI "infuriating", "poorly tested" and full of "an incredible number of bugs".

UEFI has ten times more code than BIOS, he noted, none of which has enjoyed the benefit of decades of testing and real-world use.

Garrett is concerned UEFI may actually be less secure until it has matured further. He cited examples of exploitable bugs that permanently prevent the system from starting, among other consequences. Worse still, UEFI's standardisation means that a single bug could compromise a huge range of different devices.

For large desktop deployments, this could lead to significant maintenance issues, he noted. If a particular UEFI implementation is compromised, its permission can be revoked remotely by Microsoft or the hardware vendor, meaning that the computers it runs on won't boot until they are updated. Patch Tuesday could go from being an inconvenience to a complete work stoppage.

A whitepaper [pdf] published by Red Hat and Canonical warned that the specification makes no mention of how to deal with security problems, and places no restrictions on the grounds on which OEMs can revoke permission. It could be entirely possible that competitors might ban each other's keys.

To address these issues, Microsoft has required that vendors implement Custom Mode, which allows an end-user or administrator to manually control what is allowed and what isn't. A site with custom hardware, for example, might use this to cryptographically sign their own drivers. Users and administrators can even disable UEFI completely, allowing any code to run.

But Garrett is still unsatisfied.

Firstly, although UEFI is standardised, its interface is not, he argues. Each vendor might have their own, different way of configuring these settings, making it difficult to manage or document across heterogeneous systems. Secondly, it is not possible to do this unattended; an administrator would need to set up each computer individually. And finally, on ARM systems, such as tablets and some promising future low-powered laptops, Custom Mode is not available.
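Setup screens differ by vendor, but the resulting Secure Boot state is reported through variables defined in the UEFI specification, which helps with the documentation side of managing mixed hardware. The Python below is an added example, not code from the article or the whitepaper: it reads the `SecureBoot` and `SetupMode` variables from Linux's efivarfs and reports the state, and it only reads, it does not configure anything. The state labels and function names are this example's own.

```python
import os

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE GUID
EFIVARS = "/sys/firmware/efi/efivars"                # Linux efivarfs mount


def parse_flag(raw: bytes) -> int:
    """Decode a one-byte UEFI variable as exposed by efivarfs:
    4 bytes of attributes followed by the data (0 or 1 here)."""
    if len(raw) != 5 or raw[4] not in (0, 1):
        raise ValueError(f"unexpected variable contents: {raw!r}")
    return raw[4]


def read_flag(name, root=EFIVARS):
    """Return 0/1, or None when the variable (or UEFI itself) is absent."""
    try:
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "rb") as fh:
            return parse_flag(fh.read())
    except FileNotFoundError:
        return None


def classify(secure_boot, setup_mode):
    """Map the two flags to a label (labels are this example's own)."""
    if secure_boot is None or setup_mode is None:
        return "unknown"        # legacy BIOS boot or variables not exposed
    if setup_mode == 1:
        return "setup-mode"     # no Platform Key enrolled
    return "enforcing" if secure_boot == 1 else "disabled"


def audit(root=EFIVARS):
    """Report the Secure Boot state of the machine this runs on."""
    return classify(read_flag("SecureBoot", root), read_flag("SetupMode", root))


if __name__ == "__main__":
    print(audit())
```

Collected per host, the output gives an inventory of which machines enforce signatures, which have had enforcement switched off, and which have no Platform Key enrolled.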

Canonical and Red Hat want the benefits of UEFI, but are clearly worried that Microsoft is the only authority guaranteed control over any system shipped with a Windows 8 logo.

Representatives from both open source companies also worry that the difficulties involved in key management will lock out smaller Linux distributions, and make it unlikely that all vendors will add Linux to their trusted list.

Copyright © iTnews.com.au . All rights reserved.