This Black Hat USA 2012 conference talk examines EFI-based rootkits on Mac systems. It walks through the EFI architecture and how it works, then shows how EFI can be exploited to inject code into the Mac OS X kernel or to launch direct user attacks. It explains how a kernel payload operates and surveys the rootkit techniques that apply inside the XNU kernel, and it examines the persistence options EFI offers to rootkit developers. No extensive EFI knowledge is assumed; the talk gives a thorough picture of EFI's role in modern Mac OS X rootkits. Topics covered include EFI architecture, kernel attacks, persistence mechanisms, evil maid attacks, and defence strategies, concluding with references for further reading.
Overview
Syllabus
Intro
INTRODUCTION
WHAT'S AN EFI? AND WHY DO I CARE?
EFI ARCHITECTURE
DOING BAD THINGS WITH EFI
ATTACKING THE KERNEL
PERSISTENCE
EVIL MAID ATTACKS
DEFENCE
IN CONCLUSION...
REFERENCES
Taught by
Black Hat