
I understand the difference between a Ring-0 rootkit and a Ring-3 rootkit, in terms of their hierarchical depth in computational models. That is kernel mode and usermode, respectively.

I am confused as to whether there is a difference between a bootkit and ring-0?

It appears that a bootkit would store itself in the master boot record (MBR) which then starts before the computer, and grants itself higher privileges. However, if these privileges are kernel mode then the only difference I see is the persistence of a bootkit being it gets stored in the MBR, and that bootkits would get kernel-mode privileges much more quickly.

questioner
  • Modern processors have more rings than just ring0 and ring3. I.e., something that starts before the kernel is typically in a lower ring than ring0; Intel Management Engine is a good example, and therefore it has more privilege over the rest of the system. – J-- Jun 02 '22 at 18:34
  • @J-- Sure, there are the unused rings 1 and 2, and the -1 for the hypervisor. "Recent CPUs from Intel and AMD offer x86 virtualization instructions for a hypervisor to control Ring 0 hardware access. Although they are mutually incompatible, both Intel VT-x (codenamed "Vanderpool") and AMD-V (codenamed "Pacifica") create a new "Ring −1" so that a guest operating system can run Ring 0 operations natively without affecting other guests or the host OS." However, that has not clarified the difference between a boot-kit and a ring-0 rootkit :p. – questioner Jun 02 '22 at 22:58
  • > I.e., something that starts before the kernel is typically in a lower ring than ring0; Intel Management Engine is a good example, and therefore it has more privilege over the rest of the system – J-- Jun 03 '22 at 09:06

1 Answer


Is there a difference between a bootkit and a ring-0 rootkit?

Yes, there is a difference, given the typical usage of those words.

For example, the concept of "root" or of a supremely-privileged user typically occurs in the context of a multi-user operating system. In this typical sense, a "rootkit" would give you "root" or root-like privileges in an operating system environment.

Your description of a "boot" kit is fairly typical and involves the malicious code executing before the operating system has even loaded (e.g., as part of some malicious code in the MBR). The code in the MBR starts being executed very shortly after the code in the BIOS chip on the motherboard has executed (and before the operating system has loaded) and so you can say that a "bootkit" starts operating before a "rootkit," in this sense. But, of course, if you already have "root" you can certainly modify the MBR to your heart's content. So a rootkit could be used to actuate a bootkit, etc.

But, given the typical meaning, there is a difference between a bootkit and a rootkit.

hft
  • Makes sense. I guess one way of installing a bootkit would be to first use a ring-0 rootkit which can write a bootkit to the MBR. – questioner Jun 03 '22 at 01:35
  • Yes, that seems like the most reasonable way, since the only other way I can think of to write to sector zero directly would involve having physical access to the disk. – hft Jun 03 '22 at 01:46
  • OP is asking for the difference between a Ring-0 Rootkit vs Bootkit. Whereas you provided a usermode rootkit definition. Ring-0 Rootkits operate at the kernel level; similar to device drivers. – phbits Jun 03 '22 at 01:56
  • A ring-0 rootkit still operates in the context of an operating system. It's true that executing at "ring-0" and operating as "root" are not identically equivalent, but in this case (in this context) I don't think the difference is super important. For example, if I have Admin on a Windows box I can run whatever I want as SYSTEM, I can install drivers, etc. The main difference I indicated (that the MBR executes first) is still relevant. – hft Jun 03 '22 at 16:25
  • If you would like to offer a supplementary answer, I will upvote if it is good. But I don't plan on editing this answer since the OP already accepted it. – hft Jun 03 '22 at 16:26
  • I could unaccept it :-P. – questioner Jun 05 '22 at 18:26
  • @questioner Not really worth it, in my opinion. The comments already address any relevant difference, which is just that "ring-0" implies some "kernel mode" component such as a kernel mode driver. A bit of a nit in my opinion given this is just what "ring-0" means. – hft Jun 06 '22 at 16:59