bit-tech.net

NIST proposes BIOS protection measures

NIST's proposal would help protect systems against BIOS-resident malware, but could also prevent the installation of legitimate but third-party updates.

The US National Institute of Standards and Technology (NIST) has published guidelines in response to the growing threat of BIOS-resident malware which can survive a system being reformatted and re-installed.

Persistent, BIOS-resident rootkits - a form of malware designed to give ne'er-do-wells unlimited access to a target machine - have been doing the rounds in recent years, both as proof-of-concept designs and as in-the-wild examples like Mebromi.

The idea of BIOS-resident malware isn't exactly new: the CIH virus dates back to 1999, and used the same techniques to attack target systems. As BIOS storage grows more capacious, and the BIOS itself becomes capable of performing more complex tasks - thanks in no small part to technologies like EFI - the risk grows ever greater.

NIST's response is a draft proposal, initially aimed at servers, dubbed the BIOS Protection Guidelines for Servers. Authored by Andrew Regenscheid, a member of NIST's computer security division, the document outlines a series of suggested mechanisms by which BIOS infection can be prevented.

The first suggestion is to introduce an authenticated update mechanism, which would prevent an unauthorised source from distributing Trojan BIOS updates containing malicious code. It's not a new concept - software updates frequently rely on cryptographic signatures to ensure they haven't been tampered with - but it has rarely been applied to the BIOS.

Regenscheid's second suggestion is to add integrity protection to the BIOS itself through a Root of Trust for Update (RTU) - a combination of hardware and firmware which is inherently trusted, and is given the responsibility of actually verifying the update's legitimacy and overwriting the old BIOS.

The use of an RTU does have one drawback for tinkerers, however: should Regenscheid's suggestions be accepted in the industry, it would become impossible to install third-party BIOS updates - to fix unpatched bugs, or unlock hidden features of the hardware - as they would be seen as untrusted by the RTU. While not much of a concern for NIST's target audience of government server farms, if the technology trickled down to the desktop it could have serious repercussions for consumer hardware.
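To make the two suggestions concrete, here is an added example (not code from the article, NIST or any BIOS vendor) of the update path an RTU enforces: the vendor's public key is provisioned into the RTU, a candidate image is accepted only if its Ed25519 signature verifies, and the RTU is the sole write path to "flash". The image layout, the type and function names, and the version-based rollback check (which the article does not mention but which the same mechanism naturally supports) are all assumptions for this illustration. The last case shows the drawback described above: an image signed by anyone other than the vendor, however legitimate, is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage models a BIOS update as the RTU receives it: a version
// number followed by the image bytes. Layout is an assumption for this example.
type FirmwareImage struct {
	Version uint32
	Body    []byte
}

// Encode is the byte string that gets signed, so the version is covered
// by the signature and cannot be altered to sneak an old image past the RTU.
func (f FirmwareImage) Encode() []byte {
	buf := make([]byte, 4, 4+len(f.Body))
	binary.BigEndian.PutUint32(buf, f.Version)
	return append(buf, f.Body...)
}

// RTU is a toy Root of Trust for Update: it holds the vendor public key and
// the installed image; nothing else in this program can write "flash".
type RTU struct {
	vendorPub ed25519.PublicKey
	flash     FirmwareImage
}

var (
	ErrBadSignature = errors.New("rtu: signature does not verify against vendor key")
	ErrRollback     = errors.New("rtu: update version is not newer than installed firmware")
)

// NewRTU provisions the RTU with the vendor key and the factory image.
func NewRTU(vendorPub ed25519.PublicKey, factory FirmwareImage) *RTU {
	return &RTU{vendorPub: vendorPub, flash: factory}
}

// SignImage is what the vendor's build system does offline with its private key.
func SignImage(priv ed25519.PrivateKey, img FirmwareImage) []byte {
	return ed25519.Sign(priv, img.Encode())
}

// ApplyUpdate is the authenticated update path: verify first, write only on success.
func (r *RTU) ApplyUpdate(img FirmwareImage, sig []byte) error {
	if !ed25519.Verify(r.vendorPub, img.Encode(), sig) {
		return ErrBadSignature
	}
	if img.Version <= r.flash.Version {
		return ErrRollback
	}
	r.flash = img // the only write to flash in this program
	return nil
}

// InstalledVersion and InstalledDigest let an auditor confirm what is in flash.
func (r *RTU) InstalledVersion() uint32    { return r.flash.Version }
func (r *RTU) InstalledDigest() [32]byte   { return sha256.Sum256(r.flash.Body) }

func main() {
	// Vendor key pair; in real hardware only the public half lives in the RTU.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rtu := NewRTU(pub, FirmwareImage{Version: 1, Body: []byte("factory BIOS v1")})

	// Genuine vendor update: accepted.
	good := FirmwareImage{Version: 2, Body: []byte("vendor BIOS v2")}
	sig := SignImage(priv, good)
	fmt.Println("vendor update:     ", rtu.ApplyUpdate(good, sig))

	// Same signature, one byte appended to the body (a Trojaned image): rejected.
	tampered := FirmwareImage{Version: 2, Body: []byte("vendor BIOS v2!")}
	fmt.Println("tampered update:   ", rtu.ApplyUpdate(tampered, sig))

	// Replaying the genuine v2 image once v2 is installed: rejected as rollback.
	fmt.Println("replayed update:   ", rtu.ApplyUpdate(good, sig))

	// Third-party image signed with a different key: rejected, even if benign.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	mod := FirmwareImage{Version: 3, Body: []byte("modded BIOS with unlocked features")}
	fmt.Println("third-party update:", rtu.ApplyUpdate(mod, SignImage(otherPriv, mod)))

	fmt.Println("installed version: ", rtu.InstalledVersion())
}
```

The ordering of checks matters: the signature is verified before the version is read, so an attacker cannot use the version field to probe the RTU's state with unsigned input, and every rejection leaves flash untouched.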

The guideline document can be downloaded as a PDF from NIST's website, with industry types asked to provide comment on the proposals by the 14th of September.

6 Comments

towelie 24th August 2012, 14:02 Quote
This is going to be one for Burnout21 to read, after he spent a very long time fighting a UEFI/BIOS virus which even survived BIOS flashing. Very worrying stuff, read the thread for more information.

http://forums.bit-tech.net/showthread.php?t=233635
schmidtbag 24th August 2012, 16:22 Quote
I had a BIOS virus once, a pretty nasty one too. It would infect every hard drive by corrupting NTLDR, even after reinstalling Windows. While updating and resetting BIOS settings (even using the jumpers) didn't seem to do anything, I bought a new motherboard. Unfortunately, even with a fresh new install of Windows, the virus was still in the hard drive and infected the new motherboard. At that point I was getting a bit worried because I'd basically have to lose my personal data, the hard drive, and 2 motherboards. As a last ditch effort, I was able to boot up Knoppix (Linux live CD) and I managed to copy my personal files while formatting the drive completely. I shut down the computer, removed the hard drive, and found out that removing the CMOS battery had a further effect that the jumpers don't do. So, I removed it and the virus was gone. By the time I found out about that, I had already trashed my old board, but oh well. I was probably 16 years old at the time.
SlowMotionSuicide 25th August 2012, 14:42 Quote
I might've been living under a rock, but I don't think I have yet seen any third-party BIOS updates worthy of notice. Maybe it's got more to do with the motherboards I've used. I think it (Regenscheid's second suggestion) would be a fair trade-off for increased BIOS security, seeing how even pretty computer-adept people get their machines infected every now and then.
Alecto 25th August 2012, 20:51 Quote
Quote:
Originally Posted by schmidtbag
I had a BIOS virus once, a pretty nasty one too. It would infect every hard drive by corrupting NTLDR, even after reinstalling Windows. While updating and resetting BIOS settings (even using the jumpers) didn't seem to do anything, I bought a new motherboard. Unfortunately, even with a fresh new install of Windows, the virus was still in the hard drive and infected the new motherboard. At that point I was getting a bit worried because I'd basically have to lose my personal data, the hard drive, and 2 motherboards. As a last ditch effort, I was able to boot up Knoppix (Linux live CD) and I managed to copy my personal files while formatting the drive completely. I shut down the computer, removed the hard drive, and found out that removing the CMOS battery had a further effect that the jumpers don't do. So, I removed it and the virus was gone. By the time I found out about that, I had already trashed my old board, but oh well. I was probably 16 years old at the time.

So many things in this story are totally disconnected with reality.
schmidtbag 25th August 2012, 21:01 Quote
Quote:
Originally Posted by Alecto
So many things in this story are totally disconnected with reality.

...mind explaining? That's a pretty harsh accusation with nothing to back that up. This article was discussing ways to protect BIOS from malware. BIOS viruses are, IMO, about as common as getting a virus on a Mac, so I thought I'd share my story to show what to do in case someone else gets the same problem I did. I'm not sure how that disconnects me from reality in any way.
azrael- 27th August 2012, 09:32 Quote
Quote:
Originally Posted by towelie
This is going to be one for Burnout21 to read, after he spent a very long time fighting a UEFI/BIOS virus which even survived BIOS flashing. Very worrying stuff, read the thread for more information.

http://forums.bit-tech.net/showthread.php?t=233635
The virus/malware that Burnout21 fought against didn't hijack or modify the BIOS/UEFI. It "merely" abused some legitimate functionality therein (Computrace; although that may count as a virus in itself :p). The virus itself most probably has hidden itself in the HPA of the HDD.

The proposal from NIST is a two-edged sword. It's what lies at the foundation for Microsoft's Secure Boot feature/requirement. It'll most certainly be implemented only for UEFI as that is where the main problem lies. UEFI is almost like a tiny OS unto itself. It's quite powerful, yet not very protected against tampering, which makes potential UEFI malware so dangerous.

Standard BIOSes are full of exploitable holes as well, but the code is so esoteric and there is such a myriad of different versions that it doesn't make sense to target any BIOS with malware.