How is the uefi secure boot security standard designed to combat bios attacks?

On February 4th, Dell announced the availability of a new post-boot BIOS verification solution, as part of its Endpoint Security Suite Enterprise. Unveiling this cloud-based security tool was a good reason to look at different ways enterprises use to protect BIOS, a privileged piece of software.

The Basic Input/Output System (BIOS) that is invented by Gary Kildall, appeared in IBM compatible PCs in 1975. Henceforth, this low-level software is initially responsible for hardware initialization during the boot process before handing over control to the boot loader. Since BIOS executes before operating system and loading of the security software, detecting attacks against it is not easy. The malwares which infect BIOS usually remain there even after system reinstallation’s and rebooting. NSA, Equation Group, Lenovo and Hacking Team all infected BIOS firmware to extract information for their distinct purposes.

Intel Platform Protection Technology with BIOS Guard & Boot Guard

Intel as the world’s largest chip maker has implemented number of security features in its 4th and later generations of possessors. These features which are described in Microarchitecture for 4th Gen include:

• Intel® BIOS Guard that protects the BIOS lash from modification without platform manufacturer authorization, helps defend the platform against low-level DOS (denial of service) attacks, and restores BIOS to a known good state after an attack.
• Intel® Boot Guard is a hardware-assisted authentication and protection against BIOS recovery attacks.

Intel also released CHIPSEC, an open source framework for platform security assessment, in 2014. It is available on github.

UEFI Secure Boot

Unified Extensible Firmware Interface (UEFI) is a standard firmware interface that is designed to be the BIOS’ successor. This standard was created by Unified EFI Forum, a consortium comprised of several leading technology companies to modernize the booting process.

UEFI Secure Boot is a protocol that the system’s firmware checks the signature of each piece of boot software, when the PC starts. According to Microsoft, the OEM uses instructions from the firmware manufacturer to create Secure Boot keys and to store them in the PC firmware. If the signatures match with the authorized cryptographic keys, the PC boots, and the firmware gives control to the operating system.

Microsoft, the world’s biggest software maker, applied Secure Boot into Windows 8 and Windows Server 2012 and subsequent versions. Secure Boot is a security standard developed by members of the PC industry.

As arstechnica reported, “Microsoft also mandated that every system must have a user-accessible switch to turn Secure Boot off, thereby ensuring that computers would be compatible with other operating systems. Microsoft’s rules also required that users be able to add their own signatures and cryptographic certificates to the firmware, so that they could still have the protection that Secure Boot provides, while still having the freedom to compile their own software.”

HP and Dell are among the manufacturers that uses Secure Boot tools in their PCs.

Google’s VirusTotal

VirusTotal is a free online service owned by Google that analyses files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. VirusTotal aggregates 54 antivirus products and 61 online scan engines and datasets to provide its service.

As of January 2016, VirusTotal launched a new tool that characterizes firmware images with the aim of declaring them as either legit or malicious. The new tool can extract firmware-based certificates along with their executable files, in addition to labelling firmware images. It also extracts portable executables that are found within the image. In a blog post, some of the basic tasks that the new tool can perform are described as:

• Apple Mac BIOS detection and reporting
• Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image
• SMBIOS characteristics reporting
• Strings-based brand heuristic detection, to identify target systems
• Extraction of certificates both from the firmware image and from executable files contained in it
• PCI class code enumeration, allowing device class identification
• ACPI tables tags extraction
• NVAR variable names enumeration.
• Option ROM extraction, entry point decompilation and PCI feature listing

The company suggests users to remove private information before performing BIOS dumps and uploading to VirusTotal. The company says that private information could be saved by certain vendors such as Wi-Fi passwords in BIOS variables in order to remember certain settings across system reinstalls.

Dell’s BIOS verification

In February 2016, Dell announced the availability of a new post-boot BIOS verification solution for Dell commercial PCs with the purchase of the Dell Data Protection | Endpoint Security Suite Enterprise license.

Dell’s BIOS verification method involves comparing the BIOS image against the official measurements held in the Dell BIOS lab. By conducting this test in a secure cloud environment, rather than on a potentially infected device, Dell assures that the post-boot image is not compromised. Dell claims the verification helps extend security throughout the entire device lifecycle and provides greater visibility for administrators wanting to stop malicious BIOS attacks.

Unlike Secure Boot, Dell’s different approach to entirely remove the local host from the verification process does not actually stop the device from booting, or even alert the end user.

How does UEFI mitigate BIOS attacks?

How does UEFI Secure Boot work?

What is Secure Boot in UEFI BIOS?

How is UEFI more secure?