BIOS Susceptible to Attacks

Friday, August 3, 2012 @ 01:08 PM gHale

A new backdoor malware that can take over the Basic Input/Output System (BIOS) of a computer while making it appear to run normally brings a whole new genre of threat possibilities to the industry.

In short, the BIOS facilitates the hardware initialization process of a computer and hands off control to the operating system, giving it a trusted status. A new malware called Rakshasa just came out that replaces a computer’s BIOS and can compromise the operating system at boot time without leaving traces on the hard drive.


While Rakshasa is not the first malware to target the BIOS, which is the low-level motherboard firmware that initializes other hardware components, it does differentiate itself from similar threats by using new tricks to achieve persistence and evade detection.

News of the malware is timely because the National Institute of Standards and Technology (NIST) just released new BIOS security guidelines for government.

“Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’ unique and privileged position within modern computer system architectures,” said the authors of the guidelines. “Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization — either a permanent denial of service or a persistent malware presence.”

An initial draft of Special Publication 800-147B, “BIOS Protection Guidelines for Servers,” includes requirements for mitigating the execution of malicious or corrupt BIOS code on servers. They apply to firmware stored in the BIOS flash, including the code, the cryptographic keys that are part of the root of trust for updating the code, as well as static BIOS data.

Firmware often undergoes updates by vendors to fix problems, patch vulnerabilities and support new hardware. This document focuses on the threat of BIOS corruption through update mechanisms and does not address supply-chain tampering or physical replacement of the BIOS chip.

This document is the second in a series from NIST on BIOS protections. The first publication went out last year and covers laptop and desktop PCs. The current draft covers protections for managed and blade servers, specifically those with multiple BIOS update mechanisms.

Three core principles of BIOS protection were in SP 800-147 for client systems, and these also apply to server-class machines.

“However, the architectural and operational complexity in servers due to the need to remotely manage them makes it more difficult to implement BIOS security protections in the same manner as clients,” the authors wrote in the current draft. “The core reason for the increased difficulty is that servers typically possess multiple BIOS update mechanisms,” and often service processors that also can update BIOS must be protected.

The core requirements for BIOS security are:
• Authenticated BIOS update mechanisms, using digital signatures to prevent the installation of counterfeited BIOS update images.
• Firmware integrity protections, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.
• Non-bypassability features, to ensure there are no mechanisms that allow the system processor or any other system component to bypass the BIOS protections.
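The first two requirements in code, as an added example that is not from the article or from NIST's publication: a vendor signs an update image with its update key, and the platform's update mechanism accepts the image only if it verifies under the root-of-trust public key stored in flash. The version field and the rollback check go a step beyond the article's text; the image layout is hypothetical, not any real vendor's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// UpdateImage models a signed BIOS update package (constructed layout).
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// GenerateVendorKey creates the vendor's update key pair; the public half
// is what a platform would store in flash as its root of trust for updates.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedDigest binds the version and payload together so neither can be
// swapped independently without invalidating the signature.
func signedDigest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor side: produce a signed image.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	sig := ed25519.Sign(priv, signedDigest(version, payload))
	return UpdateImage{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate is the check an authenticated update mechanism performs before
// writing to flash: reject counterfeit or tampered images (bad signature) and
// images that would roll the firmware back to an older version.
func VerifyUpdate(rootOfTrust ed25519.PublicKey, installed uint32, img UpdateImage) error {
	if !ed25519.Verify(rootOfTrust, signedDigest(img.Version, img.Payload), img.Signature) {
		return errors.New("rejected: signature does not verify under the root-of-trust key")
	}
	if img.Version <= installed {
		return errors.New("rejected: image is not newer than the installed firmware")
	}
	return nil
}
```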

NIST plans to develop a new publication providing an overview of BIOS protections for IT security professionals.
