Going Deep into the BIOS with MITRE Firmware Security Research
March 2014
At the 2009 BlackHat USA security conference, a sophisticated attack demonstration by Polish researchers showed vulnerabilities in the latest defense of a computer's BIOS. Previously, computer professionals believed that digital signatures prevented BIOS modifications by unauthorized users. However, researchers at the conference demonstrated that an attacker could manipulate the way the BIOS displayed images in order to defeat the system's security.
While cyber attacks against a computer's operating system are not new, the potential for lower-level firmware attacks led MITRE to create a Trusted Firmware Measurement (TFM) team to focus their cybersecurity research on firmware vulnerabilities. Led by Xeno Kovah, the team also includes John Butterworth, Corey Kallenberg, and Sam Cornwell.
"Attackers have been targeting operating system internal functions inside Windows and Linux for years," says Kovah. "But in response to the 2009 presentation and work by other French, Russian, and Argentinian researchers, we built on our experience in integrity checking the memory of a running Windows system to develop a system for PC firmware integrity checking."
Timing Shows Evidence of Tampering
Butterworth undertook the first phase of the project. His task was to bring down to the BIOS level the Checkmate technology that Kovah and Kallenberg developed for Windows kernel protection. This technology uses a special academic software construction to provide tamper evidence.
"Essentially the software is made to check itself," Butterworth says. "While an attacker can force the software to lie about its own self-measurement, the act of lying will cause the software to take longer to run. As a result, either an incorrect self-measurement or a discrepancy in the runtime of the software indicates the presence of an attacker."
The application of this timing-based attestation technology at the BIOS level was dubbed "BIOS Chronomancy" because the trust is derived from timing. To show the practicality of the technology, the team implemented it by modifying the BIOS from a Dell Latitude E6400 laptop.
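A toy model of the timing check described above, added here as an illustration and not MITRE's BIOS Chronomancy code. It assumes a constructed 1 KiB flash image, a 16-byte patched range and a cycle budget; simulated byte reads stand in for elapsed time, and a checker that redirects reads to a pristine copy pays an extra cycle per fetch.

```python
import hashlib

# Added example, not MITRE's BIOS Chronomancy code: toy timing-based
# attestation. Byte reads from a simulated flash stand in for elapsed time.
GOOD_BIOS = bytes(range(256)) * 4           # constructed 1 KiB "firmware"
SIZE = len(GOOD_BIOS)
EXPECTED = hashlib.sha256(GOOD_BIOS).hexdigest()
BUDGET = SIZE + 16                          # one read per byte plus slack
PATCH = slice(512, 528)                     # 16 bytes a tamperer overwrites

class Flash:
    """Simulated flash: every byte fetched costs one cycle."""
    def __init__(self, image):
        self.image = bytearray(image)
        self.cycles = 0

    def read(self, addr):
        self.cycles += 1
        return self.image[addr]

def self_measure(read):
    """The checker's loop: hash every byte obtained through read()."""
    h = hashlib.sha256()
    for addr in range(SIZE):
        h.update(bytes([read(addr)]))
    return h.hexdigest()

def attest(read, cycles_of):
    """Return (digest_ok, cycles, accepted); both checks must pass."""
    ok = self_measure(read) == EXPECTED
    cycles = cycles_of()
    return ok, cycles, ok and cycles <= BUDGET

def clean():
    flash = Flash(GOOD_BIOS)
    return attest(flash.read, lambda: flash.cycles)

def tampered():
    flash = Flash(GOOD_BIOS)
    flash.image[PATCH] = b"\xaa" * 16       # honest reads: wrong digest
    return attest(flash.read, lambda: flash.cycles)

def tampered_and_lying():
    flash = Flash(GOOD_BIOS)
    flash.image[PATCH] = b"\xaa" * 16
    shadow = Flash(GOOD_BIOS[PATCH])        # pristine copy of patched bytes
    def lying_read(addr):                   # redirects reads to the copy
        flash.cycles += 1                   # the range check costs a cycle
        if PATCH.start <= addr < PATCH.stop:
            return shadow.read(addr - PATCH.start)
        return flash.read(addr)
    return attest(lying_read, lambda: flash.cycles + shadow.cycles)
```

The clean run is accepted, the tampered run fails on the digest, and the lying run produces the right digest but roughly doubles the read count and is rejected on time.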
Further analysis yielded many insights. For example, it showed that some vendor implementations of a different BIOS self-measurement system as specified by the Trusted Computing Group (TCG), an industry standards body, were flawed because they didn't measure many pieces of the BIOS.
The work also showed at a fundamental level that TCG-recommended systems can't work unless they start from a non-writable BIOS. Because vendors are unwilling to make the BIOS non-updatable, in case they need to fix bugs, they need a special construction like the BIOS Chronomancy system. To drive this point home, MITRE's TFM research group demonstrated proof-of-concept attacks called "the tick" and "the flea," which could attach themselves to the BIOS and forge TCG measurements and "hop" between BIOS updates, respectively.
From there Kallenberg used Butterworth's knowledge of the Dell E6400 to find and disclose to Dell the second-ever BIOS exploit that bypassed the requirement for digitally signed updates. "With this discovery, our MITRE team achieved parity with the BIOS attack work published in 2009," Kallenberg says.
Due to code reuse, which is common in the computer software industry, the vulnerability Kallenberg discovered ultimately affected 22 Dell models. "We notified Dell of this vulnerability, and they released a BIOS update, which was subsequently deployed to MITRE," he says. "We also notified our government sponsors of the vulnerability so it could be patched in their enterprises.
"All Dell customers became more secure against stealthy BIOS attacks as a result of this research, and BIOS makers are currently fixing the new vulnerabilities we discovered. We even had Rick Martinez, a BIOS architect from Dell, come on stage with us and offer his contact information to other researchers at BlackHat," says Kallenberg.
Copernicus: A Firmware Integrity Checking Tool
As more discoveries about vulnerabilities in firmware came to light, MITRE's TFM team began developing another defensive tool called Copernicus, which provides BIOS configuration management and integrity checking capabilities. A vulnerable BIOS can lead to an attack that avoids detection because there are very few products that can check the integrity of the BIOS.
"Unfortunately, too many organizations treat firmware as 'out of sight, out of mind,'" Cornwell says. "They think that because they don't hear about BIOS attacks in the press frequently, the BIOS isn't vulnerable—an assumption we know is false."
Copernicus works by allowing users to verify the security of their firmware. It runs on endpoints, collects information about each machine's BIOS, and sends that information back to a central server. This information provides situational awareness about whether the enterprise's BIOS is vulnerable to attack. Copies of the BIOS contents that are sent back to the server can also be used to perform integrity checks. This can indicate whether attackers have already installed themselves into a system's BIOS.
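The server-side half of such a check, written here as an added example rather than Copernicus itself: endpoint reports carry the model, BIOS version and a flash dump, and the server flags versions older than the vendor's fixed release and hashes each flash region against a golden image. The region layout, version strings, images and fix version are all constructed for the example.

```python
import hashlib

# Added example, not the Copernicus tool: server-side triage of BIOS reports
# from endpoints. Region layout, versions and images are all constructed.
REGIONS = {"boot_block": (0, 16), "main": (16, 48), "nvram": (48, 64)}
VOLATILE = {"nvram"}                  # settings area, expected to differ
FIXED_VERSION = {"ModelA": "A12"}     # first release carrying the fix

def region_hashes(image):
    """Hash each flash region separately so a mismatch can be localised."""
    return {n: hashlib.sha256(image[a:b]).hexdigest()
            for n, (a, b) in REGIONS.items()}

GOLDEN_A12 = bytes(range(64))         # constructed known-good dump
GOLDEN = {("ModelA", "A12"): region_hashes(GOLDEN_A12)}

def triage(report):
    """Return findings for one endpoint report: outdated version (the
    situational-awareness check) and/or regions differing from the golden
    image (the integrity check). Version strings compare lexically here."""
    findings = []
    model, version = report["model"], report["version"]
    if version < FIXED_VERSION.get(model, ""):
        findings.append(f"outdated BIOS {version}")
    if (model, version) not in GOLDEN:
        findings.append("no golden image for this model/version")
        return findings
    want, got = GOLDEN[(model, version)], region_hashes(report["dump"])
    for name in REGIONS:
        if name not in VOLATILE and want[name] != got[name]:
            findings.append(f"region {name} differs from golden image")
    return findings

def demo():
    """Four constructed endpoint reports and their triage results."""
    settings = bytearray(GOLDEN_A12)
    settings[50] ^= 1                 # only the NVRAM settings area differs
    implant = bytearray(GOLDEN_A12)
    implant[20] ^= 0xFF               # code in the main region differs
    reports = {
        "pc1": {"model": "ModelA", "version": "A12", "dump": GOLDEN_A12},
        "pc2": {"model": "ModelA", "version": "A12", "dump": bytes(settings)},
        "pc3": {"model": "ModelA", "version": "A12", "dump": bytes(implant)},
        "pc4": {"model": "ModelA", "version": "A09", "dump": GOLDEN_A12},
    }
    return {host: triage(r) for host, r in reports.items()}
```

Only the host whose code region differs from the golden image is reported as an integrity failure; a changed settings area is ignored, and the outdated host is flagged for patching.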
MITRE successfully tested Copernicus on all the corporation's Windows 7 systems. "We're currently piloting this software tool on thousands of computers at sponsor sites and will transfer the technology into commercial-off-the-shelf tools when the pilot is complete," says Kovah.
Although MITRE's TFM team has made significant progress in creating defensive tools for firmware, there are still many potential areas for attack. "There has been a lot of international research on infecting firmware for peripherals such as network cards, graphic cards, and hard drives," says Kovah. "But no tools yet exist to determine whether these peripherals' firmware has been compromised. We're committed to continuing to shine a spotlight on firmware vulnerability issues and find innovative new ways to defend against them."
—by Kay M. Upham