Copernicus: Question Your Assumptions about BIOS Security

July 30, 2013
CND Tools: Post by John Butterworth

During the course of MITRE's Trusted Firmware Measurement research project, we determined the exact methods by which computers' firmware (BIOS) protects itself from modification. Subsequent experiments revealed that many older BIOSes still in use today do not adequately protect themselves. What's at stake? A writable BIOS can lead to the installation of a backdoor that avoids detection because there are very few products that can check the integrity of the BIOS; worse, by writing junk to a BIOS, a system can be bricked (rendered un-bootable).

Research Leads to Development of CND Tool

As a result of this research, the MITRE team, consisting of Sam Cornwell, Corey Kallenberg, Xeno Kovah, and myself, contributed to the creation of a tool we have dubbed Copernicus. Copernicus dumps the BIOS so inspection (such as comparing against a clean copy) is possible, and also checks the status of the configuration to determine if the BIOS can be modified.

How does it work? The tool is implemented as a kernel driver that creates a file containing the BIOS dump and a file containing the raw configuration information. When deployed in enterprise environments, scripts can send the raw BIOS dump and configuration information to a server for post-processing. This processing can indicate whether a given BIOS differs from an expected baseline, and it can also indicate whether the BIOS or the computer's System Management RAM (where some code loaded by the BIOS continues running after boot) can be modified.
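As an added illustration of the post-processing step described above (this is not Copernicus's own code), a small Python script that diffs a dump against a baseline block by block and interprets chipset lock bits. It assumes the dump is a raw flash image, that the configuration arrives as the raw values of the Intel BIOS_CNTL and SMRAMC registers, and the sample data is constructed; how Copernicus actually encodes its configuration file is an assumption here.

```python
"""Added example, not Copernicus's own code: post-process a BIOS dump and the
chipset lock registers the way an analysis script might. Bit positions are the
documented Intel PCH/MCH ones; the config encoding is assumed for the example."""
import hashlib

# BIOS_CNTL (LPC bridge) bits
BIOSWE = 1 << 0    # BIOS Write Enable: flash accepts writes from the host
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only while in SMM
# SMRAMC (memory controller) bits
D_LCK = 1 << 4     # locks SMRAMC so SMRAM cannot be opened from the OS

def assess_bios_cntl(value):
    """Classify flash writability from a raw BIOS_CNTL value."""
    if value & BIOSWE:
        return "WRITABLE", "BIOSWE is set; the OS can write flash directly"
    if not value & BLE:
        return "WRITABLE", "BLE is clear; kernel code can set BIOSWE itself"
    if value & SMM_BWP:
        return "LOCKED", "BLE and SMM_BWP set; writes allowed only from SMM"
    return "LOCKED", "BLE set (SMI on BIOSWE attempts), SMM_BWP clear"

def smram_locked(smramc):
    """True when D_LCK is set, i.e. the SMRAM configuration is frozen."""
    return bool(smramc & D_LCK)

def diff_dump(baseline, dump, block=4096):
    """Return (offset, baseline_sha256, dump_sha256) for each differing block."""
    if len(baseline) != len(dump):
        raise ValueError("dump size differs from baseline")
    diffs = []
    for off in range(0, len(baseline), block):
        a, b = baseline[off:off + block], dump[off:off + block]
        if a != b:
            diffs.append((off, hashlib.sha256(a).hexdigest(),
                          hashlib.sha256(b).hexdigest()))
    return diffs

def constructed_sample():
    """Constructed 16 KiB 'baseline' and a dump with four bytes patched."""
    baseline = bytes(range(256)) * 64
    dump = bytearray(baseline)
    dump[0x2100:0x2104] = b"\xde\xad\xbe\xef"
    return baseline, bytes(dump)

if __name__ == "__main__":
    base, dump = constructed_sample()
    for off, h0, h1 in diff_dump(base, dump):
        print(f"block 0x{off:05x} differs: {h0[:12]} -> {h1[:12]}")
    print(assess_bios_cntl(0x02), smram_locked(0x1A))
```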

Call for Research Partners

MITRE is currently looking for partners interested in exploring the extent of BIOS writability in their deployed systems. In particular, we are looking for organizations with tens of thousands of Windows 7 systems.

If you are interested, MITRE would support a deployment of Copernicus in your environment provided that there is agreement that the aggregate vulnerability data collected will be shared and combined with other similarly collected data as part of a research paper on the prevalence of this vulnerability in the wild. We are looking to report on the percent of machines that were determined to be vulnerable, the number of machines that could be fixed through BIOS updates, and other data findings.

Technology Transfer Opportunities

At this stage in our research, we offer for incorporation into GOTS or COTS products the Copernicus code, which dumps BIOSes, and a Python script that analyzes the dumps for differences and inspects the BIOS writability configuration.

Way Forward

Our intent is to develop Copernicus to the point where it can suggest non-vulnerable BIOS revisions to the organization so that vulnerable systems can be updated when possible. Also, we intend to work with vendors in developing patches if they currently do not offer one and to work with sponsors to patch mission-critical systems.

To discuss licensing or collaboration activities, contact MITRE's Technology Transfer Office.

NOTE: MITRE continues to research security risks associated with UEFI and firmware. However, development and feature enhancements on the proof-of-concept known as Copernicus are no longer active. Many of the emerging commercial offerings coming to the market show promise similar to what was demonstrated in Copernicus, as an off-the-shelf option.