Going Deep into the BIOS with MITRE Firmware Security Research

March 11, 2014
Host-based Security: Post by Corey Kallenberg

In the last post on host-based security, John Butterworth gave an overview of our PC BIOS (Basic Input/Output System) security work. In this post, I'll describe our in-depth evaluation of the access control mechanisms protecting the BIOS.

What's Signed BIOS?

Many modern computers enforce the requirement that the OEM signs all updates to the platform’s firmware. This is in keeping with the most recent NIST 800-147 recommendations. This requirement was developed to prevent attackers from writing directly to the firmware. If an attacker was successful, he could install a BIOS rootkit. The installation of a BIOS rootkit puts every application on the system at risk of compromise because the BIOS rootkit can survive operating system reinstallations and the BIOS is the first code to execute on a system.

The Thin Line of BIOS Defense

Our research team, which includes my colleagues Xeno Kovah, John Butterworth, and Sam Cornwell, closely examined the robustness of signed BIOS enforcement because it’s the only barrier between the platform and the threat of BIOS rootkits. Our examination of the access control mechanism uncovered several problems, which we responsibly disclosed and are working with vendors to fix.

The implementation of signed BIOS enforcement is complex. Intel Corporation provides a number of BIOS flash protection mechanisms via registers located on the platform chipset. OEMs then program their own BIOS update routines to utilize the Intel-provided chipset protection mechanisms in a coherent way.

Generally this process breaks down as follows:

  1. A firmware update is staged in RAM by the operating system.
  2. The operating system does a soft reboot of the system, resetting the BIOS protections.
  3. The BIOS notices the pending BIOS update, parses the BIOS update, and checks its signature.
  4. If the signature checks out, the update is written to the flash chip.
  5. The Intel flash lockdown mechanisms are configured to prevent any further writes to the flash chip.

Research Uncovers Weaknesses in Signed BIOS Enforcement

Our research identified two primary attack vectors in the update process: the OEM implementation of the BIOS update routine (memory corruption vulnerabilities in the parsing of the pending BIOS update) and the Intel-provided flash lockdown mechanisms. In the first case, we found a bug in a Dell BIOS update routine running in System Management Mode (SMM) that affected a number of models. In the latter case, we found that contrary to what was indicated by Invisible Things Labs in their well-known BIOS attack presentation (see slide 84), an attacker who takes over SMM (e.g., using the architectural flaw of SMM cache poisoning), can in fact take control of the BIOS in many system implementations.

You can learn more about our research by reading our Defeating Signed BIOS Enforcement presentation from EkoParty, Hack in the Box Malaysia, and PacSec and Defeating Signed BIOS Enforcement whitepaper presented at Hack in the Box Malaysia.

Protecting your BIOS

These examples were just some of the first attacks against BIOS that we have found, fixed, and disclosed. We recommend that you apply the latest BIOS updates to your endpoints if you believe your systems are affected. If you are unsure, feel free to contact us and we can help you determine how to do this check.

Ongoing Research and Disclosure of Vulnerabilities

Beyond the vulnerabilities outlined here, we have found other weaknesses that could undercut signed BIOS protection. We are currently in the process of responsible disclosure with affected vendors, and working with them on resolution.

Overall our research has led us to conclude that there are potentially many more problems at the BIOS level due to the ever-increasing code base, for which there are few evaluators.

Outreach

If you are a BIOS maker who believes you may be affected by our research, or if you would like an evaluation of the security of your BIOS and its corresponding update routines, please contact us.

If you are with the US government and would like to scan your BIOSes for known vulnerabilities and infections, we would like to work with you. Check out our Copernicus technology.