Host-based Security: BIOS ChronomancyDecember 23, 2013
In this post I'll talk about some of the groundbreaking PC BIOS (Basic Input/Output System) security work that we've been doing. Our research team includes my colleagues Xeno Kovah, Corey Kallenberg, Sam Cornwell, and Amy Herzog, and together we've been examining and highlighting problems in the BIOS security space. Because there is a steep learning curve in understanding the hardware component and protocols that the BIOS software interacts with, addressing the security aspects have been slow in coming and has led BIOS security to be shrouded in "security through obscurity." We hope to rectify this. Our research team tackled the learning curve, and we've been able to uncover numerous security findings, many of which we have published.
Our first paper, "BIOS Chronomancy," is named after a defensive system we proposed that utilizes an academic technique called Timing-Based Attestation (TBA). That system was proposed as an alternative to the "Static Core Root of Trust for Measurement" (S-CRTM) techniques used to create trusted computing technology because we found the S-CRTM to be untrustworthy. According to the Trusted Computing Group, the S-CRTM component is implicitly trusted at boot time to create a measurement of the BIOS and report that measurement to the Trusted Platform Module (TPM). The intended use is to provide a mechanism for BIOS change detection.
However, there is a clear problem with the S-CRTMs as implemented in every PC today: they are implemented in the BIOS itself, which is mutable, and therefore vulnerable to modification by an attacker. In our paper we showed two such proof-of-concept attacks. One BIOS threat we liken to a parasitic tick because it attaches to the BIOS and hides itself from defenders by forging the TPM-stored measurements. It does this by preventing the S-CRTM from sending measurements to the TPM and instead resends clean S-CRTM measurements. This is a good illustration of why the S-CRTM measurements cannot be trusted: an attacker who has infiltrated the BIOS firmware can take control of the hardware platform. Contrast this to the BIOS Chronomancy system, which is designed to maintain its ability to detect changes in BIOS code should an attacker achieve the same privilege level as the system user.
We also described another blood-sucking BIOS parasite, called a flea, which is able to persist beyond re-flashing the BIOS by hopping between BIOS updates. We explored this type of malware to make a point about the recommendations offered by NIST special publication 800-147: "BIOS Protection Guidelines." It says, "BIOS images shall be signed in conformance with NIST SP 800-89." In order to comply with this, BIOS makers started releasing BIOSes with digital signature checking applied. However, in many cases endpoint system administrators would have to configure the BIOSes to explicitly enable these checks. In our exploration of the flea we wanted to show that even if administrators configure their endpoints to enable the check of the digital signature, it won't eliminate the risk to the BIOS. We showed how an attacker who had already compromised a system could retain a hold on it by forging the TPM-stored measurements of the BIOS, which would give the appearance of a clean and thus trusted system. We should point out that we agree that digital signature checks are a very important component of BIOS security, and we think both NIST 800-147 and 800-155 are very important documents for advancing BIOS security. Our work is intended to show that signatures are a necessary but not sufficient component of BIOS security.
There is more to talk about in the area of BIOS security research. Next up will be Corey Kallenberg, who will discuss additional problems we've found in the digital signature check. Specifically, he'll discuss a BIOS exploit we discovered and responsibly disclosed to the vendor, who quickly patched it; and he'll show how an architectural problem in Intel platforms makes older BIOSes vulnerable to exploit.
If you work for the U.S. government and would like to scan your BIOSes for vulnerabilities and infections, we would like to work with you. You can learn more by reading about our Copernicus technology.
The Timing-Based Attestation (TBA) technology used in BIOS Chronomancy has also been applied to a number of embedded systems as described in academic literature. One group that has spent more time working in the area of TBA is Adrian Perrig's research group at CMU, which has done a lot to popularize the technique.
We are willing to share our lessons learned on what it takes to make this technology practical in real world deployments.