Wide Gap Between Attackers, BIOS Forensics Research

Advanced attackers are ahead of researchers when it comes to understanding firmware vulnerabilities and BIOS forensics, experts from MITRE and Intel said during last week’s CanSecWest.

Vendors have made important strides in locking down operating systems, patching memory-related vulnerabilities and other bugs that could lead to remote code execution or give hackers a stealthy presence on a machine. As the hurdles get higher for the bad guys, the better ones will certainly look for other means onto a system.

In some cases, that involves attacking hardware, specifically BIOS and other firmware that loads during boot-up. Successful exploits at that level can give an attacker not only root-level access to a computer, but persistence that survives most mitigation attempts.

Admittedly, experts concede attackers are ahead of the research curve but there is a steady increase in security researchers looking at BIOS forensics with more than a passing curiosity.

“I think we are seeing a renewed interest in this area as it’s becoming obvious that sophisticated adversaries (such as nation states) have the technical prowess to develop agents that live in this domain,” said Corey T. Kallenberg, a researcher with MITRE.

Kallenberg, along with MITRE colleagues Xeno Kovah and John Butterworth, and Intel researchers Yuriy Bulygin and John Loucaides, spent close to four hours at the CanSecWest conference explaining the risks present in this security discipline and some of the tools—such as MITRE’s Copernicus—available to analyze BIOS and its successor UEFI to learn where the weak spots may be and what attackers are doing about it.

BIOS, Kallenberg said, presented a large barrier to entry with regard to research and reverse engineering because it is closed source and extremely complex. Vendors, for example, each had their own flavor, meaning researchers would have to do significant legwork just to understand how one system’s BIOS worked, Kallenberg said. That knowledge, he said, would not always transfer to the next system’s BIOS.

“UEFI has made BIOS reverse engineering somewhat easier, as significant portions of the platform firmware are now standardized,” Kallenberg said. “Despite this, one of the largest difficulties in operating in this domain is debugging.

“BIOS debugging requires expensive equipment and significant electrical engineering know-how,” Kallenberg said. “Also unlike conventional software research, it is entirely possible to permanently break, or ‘brick’, your computer due to an experiment gone-awry. These compounding issues make it non-trivial to start doing firmware research.”

Attackers, meanwhile, have used bootkits, or kernel-level rootkits, to attack code that launches at startup such as the Master Boot Record. These attacks aren’t limited to nation state use either; crimeware kits include some dangerous bootkits such as Rustock and TDSS. Once malware has a grip at this level of a system, it often passes pre-defined checks in order to attack further up the firmware chain and write code to the hard drive as they wish.

“Attackers are significantly ahead of defenders in this area. This is because the information security industry is rarely driven by inherent flaws in their architectures, but instead driven by whatever is biting them the worst currently,” Kallenberg said. “There’s also the problem that it takes a lot of deep system knowledge to build detectors, and such people are in short supply, but if the commercial industry was sufficiently motivated they would be able to work with OEMs to perform BIOS security inspection.”

With the launch of Windows 8 in 2012, Microsoft required that the Trusted Platform Module chip be installed on all Windows machines going forward. TPM measures BIOS and UEFI activity and if any changes are present—changes that could have been introduced by malware—a clean version of the firmware is used instead. MITRE, however, demonstrated that TPM is vulnerable to replay attacks where an attacker could replay hashes known to be good, allowing him to install a bootkit yet still tell the TPM that all is well, Kallenberg said.

Here’s another area where significant gaps exist in research and forensics capabilities. Since the TPM cannot determine whether changes are good or bad, a knowledgeable analyst would still need a forensics tool to dump the flash contents and investigate the changes made to the firmware and determine whether they’re malicious, Kallenberg said.

“This problem with interpreting [TPM Platform Configuration Register] values is further compounded by the fact that OEMs are not supplying consumers with ‘golden PCR values,’” Kallenberg said. “In short, consumers have no idea what their PCRs should be. These issues make using a TPM-supported ‘Measured Boot’ to detect adversaries very difficult.”

Suggested articles