Computing devices, personal computers, workstations, and servers (hereinafter “computer” or “computers”) typically include a basic input and output system (BIOS) as an interface between computer hardware (e.g., a processor, chipsets, memory, etc.) and an operating system (OS). The BIOS includes firmware and/or software code to initialize and enable low-level hardware services of the computer, such as basic keyboard, video, disk drive, input/output (I/O) port(s), and chipset drivers (e.g., memory controllers) associated with a computer motherboard.
The initialization and configuration of a computer system by firmware, such as a Basic Input/Output System (BIOS), occur during a pre-boot phase. After a reset, the processor begins fetching from a predetermined address (the reset vector) that is mapped to a non-volatile storage device, typically a flash part, storing the BIOS firmware. The processor sequentially fetches BIOS instructions. These instructions typically cause the computer to initialize its electronic hardware, initialize its peripheral devices, and boot an operating system. The Unified Extensible Firmware Interface (UEFI) is a modern firmware architecture that succeeds legacy BIOS and organizes the pre-boot phase into several phases, e.g., a security phase (SEC), a pre-EFI initialization (PEI) phase, a driver execution environment (DXE) phase, and a boot device select (BDS) phase.
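The code a processor fetches from the reset-mapped flash is organized into UEFI firmware volumes, each introduced by an EFI_FIRMWARE_VOLUME_HEADER. The following is an added example, in C, and is not code from the original text or from any particular firmware project: it parses and validates such a header (signature, header length, 16-bit header checksum, FvLength, and the block map) from a byte image, and builds a constructed 4 KiB sample volume to run against. Field offsets follow the public UEFI Platform Initialization specification; the sample's attribute value and the helper names (fv_parse, fv_build_sample, fv_info_t) are this example's own.

```c
/*
 * Added example (not part of the original text): parse and validate the
 * EFI_FIRMWARE_VOLUME_HEADER that begins a UEFI firmware volume. Offsets
 * follow the UEFI PI specification; the sample image below is constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FV_SIGNATURE   0x4856465FU  /* "_FVH" read as a little-endian uint32 */
#define FV_FIXED_HDR   56           /* fixed part; block-map entries follow it */
#define FV_MIN_HDR     72           /* fixed part + one map entry + (0,0) terminator */

typedef struct {
    uint64_t fv_length;     /* total volume size, header included */
    uint32_t attributes;
    uint16_t header_length;
    uint8_t  revision;
    uint32_t num_blocks;    /* first block-map entry */
    uint32_t block_size;
} fv_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* FV header checksum rule: all uint16 words of the header sum to 0 (mod 2^16). */
static uint16_t sum16(const uint8_t *p, size_t n) {
    uint16_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s = (uint16_t)(s + rd16(p + i));
    return s;
}

/* Returns 0 on success or a negative code naming the check that failed. */
int fv_parse(const uint8_t *img, size_t len, fv_info_t *out) {
    if (len < FV_MIN_HDR)               return -1;  /* truncated */
    if (rd32(img + 40) != FV_SIGNATURE) return -2;  /* not a firmware volume */
    uint16_t hlen = rd16(img + 48);
    if (hlen < FV_MIN_HDR || hlen > len || (hlen & 1)) return -3;  /* bad HeaderLength */
    if (sum16(img, hlen) != 0)          return -4;  /* header checksum mismatch */
    uint64_t fvlen = rd64(img + 32);
    if (fvlen < hlen || fvlen > len)    return -5;  /* FvLength inconsistent with image */

    /* Walk the block map (NumBlocks, Length pairs) up to the (0,0) terminator;
     * the blocks it describes must account for exactly FvLength bytes. */
    uint64_t total = 0; uint32_t nb = 0, bs = 0;
    for (size_t off = FV_FIXED_HDR;; off += 8) {
        if (off + 8 > hlen)             return -6;  /* map runs past the header */
        uint32_t n = rd32(img + off), l = rd32(img + off + 4);
        if (n == 0 && l == 0) break;
        if (nb == 0) { nb = n; bs = l; }
        total += (uint64_t)n * l;
    }
    if (total != fvlen)                 return -7;
    out->fv_length = fvlen;  out->attributes = rd32(img + 44);
    out->header_length = hlen; out->revision = img[55];
    out->num_blocks = nb;    out->block_size = bs;
    return 0;
}

#define SAMPLE_FV_LEN 0x1000u
/* Constructed sample: a 4 KiB volume of one 4 KiB block with the FFSv2 GUID. */
size_t fv_build_sample(uint8_t *buf, size_t buflen) {
    static const uint8_t ffs2_guid[16] = { 0x78,0xE5,0x8C,0x8C,0x3D,0x8A,0x1C,0x4F,
                                           0x99,0x35,0x89,0x61,0x85,0xC3,0x2D,0xD3 };
    if (buflen < SAMPLE_FV_LEN) return 0;
    memset(buf, 0xFF, buflen);          /* erased flash reads as 0xFF */
    memset(buf, 0, FV_MIN_HDR);         /* ZeroVector, reserved bytes, terminator */
    memcpy(buf + 16, ffs2_guid, 16);
    wr64(buf + 32, SAMPLE_FV_LEN);
    wr32(buf + 40, FV_SIGNATURE);
    wr32(buf + 44, 0x0004FEFFu);        /* attributes: illustrative value */
    wr16(buf + 48, FV_MIN_HDR);
    buf[55] = 2;                        /* header revision */
    wr32(buf + 56, 1); wr32(buf + 60, SAMPLE_FV_LEN);          /* block-map entry */
    wr16(buf + 50, (uint16_t)(0u - sum16(buf, FV_MIN_HDR)));    /* words now sum to 0 */
    return SAMPLE_FV_LEN;
}

int main(void) {
    uint8_t img[SAMPLE_FV_LEN]; fv_info_t info;
    fv_build_sample(img, sizeof img);
    printf("intact image: %d\n", fv_parse(img, sizeof img, &info));
    img[44] ^= 1;   /* flip one attribute bit, as corruption or tampering would */
    printf("modified image: %d\n", fv_parse(img, sizeof img, &info));
    return 0;
}
```

Note that the header checksum is an integrity check against accidental corruption only: anyone who can write the flash can recompute it, so it says nothing about whether the volume's contents are authentic. Detecting a modified volume requires comparing a cryptographic measurement of the image against a known-good value or verifying a signature over it, which this parser deliberately does not attempt.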
Methods of compromising platform firmware are continually being developed. Compromising platform firmware gives an attacker an arsenal of tools with which to attack a system. Unlike attacks that live in software, compromised firmware is hard to detect and difficult to recover from, because it executes before, and underneath, the operating system. Compromised firmware is generally invisible to the software layers of a system, including most anti-virus and anti-spyware tools. This invisibility and persistence make firmware an ideal home for malicious rootkits. Rootkits are compact, dormant malicious hooks in the platform that attain the highest possible privilege and the lowest visibility to running software. Their primary function is to deliver an attack or to provide an API to other viruses and worms on an infected system.
BIOS is typically stored in flash memory to allow re-programmability. Reprogramming can then be performed in the field without jumper changes, which saves board space and is convenient for the end user. This re-programmability, however, results in a vulnerability to attack by unauthorized persons and/or malware: any code that can write the flash can replace the firmware. Vulnerabilities in the BIOS code itself may also be exploited to obtain such write access. With write access to the system BIOS, a rootkit may be installed that survives system reboot. Anti-virus software running under the operating system may be unable to reliably detect this "persistent" rootkit.
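Whether the flash is in fact writable from the operating system is a question of chipset configuration rather than of the BIOS image, and it is the first thing a practitioner checks on a platform. The following is an added example, in C, and is not code from the original text or from any vendor: it evaluates that question from the values of three Intel PCH registers, the BIOS_CNTL register (bits BIOSWE, BLE, SMM_BWP), the SPI HSFS register (FLOCKDN bit) and the SPI Protected Range registers PR0..PR4 (WPE bit plus 13-bit base and limit fields in 4 KiB pages). The bit positions follow older Intel PCH datasheets and are an assumption to verify against the datasheet for a given chipset (newer parts widen the PR fields); the register values, flash layout and function names (bios_cntl_state, pr_covers, flash_wp_state) are constructed for illustration. The same checks are what tools such as CHIPSEC automate.

```c
/*
 * Added example (not part of the original text): decide whether a BIOS flash
 * region is write-protected from the Intel PCH BIOS_CNTL, SPI HSFS and SPI
 * Protected Range (PRx) register values. Bit layout assumed from older PCH
 * datasheets (13-bit PRB/PRL fields); all register values here are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BIOS_CNTL_BIOSWE   (1u << 0)   /* BIOS Write Enable */
#define BIOS_CNTL_BLE      (1u << 1)   /* BIOS Lock Enable: SMI when BIOSWE is set */
#define BIOS_CNTL_SMM_BWP  (1u << 5)   /* SMM BIOS Write Protect: writes only from SMM */
#define HSFS_FLOCKDN       (1u << 15)  /* Flash Configuration Lock-Down: freezes PRx */
#define PR_WPE             (1u << 31)  /* Write Protection Enable */
#define PR_PRL(v)          (((v) >> 16) & 0x1FFFu)   /* limit, in 4 KiB pages */
#define PR_PRB(v)          ((v) & 0x1FFFu)           /* base, in 4 KiB pages */

typedef enum {
    FLASH_WRITABLE    = 0,  /* OS-level code can program the flash */
    FLASH_RACE_BYPASS = 1,  /* BLE only: the SMI handler re-clears BIOSWE, but a
                               second thread can write during that window */
    FLASH_LOCKED      = 2   /* no write path from the OS */
} flash_wp_t;

/* Is every 4 KiB page of [base, limit] inside some PRx range with WPE set? */
int pr_covers(const uint32_t *pr, size_t npr, uint32_t base, uint32_t limit) {
    for (uint32_t page = base >> 12; page <= (limit >> 12); page++) {
        int hit = 0;
        for (size_t i = 0; i < npr && !hit; i++)
            if ((pr[i] & PR_WPE) && page >= PR_PRB(pr[i]) && page <= PR_PRL(pr[i]))
                hit = 1;
        if (!hit) return 0;
    }
    return 1;
}

/* Verdict from BIOS_CNTL alone. */
flash_wp_t bios_cntl_state(uint8_t bios_cntl) {
    if (bios_cntl & BIOS_CNTL_BIOSWE)     return FLASH_WRITABLE;     /* already enabled */
    if (!(bios_cntl & BIOS_CNTL_BLE))     return FLASH_WRITABLE;     /* BIOSWE can just be set */
    if (!(bios_cntl & BIOS_CNTL_SMM_BWP)) return FLASH_RACE_BYPASS;
    return FLASH_LOCKED;
}

/* Combined verdict: PRx ranges only count once FLOCKDN freezes them (otherwise
 * malware clears WPE first); failing that, fall back to the BIOS_CNTL verdict. */
flash_wp_t flash_wp_state(uint8_t bios_cntl, uint16_t hsfs,
                          const uint32_t *pr, size_t npr,
                          uint32_t bios_base, uint32_t bios_limit) {
    if ((hsfs & HSFS_FLOCKDN) && pr_covers(pr, npr, bios_base, bios_limit))
        return FLASH_LOCKED;
    return bios_cntl_state(bios_cntl);
}

int main(void) {
    /* Constructed layout: 8 MiB flash with the BIOS region at 0x500000..0x7FFFFF. */
    const uint32_t bios_base = 0x500000u, bios_limit = 0x7FFFFFu;
    const uint32_t pr_none[5] = { 0 };                          /* no protected ranges */
    const uint32_t pr_full[5] = { 0x87FF0500u, 0, 0, 0, 0 };    /* WPE, pages 0x500..0x7FF */
    static const char *names[] = { "WRITABLE", "RACE_BYPASS", "LOCKED" };
    printf("BIOS_CNTL=0x00, no PR, no FLOCKDN:      %s\n",
           names[flash_wp_state(0x00, 0x0000, pr_none, 5, bios_base, bios_limit)]);
    printf("BIOS_CNTL=0x02 (BLE), PR0 + FLOCKDN:    %s\n",
           names[flash_wp_state(0x02, 0x8000, pr_full, 5, bios_base, bios_limit)]);
    printf("BIOS_CNTL=0x02 (BLE), PR0, no FLOCKDN:  %s\n",
           names[flash_wp_state(0x02, 0x0000, pr_full, 5, bios_base, bios_limit)]);
    printf("BIOS_CNTL=0x22 (BLE|SMM_BWP), no PR:    %s\n",
           names[flash_wp_state(0x22, 0x0000, pr_none, 5, bios_base, bios_limit)]);
    return 0;
}
```

The design point worth noting is the FLASH_RACE_BYPASS state: BLE by itself only arranges for an SMI handler to clear BIOSWE again after it is set, and on a multi-core system another thread can issue the flash write in the interval before that happens, so BLE without SMM_BWP, and protected ranges without FLOCKDN, are configurations a reviewer should flag rather than accept.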
In some situations, BIOS may be stored in true ROM, preventing re-programmability. However, BIOS updates and other legitimate modifications may still be necessary, and with true ROM they can be applied only through physical access to the system and replacement of the ROM that stores the BIOS.
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art.