Use of personal computing devices such as personal computers, laptop computers and netbook computers, among other devices continues to grow. Such systems are used for entertainment, business, maintaining financial records, among numerous other purposes. Such systems are also targets for attacks by malicious actors. For instance, such attacks may include placing malicious software on a computing system. Such malicious software (malware) may compromise the security of the computing system by collecting personal information from the computing system, such as from memory or by using programs such as key-loggers, to collect passwords and other information entered into the computing system, as some examples. In other instances, the malware may be a computer virus or other malicious code.
Such attacks can be accomplished in a number of ways. For example, a malicious actor may gain access to a user's system in a public setting, such as at a conference, or a coffee shop. In other situations, a malicious actor may deliver malware over a network connection, such as via a website, for example.
One way to accomplish such malicious acts is to modify a “boot path” of a computing system to include malware in the boot path or to place the computing system in a vulnerable state where it can be accessed or attached remotely. In such a situation, a malicious actor may corrupt or replace instructions that are used to boot, or startup, a computing system with malicious instructions. For instance, instructions in firmware of a computing system may be modified and/or replaced with malware.
In many computer architectures, firmware is the lowest level of software that is executed on a computing system. The firmware may include instructions that initialize a main processor, random access memory and chipsets, among other system components. Typically, the firmware is read-write and can be modified in the field, such as to allow for updates that may correct defects or address security vulnerabilities. However, because such firmware is writeable, it can be modified, which makes associated computing systems subject to attack.
In such a system, the system may “boot” or startup by first executing instructions of the firmware and then executing instructions of an operating system kernel (which may be stored on a hard-disk or other mass storage device, such as a flash disk). This sequence of instructions may be referred to as a “boot path” for the system. Malicious acts may be accomplished, for example, by corrupting/modifying one or more portions of the boot path.
For a given system, updates may be made to elements of the boot path (e.g., firmware and/or operating system kernel). Such updates may be made to address known security concerns with previous versions. This, however, provides another way to accomplish malicious acts, such as by reverting elements of the boot path of a system to a previous version, where that previous version has a known security issue that can be readily exploited by the malicious actor.