The BIOS and Rootkits
Many documents, guidelines and application-level programs attempt to secure various operating systems (OS), but there is far less documentation and software for protecting lower-level subsystems such as the Basic Input Output System (BIOS). Security professionals are well aware that the security of any system is only as strong as its weakest link, since an attacker will seek to break into a system with the least amount of effort. In this chapter we focus on the BIOS, describing its main functions as well as the potential for attacks and the available countermeasures. After discussing the BIOS and analysing how it might be compromised, we go on to consider rootkits. Installing a rootkit is often the next stage of an attack once the BIOS has been compromised, as it allows the attacker to take full control of the target system. We discuss what rootkits actually are, how to identify that a system has been infected with a rootkit, and how to try to prevent such attacks in the first place. It should be noted that the issues raised in this chapter have also provided the justification for specialist hardware security measures such as the Trusted Platform Module (TPM) [1, 2, 3] described in Chap. 4.
Keywords: Virtual Machine, Random Access Memory, Trusted Platform Module, Integrity Check, Target Machine
References

1. Mitchell, Chris, ed. Trusted Computing. Institution of Electrical Engineers, 2005.
2. Pearson, Siani, and Boris Balacheff. Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, 2003.
3. Grawrock, David. The Intel Safer Computing Initiative. ISBN 0976483262 (2005).
4. Paterson, Tim. An Inside Look at MS-DOS. http://www.patersontech.com/Dos/Byte/InsideDos.htm.
5. Intel. Defining the interface between the operating system and platform firmware. http://www.intel.com/technology/efi/.
6. Hu, Yin, and Haoyong Lv. "Design of Trusted BIOS in UEFI Base on USBKEY." 2011 International Conference on Intelligence Science and Information Engineering (ISIE). IEEE, 2011.
7. Zhou, Zhen-liu, et al. "Research and Implementation of Trusted BIOS Based on UEFI." Computer Engineering 8 (2008): 062.
8. CmosPwd website. http://www.cgsecurity.org/wiki/CmosPwd.
9. BIOS320 download site. http://www.technibble.com/downloads/misc/BIOS320.exe.
10. Ghaleh, Hossein Rezaei, and Shahin Norouzi. "A new approach to protect the OS from off-line attacks using the smart card." Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE '09). IEEE, 2009.
11. Hendricks, James, and Leendert Van Doorn. "Secure bootstrap is not enough: Shoring up the trusted computing base." Proceedings of the 11th ACM SIGOPS European Workshop. ACM, 2004.
12. System Administration, Networking, and Security Institute (SANS). http://www.sans.org/.
13. Lemos, Robert. MPack developer interview. SecurityFocus. http://www.theregister.co.uk/2007/07/23/mpack_developer_interview/.
14. Craviero, Paolo. What is t0rn rootkit? SANS Malware FAQ. http://www.sans.org/security-resources/malwarefaq/t0rn_rootkit.php.
15. What Is Linux: Overview of the Linux Operating System. http://www.linux.com/learn/new-user-guides/376-linux-is-everywhere-an-overview-of-the-linux-operating-system.
16. Rutkowska, Joanna, and Rafal Wojtczuk. "Preventing and detecting Xen hypervisor subversions." Black Hat Briefings USA, 2008.
17. Gavrilovska, Ada, et al. "High-performance hypervisor architectures: Virtualization in HPC systems." Workshop on System-level Virtualization for HPC (HPCVirt), 2007.
18. Leinenbach, Dirk, and Thomas Santen. "Verifying the Microsoft Hyper-V hypervisor with VCC." FM 2009: Formal Methods (2009): 806–809.
19. Microsoft. Introduction to the Hypervisor in Windows Server 2008. http://www.microsoft.com/en-us/server-cloud/hyper-v-server/overview.aspx.
20. Stone-Gross, Brett, et al. "Your botnet is my botnet: Analysis of a botnet takeover." Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, 2009.
21. Provos, Niels, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. "All your iFRAMEs point to us." 2008.
22. Adobe Systems. Adobe Security Bulletin APSA09-01. http://www.adobe.com/support/security/advisories/apsa09-01.html.
23. Levine, John, Julian Grizzard, and Henry Owen. "A methodology to detect and characterize kernel level rootkit exploits involving redirection of the system call table." Proceedings of the Second IEEE International Information Assurance Workshop. IEEE, 2004.
24. Kruegel, Christopher, William Robertson, and Giovanni Vigna. "Detecting kernel-level rootkits through binary analysis." 20th Annual Computer Security Applications Conference. IEEE, 2004.
25. SANS. RootKit Investigation Procedures. SANS Reading Room. http://www.sans.org/score/checklists/rootkits_investigation_procedures.pdf.
26. BackTrack Linux security distribution. Offensive Security. http://www.backtrack-linux.org/.
27. Sophos Ltd official website. http://www.sophos.com/.
28. Black, J., M. Cochran, and T. Highland. A Study of MD5 Attacks: Insight and Improvements. http://www.cs.colorado.edu/~jrblack/papers/md5e-full.pdf.
29. Tripwire (community version) official website. http://www.tripwire.org/.
30. AIDE official website. http://aide.sourceforge.net/.
31. Microsoft. Debug Diagnostic Tools version 1.1. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24370.
32. OllyDbg debugger official website. http://www.ollydbg.de/.
33. Sophos Anti-Rootkit, personal edition. http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx.