The BIOS and Rootkits

  • Graham Hili
  • Keith Mayes
  • Konstantinos Markantonakis


There exist many documents, guidelines and application-level programs attempting to secure various operating systems (OS), but there is much less documentation and software for protecting lower-level subsystems such as the Basic Input Output System (BIOS). Security professionals are well aware that the security of any system is only as strong as its weakest link, as an attacker will seek to break into a system with the least amount of effort. In this chapter we focus on the BIOS and describe its main functions as well as the potential for attacks and countermeasures. After discussing the BIOS and analysing how it might be compromised, we go on to consider rootkits. Installing a rootkit is often the next stage of an attack once the BIOS has been compromised, allowing the attacker to take full control of the target system. We discuss what rootkits actually are, how to identify that a system has been infected with a rootkit, and how to try to prevent such attacks in the first place. It should be noted that the issues raised in this chapter have also provided justification for specialist hardware security measures such as the Trusted Platform Module (TPM) [1, 2, 3] described in Chap. 4.




  1. Mitchell, Chris, ed. Trusted Computing. Institution of Electrical Engineers, 2005.
  2. Pearson, Siani, and Boris Balacheff. Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, 2003.
  3. Grawrock, David. The Intel Safer Computing Initiative. ISBN-10976483262 (2005).
  4. Paterson, Tim. An Inside Look at MS-DOS,
  5. Intel Web Site, Defining the interface between the operating system and platform firmware,
  6. Hu, Yin, and Haoyong Lv. "Design of Trusted BIOS in UEFI Base on USBKEY." Intelligence Science and Information Engineering (ISIE), 2011 International Conference on. IEEE, 2011.
  7. Zhou, Zhen-liu, et al. "Research and Implementation of Trusted BIOS Based on UEFI." Computer Engineering 8 (2008): 062.
  8.
  9.
  10. Ghaleh, Hossein Rezaei, and Shahin Norouzi. "A new approach to protect the OS from off-line attacks using the smart card." Emerging Security Information, Systems and Technologies, 2009. SECURWARE '09. Third International Conference on. IEEE, 2009.
  11. Hendricks, James, and Leendert Van Doorn. "Secure bootstrap is not enough: Shoring up the trusted computing base." Proceedings of the 11th Workshop on ACM SIGOPS European Workshop. ACM, 2004.
  12. System Administration, Networking, and Security Institute,
  13. Lemos, Robert. MPack article, SecurityFocus,
  14. Craviero, Paolo. What is t0rn rootkit? System Administration, Networking, and Security Institute,
  15.
  16. Rutkowska, Joanna, and Rafal Wojtczuk. "Preventing and detecting Xen hypervisor subversions." Black Hat Briefings USA (2008).
  17. Gavrilovska, Ada, et al. "High-performance hypervisor architectures: Virtualization in HPC systems." Workshop on System-level Virtualization for HPC (HPCVirt), 2007.
  18. Leinenbach, Dirk, and Thomas Santen. "Verifying the Microsoft Hyper-V hypervisor with VCC." FM 2009: Formal Methods (2009): 806–809.
  19. Microsoft, Introduction to the Hypervisor in Windows Server 2008,
  20. Stone-Gross, Brett, et al. "Your botnet is my botnet: analysis of a botnet takeover." Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, 2009.
  21. Provos, Niels, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. "All your iframes point to us." (2008).
  22.
  23. Levine, John, Julian Grizzard, and Henry Owen. "A methodology to detect and characterize kernel level rootkit exploits involving redirection of the system call table." Information Assurance Workshop, 2004. Proceedings. Second IEEE International. IEEE, 2004.
  24. Kruegel, Christopher, William Robertson, and Giovanni Vigna. "Detecting kernel-level rootkits through binary analysis." Computer Security Applications Conference, 2004. 20th Annual. IEEE, 2004.
  25. System Administration, Networking, and Security Institute, RootKit Investigation Procedures, SANS Reading Room,
  26. BackTrack, Linux Security Distribution, Offensive Security,
  27. Sophos Ltd official website,
  28. Black, J., M. Cochran, and T. Highland. A Study of MD5 Attacks: Insight and Improvements,
  29. Tripwire (Community Version) official website:
  30. AIDE official website:
  31.
  32. OllyDbg Debugger, official website
  33.

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • Graham Hili (1)
  • Keith Mayes (1)
  • Konstantinos Markantonakis (1)

  1. Information Security Group, Smart Card Centre, Royal Holloway, University of London, London, United Kingdom