Liu Gongshen,Meng Kui,Fu Siyuan

DOI: https://doi.org/10.1109/icecc.2012.196

2012-01-01

Abstract:UEFI is an international standard which describes an interface between the OS and the platform firmware. To solve the low-level attack threats to computer system, a malicious software prevention system based on UEFI firmware is proposed in this paper. By using binary signature scanning technology, a malware detecting engine under UEFI environment is implemented, whose functions include malicious code detect, boot option analysis and firmware & OS Kernel backup. It is proved that this system can prevent malicious code attacks before the platform booting into the operating system with small storage size and low performance cost.

Jia-min MA,Li PAN,Jie-wen YAO

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.07.057

2014-01-01

Abstract:With the increase of code vulnerabilities in Unified Extensible Firmware Interface(UEFI) firmware and the lack of effective vulnerability detection systems, this paper develops a fuzzy test system for UEFI firmware. It applies fuzzy test technique to UEFI firmware vulnerability detection. The system reuses test framework of Self Certification Test(SCT) system, generates test data through a special subsystem to ensure the quality and provides APIs for creating test cases. Also, the vulnerability detection capability of the system is revealed through real security vulnerability in UEFI firmware. Experimental results show that, test cases can be written more easily but with 15%higher code coverage than the SCT system based on this system, which ensures the ability to detect deep, high risk security vulnerabilities.

Priyanka Prakash Surve,Oleg Brodt,Mark Yampolskiy,Yuval Elovici,Asaf Shabtai

2023-11-07

Abstract:The Unified Extensible Firmware Interface (UEFI) is a linchpin of modern computing systems, governing secure system initialization and booting. This paper is urgently needed because of the surge in UEFI-related attacks and vulnerabilities in recent years. Motivated by this urgent concern, we undertake an extensive exploration of the UEFI landscape, dissecting its distribution supply chain, booting process, and security features. We carefully study a spectrum of UEFI-targeted attacks and proofs of concept (PoCs) for exploiting UEFI-related vulnerabilities. Building upon these insights, we construct a comprehensive attack threat model encompassing threat actors, attack vectors, attack types, vulnerabilities, attack capabilities, and attacker objectives. Drawing inspiration from the MITRE ATT&CK framework, we present a MITRE ATT&CK-like taxonomy delineating tactics, techniques, and sub-techniques in the context of UEFI attacks. This taxonomy can provide a road map for identifying existing gaps and developing new techniques for rootkit prevention, detection, and removal. Finally, the paper discusses existing countermeasures against UEFI attacks including a variety of technical and operational measures that can be implemented to lower the risk of UEFI attacks to an acceptable level. This paper seeks to clarify the complexities of UEFI and equip the cybersecurity community with the necessary knowledge to strengthen the security of this critical component against a growing threat landscape.

Cryptography and Security

XIE Yong,LAI Xue-jia,DENG Zi-jian

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.08.062

2007-01-01

Abstract:In order to solve the limitations and difficulties of traditional PC BIOS, Intel has proposed Extensible Firmware Interface (EFI) Specifications. As the next generation of BIOS, EFI provides a standard environment for booting an OS. This paper gives a brief introduction of EFI, takes a closer look at some security issues in EFI, and analyzes its security architecture. Moreover, some key factors that have to be taken into account in a secure EFI environment are proposed.

Weihao Huang,Chaoyang Lin,Qiucun Yan,Lu Xiang,Zhiyu Zhang,Guozhu Meng,Kai Chen

DOI: https://doi.org/10.1109/cscwd57460.2023.10151998

2023-01-01

Abstract:In recent years, binary malware detection has attracted extensive attention from industry and academia. However, most of the existing work focuses on determining whether a sample is malicious or not, rather than identifying the malicious essence in malware. Few studies aim at locating malicious code at function granularity and suffer from inaccuracy. In this paper, we solve the problem by dividing malware into Functional Module (FM), which is a better granularity for locating malicious code, as it combines certain functions to express malicious behaviors in malware. We design a tool called FMDiv to automatically unpack and disassemble binary malware and then divide them into FMs based on the function call graph (CG). Meanwhile, one novel feature extraction and embedding method has been adopted to validate the effect of the FM division algorithm and provide one alternative method of characterization for subsequent malicious FM location. We evaluate FMDiv’s performance on 10,440 real-world samples from VIRUSSHARE. The results show that FMDiv can correctly characterize and make FM division of malware, outperforming current state-of-the-art work.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Min-Hao Wu,Fu-Hau Hsu,Jian-Hung Huang,Keyuan Wang,Yan-Ling Hwang,Hao-Jyun Wang,Jian-Xin Chen,Teng-Chuan Hsiao,Hao-Tsung Yang

DOI: https://doi.org/10.3390/electronics13173569

IF: 2.9

2024-09-09

Electronics

Abstract:In the late 20th century, computer viruses emerged as powerful malware that resides permanently in target hosts. For a virus to function, it must load into memory from persistent storage, such as a file on a hard drive. Due to the significant destructive potential of viruses, numerous defense measures have been developed to protect computer systems. Among these, antivirus software is one of the most recognized and widely used. Typically, antivirus solutions rely on static analysis (signature-based) technologies to detect infections in files stored on permanent storage devices, such as hard drives or USB (Universal Serial Bus) flash drives. However, a new breed of malware, fileless malware, has been designed to evade detection and enhance durability. Fileless malware resides solely in the memory of the target hosts, circumventing traditional antivirus software, which cannot access or analyze processes executed directly from memory. This study proposes the Check-on-Execution (CoE) kernel-based approach to detect fileless malware on Linux systems. CoE intervenes by suspending code execution before a program executes code from a process's writable and executable memory area. To prevent the execution of fileless malware, CoE extracts the code from memory, packages it with an ELF (Executable and Linkable Format) header to create an ELF file, and uses VirusTotal for analysis. Experimental results demonstrate that CoE significantly enhances a Linux system's ability to defend against fileless malware. Additionally, CoE effectively protects against shell code injection attacks, including buffer and memory overflows, and can handle packed malware. However, it is important to note that this study focuses exclusively on fileless malware, and further research is needed to address other types of malware.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ronny Chevalier,Stefano Cristalli,Christophe Hauser,Yan Shoshitaishvili,Ruoyu Wang,Christopher Kruegel,Giovanni Vigna,Danilo Bruschi,Andrea Lanzi

DOI: https://doi.org/10.1145/3292006.3300026

2019-03-29

Abstract:Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware's loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.

Cryptography and Security

Md Shafiuzzaman,Achintya Desai,Laboni Sarker,Tevfik Bultan

2024-07-17

Abstract:Since its major release in 2006, the Unified Extensible Firmware Interface (UEFI) has become the industry standard for interfacing a computer's hardware and operating system, replacing BIOS. UEFI has higher privileged security access to system resources than any other software component, including the system kernel. Hence, identifying and characterizing vulnerabilities in UEFI is extremely important for computer security. However, automated detection and characterization of UEFI vulnerabilities is a challenging problem. Static vulnerability analysis techniques are scalable but lack precision (reporting many false positives), whereas symbolic analysis techniques are precise but are hampered by scalability issues due to path explosion and the cost of constraint solving. In this paper, we introduce a technique called STatic Analysis guided Symbolic Execution (STASE), which integrates both analysis approaches to leverage their strengths and minimize their weaknesses. We begin with a rule-based static vulnerability analysis on LLVM bitcode to identify potential vulnerability targets for symbolic execution. We then focus symbolic execution on each target to achieve precise vulnerability detection and signature generation. STASE relies on the manual specification of reusable vulnerability rules and attacker-controlled inputs. However, it automates the generation of harnesses that guide the symbolic execution process, addressing the usability and scalability of symbolic execution, which typically requires manual harness generation to reduce the state space. We implemented and applied STASE to the implementations of UEFI code base. STASE detects and generates vulnerability signatures for 5 out of 9 recently reported PixieFail vulnerabilities and 13 new vulnerabilities in Tianocore's EDKII codebase.

Cryptography and Security,Software Engineering

Mahsa Farahani,Ghazal Shenavar,Ali Hosseinghorban,Alireza Ejlali

2024-09-22

Abstract:Firmware serves as a foundational software layer in modern computers, initiating as the first code executed on platform hardware, similar in function to a minimal operating system. Defined as a software interface between an operating system and platform firmware, the Unified Extensible Firmware Interface (UEFI) standardizes system initialization and management. A prominent open-source implementation of UEFI, the EFI Development Kit II (EDK2), plays a crucial role in shaping firmware architecture. Despite its widespread adoption, the architecture faces challenges such as limited system resources at early stages and a lack of standard security features. Furthermore, the scarcity of open-source tools specifically designed for firmware analysis emphasizes the need for adaptable, innovative solutions. In this paper, we explore the application of general code audit tools to firmware, with a particular focus on EDK2. Although these tools were not originally designed for firmware analysis, they have proven effective in identifying critical areas for enhancement in firmware security. Our findings, derived from deploying key audit tools on EDK2, categorize these tools based on their methodologies and illustrate their capability to uncover unique firmware attributes, significantly contributing to the understanding and improvement of firmware security.

Cryptography and Security,Hardware Architecture,Software Engineering

Ronny Chevalier,Maugan Villatel,David Plaquin,Guillaume Hiet

DOI: https://doi.org/10.1145/3134600.3134622

2018-03-07

Abstract:Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 $\mu$s threshold defined by Intel).

Cryptography and Security

Yilin Zhou,Guojun Peng,Zichuan Li,Side Liu

DOI: https://doi.org/10.23919/jcc.ja.2022-0409

2024-02-13

China Communications

Abstract:According to the boot process of modern computer systems, whoever boots first will gain control first. Taking advantage of this feature, a malicious code called bootkit can hijack the control before the OS bootloader and bypass security mechanisms in boot process. That makes bootkits difficult to detect or clean up thoroughly. With the improvement of security mechanisms and the emergence of UEFI, the attack and defense techniques for bootkits have constantly been evolving. We first introduce two boot modes of modern computer systems and present an attack model of bootkits by some sophistical samples. Then we discuss some classic attack techniques used by bootkits from their initial appearance to the present on two axes, including boot mode axis and attack phase axis. Next, we evaluate the race to the bottom of the system and the evolution process between bootkits and security mechanisms. At last, we present the possible future direction for bootkits in the context of continuous improvement of OS and firmware security mechanisms.

telecommunications

Xizhe Zhang,Yong Xie,Xuejia Lai,Shensheng Zhang,Zijian Deng

DOI: https://doi.org/10.1007/978-3-540-76843-2_39

2007-01-01

Abstract:This paper presents a unique multi-core security architecture based on EFI. This architecture combines secure EFI environment with insecure OS so that it supports secure and reliable bootstrap, hardware partition, encryption service, as well as real-time security monitoring and inspection. With this architecture, secure EFI environment provides users with a management console to authenticate, monitor and audit insecure OS. Here, an insecure OS is a general purpose OS such as Linux or Windows in which a user can perform ordinary jobs without obvious limitation and performance degradation. This architecture also has a unique capability to protect authentication rules and secure information such as encrypted data even if the security ability of an OS is compromised. A prototype was designed and implemented. Experiment and test results show great performance merits for this new architecture.

谢勇,来学嘉,张熙哲

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.061

2008-01-01

Abstract:The Extensible Firmware Interface(EFI)specification provides a standard environment for the program before booting an OS.This paper proposes a Dual-core EFI-based Security Architecture(DESA).EFI is a secure domain that is physically and logically separate,and performs several security components services such as real-time monitoring,co-processing and auditing.A prototype for virtual disk's secure access and real-time monitor is designed and implemented.Experimental results show that DESA can enhance performance and security improvements,and provide security services for OS with low performance cost.

Zijian Deng,Xuejia Lai

DOI: https://doi.org/10.1109/sitis.2007.38

2008-01-01

Abstract:How to protect the sensitive information from unauthorized disclosure is one of the problems in computer security. In this paper we present a new method for preventing the sensitive file from unauthorized disclosure, Security File Management (SFM). SFM relies on Dual-Core technology, Extensible Firmware Interface and Trusted computing to provide a much high level of security than current solutions. All operations of sensitive files are run in Trusted Boundary. In this paper, we present the architecture of SFM, the initial designer and the security analysis.

Yifei Xu,Ting Liu,Pengfei Liu,Hong Sun

DOI: https://doi.org/10.1109/CNS.2018.8433163

2018-01-01

Abstract:The firmware vulnerability is one of the most serious threats for Internet-of-Things (IoT) security. However, it is hard to investigate firmware, due to the lack of source code and the complicated structure. In this paper, a searchbased firmware code analysis method is proposed to associate the program functionalities with the assembly code. In the experiment, the firmware of Siemens PAC4200 power meter is selected to demonstrate how to search the assembly code of device information interface. Moreover, one vulnerability of this interface is shown, which would be exploited to manipulate the data of device.

LI Hua,LIU Zhi,QIN Zheng,ZHANG Xiao-song

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.03.094

2011-01-01

Abstract:This paper proposed a new approach that could effectively detect and restrict(unknown) malware,and implemented a prototype system.First,used support vector machine to build classifier,which could judge whether a program was malicious or not,and extracted the malware's signature.Agents running in host could detect malware and stop its execution.To analyze precise behaviors,put samples in virtual machines for executions.Experiment results show compared with naive Bayes and decision tree,our system yields low false positives as well false negatives,and the distributed architecture accelerates restriction.

Ge Jin,Zhi Xue,Yijun Wang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.06.013

2015-01-01

Abstract:Bootkit,a novel malicious code,grabs the right of execution by infecting MBR or VBR so that greatly advances the loading time thus disables the effective detection on it by the conventional security software based on dynamic behaviour analysis[1].We propose a novel static detection method in this paper aiming at such a difficulty of Bootkit detection,design and implement correlated MBR matching algo-rithm.Moreover,the experiment is carried out against the Bootkit malicious code sample well-known at home and abroad.Experimental re-sults show that this method can effectively detect today’s mainstream Bootkit malicious codes,and further proves the feasibility of static detec-tion idea.

Wei Hu,Tianzhou Chen,Zhenjie He,Qingsong Shi

2007-01-01

WSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS

Abstract:Information security, which covers a wide scope in application and research, has become a mainstream issue to protect the sensitive data. Meanwhile, firmware technology is experiencing a revolution, as the newly emerged EFI is replacing legacy BIOS. This paper gives an introduction to the challenges involved in securing EFI/Tiano framework, and discusses a set of principles as well as a method to design an efficient scalable cryptographic library for cryptographic protocols.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.