BIOS and Firmware Security

Developing efficient testing techniques to quickly identify vulnerabilities at the bios/firmware level

Modern-day BIOS and other device firmware are complex pieces of code that can suffer from similar types of security vulnerabilities as application-level software. BIOS/firmware level vulnerabilities are often particularly destructive since exploiting them can potentially affect the entire compute stack rendering a system inoperable, perhaps permanently. Recovering from such attacks may even require reprogramming the device by the original manufacturer, potentially resulting in significant disruptions to users. In this project we aim to develop efficient testing techniques to quickly identify vulnerabilities at the bios/firmware level. We employ a two-pronged approach to analyzing firmware for security vulnerabilities – static analysis of code for memory safety related weaknesses and vulnerabilities, and model checking via symbolic execution of firmware code also for memory safety related weaknesses. By itself, each of these techniques result in significant false positives as well as false negatives. We believe that a combination of the two techniques will provide better security guarantees.

Developing robust protocols based on code signing and verification and using Trusted Platform Modules to initialize hardware components, boot the system, provide runtime services implemented by hardware components and, in general, protect the platform against unauthorized changes.

Modern hardware devices are complex systems. There is a complex supply chain involved in their manufacturing process that consists of a set of upstream component originators that are transferred to a set of downstream component users to produce more complex sub-devices and assembled by the final vendor. As a hardware device moves in this supply chain, there is a potential threat of tampering. This is of significant concern since there is an increased emphasis on using trusted hardware devices to provide security services. Even if the software is trusted and bug-free, if it is run on an untrusted device, not many security guarantees can be expected from it. The project assumes that the manufacturer of a product is trusted not to have tampered with the product before sending it downstream. Thus, the protection in transit problem is reduced to the problem of ensuring that the first-time use of a product after it has left the vendor is only by the rightful/authorized immediate downstream user. This is achieved by having the manufacturer of the product lock it down after production and introducing a mechanism by which the product can authenticate the rightful user and self-unlock to allow the use of the product. For a proof-of-concept, we are investigating the problem in the context of a complex product such as a workstation or laptop being shipped to a human end user. We are using hardware trusted root of trust to perform authentication, locking, and unlocking of devices. The locking of the device is performed at the BIOS/BMC level by the vendor. Authentication is based on sharing secrets. We use a mesh of trusted agents for the secure sharing of secrets.