Why We Need Guardians of the BIOS

In my previous blog post about my upcoming Black Hat USA talk, we discussed some of the details about Intel Boot Guard technology. It was good to see Dell last week, who also shared some details about their implementation.

In this blog, I want to continue to focus on BIOS protection technologies and discuss the importance of this research. For example, I’d like to share why it’s important to protect the platform boot process properly, right from its early steps. I’d also like to discuss what the real needs are for Secure Boot improvements (in case of operating system loaders), and how they are covered by the latest boot stages of UEFI firmware.

In this blog, I will provide some interesting facts about the importance of my Black Hat research.

The Evolution of Modern Rootkits

Nowadays, it’s rare for us to catch an interesting rootkit or bootkit in-the-wild. Most malware threats have migrated to user-mode. This fact is directly connected to the evolution of security technologies of modern operating systems.

As an example, Microsoft Windows has, in the past few years, introduced a lot of security changes into their kernel for the kernel-mode drivers. Now, the kernel can’t load unsigned drivers because of the Code Signed Policy. The Patch Guard created a lot of limitations on kernel-mode code modifications. The Virtual Secure Mode (VSM) and Device Guard on MS Windows 10 raise the threshold of complexity for kernel-mode rootkit development.

Figure 1

The move to UEFI and the spread of the Secure Boot scheme changed the bootkit landscape, drawing more attention to BIOS firmware from security researchers. Also, these changes increase the cost of development for kernel-mode rootkits and bootkits. Now, this has already happened previously, mostly because of Code Signing Policy. The bootkit development process was much cheaper (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Previous Contributor. Read the original post at: Cylance Blog