Adventures in Engineering
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-03-11 03:27
  Subject:   Automated BIOS flashing considered harmful.
There's a story up on Slashdot about VM-based viruses. (Nice work from the MS Research team that discovered this vulnerability, BTW.) Basically, the virus takes over the boot-up process and makes sure it loads before the real operating system does. That way, it can cloak itself arbitrarily well by setting up the CPU's "virtual processor" features to intercept all memory and I/O access, and make the system appear totally clean no matter how the OS tries to check. It's like the cops not being allowed to enter your house even when they have a search warrant. Instead, they have to ask you to bring them the things they want to look at. There's no way for them to know if you're coming back with the genuine article or not.

The solution to this is simple: when you want to run a really paranoid virus scan, go into the BIOS menu and tell your computer to try to boot off any CD-ROM in the CD drive before it tries to boot off the hard drive. Then keep your OS install CD handy, and boot off that. Since the OS CD is known clean (almost always, anyway), you can boot off it, run your virus scan, and no code on the hard disk can set up the VM stuff, since nothing on the hard disk has been executed.

However, a really clever virus could write itself into your computer's BIOS, which is the low-level code that runs the memory check when you turn your computer on. The BIOS gets going before the CD-ROM drive is ever touched. Another security arms race has begun! A few mobo manufacturers have taken to putting two BIOS chips on the motherboard, so that presumably one of them will be clean at any time. However, if both chips are writable, then you really haven't bought yourself anything. Any virus smart enough to figure out how to write one BIOS is going to be able to write the other. (We are assuming that mobo makers aren't smart enough to ground the "write enable" line on the second chip in hardware, which I believe as yet they aren't.)

Anyway, if you ask me, the fact that a program running on your computer can reprogram the BIOS is just a bad idea, period. It's like a car design that puts the engine in the passenger compartment, and makes it easy for you to disconnect the high-pressure fuel injector hoses while it's running. About three seconds' reflection tells you this is just not very smart.

Let's assume that mobo manufacturers aren't going to put a "BIOS write disable" option in their BIOS menus. Or - god forbid - put a jumper on the mobo that must be moved to allow BIOS writes. (Because, you know, we wouldn't want our users to have to be tech-savvy enough to move a jumper in order to completely gut and reburn the most basic functionality of their computer. Because, you know, a mistake during that process will so thoroughly lobotomize their computer that it won't even turn on when you press the power button on the front. So, you know, we wouldn't want to have to make people actually remove a screw or two in order to do it.) Well, I think I know a better way. Thus my comment here:

Automated BIOS flashing considered harmful.

There are certain things only trained people should do. You have to remove several bolts to get to the timing belt in your car's engine. Because if you screw that up, you'll at a minimum make your car unrunnable, and at worst completely destroy the engine. Allowing programs to rewrite a computer's BIOS without human intervention, or at the very least human permission, is way across the line and should not be allowed.

Ben Cantrick
  User: mackys
  Date: 2006-03-11 08:12 (UTC)
  Subject:   Someone asked me...
"How, exactly, does the hardware implementation of this secure BIOS checker work?"

A fair question. Here is the outline of one way:


Alex Belits: iskra
  User: abelits
  Date: 2006-03-12 04:46 (UTC)
  Subject:   Re: Someone asked me...
I don't see any flaws in it, other than that it's hard to sell to manufacturers (OMG, WE HAVE TO ADD ONE MORE CHIP, AND USERS WON'T SEE SOME GAUDY GUI THING THAT VALIDATES ITS PRESENCE!!!).

Ben Cantrick
  User: mackys
  Date: 2006-03-12 05:25 (UTC)
  Subject:   Re: Someone asked me...
"I don't see any flaws in it, other than that it's hard to sell to manufacturers (OMG, WE HAVE TO ADD ONE MORE CHIP,"

Well, some of them are already throwing two full-blown BIOS chips on the board, so hopefully they won't complain too much about making one of them a slightly smaller, cheaper chip. Or maybe they would...

Ben Cantrick
  User: mackys
  Date: 2006-03-11 08:50 (UTC)
  Subject:   Also, this guy...
...has the right idea:


The only problem, of course, is that if the "no BIOS update" flag can be written and/or erased from a software BIOS updater program, as it apparently can, you're not really gaining much.

Again, with some supporting hardware, it is possible to make a region of memory that can only be written to when code between certain memory addresses is being executed. But again, what's to stop the trojan from JMPing to that code?

You pretty much have to resort to some kind of "set flag to disable hardware" thing again. The key ability that enables everything else is code that can cause a change in the hardware that no code, not even itself, can undo. In this case, setting a bit in a register somewhere that can't be cleared until a hard reboot happens.
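The "bit that can't be cleared until a hard reboot" from the comment above, and the write-protected second chip discussed in the post, as an added illustration (model code written for this page, not from the post, the thread or any real motherboard): a toy flash part whose write-disable bit latches until reset, plus a boot-time compare of the flash against a digest held in a part with no write path. The register layout, sizes and the FNV-1a stand-in for a real digest are assumptions; FNV-1a is not a cryptographic hash and is only used to keep the model self-contained.

```c
/*
 * Model of a firmware flash part with a "sticky" write-disable bit.
 * Added illustration for this thread, not code from the post or from any
 * real chipset: register layout, sizes and the FNV-1a digest are assumptions.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BIOS_SIZE 64u              /* toy flash size; real parts are megabytes */
#define CTRL_WRITE_DISABLE 0x01u   /* bit 0 of the (assumed) control register */

enum flash_status { FLASH_OK = 0, FLASH_LOCKED = 1, FLASH_BAD_ADDR = 2 };

typedef struct {
    uint8_t  bios[BIOS_SIZE];   /* rewritable firmware flash */
    uint64_t golden_digest;     /* held in a second part with no write path at all */
    bool     write_disabled;    /* sticky: software can set it, only reset clears it */
} flash_ctrl;

/* FNV-1a 64-bit, standing in for the cryptographic hash a real checker needs. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Factory provisioning: burn a known-good image and record its digest in the
 * read-only part. Nothing after this step can change golden_digest. */
void flash_provision(flash_ctrl *c, uint8_t fill)
{
    memset(c->bios, fill, BIOS_SIZE);
    c->golden_digest = fnv1a64(c->bios, BIOS_SIZE);
    c->write_disabled = false;
}

/* Hard reset: flash contents survive, the lock bit does not. The window between
 * reset and the boot code re-arming the bit is where a human-approved update fits. */
void flash_reset(flash_ctrl *c)
{
    c->write_disabled = false;
}

/* Control register write. Bit 0 is write-once-until-reset: a write with the bit
 * set latches it, a write with the bit clear is ignored, so no later code, not
 * even the code that set it, can reopen the flash. */
void flash_write_ctrl(flash_ctrl *c, uint8_t value)
{
    if (value & CTRL_WRITE_DISABLE)
        c->write_disabled = true;
}

uint8_t flash_read_ctrl(const flash_ctrl *c)
{
    return c->write_disabled ? CTRL_WRITE_DISABLE : 0;
}

/* The only path that modifies flash. It checks the latch, not who is calling,
 * so jumping into "trusted" update code gains an attacker nothing. */
enum flash_status flash_write(flash_ctrl *c, size_t addr, const uint8_t *src, size_t n)
{
    if (addr > BIOS_SIZE || n > BIOS_SIZE - addr)
        return FLASH_BAD_ADDR;
    if (c->write_disabled)
        return FLASH_LOCKED;
    memcpy(c->bios + addr, src, n);
    return FLASH_OK;
}

/* Boot-time check against the digest in the read-only part: a tampered image
 * fails here before any of it runs. */
bool flash_verify(const flash_ctrl *c)
{
    return fnv1a64(c->bios, BIOS_SIZE) == c->golden_digest;
}

/* Walk the scenario from the thread end to end; returns how many of the seven
 * expected outcomes held, so a caller can check the model. */
int run_scenario(void)
{
    flash_ctrl c;
    const uint8_t patch[4] = { 0xDE, 0xAD, 0xBE, 0xEF };  /* constructed payload */
    int ok = 0;

    flash_provision(&c, 0xA5);
    ok += flash_verify(&c);                                           /* 1: fresh image verifies */
    ok += (flash_write(&c, 0, patch, sizeof patch) == FLASH_OK);      /* 2: unlocked after reset */
    ok += !flash_verify(&c);                                          /* 3: checker sees the change */

    flash_provision(&c, 0xA5);
    flash_write_ctrl(&c, CTRL_WRITE_DISABLE);                         /* boot code arms the latch */
    ok += (flash_write(&c, 0, patch, sizeof patch) == FLASH_LOCKED);  /* 4: write refused */
    flash_write_ctrl(&c, 0);                                          /* attempt to clear: ignored */
    ok += (flash_read_ctrl(&c) == CTRL_WRITE_DISABLE);                /* 5: still latched */
    ok += (flash_write(&c, 60, patch, sizeof patch) == FLASH_LOCKED); /* 6: still refused */

    flash_reset(&c);                                                  /* only a hard reset reopens it */
    ok += (flash_write(&c, 60, patch, sizeof patch) == FLASH_OK);     /* 7 */
    return ok;
}

int main(void)
{
    printf("%d of 7 expected outcomes held\n", run_scenario());
    return 0;
}
```

The point of the model is the asymmetry in `flash_write_ctrl`: software has a one-way path to lock the part and no path to unlock it, so the question of which code does the write (or where it jumped in from) stops mattering. The digest compare covers the other half of the thread, a check that does not live in the same rewritable part it is checking.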

Alex Belits: iskra
  User: abelits
  Date: 2006-03-12 04:46 (UTC)
  Subject:   Two words:
PXE virus.

Ben Cantrick
  User: mackys
  Date: 2006-03-12 05:23 (UTC)
  Subject:   Ho boy...
I sure hope future high-end Ethernet hardware comes with enough capability to drop all PXE Ethernet frames...

Jon: Solla Sollew
  User: j_b
  Date: 2006-03-13 05:08 (UTC)
  Subject:   heee
See http://www.woodmann.com/crackz/Tutorials/Protect.htm and others, I think a polymorphic detection program would have reasonable success at nabbing whether or not it was running in a stealth virus enabled VM ... (Of course that's like assuming that your opponent knows his drink has Iocane Powder in it so he switched it ... )

IIRC the STOP OS for the XTS-400 ( http://google.com/search?q=xts-400 ) even goes as far as making sure that programs can't communicate with each other clandestinely across security levels with timed resource-exhaustion techniques. 'course the spooks prolly have working stealth bios viruses.

