BootKeeper: Validating Software Integrity Properties on Boot Firmware Images

Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware's loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.

[1]  Mattia Monga,et al.  Replay attack in TCG specification and solution , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[2]  Ahmad-Reza Sadeghi,et al.  TCG inside?: a note on TPM specification compliance , 2006, STC '06.

[3]  Tibor Gyimóthy,et al.  Interprocedural static slicing of binary executables , 2003, Proceedings Third IEEE International Workshop on Source Code Analysis and Manipulation.

[4]  Vincent Zimmer,et al.  Beyond BIOS - Developing with the Unified Extensible Firmware Interface, Third Edition , 2017, Beyond BIOS, 3rd Edition.

[5]  Bernhard Kauer OSLO: Improving the Security of Trusted Computing , 2007, USENIX Security Symposium.

[6]  Xiaoyu Ruan,et al.  Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine , 2014 .

[7]  Christopher Krügel,et al.  Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware , 2015, NDSS.

[8]  Mark R. Tuttle,et al.  Symbolic Execution for BIOS Security , 2015, WOOT.

[9]  Saumya Debray,et al.  Symbolic Execution of Obfuscated Code , 2015, CCS.

[10]  G. Ramalingam,et al.  The undecidability of aliasing , 1994, TOPL.

[11]  Somesh Jha,et al.  FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution , 2013, USENIX Security Symposium.

[12]  Bart Preneel,et al.  Remote attestation on legacy operating systems with trusted platform modules , 2008, Sci. Comput. Program..

[13]  Tudor Dumitras,et al.  Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI , 2017, CCS.

[14]  Scott A. Rotondo Trusted Computing Group , 2011, Encyclopedia of Cryptography and Security.

[15]  George Candea,et al.  Testing Closed-Source Binary Device Drivers with DDT , 2010, USENIX Annual Technical Conference.

[16]  J. Heasman Implementing and Detecting a PCI Rootkit , 2006 .

[17]  John Heasman Rootkits: Rootkit threats , 2006 .

[18]  Xiaoyu Ruan,et al.  Platform Embedded Security Technology Revealed , 2014, Apress.

[19]  Jonathon T. Giffin,et al.  Impeding Malware Analysis Using Conditional Code Obfuscation , 2008, NDSS.

[20]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.

[21]  Xeno Kovah,et al.  BIOS chronomancy: fixing the core root of trust for measurement , 2013, CCS.

[22]  Christopher Krügel,et al.  SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[23]  Pierre-Alain Fouque,et al.  Automated Identification of Cryptographic Primitives in Binary Code with Data Flow Graph Isomorphism , 2015, AsiaCCS.

[24]  Luca Bruno,et al.  AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares , 2014, NDSS.

[25]  Vincent J. Zimmer,et al.  Trusted Platforms UEFI, PI and TCG-based firmware , 2009 .

[26]  R. Weisberg A-N-D , 2011 .