Research on UEFI BIOS-based Attack Methods
Published: 2018-04-03 11:56
Topic: UEFI attack methods. Entry point: security risks. Source: Beijing University of Technology, 2014 master's thesis
[Abstract]: Security vulnerabilities in the firmware layer have become one of the major threat factors in the information security industry; attacks that exploit them are inherently hard to remove, hard to detect and highly destructive. Research into firmware-layer attacks therefore provides a strong foundation for computer security from the lowest level, and has significant application value and research significance. BIOS, an indispensable firmware program in the firmware layer, is the first program executed after the computer powers on, and it provides the lowest-level, most direct control of the hardware. UEFI is the new-generation BIOS standard, defining the interface specification between the operating system and the hardware platform firmware. Its arrival not only changed the boot process of the traditional BIOS, solved problems such as the traditional BIOS being hard to extend, and gave users a convenient low-level development environment, but also inevitably introduced some security risks. Research on UEFI has become a hot topic in the field of information security. This thesis studies UEFI-based attack methods: it analyses the overall architecture of UEFI and its security, studies some existing typical firmware-layer attack methods, and, starting from two aspects, the security risks inherent in UEFI itself and those in the UEFI boot process, proposes two different attack methods, namely attacking storage devices via UEFI and hijacking the operating system kernel via UEFI. The core idea of attacking storage devices via UEFI is that UEFI completes the initialisation of storage devices and provides data access interfaces to them, so that a user can operate on storage devices without entering the operating system. At the same time, because the UEFI Option ROM is extensible, users can flash Option ROM image files according to their own needs, which also gives attackers an exploitable opportunity. Therefore, when the BDS phase enumerates PCI devices and loads Option ROMs, a function that operates on the storage device is registered, and the attack on the storage device is carried out when a specific protocol is installed. This attack method is implemented in three modules: UEFI file operations, Option ROM protocol dependency, and ROM file generation. The thesis also verifies this attack method experimentally, showing that it is feasible. The core idea of hijacking the operating system kernel via UEFI relies on the vulnerability that the UEFI boot process does not verify boot components: by tampering with the boot path of the OS Loader, a malicious program is loaded and the boot services exit function is hooked, so that after the operating system has started the system kernel is hijacked and the operating system boot file is infected. Taking Windows 7 as an example, the thesis analyses the UEFI OS Loader and the format of its image file, studies hooking techniques and parasitic infection methods, and finally designs and implements an EFI partition location module and a kernel hijacking module to complete the UEFI-based operating-system-kernel hijacking attack.
[Degree-granting institution]: Beijing University of Technology
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08
Record number: 1705107
Link: https://www.wllwen.com/guanlilunwen/ydhl/1705107.html