
Research On Key Technologies Of BIOS Trapdoor

Posted on: 2014-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Jiang
Full Text: PDF
GTID: 2268330401476770
Subject: Computer Science and Technology
Abstract/Summary:
As an important part of a computer system, the BIOS is mainly responsible for connecting the hardware and the operating system. If special logic can be implanted in the BIOS to form a BIOS trapdoor that is difficult to detect and clear out, special functions including capturing control of the system, obtaining information and monitoring status can be achieved. Therefore, research on the key technologies of BIOS trapdoors has not only positive practical significance but also important military significance.

Taking the Future Development Foundation of PLA Information Engineering University Project (No.1201) as its background, this thesis focuses on the implantation technology and hiding technology of BIOS trapdoors, based on an analysis of the internal structure, code obfuscation technology and security mechanisms of representative BIOS binary files. Three BIOS trapdoors are designed and realized, and the performance of these BIOS trapdoors is tested.

The major contributions and innovations of this thesis are as follows:

1. The internal security mechanism of the BIOS is researched. To address the code obfuscation encountered when reverse-analyzing a BIOS file, common BIOS code obfuscation methods are analyzed and summarized with examples. On this basis, by comparing the changes in a modified BIOS file, the internal security mechanism of the BIOS is grasped by reverse-analyzing the BIOS file and the official BIOS tool.

2. An implantation method for a module-level trapdoor based on forging an executable module, and an implantation method for an instruction-level trapdoor based on modifying the target address of a jump instruction, are presented. The former achieves the implantation of a module-level trapdoor by forging the trapdoor code into an executable module that the BIOS recognizes and implanting this forged module in the spare area between modules inside the BIOS file. The latter achieves the implantation of an instruction-level trapdoor by implanting the trapdoor code in the spare area inside an executable module and changing the target address of a jump instruction inside the host module to the entry address of the trapdoor code.

3. Based on an analysis of the operating mechanism and security risks of UEFI BIOS, an implantation method for a UEFI BIOS trapdoor based on hijacking the OS loader is presented. In this method, UEFI BIOS trapdoors are written to the UEFI system partition on the disk as UEFI image files, and the implantation of the UEFI BIOS trapdoors is achieved by hijacking the OS loader in the UEFI system partition.

4. For the UEFI BIOS trapdoor, which can reside on computer disks, a data hiding method based on disk slack space is presented. Based on an analysis of the disk partitioning scheme and the file management mechanism of cluster-based file systems, dispersed file-cluster slack spaces are combined to store sensitive data, and the information used to restore the original data is saved in a data structure stored in partitioning-scheme slack space. Experimental results show that the data hiding method based on disk slack space has the characteristics of high concealment, low system overhead and not taking up the effective space of the file system.

5. According to the research results on the key technologies of BIOS trapdoors, and combined with actual demand, three BIOS trapdoors are designed and realized. These BIOS trapdoors have been applied in the Future Development Foundation of PLA Information Engineering University Project (No.1201). The actual test results verify the correctness and effectiveness of the research on the key technologies of BIOS trapdoors.
Keywords/Search Tags: Basic Input Output System, Reverse Analysis, Code Obfuscation, Module-level Trapdoor, Instruction-level Trapdoor, Unified Extensible Firmware Interface, Data Hiding, Partitioning Scheme, File System, Disk Slack Space