
Research Of Attack Based Unified Extensible Firmware Interface (UEFI) BIOS

Posted on: 2015-03-13
Degree: Master
Type: Thesis
Country: China
Candidate: W W He
Full Text: PDF
GTID: 2298330452953154
Subject: Computer technology

Abstract/Summary:
Security vulnerabilities in the firmware layer have become one of the important threats facing the information security industry. Attacks that exploit firmware-layer vulnerabilities are difficult to detect and to remove, and their consequences can be devastating. Research on firmware-layer attacks therefore helps protect the lowest-level security of the computer and has important application value and research significance.

BIOS, the essential firmware of the firmware layer, is the first code executed when the computer boots, and it provides the lowest-level and most direct control of the hardware. UEFI is the next-generation BIOS standard and defines a new interface specification between the operating system and the hardware platform firmware. UEFI changes the traditional boot mode, solves problems such as the difficulty of extending the traditional BIOS, and provides a convenient low-level development environment for users, but it also inevitably brings security risks. The study of UEFI has currently become a hot topic in the information security field.

The aim of this thesis is to research attacks based on the Unified Extensible Firmware Interface, analyze the overall architecture and security of UEFI, and study the existing attacks. The thesis proposes two different attacks. First, starting from UEFI's own security risks, it puts forward a UEFI-based attack on storage devices; second, starting from the security risks of the UEFI boot process, it presents a UEFI-based attack that hijacks the operating system kernel.

The core idea of the UEFI-based attack on storage devices is that UEFI completes the initialization of storage devices and provides an interface for users to access and operate them without entering the operating system. Meanwhile, the image in a UEFI Option ROM is extensible and can be flashed according to users' needs, and attackers can make use of this feature to attack the computer. An attack on storage devices through the UEFI Option ROM is therefore possible: when UEFI enumerates PCI devices and loads Option ROMs during Boot Device Selection, a function is registered that operates on the storage device once a particular protocol is installed. The attack comprises three modules: file operations on the storage device in UEFI, protocol dependencies in the Option ROM, and generation of the ROM file. The thesis also verifies the attack experimentally and shows that it is feasible.

The core idea of the UEFI-based hijacking of the operating system kernel is that components are not verified in the UEFI boot process, so it is possible to tamper with the path of the OS Loader, load malicious programs, and hook ExitBootServices in order to hijack the operating system kernel and infect boot files. Taking Win7 as an example, the thesis analyzes the OS Loader and the format of images in UEFI, and studies hooking technology and parasitic infection. Finally, it designs an EFI partition positioning module and a kernel hijacking module to implement the attack.
Keywords/Search Tags: UEFI attacks, security risks, storage device, system kernel
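
A defender-side check for the OS Loader path tampering described in the abstract, as an added example that is not code from the thesis: it parses a UEFI Boot#### variable (an EFI_LOAD_OPTION structure) and flags a loader path outside an expected set. The expected path, the function names and the sample entries are assumptions constructed for illustration.

```python
import struct

# Assumption: loader paths this machine is expected to boot (lower-cased).
EXPECTED_LOADERS = {r"\efi\microsoft\boot\bootmgfw.efi"}

# On Linux efivarfs, strip the 4-byte attribute prefix before parsing.
def parse_load_option(data: bytes):
    """Parse an EFI_LOAD_OPTION blob; return (description, loader_path or None)."""
    if len(data) < 8:
        raise ValueError("truncated EFI_LOAD_OPTION")
    _attributes, fpl_len = struct.unpack_from("<IH", data, 0)
    end = 6  # Description: NUL-terminated UTF-16LE string right after the header
    while data[end:end + 2] != b"\x00\x00":
        end += 2
        if end + 2 > len(data):
            raise ValueError("unterminated description")
    desc = data[6:end].decode("utf-16-le")
    pos, stop = end + 2, end + 2 + fpl_len
    if stop > len(data):
        raise ValueError("FilePathListLength exceeds data")
    parts = []
    while pos + 4 <= stop:  # walk device path nodes: type, subtype, length
        ntype, sub, nlen = struct.unpack_from("<BBH", data, pos)
        if nlen < 4 or pos + nlen > stop:
            raise ValueError("malformed device path node")
        if (ntype, sub) == (0x7F, 0xFF):  # end of the first (boot) device path
            break
        if (ntype, sub) == (0x04, 0x04):  # Media Device Path / File Path node
            text = data[pos + 4:pos + nlen].decode("utf-16-le").rstrip("\x00")
            parts.append(text.strip("\\"))
        pos += nlen
    return desc, ("\\" + "\\".join(parts)) if parts else None

def check_boot_entry(name, data, expected=EXPECTED_LOADERS):
    """Return (name, description, loader, verdict) for one Boot#### value."""
    desc, loader = parse_load_option(data)
    if loader is None:
        verdict = "no-file-path"
    else:
        verdict = "ok" if loader.lower() in expected else "unexpected-loader"
    return name, desc, loader, verdict

def build_sample_option(desc, path):
    """Constructed test data: HD() placeholder node + File Path node + End node."""
    body = (path + "\x00").encode("utf-16-le")
    nodes = struct.pack("<BBH", 4, 1, 42) + bytes(38)
    nodes += struct.pack("<BBH", 4, 4, 4 + len(body)) + body
    nodes += struct.pack("<BBH", 0x7F, 0xFF, 4)
    return struct.pack("<IH", 1, len(nodes)) + (desc + "\x00").encode("utf-16-le") + nodes
```

A matching path says nothing about the contents of the file at that path, so this check covers only the boot entry itself.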