
Security Research And Malicious Code Detection Based On UEFI

Posted on: 2017-04-07
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Liu
GTID: 2308330485986128
Subject: Information security

Abstract/Summary:
Computer firmware runs before the operating system starts; it initializes the hardware and prepares the environment in which the operating system boots. UEFI is a newer firmware standard that defines the interface specifications between the operating system and the firmware platform. As computer attacks have developed, malicious code targeting computer firmware has appeared. Such code hides in the lowest layer of the system, is hard to notice and highly destructive, and runs before the operating system starts. Because UEFI is now widely used, research on the security of UEFI firmware is necessary.

So far, little attention has been paid to malicious code detection in UEFI firmware. This thesis focuses on the shortcomings of conventional detection methods. Conventional methods detect only at the application layer, so they fail to detect and remove malicious code in the firmware layer. The existing UEFI firmware security mechanism is based mainly on digital authentication, which protects the firmware by blocking unauthorized code, but this lack of flexibility restricts how UEFI can be applied and extended.

To overcome these shortcomings, the thesis combines UEFI firmware technology with conventional malicious code detection methods to design a new malicious code detection system that protects UEFI firmware. The design addresses the malicious code characteristics of firmware files, feature extraction from startup item information, pattern matching during detection, and driver loading.

The main work of the thesis includes:

1) Design a detection method that meets the requirements of UEFI firmware detection, based on the principles of malicious code detection and the actual constraints of the UEFI firmware environment.

2) Propose methods for extracting malicious characteristics from firmware files and features from startup item information, put forward the concept of a startup vector, and formulate security discrimination rules for startup items that serve as the basis for detecting them.

3) Analyze the problems that may hinder implementing a pattern matching algorithm in UEFI firmware, and improve on it by combining finite-state-machine pattern matching with a single-pattern matching algorithm and judging malicious code by calculating thresholds.

4) Research the UEFI firmware driver loading method and protocol registration process. The detection system is implemented as a UEFI DXE driver; it is loaded in the firmware system and scans the firmware before the operating system starts, which overcomes the difficulty of detecting and removing malicious code in firmware.

Finally, the basic functions of UDS, the malicious code detection system for UEFI firmware, are implemented and performance tests are carried out. The test results show that UDS provides firmware file scanning, startup item information scanning and security disposal functions, and that it meets its design goals.
Keywords/Search Tags: malicious codes, pattern match, unified extensible firmware interface