
Analysis And Research Based On UEFI Firmware Vulnerability

Posted on: 2019-08-16    Degree: Master    Type: Thesis
Country: China    Candidate: S S Yang    Full Text: PDF
GTID: 2428330593450322    Subject: Computer technology
Abstract/Summary:
With the continuous development of computer technology, UEFI accounts for an ever larger share of computer firmware, and research on UEFI firmware vulnerabilities has become an important part of computer security. Compared with the traditional BIOS, UEFI is easier to configure and more extensible, but those same features bring additional security risks to the firmware layer. To ensure the security of computer firmware, analyzing UEFI and uncovering its hidden security risks is an important task for computer security research.

This dissertation first studies the function and principle of the SPI range protection register mechanism that Intel introduced to protect firmware. Starting from the UEFI Framework boot process, and considering the role of the UEFI boot script in both the normal boot path and the S3 resume boot path, it shows that the UEFI firmware has security issues. It then studies the principle and function of SMM and, through analysis of SMI and SMRAM, designs a backdoor program that can obtain information from SMRAM. The main research contents of the dissertation are as follows:

(1) Analyzes the UEFI Framework's normal boot path and S3 resume boot path, summarizes the characteristics of each, and proposes the idea of destroying the SPI range protection register value on the S3 resume boot path.

(2) Studies the function and principle of the UEFI boot script and analyzes its role in the normal boot path and the S3 resume boot path; obtains SMRAM-related information by reverse engineering the SMMLockBox driver, and uses that information to locate the address of the UEFI boot script.

(3) Studies the function and principle of the SPI range protection register mechanism, analyzes how the registers are set, and identifies the possible problems in that setting mode. Since the platform saves its configuration information to the UEFI boot script table before entering S3 sleep, it proposes triggering an S3 suspend/resume cycle to modify the value of the SPI range protection register.

(4) Implements the method for falsifying the SPI range protection register value and verifies it by comparison. The verification results show that the SPI range protection register mechanism is defeated and the task is successfully completed.

(5) Analyzes the principles of SMM and SMI, studies how to infect a target image driver and write the infected driver into a normal image, and proposes a backdoor program design method that uses the backdoor to obtain information from SMRAM.
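The following C model, added here as an illustration and not code from the thesis, shows why items (1) through (4) above fit together: on S3 resume the SPI controller's Protected Range registers come up cleared, the boot script rewrites them and then sets FLOCKDN, and if that script sits in memory an OS-level attacker can reach (for example ACPI NVS rather than an SMRAM lockbox), clearing the WPE bit in the script's PRx write before suspending leaves the flash writable after resume. The PRx bit layout (bit 31 WPE, bits 28:16 limit, bit 15 RPE, bits 12:0 base, in 4 KiB units) and the FLOCKDN semantics are those of Intel PCH SPI controllers; the SPIBAR base, the register offsets, the flash region addresses and the simplified fixed-size boot script record are assumptions chosen for the example, and the attacker's edit is simulated on the in-memory script rather than performed on real hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for one PCH generation; real offsets vary by platform. */
#define SPIBAR        0xFED1F800ULL   /* assumed SPI MMIO base (RCBA + 0x3800) */
#define HSFS_OFF      0x04            /* Hardware Sequencing Flash Status */
#define HSFS_FLOCKDN  (1u << 15)      /* Flash Configuration Lock-Down, sticky */
#define PR0_OFF       0x74            /* PR0..PR4 at 0x74,0x78,0x7C,0x80,0x84 */
#define PR_COUNT      5

/* PRx layout: [31] WPE, [28:16] limit, [15] RPE, [12:0] base, 4 KiB units. */
typedef struct { uint32_t base, limit; int wpe, rpe; } pr_range_t;

pr_range_t pr_decode(uint32_t pr) {
    pr_range_t r;
    r.wpe   = (pr >> 31) & 1;
    r.limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF;
    r.rpe   = (pr >> 15) & 1;
    r.base  = (pr & 0x1FFF) << 12;
    return r;
}

uint32_t pr_encode(uint32_t base, uint32_t limit, int wpe, int rpe) {
    return ((uint32_t)wpe << 31) | (((limit >> 12) & 0x1FFF) << 16)
         | ((uint32_t)rpe << 15) | ((base >> 12) & 0x1FFF);
}

/* Simulated SPI controller register file (cleared on S3 resume). */
typedef struct { uint32_t hsfs; uint32_t pr[PR_COUNT]; } spi_regs_t;

/* Simplified boot-script record (assumption: real tables are variable-length). */
enum { BS_MEM_WRITE = 0x02, BS_TERMINATE = 0xFF };
typedef struct { uint8_t opcode; uint64_t address; uint32_t value; } bs_entry_t;

/* Model of the S3 resume path replaying the script into the SPI registers.
 * Once FLOCKDN is set, PRx writes are ignored until the next reset. */
void bs_replay(const bs_entry_t *script, size_t n, spi_regs_t *spi) {
    for (size_t i = 0; i < n && script[i].opcode != BS_TERMINATE; i++) {
        if (script[i].opcode != BS_MEM_WRITE) continue;
        uint64_t off = script[i].address - SPIBAR;
        if (off == HSFS_OFF) {
            spi->hsfs |= script[i].value & HSFS_FLOCKDN;
        } else if (off >= PR0_OFF && off < PR0_OFF + 4 * PR_COUNT) {
            if (!(spi->hsfs & HSFS_FLOCKDN))
                spi->pr[(off - PR0_OFF) / 4] = script[i].value;
        }
    }
}

/* The tampering idea from the abstract, simulated in memory: if the script is
 * reachable from the OS (not in an SMRAM lockbox), clear WPE in every PRx
 * write before triggering S3. Returns how many records were altered. */
size_t bs_tamper_pr_writes(bs_entry_t *script, size_t n, int in_smram) {
    size_t changed = 0;
    if (in_smram) return 0;               /* ring 0 cannot write SMRAM */
    for (size_t i = 0; i < n; i++) {
        uint64_t off = script[i].address - SPIBAR;
        if (script[i].opcode == BS_MEM_WRITE &&
            off >= PR0_OFF && off < PR0_OFF + 4 * PR_COUNT) {
            script[i].value &= ~(1u << 31);  /* keep the range, drop WPE */
            changed++;
        }
    }
    return changed;
}

/* 1 if a write to flash offset addr is blocked by some PRx with WPE set. */
int flash_write_blocked(const spi_regs_t *spi, uint32_t addr) {
    for (int i = 0; i < PR_COUNT; i++) {
        pr_range_t r = pr_decode(spi->pr[i]);
        if (r.wpe && addr >= r.base && addr <= r.limit) return 1;
    }
    return 0;
}

/* Constructed script: restore PR0 over an assumed BIOS region, then lock. */
size_t build_script(bs_entry_t *s) {
    s[0] = (bs_entry_t){BS_MEM_WRITE, SPIBAR + PR0_OFF, pr_encode(0x500000, 0x7FFFFF, 1, 0)};
    s[1] = (bs_entry_t){BS_MEM_WRITE, SPIBAR + HSFS_OFF, HSFS_FLOCKDN};
    s[2] = (bs_entry_t){BS_TERMINATE, 0, 0};
    return 3;
}

/* One suspend/resume cycle with the script either protected or tampered. */
int bios_region_writable_after_resume(int script_in_smram) {
    bs_entry_t script[3];
    size_t n = build_script(script);
    bs_tamper_pr_writes(script, n, script_in_smram);
    spi_regs_t spi = {0};
    bs_replay(script, n, &spi);
    return !flash_write_blocked(&spi, 0x600000);
}

/* Shows the lock-down ordering matters: a PRx write after FLOCKDN is lost. */
int pr_write_after_lockdown_ignored(void) {
    bs_entry_t s[3] = {{BS_MEM_WRITE, SPIBAR + HSFS_OFF, HSFS_FLOCKDN},
                       {BS_MEM_WRITE, SPIBAR + PR0_OFF, 1u << 31},
                       {BS_TERMINATE, 0, 0}};
    spi_regs_t spi = {0};
    bs_replay(s, 3, &spi);
    return spi.pr[0] == 0;
}

int main(void) {
    printf("script in ACPI NVS:     BIOS region writable after resume = %d\n",
           bios_region_writable_after_resume(0));
    printf("script in SMRAM lockbox: BIOS region writable after resume = %d\n",
           bios_region_writable_after_resume(1));
    return 0;
}
```

The point the model makes is the one the abstract's item (3) relies on: the protection registers are not persistent across S3, so their security is exactly the integrity of whatever rewrites them on resume. Keeping the boot script in SMRAM (the SMMLockBox the thesis reverse engineers) is what removes the attacker's write access; checking that FLOCKDN is set and that each PRx still has WPE set after a resume is the practical verification.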
Keywords/Search Tags:SPI range protection register mechanism, UEFI boot script, S3 recovery boot path, SMM backdoor