
Research And Implementation Of UEFI BIOS Malware Detection System

Posted on: 2019-10-16
Degree: Master
Type: Thesis
Country: China
Candidate: R R Hao
Full Text: PDF
GTID: 2428330593450520
Subject: Computer technology

Abstract/Summary:
UEFI and computer technology have developed rapidly. At the same time, however, malicious code is seeking new targets, and attack techniques are constantly being renewed. Firmware-based attacks now occur continually, and once the BIOS is attacked the consequences are very dangerous. Malicious firmware code is loaded before the operating system and is not easily identified by anti-virus software installed in the operating system. Detecting and protecting against malicious firmware code is therefore extremely important, especially in technical departments with high security requirements. Research on malicious code detection technology for UEFI BIOS can provide the most basic security guarantee for computer systems. This paper therefore studies how malicious firmware code exists in firmware and how it is implanted. Combined with currently popular malicious code detection techniques, a UEFI BIOS malicious code detection model is constructed, and a UEFI BIOS malicious code detection system for use by security technology departments is implemented. With this system, the firmware files of terminal computers can be checked for security and protective measures can be taken. The main work of this paper is as follows:

(1) This paper studies and analyzes the organization and storage of BIOS files as defined in the UEFI specification, and implements parsing of firmware files according to the definitions in the specification. Then, against the BIOS standard code base that was built, a message digest algorithm is used to measure the integrity of the BIOS image file and the parsed module files. Finally, this paper adopts integrated (ensemble) classifier technology to construct the detection model and uses BIOS sample data to verify the model. The results show that the detection model built with the feature selection method of this paper has a higher accuracy rate than the detection model built with the information gain feature selection method.

(2) This paper studies the principle of N-gram feature extraction in malicious code detection, and uses a variable-length N-gram model to extract byte-level features from BIOS standard code and BIOS malicious code. To address the high dimensionality of the extracted features, a feature selection method is proposed that combines information gain (IG) with a genetic algorithm (GA) using a frequency weight factor. Finally, a detection model is constructed using integrated classifier technology.

(3) This paper analyzes the functional and non-functional requirements of the UEFI BIOS malicious code detection system, and designs the functional modules and overall architecture of the system. The core functional modules include the image acquisition module, the image analysis module, and the integrity measurement module. The most important, the detection model, was designed and implemented in detail. Finally, the system's functions were tested.
Keywords/Search Tags:UEFI, BIOS firmware, malicious code, security detection