
CN107944279A - BIOS vulnerability scanners and scan method based on UEFI - Google Patents

BIOS vulnerability scanners and scan method based on UEFI

Info

Publication number: CN107944279A
Authority: CN (China)
Prior art keywords: uefi, bios, scanning, vulnerability, driving
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201711373147.5A
Other languages: Chinese (zh)
Inventor: 杨晋博
Current Assignee: Zhengzhou Yunhai Information Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhengzhou Yunhai Information Technology Co Ltd
Priority date: 2017-12-19 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2017-12-19
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201711373147.5A
Publication of CN107944279A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention provides a UEFI-based BIOS vulnerability scanning device, the device comprising: a vulnerability library, which stores vulnerability signatures and serves as the object against which signatures are matched during vulnerability scanning, to verify whether the BIOS under test contains a vulnerability; a UEFI firmware boot information scanning unit, which acquires, processes and analyzes boot entry information to verify the legitimacy of the boot entries; a BIOS configuration information scanning unit, which acquires and analyzes the basic configuration information of the BIOS to judge whether it meets the requirements for a normal boot; and a driver health status scanning unit, which scans the drivers of the various devices loaded by the UEFI BIOS and the state of their controllers, and detects whether each driver is in a normal working state or has been maliciously modified. The device can be used in any scenario that requires scanning for vulnerabilities in a UEFI-based BIOS, thereby ensuring that the BIOS system is safe and reliable. The present invention also provides a UEFI-based BIOS vulnerability scanning method.

Description

UEFI-based BIOS vulnerability scanning device and scanning method

Technical field

The invention relates to the field of computer technology, and specifically to a UEFI-based BIOS vulnerability scanning device and scanning method.

Background

With the rapid development of computer technology and networked information systems, both the number of computer virus outbreaks and the rate at which new viruses appear have risen sharply year by year, and discovering and removing viruses as early as possible has become a matter of great concern to the industry. To overcome the shortcomings of the legacy BIOS, Intel proposed the next-generation firmware technology EFI, which later evolved into UEFI (Unified Extensible Firmware Interface). This technology adds a layer of abstraction between the hardware and the operating system that hides the characteristics of the underlying hardware. It boots the system in a uniform way, and UEFI also provides a debugging environment in which users can run certain applications before the operating system starts.

Security vulnerabilities in the firmware layer have become one of the important threat factors in the information security industry; attacks that exploit them are inherently hard to remove, hard to detect and highly destructive. Studying firmware-layer attacks therefore provides a strong guarantee for computer security from the lowest layer and has important application value and research significance.

As the indispensable firmware program of the firmware layer, the BIOS is the first program executed after the computer powers on and provides the lowest-level, most direct control of the hardware. UEFI is the new-generation BIOS standard and defines the interface specification between the operating system and the hardware platform firmware. Its appearance not only changed the boot method of the legacy BIOS, solved problems such as the legacy BIOS being hard to extend, and gave users a convenient low-level development environment, but also inevitably introduced some security risks. At present, the prior art lacks means of detecting BIOS vulnerabilities.

Summary of the invention

To solve the above problems, a UEFI-based BIOS vulnerability scanning device and scanning method are provided, which can be used in any scenario that requires scanning for vulnerabilities in a UEFI-based BIOS, thereby ensuring that the BIOS system is safe and reliable.

An embodiment of the present invention provides a UEFI-based BIOS vulnerability scanning device, the device comprising:

a vulnerability library, which stores the signatures of vulnerabilities and serves as the object against which signatures are matched during vulnerability scanning, in order to verify whether the BIOS under test contains a vulnerability;

a UEFI firmware boot information scanning unit, which acquires, processes and analyzes boot entry information in order to verify the legitimacy of the boot entries;

a BIOS configuration information scanning unit, which acquires and analyzes the basic configuration information of the BIOS in order to judge whether it meets the requirements for a normal boot;

a driver health status scanning unit, which scans the drivers of the various devices loaded by the UEFI BIOS and the state of their controllers, and detects whether each driver is in a normal working state or has been maliciously modified.

An embodiment of the present invention also provides a UEFI-based BIOS vulnerability scanning method, the method comprising:

S1: loading a UEFI runtime environment for running UEFI applications;

S2: the BIOS configuration information scanning unit obtains BIOS configuration information from the SMBIOS data table;

S3: the BIOS vulnerability scanning device calls a function to obtain UEFI firmware boot information from global variables;

S4: the driver health status scanning unit interfaces with the EFI Driver Health Protocol to obtain the driver health status.

Further, the specific implementation of step S1 is: first, after power-on, the platform is initialized, then the UEFI image and the UEFI boot manager are loaded in turn and the system is entered successfully; then boot services are terminated to return to the boot menu, the UEFI application is selected from the boot menu, a temporary operating system is loaded, and a temporary operating system environment is established.

Further, the specific implementation of step S2 is: the interface for querying SMBIOS records defined by the protocol EFI_SMBIOS_PROTOCOL is used to obtain the corresponding BIOS information.

Further, the specific implementation of step S3 is:

S31: call the EFI_GET_VARIABLE() function to obtain the value of BootOrder;

S32: separate the descriptor in the boot entry variable obtained in step S31 into its fields, and register each field in the BDS Common Option List structure;

S33: obtain the boot entry status information via the attribute information table in the system.

Further, the specific implementation of step S4 is:

S41: use the LocateHandleBuffer function provided by the UEFI boot services to retrieve the drivers in the platform on which the EFI Driver Health Protocol is installed;

S42: loop over each retrieved driver handle and use the HandleProtocol function provided by the UEFI boot services to obtain a Driver Health Protocol instance;

S43: use the GetHealthStatus method of the Driver Health Protocol to obtain the health status of the driver and of the controllers it manages;

S44: process the returned status and obtain the name of the driver or controller through the COMPONENT_NAME_PROTOCOL.

Further, step S4 also includes:

S45: if any driver is in an unhealthy state, output the driver name and driver status, prompting the user that it needs to be corrected.

The effects given in this summary are only those of the embodiments and not all effects of the invention. One of the above technical solutions has the following advantages or beneficial effects:

1. The device scans for BIOS vulnerabilities through BIOS configuration information scanning, boot entry information scanning and driver health status scanning, thereby ensuring that the BIOS system is safe and reliable. At the same time, the device is completely isolated from the operating system and exchanges information with the firmware layer by transferring control.

2. By establishing the runtime environment and calling the interface functions to obtain BIOS configuration information, boot entry information and driver health status information, a comprehensive scan for BIOS vulnerabilities can be carried out quickly, enhancing the security of the hardware architecture.

Description of the drawings

Fig. 1 is a schematic diagram of the device embodiment of the present invention;

Fig. 2 is a schematic diagram of the implementation of the device of the present invention;

Fig. 3 is a flowchart of the method embodiment of the present invention;

Fig. 4 is a schematic diagram of loading the runtime environment of the present invention;

Fig. 5 is a reference diagram of the attribute table of the present invention.

Detailed description

In order to clearly explain the technical features of this solution, the present invention is described in detail below by way of specific embodiments and with reference to the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the present invention. To simplify the disclosure, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in different examples. This repetition is for the purpose of simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components, processing techniques and processes are omitted so as not to unnecessarily limit the present invention.

Embodiment

As shown in Fig. 1, an embodiment of the present invention provides a UEFI-based BIOS vulnerability scanning device, which comprises a vulnerability library, a UEFI firmware boot information scanning unit, a BIOS configuration information scanning unit and a driver health status scanning unit.

The vulnerability library stores the signatures of vulnerabilities and serves as the object against which signatures are matched during vulnerability scanning, in order to verify whether the BIOS under test contains a vulnerability.

The UEFI firmware boot information scanning unit acquires, processes and analyzes boot entry information in order to verify the legitimacy of the boot entries.

The BIOS configuration information scanning unit acquires and analyzes the basic configuration information of the BIOS in order to judge whether it meets the requirements for a normal boot.

The driver health status scanning unit scans the drivers of the various devices loaded by the UEFI BIOS and the state of their controllers, and detects whether each driver is in a normal working state or has been maliciously modified.

As shown in Fig. 2, the device is completely isolated from the operating system and exchanges information with the firmware layer by transferring control.

As shown in Fig. 3, an embodiment of the present invention also provides a UEFI-based BIOS vulnerability scanning method, the method comprising:

S1: load the UEFI runtime environment for running UEFI applications.

UEFI allows the platform firmware to be extended by loading UEFI applications and UEFI drivers. When a UEFI driver or UEFI application is loaded, it has access to all of the boot services and runtime services defined by UEFI.

Fig. 4 shows the UEFI boot flow: after power-on, the first step is platform initialization, after which the UEFI images are loaded (including UEFI drivers and applications), followed by the UEFI boot manager; if the system is entered successfully, boot services are terminated and control returns to the boot menu. If the UEFI application is selected from the boot menu, the temporary operating system is loaded and a temporary operating system environment is established. If the temporary operating system is loaded successfully, the corresponding UEFI runtime environment has been established.

The UEFI Shell implements this temporary operating system environment; it is a special UEFI application. The UEFI Shell provides a console interface for launching applications, loading UEFI protocols and device drivers, and executing simple script files. The interface also provides a command line for executing commands or UEFI applications. In effect, the UEFI Shell is an operating environment that acts as a shell program responsible for user interaction: it accepts user input, passes it to the kernel for execution and displays the result to the user. It is similar to cmd under Windows or the shell under Linux.

S2: the BIOS configuration information scanning unit obtains BIOS configuration information from the SMBIOS data table.

In UEFI, EFI_SMBIOS_PROTOCOL defines an interface for adding, removing and querying SMBIOS records. At UEFI start-up, the UEFI driver that installs this protocol is responsible for creating the SMBIOS data table and placing a pointer to it in the EFI system configuration table. In the BIOS configuration information scan of the UEFI-based virus scanning engine, the record-query interface defined by this protocol is used to obtain the corresponding BIOS information.

The definition of EFI_SMBIOS_PROTOCOL is as follows:

    typedef struct _EFI_SMBIOS_PROTOCOL {
      EFI_SMBIOS_ADD            Add;
      EFI_SMBIOS_UPDATE_STRING  UpdateString;
      EFI_SMBIOS_REMOVE         Remove;
      EFI_SMBIOS_GET_NEXT       GetNext;
      UINT8                     MajorVersion;
      UINT8                     MinorVersion;
    } EFI_SMBIOS_PROTOCOL;

The GetNext function queries all or some of the SMBIOS records; its declaration is as follows:

    typedef
    EFI_STATUS
    (EFIAPI *EFI_SMBIOS_GET_NEXT)(
      IN CONST EFI_SMBIOS_PROTOCOL  *This,
      IN OUT EFI_SMBIOS_HANDLE      *SmbiosHandle,
      IN EFI_SMBIOS_TYPE            *Type,            OPTIONAL
      OUT EFI_SMBIOS_TABLE_HEADER   **Record,
      OUT EFI_HANDLE                *ProducerHandle   OPTIONAL
      );

The Type parameter indicates the type of SMBIOS record to query. UEFI defines more than 40 kinds of SMBIOS record; only a few of the most important are scanned here, namely the BIOS version, the CPU model, the CPU clock frequency and the system memory information.

If the BIOS version is too old, the user is advised to update to the latest BIOS, since vulnerabilities discovered in older BIOS versions are easily exploited by malicious attacks. If other information is incorrect, for example if the CPU frequency or system memory does not match what is expected, this may also be the result of malicious tampering and should raise suspicion.
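As an added illustration, not code from the patent, the following C program parses a constructed SMBIOS structure table of the kind that EFI_SMBIOS_PROTOCOL.GetNext() hands back record by record, pulls the BIOS vendor and version from the Type 0 record and the processor version and current speed from the Type 4 record, and applies the "BIOS release too old" policy described above. The record layouts follow the SMBIOS specification; the table bytes, the names in it and the minimum-release threshold are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed SMBIOS structure table (not captured from real hardware): a Type 0 BIOS
 * Information record, a Type 4 Processor Information record and the Type 127 end marker.
 * Each record is a 4-byte header (type, length, handle), the formatted area, then its
 * string set: NUL-terminated strings followed by one extra NUL. */
const uint8_t kSmbiosTable[] = {
    0x00, 0x18, 0x00, 0x00,        /* Type 0, length 0x18, handle 0 */
    0x01, 0x02,                    /* Vendor -> string 1, BIOS Version -> string 2 */
    0x00, 0xE0,                    /* BIOS starting address segment */
    0x03,                          /* BIOS Release Date -> string 3 */
    0xFF,                          /* BIOS ROM size */
    0, 0, 0, 0, 0, 0, 0, 0,        /* BIOS characteristics */
    0x00, 0x00,                    /* characteristics extension bytes */
    0x01, 0x02,                    /* System BIOS major/minor release 1.2 */
    0xFF, 0xFF,                    /* EC firmware release: not supported */
    'D','e','m','o',' ','V','e','n','d','o','r',0, '1','.','0','2',0,
    '1','2','/','1','9','/','2','0','1','7',0, 0,
    0x04, 0x1A, 0x01, 0x00,        /* Type 4, length 0x1A, handle 1 */
    0x01, 0x03, 0x02, 0x02,        /* Socket -> str 1, type CPU, family, Manufacturer -> str 2 */
    0, 0, 0, 0, 0, 0, 0, 0,        /* Processor ID */
    0x03, 0x00,                    /* Version -> string 3, voltage */
    0x64, 0x00, 0x40, 0x0D, 0x40, 0x0D, /* external clock 100, max 3392, current 3392 MHz */
    0x01, 0x01,                    /* status, upgrade */
    'C','P','U','0',0, 'D','e','m','o',' ','S','i','l','i','c','o','n',0,
    'D','e','m','o',' ','C','o','r','e',' ','X',0, 0,
    0x7F, 0x04, 0x02, 0x00, 0, 0,  /* Type 127 end-of-table */
};

/* Advance from one record to the next: skip the formatted area, then the string set. */
static const uint8_t *smbios_next(const uint8_t *rec, const uint8_t *end)
{
    if (rec + 4 > end || rec[1] < 4 || rec + rec[1] > end) return NULL;
    const uint8_t *p = rec + rec[1];
    while (p + 1 < end) {                 /* string set ends at the first double NUL */
        if (p[0] == 0 && p[1] == 0) return p + 2;
        p++;
    }
    return NULL;
}

/* Find the first record of the given type, as GetNext() with a Type filter would; NULL if absent. */
const uint8_t *smbios_find(const uint8_t *table, size_t len, uint8_t type)
{
    const uint8_t *end = table + len, *rec = table;
    while (rec && rec + 4 <= end && rec[0] != 0x7F) {
        if (rec[0] == type) return rec;
        rec = smbios_next(rec, end);
    }
    return NULL;
}

/* Copy string number idx (1-based, as SMBIOS string references are) from the record's string set. */
int smbios_string(const uint8_t *rec, const uint8_t *end, unsigned idx, char *out, size_t cap)
{
    if (idx == 0 || rec + 4 > end || rec + rec[1] > end) return -1;
    const uint8_t *p = rec + rec[1];
    for (unsigned i = 1; p < end && *p; i++) {
        size_t n = 0;
        while (p + n < end && p[n]) n++;
        if (i == idx) {
            if (n >= cap) n = cap - 1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 0;
        }
        p += n + 1;
    }
    return -1;
}

typedef struct {
    char vendor[32], version[32], cpu[48];
    unsigned bios_major, bios_minor, cpu_mhz;
} bios_info_t;

/* Step S2: collect the BIOS and CPU items the scan compares against expectations. */
int scan_bios_info(const uint8_t *table, size_t len, bios_info_t *info)
{
    const uint8_t *end = table + len;
    const uint8_t *t0 = smbios_find(table, len, 0), *t4 = smbios_find(table, len, 4);
    if (!t0 || !t4 || t0[1] < 0x16 || t4[1] < 0x18) return -1;
    if (smbios_string(t0, end, t0[4], info->vendor, sizeof info->vendor) ||
        smbios_string(t0, end, t0[5], info->version, sizeof info->version) ||
        smbios_string(t4, end, t4[0x10], info->cpu, sizeof info->cpu)) return -1;
    info->bios_major = t0[0x14];
    info->bios_minor = t0[0x15];
    info->cpu_mhz = t4[0x16] | (t4[0x17] << 8);     /* Current Speed, little-endian MHz */
    return 0;
}

/* Policy check: 1 if the System BIOS release is older than the minimum the scanner requires. */
int bios_release_too_old(const bios_info_t *info, unsigned min_major, unsigned min_minor)
{
    return info->bios_major < min_major ||
           (info->bios_major == min_major && info->bios_minor < min_minor);
}

int main(void)
{
    bios_info_t info;
    if (scan_bios_info(kSmbiosTable, sizeof kSmbiosTable, &info) != 0) return 1;
    printf("BIOS %s %s (release %u.%u), CPU %s @ %u MHz\n", info.vendor, info.version,
           info.bios_major, info.bios_minor, info.cpu, info.cpu_mhz);
    if (bios_release_too_old(&info, 1, 3))      /* constructed minimum: release 1.3 */
        printf("BIOS release below required minimum: update recommended\n");
    return 0;
}
```

On a real platform the same parsing applies to the Record pointer GetNext() returns for each SMBIOS handle; the `bios_release_too_old` threshold would come from the vulnerability library rather than a constant.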

S3: the BIOS vulnerability scanning device calls a function to obtain UEFI firmware boot information from global variables.

The runtime services provided by the UEFI core can be called both during boot and while the operating system is running. This property of the runtime services is convenient for interaction between the low-level resources and the operating system above them, but it also introduces security risks to the whole computer system from below.

A boot entry loader can add or change boot entries in the UEFI BIOS at will. Loading a boot entry can load an agent intrusion program that carries runtime services. By calling the runtime services, the intrusion program pushes its own intrusive service into the operating system, achieving control of the operating system at the UEFI BIOS level. The resources of the machine can then be accessed through the backdoor opened by that intrusive service.

For this reason, the UEFI-based scanning engine scans the UEFI boot entries and infers their legitimacy. The specific implementation consists of the following three steps:

Step one: obtain boot entry information. The boot manager is responsible for starting UEFI applications (including the OS loader), UEFI drivers, and so on. Boot entry information is stored in the global variable BootOrder. BootOrder contains a vector of UINT16 values, an ordered list of Boot#### options. The first element of the vector is the value of the first logical boot entry, the second element that of the second, and so on. The order of these boot entries is the boot manager's default boot order.

The UEFI runtime services table defines the function interface for obtaining global variables; the EFI_GET_VARIABLE() function can obtain the value of BootOrder.

Step two: process boot entry information. Each boot entry variable contains an EFI_LOAD_OPTION descriptor. The descriptor is a byte-packed, variable-length buffer of fields.

The fields in the buffer appear in the following order:

    UINT16                    Attributes;          // load option attributes
    UINT16                    FilePathListLength;  // length of FilePathList in bytes
    CHAR16                    Description[];       // human-readable description
    EFI_DEVICE_PATH_PROTOCOL  FilePathList[];      // packed array of UEFI device paths
    UINT8                     OptionalData[];      // binary data buffer

To make the information in each field of the EFI_LOAD_OPTION descriptor convenient to use and analyze, the fields usually need to be separated and registered in the BDS Common Option List structure.

Step three: analyze boot entry information. The analysis mainly concerns the attributes of the boot entry and the type of device it belongs to. Whether a boot entry is a potential threat is judged from the description of each attribute. The table in Fig. 5 lists the various attributes of a boot entry.

The EFI_DEVICE_PATH_PROTOCOL can be used on any device handle to obtain the generic path or location information of the associated physical or logical device. An invalid handle is one that cannot be logically mapped to a physical device, that is, a handle that does not support the device path protocol. The device path indicates the location of the device associated with the handle, and the size of the device path is determined by the structures that make it up.

The FilePathList field of a boot entry stores the UEFI device path information; the type of device the boot entry belongs to can be identified through the EFI_DEVICE_PATH_PROTOCOL.

By performing the above three steps, the value, attributes, device type and other information of every boot entry can be obtained, from which it is judged whether the boot entry is a normal boot device and whether it poses a potential security threat; this information serves as the basis for choosing the boot method.

The following situations are considered threats:

1) The obtained boot entry information is compared with the boot manager's boot menu and the two are inconsistent.

2) The device type of the boot entry can be identified, but the attribute of the boot entry is not LOAD_OPTION_ACTIVE.

3) The attribute of the boot entry is LOAD_OPTION_HIDDEN, but it appears in the boot menu.
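The following C code, added here as an example and not taken from the patent, splits a raw Boot#### variable into the EFI_LOAD_OPTION fields listed above (step S32) and applies the three threat rules to three constructed boot entries. It assumes the UEFI specification's attribute bits (LOAD_OPTION_ACTIVE = 0x1, LOAD_OPTION_HIDDEN = 0x8) and the specification's 32-bit width for the Attributes field; the sample variable contents and the boot-menu list are constructed, and rule 1 is checked by comparing the entry's description against that list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute bits from the UEFI specification's EFI_LOAD_OPTION (assumed, not from the patent). */
#define LOAD_OPTION_ACTIVE  0x00000001u
#define LOAD_OPTION_HIDDEN  0x00000008u

/* Threat flags for the three situations listed in the patent text. */
#define THREAT_NOT_IN_MENU      0x1  /* rule 1: entry absent from the boot manager's menu */
#define THREAT_INACTIVE_DEVICE  0x2  /* rule 2: device type identified but not LOAD_OPTION_ACTIVE */
#define THREAT_HIDDEN_IN_MENU   0x4  /* rule 3: LOAD_OPTION_HIDDEN yet shown in the boot menu */

typedef struct {
    uint32_t attributes;
    char     description[64];   /* CHAR16 Description narrowed to ASCII */
    uint8_t  first_node_type;   /* Type byte of the first device path node */
} load_option_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Split a raw Boot#### variable into its fields (the patent's step S32).
 * Returns 0 on success, -1 if the buffer is truncated or malformed. */
int parse_load_option(const uint8_t *buf, size_t len, load_option_t *out)
{
    size_t off = 6, n = 0;
    if (len < 6) return -1;
    memset(out, 0, sizeof *out);
    out->attributes = rd32(buf);
    uint16_t path_len = rd16(buf + 4);

    /* Description: NUL-terminated CHAR16 string, bounds-checked against the buffer. */
    for (;; off += 2) {
        if (off + 2 > len) return -1;
        uint16_t ch = rd16(buf + off);
        if (ch == 0) { off += 2; break; }
        if (n < sizeof out->description - 1)
            out->description[n++] = (ch < 0x80) ? (char)ch : '?';
    }

    /* FilePathList: packed device path nodes that must end with an End Entire node. */
    if (path_len < 4 || off + path_len > len) return -1;
    const uint8_t *p = buf + off, *end = p + path_len;
    out->first_node_type = p[0];
    while (p + 4 <= end) {
        uint16_t node_len = rd16(p + 2);
        if (node_len < 4 || p + node_len > end) return -1;
        if (p[0] == 0x7F && p[1] == 0xFF) return 0;   /* End Entire Device Path */
        p += node_len;
    }
    return -1;
}

/* Constructed boot-menu contents standing in for what the boot manager displays. */
static const char *const kBootMenu[] = { "Demo OS", "UEFI Shell" };

static int in_boot_menu(const char *desc)
{
    for (size_t i = 0; i < sizeof kBootMenu / sizeof kBootMenu[0]; i++)
        if (strcmp(kBootMenu[i], desc) == 0) return 1;
    return 0;
}

/* Apply the three threat rules; returns a bitmask of THREAT_* flags, or -1 on parse error. */
int assess_boot_entry(const uint8_t *buf, size_t len)
{
    load_option_t o;
    if (parse_load_option(buf, len, &o) != 0) return -1;
    int in_menu = in_boot_menu(o.description);
    /* Device path node types 1..5 (hardware, ACPI, messaging, media, BBS) identify a device. */
    int device_known = o.first_node_type >= 1 && o.first_node_type <= 5;
    int flags = 0;
    if (!in_menu)                                             flags |= THREAT_NOT_IN_MENU;
    if (device_known && !(o.attributes & LOAD_OPTION_ACTIVE)) flags |= THREAT_INACTIVE_DEVICE;
    if ((o.attributes & LOAD_OPTION_HIDDEN) && in_menu)       flags |= THREAT_HIDDEN_IN_MENU;
    return flags;
}

/* Constructed Boot#### contents (not from a real system): Attributes, FilePathListLength,
 * CHAR16 Description, a hardware/PCI device-path node, then the End Entire node. */
const uint8_t kActiveOption[] = {
    0x01, 0x00, 0x00, 0x00, 0x0A, 0x00,                 /* ACTIVE; path list is 10 bytes */
    'D',0,'e',0,'m',0,'o',0,' ',0,'O',0,'S',0, 0,0,     /* "Demo OS" */
    0x01, 0x01, 0x06, 0x00, 0x00, 0x1F, 0x7F, 0xFF, 0x04, 0x00 };
const uint8_t kHiddenOption[] = {
    0x09, 0x00, 0x00, 0x00, 0x0A, 0x00,                 /* ACTIVE | HIDDEN */
    'D',0,'e',0,'m',0,'o',0,' ',0,'O',0,'S',0, 0,0,
    0x01, 0x01, 0x06, 0x00, 0x00, 0x1F, 0x7F, 0xFF, 0x04, 0x00 };
const uint8_t kRogueOption[] = {
    0x00, 0x00, 0x00, 0x00, 0x0A, 0x00,                 /* no attributes: not active */
    'R',0,'o',0,'g',0,'u',0,'e',0, 0,0,                 /* "Rogue": not in the menu */
    0x01, 0x01, 0x06, 0x00, 0x00, 0x1F, 0x7F, 0xFF, 0x04, 0x00 };

int main(void)
{
    printf("active: %d hidden: %d rogue: %d truncated: %d\n",
           assess_boot_entry(kActiveOption, sizeof kActiveOption),
           assess_boot_entry(kHiddenOption, sizeof kHiddenOption),
           assess_boot_entry(kRogueOption, sizeof kRogueOption),
           assess_boot_entry(kActiveOption, 20));
    return 0;
}
```

The parser refuses any variable whose description or device path runs past the buffer, which matters because the scanner reads variable contents that an attacker in the firmware environment could have written.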

S4: the driver health status scanning unit interfaces with the EFI Driver Health Protocol to obtain the driver health status.

The specific implementation of step S4 is:

S41: use the LocateHandleBuffer function provided by the UEFI boot services to retrieve the drivers in the platform on which the EFI Driver Health Protocol is installed. DriverHealthHandles are the handles of the drivers on which the EFI Driver Health Protocol is installed, and NumHandles is the number of such drivers.

S42: loop over each retrieved driver handle and use the HandleProtocol function provided by the UEFI boot services to obtain a Driver Health Protocol instance;

S43: use the GetHealthStatus method of the Driver Health Protocol to obtain the health status of the driver and of the controllers it manages;

S44: process the returned status and obtain the name of the driver or controller through the COMPONENT_NAME_PROTOCOL.

Step S4 also includes:

S45: if any driver is in an unhealthy state, output the driver name and driver status, prompting the user that it needs to be corrected.
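Added example, not the patent's implementation: the S41 to S45 loop written as host C against a simplified stand-in for the EFI_DRIVER_HEALTH_PROTOCOL (only the GetHealthStatus entry point, with a small integer standing in for the controller handle and 0 meaning the driver itself) and for the handle list that LocateHandleBuffer() would return. The EFI_DRIVER_HEALTH_STATUS values follow the UEFI specification; the driver names and their health results are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EFI_DRIVER_HEALTH_STATUS values as the UEFI specification defines them (assumed here). */
typedef enum {
    EfiDriverHealthStatusHealthy = 0,
    EfiDriverHealthStatusRepairRequired,
    EfiDriverHealthStatusConfigurationRequired,
    EfiDriverHealthStatusFailed,
    EfiDriverHealthStatusReconnectRequired,
    EfiDriverHealthStatusRebootRequired
} EFI_DRIVER_HEALTH_STATUS;

/* Stand-in for the protocol instance HandleProtocol() returns, reduced to GetHealthStatus;
 * the real protocol also carries Repair() and takes message-list and HII arguments. */
typedef struct driver_health_stub {
    EFI_DRIVER_HEALTH_STATUS (*GetHealthStatus)(const struct driver_health_stub *This,
                                                int ControllerHandle);
} driver_health_stub_t;

/* Stand-in for a handle from LocateHandleBuffer(): protocol instance, the name that
 * COMPONENT_NAME_PROTOCOL would give, and how many controllers the driver manages. */
typedef struct {
    const char *name;
    const driver_health_stub_t *proto;
    int controllers;
} driver_handle_t;

const char *status_name(EFI_DRIVER_HEALTH_STATUS s)
{
    static const char *const names[] = { "Healthy", "RepairRequired", "ConfigurationRequired",
                                         "Failed", "ReconnectRequired", "RebootRequired" };
    return (unsigned)s < sizeof names / sizeof names[0] ? names[s] : "Unknown";
}

/* The corrective action the S45 prompt should ask the user for, per status. */
const char *status_action(EFI_DRIVER_HEALTH_STATUS s)
{
    switch (s) {
    case EfiDriverHealthStatusRepairRequired:        return "invoke the driver's Repair() function";
    case EfiDriverHealthStatusConfigurationRequired: return "open the driver's configuration form";
    case EfiDriverHealthStatusReconnectRequired:     return "disconnect and reconnect the controller";
    case EfiDriverHealthStatusRebootRequired:        return "reboot the platform";
    case EfiDriverHealthStatusFailed:                return "driver failed and cannot be repaired";
    default:                                         return "none";
    }
}

typedef struct { int unhealthy; char report[512]; } health_report_t;

/* Steps S42 to S45: walk every handle, query the driver and each controller it manages,
 * and collect name, status and action for everything that is not healthy. Returns the count. */
int scan_driver_health(const driver_handle_t *handles, size_t num, health_report_t *out)
{
    out->unhealthy = 0;
    out->report[0] = '\0';
    for (size_t i = 0; i < num; i++) {
        for (int c = 0; c <= handles[i].controllers; c++) {
            EFI_DRIVER_HEALTH_STATUS s = handles[i].proto->GetHealthStatus(handles[i].proto, c);
            if (s == EfiDriverHealthStatusHealthy) continue;
            out->unhealthy++;
            char line[160];
            if (c == 0)
                snprintf(line, sizeof line, "%s: %s -> %s\n",
                         handles[i].name, status_name(s), status_action(s));
            else
                snprintf(line, sizeof line, "%s controller %d: %s -> %s\n",
                         handles[i].name, c, status_name(s), status_action(s));
            strncat(out->report, line, sizeof out->report - strlen(out->report) - 1);
        }
    }
    return out->unhealthy;
}

/* Constructed drivers: a healthy disk driver, a NIC whose second controller needs repair,
 * and a USB bus driver that must be reconnected. */
static EFI_DRIVER_HEALTH_STATUS always_healthy(const driver_health_stub_t *t, int c)
{ (void)t; (void)c; return EfiDriverHealthStatusHealthy; }
static EFI_DRIVER_HEALTH_STATUS nic_health(const driver_health_stub_t *t, int c)
{ (void)t; return c == 2 ? EfiDriverHealthStatusRepairRequired : EfiDriverHealthStatusHealthy; }
static EFI_DRIVER_HEALTH_STATUS usb_health(const driver_health_stub_t *t, int c)
{ (void)t; (void)c; return EfiDriverHealthStatusReconnectRequired; }

static const driver_health_stub_t kDiskProto = { always_healthy };
static const driver_health_stub_t kNicProto  = { nic_health };
static const driver_health_stub_t kUsbProto  = { usb_health };
const driver_handle_t kHandles[] = {
    { "DiskIoDxe",  &kDiskProto, 1 },
    { "NetworkDxe", &kNicProto,  2 },
    { "UsbBusDxe",  &kUsbProto,  1 },
};
const size_t kNumHandles = sizeof kHandles / sizeof kHandles[0];

int main(void)
{
    health_report_t r;
    int n = scan_driver_health(kHandles, kNumHandles, &r);
    printf("%d unhealthy item(s)\n%s", n, r.report);
    return n != 0;
}
```

A scanner that only reports the driver's own status would miss the NIC case above, where the driver is healthy but one controller it manages is not; querying each managed controller separately is what makes the S43 step complete.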

Although the specification, drawings and embodiments have described the invention in detail, those skilled in the art should understand that the invention may still be modified or replaced by equivalents; all technical solutions and improvements that do not depart from the spirit and scope of the invention fall within the scope of protection of this patent.

Claims (7)

1. a kind of BIOS vulnerability scanners based on UEFI, it is characterized in that:The device includes:
Vulnerability database, for storing the condition code of loophole, is used as condition code matches object during vulnerability scanning, with verification BIOS to be measured whether there is loophole;
UEFI firmwares start information scanning unit, acquisition, processing and the analysis to startup item information are realized, to verify startup item Legitimacy;
BIOS configuration information scanning elements, realize acquisition, analysis to the basic configuration information of BIOS, to judge whether to meet just The requirement often started;
Health status scanning element is driven, the state of driving and controller to the various equipment of UEFI BIOS loadings carries out Whether scanning, detect each driving in normal operating conditions or whether by malicious modification.
2. a kind of BIOS vulnerability scanning methods based on UEFI, it is characterized in that:The method includes:
S1:Loading is used for the UEFI running environment for running UEFI application programs;
S2:BIOS configuration informations scanning element obtains BIOS configuration informations from SMBIOS tables of data;
S3:BIOS vulnerability scanner call functions obtain UEFI firmwares from global variable and start information;
S4:Driving health status scanning element is docked with EFI Driver Health Protocol, obtains driving health status.
3. a kind of BIOS vulnerability scanning methods based on UEFI according to claim 2, it is characterized in that:Step S1's is specific The process of realization is:First, after power-up, by platform initialization, UEFI images and UEFI startup managers, success are loaded successively afterwards Into system;Then, termination starts service return and starts menu, selects to enter UEFI application programs in menu is started, is loaded into Interim operating system, and establish interim operating system environment.
4. a kind of BIOS vulnerability scanning methods based on UEFI according to claim 2, it is characterized in that:Step S2's is specific The process of realization is:The interface of the inquiry SMBIOS records defined using agreement EFI_SMBIOS_PROTOCOL is corresponding to obtain BIOS information.
5. The UEFI-based BIOS vulnerability scanning method according to claim 2, characterised in that step S3 is implemented as follows:
S31: call the EFI_GET_VARIABLE() function to obtain the value of the BootOrder variable;
S32: split the descriptor of each boot entry variable obtained in step S31 into its individual fields and register each field in the BDS_COMMON_OPTION list structure;
S33: obtain the status information of the boot entries from the attribute information table in the system.
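Steps S31 and S32 read BootOrder and split each boot entry descriptor into fields. As an added example that is not part of the patent, the following C code parses the EFI_LOAD_OPTION layout from the UEFI specification over constructed sample bytes; the type and function names are assumptions, and the parser rejects truncated descriptors instead of reading past the buffer, which is the check a scanner needs before judging a boot entry legitimate.

```c
#include <stdint.h>
#include <string.h>

/* Field view of one EFI_LOAD_OPTION (UEFI spec: UINT32 Attributes, UINT16
 * FilePathListLength, NUL-terminated CHAR16 Description, device path list,
 * OptionalData). Type and function names are assumed, not the patent's. */
typedef struct {
    uint32_t attributes;
    uint16_t file_path_len;   /* bytes in the device path list */
    char description[64];     /* Description narrowed to ASCII, '?' otherwise */
    size_t optional_len;      /* bytes of OptionalData after the path list */
    int active;               /* LOAD_OPTION_ACTIVE (bit 0) is set */
} boot_option_t;

/* BootOrder is a packed UINT16 array; entry N names the variable Boot%04X. */
size_t boot_order_ids(const uint8_t *buf, size_t len, uint16_t *ids, size_t max)
{
    size_t n = len / 2 < max ? len / 2 : max;
    for (size_t i = 0; i < n; i++)
        ids[i] = (uint16_t)(buf[2 * i] | (buf[2 * i + 1] << 8));
    return n;
}

/* Returns 1 on success, 0 if the variable is malformed: the description runs
 * past the end, or FilePathListLength exceeds the bytes that remain. */
int parse_load_option(const uint8_t *buf, size_t len, boot_option_t *out)
{
    if (len < 6) return 0;
    memcpy(&out->attributes, buf, 4);
    memcpy(&out->file_path_len, buf + 4, 2);
    size_t pos = 6, n = 0;
    for (;;) {                          /* UCS-2 Description up to 16-bit NUL */
        if (pos + 2 > len) return 0;
        uint16_t c = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
        pos += 2;
        if (c == 0) break;
        if (n + 1 < sizeof out->description)
            out->description[n++] = (c < 0x80) ? (char)c : '?';
    }
    out->description[n] = '\0';
    if (out->file_path_len > len - pos) return 0;
    pos += out->file_path_len;
    out->optional_len = len - pos;
    out->active = (out->attributes & 0x1) != 0;
    return 1;
}

/* Constructed sample: BootOrder {1, 0}; Boot0001 = active, "Linux", one 4-byte
 * end-of-device-path node (7F FF 04 00), then two bytes of OptionalData. */
static const uint8_t SAMPLE_ORDER[] = { 0x01, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_OPT[] = {
    0x01, 0x00, 0x00, 0x00, 0x04, 0x00,                 /* attrs, path len */
    'L', 0, 'i', 0, 'n', 0, 'u', 0, 'x', 0, 0, 0,       /* "Linux" + NUL */
    0x7F, 0xFF, 0x04, 0x00, 0xAA, 0xBB };               /* end node, optional */
```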
6. The UEFI-based BIOS vulnerability scanning method according to claim 2, characterised in that step S4 is implemented as follows:
S41: use the LocateHandleBuffer function provided by the UEFI boot services to search the platform for the drivers on which EFI_DRIVER_HEALTH_PROTOCOL is installed;
S42: loop over each driver handle found and call the HandleProtocol function provided by the UEFI boot services to obtain an EFI_DRIVER_HEALTH_PROTOCOL instance;
S43: use the GetHealthStatus method of EFI_DRIVER_HEALTH_PROTOCOL to obtain the health status of the driver and of the controllers managed by that driver;
S44: process the returned status, obtaining the name of the driver or controller through COMPONENT_NAME_PROTOCOL.
7. The UEFI-based BIOS vulnerability scanning method according to claim 6, characterised in that step S4 further comprises:
S45: if a driver is in an unhealthy state, output the driver name and driver status and prompt the user that it needs to be replaced.
CN201711373147.5A 2017-12-19 2017-12-19 BIOS vulnerability scanners and scan method based on UEFI Pending CN107944279A (en)

Publications (1)

Publication Number Publication Date
CN107944279A true CN107944279A (en) 2018-04-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180420