5

The BIOS operates at a lower level than the OS, so antivirus software cannot scan it.

Is there any other security software that we should use to protect the BIOS?

Michal Koczwara
  • 1,580
  • 3
  • 15
  • 27
Arjun Verma
  • 61
  • 1
  • 2

2 Answers2

5

I would suggest that you look into the direction of Trusted Computing. It won't "defend" you, but it might help you ensure that you are booting in a known/secure environment.

There is a load of information available here, just search for TXT and trusted computing.

But for starters, you can ensure this by using a platform with a TPM and Intel TXT, then go a step further by protecting yourself from evil-maid attacks using something like tboot.

You can also run chipsec on your platform, to run an assessment of your platform. Chipsec is well presented in those 2 presentations:

Jean-François Rioux
  • 589
  • 5
  • 10
1

Not true exactly - bios can be overwritten. This is how bios upgrade tools work.

Another minor correction: the BIOS doesn't operate on a lower level than the OS, at least on modern systems. That would mean that the OS uses BIOS API calls to handle the hardware. But it is not so, the OSes have a nearly bios-independent software stack. The last well-known OS which interacted with BIOS, was WindowsME. The last well-known OS which used its nearly whole functionality through BIOS calls was DOS. (Although a minimal interaction between BIOS and the OSes survives until now.)

BIOS is practically a firmware, which loads into the (yet real-mode) memory at the beginning of the boot process. Its code is on a flash memory chip soldered onto the mainboard.

This flash ROM can be overwritten, although only a non-trivial, undocumented, and deeply vendor-dependent way. In most cases there is also encryption-based protection on it. These are the "defensive lines" of the hardware (motherboard) vendors, which protects against the exact kinds of malware that you are asking about.

Thus, in my opinion, the possibility that a random hacker writes a malware (or extend an already existing one) with a bios-hacking functionality, is practically negligible - assuming that we are talking from independent nice tries without government support.

The situation is much worse if we consider also the power of governments. They don't need to crack the encryption of BIOS and the undocumented overwriting protocol, in many cases they can "solve" their problem with the cooperation of the motherboard vendor. This is especially true if the vendor is in their country, or in an allied country, and they have the resources to implement software which requires the yearlong cooperation of hundreds of programmers.

For example, the well-known Stuxnet malware used these business secrets of multiple hardware vendors, although it overwrote not the BIOS flash, but a network card firmware - somehow exactly that type of NIC firmware which was used on the computers of the Iranian nuclear project (and then also the firmware of some uranium-enriching centrifuges).

Similar malware could also be developed for BIOS overwrites, but it is very highly vendor-dependent and requires the (intentional or unintentional) cooperation of the motherboard vendor.

Against an active governmental BIOS-overwriting attack probably you can't defend yourself. Against a less pervasive attack, maybe you can protect yourself through the extended usage of firewalls, virtualization and other high-resource security measurements.

Against the "common" malwares distributed everywhere on the net, there is no need for extra measurements (assuming that your motherboard vendor doesn't any standard security measures).

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
peterh
  • 2,938
  • 6
  • 25
  • 31