BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology
BIOS PROTECTION GUIDELINES
and operating system. The BIOS is stored on non-volatile memory that persists between power cycles.
Malware written into a BIOS could be used to re-infect machines even after new operating systems have
been installed or hard drives replaced. Because the system BIOS runs early in the boot process with very
high privileges on the machine, malware running at the BIOS level may be very difficult to detect.
Because the BIOS loads first, there is no opportunity for anti-malware products to authoritatively scan the
BIOS.
BIOS exploits would likely be highly system-specific—directed at a specific version of a system BIOS or
certain hardware components (e.g., a particular motherboard chipset). In contrast, most malware targets
software executing at or above the operating system kernel, where it is easier to develop and can attack
larger classes of machines. BIOS-level malware may be more likely employed in targeted attacks on
high-value computer systems. The move to UEFI-based BIOS may make it easier for malware to target
the BIOS in a widespread fashion, as these BIOS implementations are based on a common specification.
For the reasons outlined above, there are few known instances of BIOS-level malware. At this time, the
only publicly known malware targeting the system BIOS that has infected a significant number of
computers is the CIH virus, also known as the Chernobyl virus [Sym02], first discovered in 1998. One
element of the payload of this virus attempted to overwrite the BIOS on systems using a specific chipset
that was widely deployed at the time. This malware relied on several vulnerabilities that are not present
in modern machines.
Security researchers have demonstrated other potential attacks on conventional BIOS and EFI/UEFI
firmware. Proof-of-concept attacks have been demonstrated that allow for the insertion of malicious code
into conventional BIOS implementations that permit unsigned updates [SaOr09]. Other researchers have
discovered a buffer-overflow vulnerability in the EFI BIOS on a modern platform. Although this EFI
BIOS write-protects firmware early in the boot process and only flashes signed updates to firmware, the
buffer overflow allowed the researchers to bypass the secure update process by executing an unsigned
portion of the firmware update package before write protections were applied [WoTe09].
Vulnerabilities such as these could allow attackers to create stealthy malware that operate with very high
privileges on a system. The system BIOS loads SMI handlers before passing control of the computer to
the operating system. Malicious code written into a BIOS could modify the SMI handlers to create
malware that would run in SMM [EmSp08]. This would give the malware unrestricted access to physical
memory and peripherals connected to the host machine, and it would be very difficult for software
running on the operating system to detect.
2.5 Threats to the System BIOS
The preceding section established the importance of maintaining the integrity of the system BIOS. This
section describes some of the various ways that the integrity of the system BIOS can be attacked, and
identifies the attacks considered within scope for the security controls and processes specified in Section
3.
The first threat to the integrity of the system BIOS comes while the system moves through the supply
chain. Supply chain security techniques are out of scope for the security controls specified in this
document. Some of the procedures specified in Section 3.2 can, however, be used to identify and remedy
systems that have an unapproved system BIOS.
Assuming that the system arrives with the manufacturer’s intended system BIOS installed, there are a
number of threats to the integrity of the system BIOS during the system’s lifetime:
2-6