What about infected BIOS..

Posted: Fri Aug 06, 2010 3:46 pm
by nikito
Many of us rely on the BIOS functions, and every one of us relies on it to load the boot code. But there are some people on the net who are talking about BIOSes infected with malicious code.

To what extent is that possible, and is an infected BIOS something to worry about?

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 3:55 pm
by Combuster
If something manages to flash the BIOS, then you have a serious problem.

People that don't recognise phishing and allow viruses to reach their computer are a much, much bigger problem. :wink:

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 4:36 pm
by nikito
Pardon the insistence, but the reason I decided to program my OS from zero is to be able to say safely that I have no malware.

So, is it possible to merge some kind of rootkit code with the BIOS, or some code that is capable of initializing a socket, for example? I imagine that even if such a thing is possible, the malware will not be able to spy on an unknown OS with unknown APIs.
As an OS designer, is there something I need to do in order to protect myself? I mean that I wrote all the code from the boot-loader to the very end of the OS. It's not like using Windows or Linux and having millions of lines of code behind a simple notepad program. I know my code, and if something unexpected or out of order happens, I think I should be able to figure out a malicious BIOS.

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 5:02 pm
by Combuster
You missed the point - from a security viewpoint BIOS rootkits are no different from any other piece of malware. They're just much more difficult to get rid of.

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 7:09 pm
by Brynet-Inc
The BIOS is typically stored on EEPROM/Flash memory; reprogramming is possible.. indeed most vendors release periodic firmware updates.

Coreboot+flashrom/LinuxBIOS is one legitimate project that overwrites that firmware (..perhaps with an open source replacement); fortunately, there is no "standardized" flashing procedure.. it's a chipset-specific process.

Physical security isn't the job of an OS.. anyone who had access to this system had the chance to compromise the firmware.

You have no guarantee that the firmware is safe, it may have been compromised due to insufficient physical security policies, or software security policies.. i.e: running untrusted applications with elevated permissions.

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 9:54 pm
by nikito
I have some old PCs that I'm thinking of using with my OS once it's completed. So if I have infected firmware, how can I know it? I guess flashing the BIOS with an original, updated BIOS from the manufacturer's page can resolve the problem, or maybe not. But even with physical and software security, I can not guarantee the hardware is clean. There are many people buying PCs, browsing the net with them, then returning them to the shop, probably infected with something. Then in the shop they resell them to others.
I hope this kind of malware is not frequent, and hope that a sniffer can detect unusual net packets.

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 10:38 pm
by NickJohnson
But isn't the whole problem with BIOS rootkits that they allow a certain type of attack on a certain OS? Why would you even have to worry about the small possibility of one when you're using an OS on it that is guaranteed to be unknown to any sort of attacker? Why do you even care? Are you storing confidential information on your test boxes?

I don't know much about viruses, but this thread seems kind of paranoid.

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 11:24 pm
by nikito
NickJohnson wrote: Why would you even have to worry about the small possibility of one when you're using an OS on it that is guaranteed to be unknown to any sort of attacker?
You're right. The possibility appears to be small. But on the other hand, a virus does not necessarily attack the confidential data; the first thing it does is reduce performance. And even if socket-based malware is not trying to touch my secrets, it can turn the machine into a bot for DDoS or into a proxy to do misdeeds on the net.
NickJohnson wrote: I don't know much about viruses, but this thread seems kind of paranoid.
Here you are right one more time; I am a little bit paranoid about security.

Re: What about infected BIOS..

Posted: Fri Aug 06, 2010 11:39 pm
by JohnnyTheDon
nikito wrote:
NickJohnson wrote: Why would you even have to worry about the small possibility of one when you're using an OS on it that is guaranteed to be unknown to any sort of attacker?
You're right. The possibility appears to be small. But on the other hand, a virus does not necessarily attack the confidential data; the first thing it does is reduce performance. And even if socket-based malware is not trying to touch my secrets, it can turn the machine into a bot for DDoS or into a proxy to do misdeeds on the net.
Without an awareness of how your OS works, it is unlikely a BIOS rootkit would be able to do any of these things and run your OS at the same time. The only exception that comes to mind is SMBIOS / SMX BIOS code which can interrupt your code at certain points (it's normally used for things like TPMs and legacy PS/2 port emulation), or if the virus is very sophisticated and runs your OS in a virtual machine while it does its dirty deeds. Both of these seem unlikely, and unless a malware driver was installed on that computer at some point, it doesn't seem possible that you would have a BIOS rootkit.

Re: What about infected BIOS..

Posted: Sat Aug 07, 2010 3:25 am
by Combuster
I can imagine a BIOS virus loading server code into the SMM area so that it can peek at and push packets onto the network card without needing intervention from the OS. Voila: a virtually invisible, OS-agnostic botnet.

As for the paranoia: if people want to hack you, they will. If you want your system to be secure, you'll have to account for bad attention or you just end up getting security through obscurity.

Re: What about infected BIOS..

Posted: Mon Aug 30, 2010 7:32 pm
by DavidBG
I do happen to know something about programming viruses, so I'll say this: a BIOS virus is rare. However, they can infect any BIOS computer, regardless of OS. It doesn't matter whether it's Linux or Windows or your OS. However, it would have to be programmed for the OS, but standard security features like the "root" system in Linux wouldn't apply.

Furthermore, once a BIOS virus is there, regardless of OS, it can have total control over your PC.

However, these can be removed by restoring the BIOS to its motherboard image. Simple. And plus, I doubt anyone would write one for your OS. (Maybe Linux, MS Win, etc.)

David

Re: What about infected BIOS..

Posted: Tue Aug 31, 2010 3:54 am
by Brendan
Hi,

Worst case would be a "virus" in firmware that uses SMM and/or virtualisation to do things. For example, a sufficiently advanced version could (in theory) monitor the keyboard and ethernet card and send your keypresses to an IP address without the OS knowing. It could even hide its network traffic by buffering keypresses and only sending a packet immediately after something else has sent a packet (so you don't see the ethernet card's LED flashing for no reason). Also note that something like this could work fine regardless of which OS is installed.

However, something like this would be insanely complex, and because it'd need to be customised for each specific motherboard it wouldn't make sense as an actual virus. More likely would be a trojan - something that mimics a normal/official BIOS upgrade, that was uploaded onto some sort of "BIOS upgrade" site for unsuspecting people to download and install, that is incapable of replicating itself.

Also, there are much easier ways of affecting a much larger number of computers. Something like an ethernet driver for an OS like Windows would make a lot more sense for a potential trojan developer; and I have a feeling that if anyone actually does get halfway they'd abandon their original plans and turn it into a commercial "bare-metal" hypervisor (like VMware Server ESXi) instead.


Cheers,

Brendan
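Combuster's SMM botnet scenario and Brendan's SMM keylogger both come down to the same observable: packets leaving the NIC that the OS never asked for, which is what nikito hopes a sniffer could spot. A defender's check that survives Brendan's "send only right after legitimate traffic" trick is attribution rather than timing: capture on an external tap (a sniffer on the host itself sits above SMM and can be lied to) and ask, for each host-originated flow, whether the OS's own socket table accounts for it. The following is an added Python example, not code from the thread; the socket table, the capture lines and both of their formats are constructed assumptions of the example.

```python
"""Attribute host-originated flows seen on an external tap to the OS socket table.

Added example, not code from the thread. OS_SOCKETS and CAPTURE are constructed
sample data; the line format is an assumption of this example, not a real tool's output.
"""
from collections import Counter
from dataclasses import dataclass

HOST_IP = "192.0.2.10"  # constructed: the machine under observation

# Constructed socket table as the OS would report it (netstat-style):
# (proto, local_port, remote_ip, remote_port), one entry per open socket.
OS_SOCKETS = {
    ("tcp", 52311, "93.184.216.34", 443),   # browser HTTPS session
    ("udp", 46120, "192.0.2.53", 53),       # resolver query
}

# Constructed capture from a tap on the switch port, one packet per line:
# "<seconds> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <length>"
# The 31337 -> 4444 packets are sent a millisecond or two after legitimate ones,
# the piggybacking Brendan describes, so no LED flashes "for no reason".
CAPTURE = """\
0.000 tcp 192.0.2.10:52311 -> 93.184.216.34:443 1380
0.004 tcp 192.0.2.10:52311 -> 93.184.216.34:443 1380
0.005 udp 192.0.2.10:31337 -> 198.51.100.7:4444 96
0.110 udp 192.0.2.10:46120 -> 192.0.2.53:53 60
0.112 udp 192.0.2.10:31337 -> 198.51.100.7:4444 96
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int


def parse_capture(text):
    """Yield (timestamp, Flow, length) for every packet the host itself sent."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, _arrow, dst, length = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        if src_ip != HOST_IP:
            continue
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield float(ts), Flow(proto, int(src_port), dst_ip, int(dst_port)), int(length)


def unattributed_flows(capture_text, os_sockets):
    """Map each host-originated flow that no OS socket explains to its packet count.

    Attribution looks at endpoints, not timing, so packets that hide behind
    legitimate traffic are still flagged.
    """
    known = {Flow(*s) for s in os_sockets}
    counts = Counter()
    for _ts, flow, _len in parse_capture(capture_text):
        if flow not in known:
            counts[flow] += 1
    return dict(counts)


def gaps_after_attributed(capture_text, os_sockets):
    """For each unattributed packet, seconds since the last attributed packet.

    Tiny gaps are exactly what the piggybacking implant produces, which is why a
    "traffic while the machine is otherwise idle" heuristic would miss it.
    """
    known = {Flow(*s) for s in os_sockets}
    last_legit = None
    gaps = []
    for ts, flow, _len in parse_capture(capture_text):
        if flow in known:
            last_legit = ts
        elif last_legit is not None:
            gaps.append(round(ts - last_legit, 3))
    return gaps


if __name__ == "__main__":
    for flow, n in unattributed_flows(CAPTURE, OS_SOCKETS).items():
        print(f"UNATTRIBUTED {flow.proto} :{flow.local_port} -> "
              f"{flow.remote_ip}:{flow.remote_port}  packets={n}")
    print("gaps behind legitimate packets (s):", gaps_after_attributed(CAPTURE, OS_SOCKETS))
```

On the constructed data the two UDP packets to port 4444 have no socket behind them and are flagged, while their gaps behind legitimate packets are 1 and 2 ms, so an idle-time heuristic would never have fired. The socket table must be sampled at the same time as the capture; short-lived sockets that close between the packet and the sample will otherwise show up as false positives.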

Re: What about infected BIOS..

Posted: Tue Oct 05, 2010 10:23 am
by Gaidheal
Okay, the serious bit first:

Flash the BIOS on the machine with a 'known-good' image from a trusted source (the motherboard manufacturer, usually); this is the only way to be certain that the BIOS image is safe (at least in the sense of not being maliciously defective). If you're asking about the possibility of an end-user other than you having a machine where the BIOS image has been compromised, then you have to accept that this could be possible and there is virtually nothing you could or should try to do about it. It is, however, vanishingly unlikely for a variety of reasons.

Less seriously:

Never mind the BIOS... what about the use of radiation beams from, say, a satellite, to dynamically manipulate the memory image? Complete, on-the-fly hacking which you cannot protect against, since the memory access is physically accomplished without the knowledge, consent or intervention of the software or even the hardware on the PC. I think you'd need a lead (or similarly dense material) box an inch or two thick to properly protect against this. Pricey and awkward, but what price peace of mind and security, eh? ;¬)

Re: What about infected BIOS..

Posted: Tue Oct 05, 2010 1:24 pm
by Owen
What proof do you have that your BIOS flash actually flashed the BIOS? If the machine is compromised, then it can only be fixed by removing the chip and flashing it elsewhere...

As for the "radiation beams from space", you're making it quite obvious that you don't have the faintest clue about the involved physics, so please stop talking like you think you do.
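Gaidheal's advice (reflash from a known-good vendor image) and Owen's objection (what proof do you have that the flash took?) meet in one check: read the chip back over a path the suspect machine cannot influence, such as the external programmer Owen mentions, and compare the dump byte for byte with the image you intended to write. flashrom's read mode produces such a dump file; the comparison itself is below as an added Python example, which is not code from the thread or from flashrom. The two images are constructed byte strings rather than real BIOS content, and the 4 KiB region granularity of the report is an assumption of the example.

```python
"""Verify a firmware read-back against a known-good image.

Added example, not code from the thread or from flashrom. KNOWN_GOOD, TAMPERED
and TRUNCATED are constructed byte strings, not real firmware.
"""
import hashlib

REGION_SIZE = 4096  # assumption: report differences at 4 KiB erase-block granularity


def sha256_hex(data: bytes) -> str:
    """Whole-image digest, the value to compare with the vendor's published hash."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(known_good: bytes, readback: bytes, region_size: int = REGION_SIZE):
    """Return [(offset, differing_bytes)] for every region that is not identical.

    A length mismatch counts the missing or extra bytes as differences, so a
    partial or truncated dump is reported rather than silently passing.
    """
    report = []
    longest = max(len(known_good), len(readback))
    for off in range(0, longest, region_size):
        a = known_good[off:off + region_size]
        b = readback[off:off + region_size]
        if a == b:
            continue
        differing = sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))
        report.append((off, differing))
    return report


def verify_readback(known_good: bytes, readback: bytes) -> dict:
    """Summarise: do the digests match, and if not, where does the image diverge?"""
    expected, actual = sha256_hex(known_good), sha256_hex(readback)
    return {
        "match": expected == actual,
        "expected_sha256": expected,
        "actual_sha256": actual,
        "size_ok": len(known_good) == len(readback),
        "regions": diff_regions(known_good, readback),
    }


# --- constructed images (not real firmware) -------------------------------
def constructed_image(regions: int = 4, region_size: int = REGION_SIZE) -> bytes:
    """Each region gets its own byte pattern so a diff can be localised."""
    return b"".join(
        bytes((i * 37 + k) & 0xFF for k in range(region_size)) for i in range(regions)
    )


KNOWN_GOOD = constructed_image()

# Read-back with 16 bytes altered inside region 2 (offset 0x2000): what you'd
# see if the write silently did not take on part of the chip.
_t = bytearray(KNOWN_GOOD)
_t[0x2000 + 100:0x2000 + 116] = b"\xff" * 16
TAMPERED = bytes(_t)

# Read-back that is 10 bytes short: a truncated or partial dump.
TRUNCATED = KNOWN_GOOD[:-10]


if __name__ == "__main__":
    # With real files: verify_readback(open("vendor.bin", "rb").read(),
    #                                  open("readback.bin", "rb").read())
    for name, img in (("identical", KNOWN_GOOD), ("tampered", TAMPERED), ("truncated", TRUNCATED)):
        r = verify_readback(KNOWN_GOOD, img)
        print(f"{name:10s} match={r['match']} size_ok={r['size_ok']} regions={r['regions']}")
```

A matching digest only tells you the chip contents equal the image you flashed; it says nothing about whether that image is trustworthy, which is why the reference must come from the manufacturer, as Gaidheal says, and why the read-back must not be taken by the machine under suspicion.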

Re: What about infected BIOS..

Posted: Tue Oct 05, 2010 1:53 pm
by Love4Boobies
No, it's possible and has already been done. If you like and can't find it yourself, I can spend a little time to look for the paper... :)