Malicious Code Detection for Open Firmware Frank Adelstein, Matt Stillerman Dexter Kozen ATC-NY Department of Computer Science 33 Thornwood Drive, Suite 500 Cornell University Ithaca, NY 14850-1250, USA Ithaca, New York 14853-7501, USA {fadelstein,matt}@atc-nycorp.com
[email protected] Abstract • It could prevent the computer from booting, thus ef- fecting a denial of service. Malicious boot firmware is a largely unrecognized but • It could operate devices maliciously, thereby damaging significant security risk to our global information infra- them or causing other harm. structure. Since boot firmware executes before the operat- ing system is loaded, it can easily circumvent any operating • It could corrupt the operating system as it is loaded. system-based security mechanism. Boot firmware programs This last form of attack is perhaps the most serious, since are typically written by third-party device manufacturers most other security measures depend on operating system and may come from various suppliers of unknown origin. In integrity. Even the most carefully crafted security mecha- this paper we describe an approach to this problem based nisms implemented at the operating system, protocol, ap- on load-time verification of onboard device drivers against plication, or enterprise levels can be circumvented in this a standard security policy designed to limit access to system manner. resources. We also describe our ongoing effort to construct On a typical computing platform, the boot firmware is a prototype of this technique for Open Firmware boot plat- composed of many interacting modules. There is usually forms. a boot kernel, which governs the bootup process, as well as boot-time device drivers supplied by the manufacturers of various components.