Computing devices may include a basic input/output system (BIOS). When a computing device is booted, the BIOS may be executed to initialize hardware components of the computing device, and initiate execution of processes such as an operating system (OS) and/or other applications by the computing device. The initialization of hardware components and execution of processes may be based on BIOS variables stored in association with the BIOS itself. The BIOS variables may be altered in order to alter the initialization of hardware and processes when the computing device is booted.
A BIOS of a computing device initializes hardware components of the computing device, as well as boot processes to load an OS or other applications. The BIOS performs such initialization based on BIOS variables stored in association with the BIOS. The BIOS variables may be modified by various mechanisms, including application programming interface (API) calls from the OS executed by the computing device.
Malicious applications executed by the computing device may attempt to modify the BIOS variables, for example to harden malicious processes against removal. Such malicious modifications to the BIOS variables may be prevented by use of a set of filter criteria within the BIOS. Commands to modify the BIOS variables, such as a command to create a new BIOS variable, may be stored in a log for subsequent inspection.
The commands may be compared to the set of filter criteria via execution of the BIOS. The modifications may be accepted or rejected according to the comparison. In some examples, the above-mentioned log may be accessed by a scanning application executed by the computing device. The scanning application may therefore expose the logged BIOS variable modification commands to additional detection functionality beyond that provided by the set of filter criteria within the BIOS.
As used herein, BIOS refers to hardware or hardware and instructions to initialize, control, or operate a computing device prior to execution of an OS of the computing device. Instructions included within a BIOS may be software, firmware, microcode, or other programming that defines or controls functionality or operation of a BIOS. In one example, a BIOS may be implemented using instructions, such as platform firmware of a computing device, executable by a processor. A BIOS may operate or execute prior to the execution of the OS of a computing device. A BIOS may initialize, control, or operate components such as hardware components of a computing device and may load or boot the OS of the computing device.
In some examples, a BIOS may provide or establish an interface between hardware devices or platform firmware of the computing device and an OS of the computing device, via which the OS of the computing device may control or operate hardware devices or platform firmware of the computing device. In some examples, a BIOS may implement the Unified Extensible Firmware Interface (UEFI) specification or another specification or standard for initializing, controlling, or operating a computing device.
The storage device 108 contains BIOS instructions 112, also referred to herein as the BIOS 112, that are executable by the controller 104. The BIOS 112 includes instructions executable by the controller 104 to initialize hardware devices of the computing device 100, and to initiate execution of other sets of instructions contained in the storage device 108. An example of such other instructions is an OS of the computing device 100.
The initialization of hardware devices and execution of other sets of instructions may be performed with reference to a set of BIOS variables 116 contained in the storage device 108 in association with the BIOS 112. An example of a variable defined in the BIOS variables 116 is a boot order, defining portions of the storage device 108 or other storage devices from which the controller 104 is to attempt to retrieve OS instructions. Other examples of variables defined in the BIOS variables 116 include identifiers of device drivers to be loaded when the computing device 100 boots. Further examples of variables defined in the BIOS variables 116 include secure boot databases containing signing keys, certificates, signature hashes and the like.
The BIOS variables 116 may be updated, for example to edit or delete an existing BIOS variable, or to create a new BIOS variable. The controller 104 may generate a command 120 to change the BIOS variables 116. The command 120 may be generated, for example, via the execution of another application by the controller 104, and/or in response to input data received via an input device of the computing device 100.
The BIOS instructions 112 also include a set of filter criteria 124. Via execution of the BIOS 112, the controller 104 is to perform certain functions prior to applying the change to the BIOS variables 116 defined in the command 120. For example, the controller 104 may store the command, or a portion thereof, in a log 128 stored in the storage device 108. The controller 104 may also compare the command with the set of filter criteria 124. The set of filter criteria 124 define a condition, or a plurality of conditions, against which the command 120 may be evaluated.
The set of filter criteria 124 may be employed to detect potentially malicious changes to the BIOS variables 116. Therefore, when the command 120 satisfies the set of filter criteria 124, the controller 104 may reject the change to the BIOS variables 116 defined by the command 120. When the command 120 does not satisfy the set of filter criteria 124, however, the controller 104 may accept the change to the BIOS variables 116 defined by the command 120. In other examples, the set of filter criteria 124 may define conditions met by non-malicious changes to the BIOS variables 116, and the controller 104 may therefore reject changes to the BIOS variables 116 that do not meet the set of filter criteria 124 and accept changes to the BIOS variables 116 that meet the set of filter criteria 124.
The set of filter criteria 124 may define various conditions to which the command 120 is compared by the controller 104. An example of a condition defined by the set of filter criteria 124 is a command frequency threshold defining a permissible frequency of changes to the BIOS variables 116. The frequency may be defined according to any suitable time period, e.g. a permissible number of commands 120 per day, or the like. For example, for a frequency threshold of five permissible commands per day, when the command 120 represents the sixth command to change the BIOS variables 116 within a one-day period, the command 120 may be rejected. When the command 120 is rejected, the change to the BIOS variables 116 defined by a payload of the command 120 is not applied to the BIOS variables 116. The command 120 may still be stored in the log 128, however.
Another example condition defined by the set of filter criteria 124 is a payload size threshold. For example, the set of filter criteria 124 may define an upper permissible BIOS variable size threshold, and the controller 104 may reject the command 120 when the command 120 defines a new or updated variable with a size greater than the size threshold.
Additional example conditions defined by the set of filter criteria 124 include a whitelisted variable owner identifier, a blacklisted variable owner identifier, or a combination thereof. Each variable in the BIOS variables 116 may include an owner identifier, a variable name, and a variable value (in a UEFI implementation, the owner identifier corresponds to the vendor GUID under which the variable is stored). The owner identifier of a given BIOS variable may indicate the identity of an entity responsible for the current value of the BIOS variable. An example owner identifier is an identifier of a manufacturer of the computing device 100. The set of filter criteria 124 may define conditions specifying owner identifiers that are permitted to write to the BIOS variables 116 (e.g. a whitelist). The set of filter criteria 124 may also define conditions specifying owner identifiers that are not permitted to write to the BIOS variables 116 (e.g. a blacklist).
The set of filter criteria 124 may include combinations of the example conditions mentioned above.
At block 205, a command to change the BIOS variables 116, such as the command 120, is detected by the controller 104, via execution of the BIOS 112. The command 120 detected at block 205 may be generated by the controller 104 via the execution of an application. The application may, in some instances, be a malicious application.
At block 210, the command 120 is stored in the log 128. The entire command 120 may be stored in the log 128 at block 210. In other examples, a portion of the command 120 may be stored in the log 128 at block 210. At block 210 the controller 104 may also store metadata associated with the command 120 in the log 128, such as a date and/or time of detection of the command 120, an indication of an application whose execution led to generation of the command 120, and the like.
At block 215, the controller 104 compares a payload of the command 120 with the set of filter criteria 124. The payload of the command includes the owner identifier, the variable name and the variable value to be written to the BIOS variables 116. When the set of filter criteria 124 define a plurality of conditions, each condition may be evaluated at block 215 in comparison to the corresponding portion of the command payload. For example, the owner identifier in the command payload may be compared to a whitelist defined in the set of filter criteria 124, and a size of the value defined in the command 120 may be compared to a size threshold defined in the set of filter criteria 124.
At block 220, the controller 104 selects a handling action for the command 120, according to the comparison from block 215. As noted earlier, the controller 104 is to accept or reject the change defined in the command 120 according to whether the command 120 satisfies, or does not satisfy, the set of filter criteria 124. In the above example, in which the set of filter criteria 124 define a variable owner whitelist and a variable size threshold, at block 220 the controller 104 may select the rejection handling action if the variable size in the command 120 exceeds the threshold, or if the variable owner identifier is not on the whitelist, or both. If the variable owner identifier in the command 120 is on the whitelist and the size of the value in the command 120 does not exceed the threshold, the controller 104 may select the acceptance handling action.
When the controller 104 selects the rejection handling action, performance of the method 200 proceeds to block 225. At block 225, the controller 104 may reject the change to the BIOS variables 116 defined by the command 120. As a result of the performance of block 225, the BIOS variables 116 remain unchanged, and performance of the method 200 may end.
When the controller 104 selects the acceptance handling action, performance of the method 200 proceeds to block 230. At block 230, the controller 104 may accept the change to the BIOS variables 116 defined by the command 120. As a result of the performance of block 230, the BIOS variables 116 are updated: a new variable is created, an existing variable is edited, an existing variable is deleted, or a combination thereof. Performance of the method 200 may then end.
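As an added example that is not part of the patent's disclosure, the following C model implements the example criteria described above (frequency threshold, payload size threshold, owner whitelist and blacklist) together with the detect, log, compare and accept/reject sequence of blocks 205 to 230. Everything in it is constructed for illustration: the structures, the thresholds, the owner strings (which stand in for the vendor GUID a UEFI implementation would carry in a SetVariable call, an assumption of this example), the in-memory log and variable store, and the sample commands.

```c
/* Added example, not the patent's code: an in-memory model of the
 * BIOS-side variable-write filter. Names, thresholds, owner strings and
 * sample commands are all constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOG    64
#define MAX_VARS   16
#define MAX_OWNERS 8

/* One variable-write command: the payload (owner, name, value) plus the
 * metadata logged at block 210. value == NULL requests deletion. */
typedef struct {
    const char    *owner;       /* stand-in for a UEFI VendorGuid (assumed) */
    const char    *name;
    const uint8_t *value;
    size_t         value_len;
    uint64_t       timestamp;   /* seconds; assumed monotonic */
    const char    *app;         /* application that issued the command */
} var_cmd_t;

/* Verdict bitmask: ACCEPT, or one bit per failed criterion. */
enum { ACCEPT = 0, REJ_FREQ = 1, REJ_SIZE = 2, REJ_OWNER = 4 };

typedef struct {
    uint32_t    max_cmds;               /* at most max_cmds per window_secs */
    uint64_t    window_secs;
    size_t      max_value_len;          /* payload size threshold */
    const char *whitelist[MAX_OWNERS];  /* empty whitelist = any owner allowed */
    size_t      n_white;
    const char *blacklist[MAX_OWNERS];  /* blacklist wins over whitelist */
    size_t      n_black;
} filter_criteria_t;

typedef struct { var_cmd_t cmd; int verdict; } log_entry_t;

static log_entry_t g_log[MAX_LOG];    /* the log 128 */
static size_t      g_log_len;
static var_cmd_t   g_vars[MAX_VARS];  /* the BIOS variables 116 */
static size_t      g_var_count;

static bool in_list(const char *const *list, size_t n, const char *owner) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], owner) == 0) return true;
    return false;
}

static int find_var(const char *owner, const char *name) {
    for (size_t i = 0; i < g_var_count; i++)
        if (!strcmp(g_vars[i].owner, owner) && !strcmp(g_vars[i].name, name))
            return (int)i;
    return -1;
}

/* Block 230: create, edit or delete the variable named by the command. */
static void apply_change(const var_cmd_t *cmd) {
    int i = find_var(cmd->owner, cmd->name);
    if (cmd->value == NULL) { if (i >= 0) g_vars[i] = g_vars[--g_var_count]; }
    else if (i >= 0)        { g_vars[i] = *cmd; }
    else if (g_var_count < MAX_VARS) { g_vars[g_var_count++] = *cmd; }
}

/* Block 215: compare the payload with every criterion. The command is
 * already in the log, so rejected commands also count toward frequency. */
int evaluate_command(const filter_criteria_t *c, const var_cmd_t *cmd) {
    int verdict = ACCEPT;
    uint32_t recent = 0;
    for (size_t i = 0; i < g_log_len; i++)
        if (cmd->timestamp - g_log[i].cmd.timestamp < c->window_secs) recent++;
    if (recent > c->max_cmds)                          verdict |= REJ_FREQ;
    if (cmd->value_len > c->max_value_len)             verdict |= REJ_SIZE;
    if (in_list(c->blacklist, c->n_black, cmd->owner)) verdict |= REJ_OWNER;
    if (c->n_white && !in_list(c->whitelist, c->n_white, cmd->owner))
        verdict |= REJ_OWNER;
    return verdict;
}

/* Blocks 205-230 in order: log (210), compare (215/220), then apply (230)
 * or leave the store untouched (225). A full log simply stops logging. */
int handle_set_variable(const filter_criteria_t *c, const var_cmd_t *cmd) {
    log_entry_t *e = (g_log_len < MAX_LOG) ? &g_log[g_log_len++] : NULL;
    if (e) e->cmd = *cmd;
    int verdict = evaluate_command(c, cmd);
    if (e) e->verdict = verdict;
    if (verdict == ACCEPT) apply_change(cmd);
    return verdict;
}

size_t log_length(void)     { return g_log_len; }
size_t variable_count(void) { return g_var_count; }
void   reset_state(void)    { g_log_len = 0; g_var_count = 0; }

int main(void) {
    static const uint8_t order[] = {1, 0, 2, 0}, blob[600] = {0};
    const filter_criteria_t crit = { .max_cmds = 5, .window_secs = 86400,
        .max_value_len = 512, .whitelist = {"oem-guid"}, .n_white = 1,
        .blacklist = {"bad-guid"}, .n_black = 1 };
    var_cmd_t cmds[] = {                                  /* constructed */
        {"oem-guid", "BootOrder", order, 4,   1000, "setup"},    /* ACCEPT    */
        {"oem-guid", "Blob",      blob,  600, 1001, "dropper"},  /* REJ_SIZE  */
        {"bad-guid", "BootOrder", order, 4,   1002, "dropper"} };/* REJ_OWNER */
    for (size_t i = 0; i < 3; i++)
        printf("%s/%s -> verdict %d\n", cmds[i].owner, cmds[i].name,
               handle_set_variable(&crit, &cmds[i]));
    printf("logged=%zu stored=%zu\n", log_length(), variable_count());
    return 0;
}
```

Two design choices follow the text rather than convenience: the command is written to the log before it is evaluated, so a rejected command still counts toward the frequency threshold and remains visible to a later scan of the log; and the verdict is a bitmask so that a command failing several criteria at once reports all of them, which is the information a scanning application would want from the log.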
Turning to
The computing device 300 may, in response to detection of the command 120, compare the command 120 to the set of filter criteria 124 and accept or reject changes to the BIOS variables 116 via communication with the BIOS storage device 304. The controller 104 may also communicate with the log storage device 308 to store the command 120 in the log 128.
Referring to
The computing device 400 also includes a second controller 412. The second controller 412 may implement BIOS security functions, such as BIOS validation to determine whether the BIOS instructions 112 have been tampered with. The second controller 412 may therefore also be referred to as an embedded security controller 412. The second controller 412 may, when such tampering is detected, refresh the BIOS instructions 112 from a backup copy stored within the second controller 412.
In the computing device 400, the controller 104 may also be referred to as the first controller 104. While the first controller 104 may execute the instructions in the BIOS storage device 304 (e.g. the BIOS 112) and the memory 404 (e.g. the scanning application 408), the first controller 104 may not have direct access to the log storage device 308. Instead, the second controller 412 is connected with the log storage device 308.
To store the command 120 in the log 128, e.g. as described in connection with block 210 of the method 200, the controller 104 may pass the command 120 to the second controller 412. The second controller 412 may then store the command 120 in the log 128. The first controller 104 may also execute the instructions of the scanning application 408 to scan files, executable instructions and the like in the memory 404 for malicious content. The first controller 104 can also obtain logged commands, such as the command 120, from the log storage device 308 in order to scan the logged commands for malicious content.
In the example shown in
The performance of blocks 205, 210, 215, 220, 225 and 230 in the method 500 is as described above in connection with the method 200. Following the performance of block 225 or 230, at block 535 the controller 104 may execute the scanning application 408 to obtain a command payload from the log 128. As noted above, the first controller 104 can obtain the command payload from the log 128 by requesting a portion of the log 128 from the second controller 412. In other examples, such as the computing device 300 shown in
At block 540, the controller 104 may scan the retrieved command(s) for malicious content via execution of the scanning application 408. Scanning the retrieved command(s) may include comparing the commands, e.g. the payload of a command, to a predefined list of previously detected malicious payloads. The controller 104 may also, e.g. via execution of the scanning application 408, transmit the contents of the log 128 to another computing device, such as a centralized monitoring server that collects logs from a plurality of computing devices. Such a monitoring server may update malicious payload definitions for use by the scanning application 408 and transmit the updated definitions to the computing device 100 for use in subsequent scans. The monitoring server may also provide the computing device 100 with updated blacklisted and/or whitelisted variable owner identifiers, to update the set of filter criteria 124.
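The scan at block 540, as an added example rather than code from the patent: a pass over retrieved log entries that compares each logged payload against a definition list. The log entries, the definition list and the use of a 64-bit FNV-1a digest of owner, name and value (so that the list a monitoring server ships contains digests rather than full payloads) are all constructed assumptions of this example, not something the text specifies.

```c
/* Added example, not the patent's code: the scanning application's pass
 * over entries retrieved from the log 128. Log entries, the "previously
 * detected malicious payload" list and the digest scheme are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *owner;
    const char    *name;
    const uint8_t *value;
    size_t         value_len;
    int            rejected;   /* verdict the BIOS filter recorded */
    const char    *app;        /* metadata logged with the command */
} logged_cmd_t;

/* FNV-1a, chained across fields; the NUL after each string keeps
 * "ab"+"c" and "a"+"bc" from producing the same byte stream. */
static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

uint64_t payload_digest(const logged_cmd_t *c) {
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a(h, c->owner, strlen(c->owner) + 1);
    h = fnv1a(h, c->name,  strlen(c->name) + 1);
    h = fnv1a(h, c->value, c->value_len);
    return h;
}

/* Block 540: flag every logged command whose digest is on the definition
 * list, whether or not the BIOS filter already rejected it. Returns the
 * number of hits; their log indices go into `hits` (up to max_hits). */
size_t scan_log(const logged_cmd_t *entries, size_t n,
                const uint64_t *bad, size_t n_bad,
                size_t *hits, size_t max_hits) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t d = payload_digest(&entries[i]);
        for (size_t j = 0; j < n_bad; j++)
            if (d == bad[j]) {
                if (found < max_hits) hits[found] = i;
                found++;
                break;
            }
    }
    return found;
}

int main(void) {
    static const uint8_t order[] = {1, 0, 2, 0}, marker[] = {0xde, 0xad};
    /* Constructed log: a benign write, a known-bad payload the filter let
     * through, and the same payload later rejected by the filter. */
    logged_cmd_t entries[] = {
        {"oem-guid", "BootOrder", order,  sizeof order,  0, "setup"},
        {"oem-guid", "Persist",   marker, sizeof marker, 0, "dropper"},
        {"oem-guid", "Persist",   marker, sizeof marker, 1, "dropper"} };
    /* Definition list as a monitoring server might ship it: digests only. */
    logged_cmd_t sample = {"oem-guid", "Persist", marker, sizeof marker, 0, ""};
    uint64_t bad[] = { payload_digest(&sample) };
    size_t hits[8];
    size_t n = scan_log(entries, 3, bad, 1, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("hit: log[%zu] app=%s rejected=%d\n", hits[i],
               entries[hits[i]].app, entries[hits[i]].rejected);
    return 0;
}
```

Scanning rejected entries as well as accepted ones is deliberate: a rejected command still tells the scanner which application attempted the write, which is the "additional detection functionality beyond the filter criteria" the text describes.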
It should be recognized that features and aspects of the various examples provided above can be combined into further examples that also fall within the scope of the present disclosure. In addition, the figures are not to scale and may have size and shape exaggerated for illustrative purposes.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US2020/016219 | 1/31/2020 | WO |