This document discusses the differences between BIOS and UEFI, the firmware interfaces that initialize hardware and boot operating systems on PCs. BIOS has been in use for over 25 years but has limitations. EFI, later standardized as UEFI by the UEFI Forum formed in 2005, was created to replace BIOS and overcome those limitations. UEFI supports larger disks and more partitions (via GPT), a graphical interface, and firmware written in C/C++, while BIOS firmware is written in assembly and has a text-only interface. The document recommends writing a program to test whether a computer was booted through the legacy BIOS or the newer UEFI firmware interface.
Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?
The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we will summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.
Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 OS using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate against them.
4. BIOS and UEFI are two firmware interfaces for computers which act as the bridge between the operating system and the platform hardware.
Both of these interfaces are used at startup to initialize the hardware components and start the operating system.
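The deck later recommends writing a program that tells the two apart. The following is an added example (not code from the original slides): on Linux it reports whether the kernel was handed an EFI system table, which only happens when the machine booted through UEFI rather than the legacy BIOS path, and it decodes the SecureBoot variable that UEFI firmware exposes through efivarfs. The sysfs path, the efivarfs 4-byte attribute header and the SecureBoot variable GUID are documented Linux and UEFI behaviour; make_fake_sysfs() builds constructed test data so the checks can run offline.

```python
"""Detect legacy BIOS vs UEFI boot on Linux and read the SecureBoot state.

Added example, not code from the original deck.
"""
import os
import struct
import tempfile

# EFI_GLOBAL_VARIABLE namespace GUID from the UEFI specification; the
# SecureBoot variable lives in this namespace.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Variable attribute bits from the UEFI specification (efivarfs header).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def firmware_type(sysfs_root="/sys"):
    """Return 'UEFI' if the kernel found an EFI runtime, else 'BIOS'.

    The Linux kernel creates /sys/firmware/efi only when it was booted
    through UEFI; a legacy BIOS (or CSM) boot leaves it absent.
    """
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    return "UEFI" if os.path.isdir(efi_dir) else "BIOS"


def parse_efivar(data):
    """Split an efivarfs file into (attributes, value).

    efivarfs prepends a 4-byte little-endian attribute word to the raw
    variable contents.
    """
    if len(data) < 4:
        raise ValueError("efivar file too short to hold the attribute header")
    (attrs,) = struct.unpack("<I", data[:4])
    return attrs, data[4:]


def secure_boot_state(sysfs_root="/sys"):
    """True/False for the SecureBoot variable, None if it cannot be read."""
    path = os.path.join(sysfs_root, "firmware", "efi", "efivars",
                        "SecureBoot-" + EFI_GLOBAL_VARIABLE)
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None  # legacy BIOS, efivarfs not mounted, or variable absent
    _attrs, value = parse_efivar(data)
    # SecureBoot is a single-byte variable: 1 = enforcing, 0 = off.
    if len(value) != 1:
        raise ValueError("unexpected SecureBoot value length %d" % len(value))
    return value[0] == 1


def make_fake_sysfs(uefi, secure_boot=None):
    """Build a throwaway sysfs look-alike (constructed data for offline tests)."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    if uefi:
        efivars = os.path.join(root, "firmware", "efi", "efivars")
        os.makedirs(efivars)
        if secure_boot is not None:
            attrs = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
            name = "SecureBoot-" + EFI_GLOBAL_VARIABLE
            with open(os.path.join(efivars, name), "wb") as fh:
                fh.write(struct.pack("<I", attrs) + bytes([1 if secure_boot else 0]))
    return root


if __name__ == "__main__":
    print("firmware:", firmware_type())
    print("secure boot:", secure_boot_state())
```

Run as root on a UEFI system with efivarfs mounted to see the live values; the functions take the sysfs root as a parameter so the same logic can be exercised against a constructed tree.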
6. Installed with the computer in a non-volatile location (PROM/EEPROM).
Initializes low-level hardware: memory controller timings, power to critical boot devices.
Hands off control to the operating system loader.
The operating system loader uses firmware interfaces to initialize the operating system.
Referred to as pre-boot firmware.
Examples: BIOS and UEFI.
7. What is the Extensible Firmware Interface (EFI)
The Extensible Firmware Interface (EFI) is a specification that defines a software interface between an operating system and platform firmware.
EFI is a replacement for the older BIOS firmware interface present in all IBM PC-compatible personal computers.
9. Transition from EFI to UEFI
The emergence of the x64 architecture provided an inflection point to begin an industry-wide transition to EFI.
To encourage the transition, the UEFI Forum was created in 2005 and is now responsible for the development of the specification (Intel's EFI 1.10 became UEFI 2.0).
UEFI version 2.3 was published in May 2009.
10. BIOS firmware
Mechanism used to boot PCs for the last 25+ years.
All x86/x64 machines on the market support BIOS firmware (natively or through a compatibility support module).
In early systems (16-bit era) the BIOS was used for hardware access: operating systems would call BIOS services rather than accessing the hardware directly (e.g. MS-DOS).
In the 32-bit era, operating systems instead generally accessed the hardware directly using their own device drivers.
11. BIOS limitations
BIOS is showing its age: over 25 years old.
Documentation is scattered.
Non-graphical (text-only) interface.
Programmed in assembly (16-bit real mode).
Regarded as legacy firmware.
12. Overcoming BIOS limitations
EFI adds support for a new partition scheme: the GUID Partition Table (GPT).
The partition count is no longer fixed at four primary partitions as with MBR; it is set by the partition entry array described in the GPT header (Windows allows 128).
64-bit LBAs give a maximum disk and partition size of 9.4 ZB (with 512-byte sectors).
UEFI processor mode can be either 32-bit or 64-bit (long mode).
Architecture is modular and extensible.
Graphical user interface.
Can be programmed in C/C++.
EFI interfaces are object oriented (protocols installed on handles).
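To make the GPT claims on this slide concrete, here is an added example (not code from the original deck) that parses and verifies a GPT the way firmware must before trusting it: signature at LBA 1, header CRC32 over the header with its CRC field zeroed, and CRC32 over the partition entry array, which is where the partition count and the 64-bit LBAs that give the 9.4 ZB limit live. The header and entry layouts and the EFI System Partition type GUID are from the UEFI specification; build_sample_image() constructs a small disk image so the parser runs offline, and the disk and partition GUIDs in it are made-up values.

```python
"""Parse and verify a GPT (GUID Partition Table).

Added example, not code from the original deck. The disk image is constructed
in build_sample_image() so the parser can run offline; the header and entry
layouts follow the UEFI specification.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
# Partition type GUID of the EFI System Partition, from the UEFI specification.
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header, little-endian
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry


def max_gpt_bytes(sector_size=SECTOR):
    """Largest disk GPT can address: 64-bit LBAs times the sector size.

    With 512-byte sectors this is 2**73 bytes, about 9.4 ZB.
    """
    return (2 ** 64) * sector_size


def parse_gpt(image):
    """Return the primary GPT (LBA 1) of a raw disk image as a dict.

    Raises ValueError if the signature or either CRC32 is wrong, the same
    checks a compliant firmware makes before trusting the table.
    """
    (sig, _revision, hdr_size, hdr_crc, _reserved, _cur_lba, backup_lba,
     first_usable, last_usable, disk_guid, entries_lba, n_entries,
     entry_size, entries_crc) = struct.unpack(HEADER_FMT, image[SECTOR:SECTOR + 92])
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    # The header CRC covers hdr_size bytes with the CRC field itself zeroed.
    hdr = image[SECTOR:SECTOR + hdr_size]
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != hdr_crc:
        raise ValueError("GPT header CRC32 mismatch")
    start = entries_lba * SECTOR
    table = image[start:start + n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC32 mismatch")
    partitions = []
    for i in range(n_entries):
        raw = table[i * entry_size:i * entry_size + 128]
        type_guid, part_guid, first, last, attrs, name = struct.unpack(ENTRY_FMT, raw)
        if type_guid == b"\0" * 16:
            continue  # unused entry (all-zero type GUID)
        partitions.append({
            "type": uuid.UUID(bytes_le=type_guid),  # GPT stores GUIDs mixed-endian
            "guid": uuid.UUID(bytes_le=part_guid),
            "first_lba": first,
            "last_lba": last,
            "attributes": attrs,
            "name": name.decode("utf-16-le").rstrip("\0"),
        })
    return {
        "disk_guid": uuid.UUID(bytes_le=disk_guid),
        "backup_lba": backup_lba,
        "first_usable_lba": first_usable,
        "last_usable_lba": last_usable,
        "partitions": partitions,
    }


def gpt_is_intact(image):
    """True if the primary GPT parses and both CRCs verify."""
    try:
        parse_gpt(image)
        return True
    except ValueError:
        return False


def build_sample_image(total_sectors=2048):
    """Construct a small GPT disk: protective MBR, header, 128-entry array and
    one EFI System Partition. Constructed test data, not a real disk."""
    n_entries, entry_size, entries_lba = 128, 128, 2
    table_sectors = n_entries * entry_size // SECTOR   # 32 sectors of entries
    first_usable = entries_lba + table_sectors         # LBA 34
    backup_lba = total_sectors - 1
    last_usable = backup_lba - table_sectors - 1       # leave room for backup table
    esp = struct.pack(ENTRY_FMT, ESP_TYPE_GUID.bytes_le,
                      uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le,
                      first_usable, first_usable + 1023, 0,
                      "EFI system partition".encode("utf-16-le").ljust(72, b"\0"))
    table = esp + b"\0" * (entry_size * (n_entries - 1))
    hdr = struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0, 1, backup_lba,
                      first_usable, last_usable,
                      uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le,
                      entries_lba, n_entries, entry_size, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # fill header CRC
    image = bytearray(total_sectors * SECTOR)
    # Protective MBR: one type-0xEE partition spanning the disk, 0x55AA signature.
    image[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF,
                                 1, total_sectors - 1)
    image[510:512] = b"\x55\xaa"
    image[SECTOR:SECTOR + 92] = hdr
    image[entries_lba * SECTOR:entries_lba * SECTOR + len(table)] = table
    return bytes(image)


if __name__ == "__main__":
    gpt = parse_gpt(build_sample_image())
    for p in gpt["partitions"]:
        print(p["name"], p["type"], p["first_lba"], p["last_lba"])
```

Flipping a single byte anywhere in the header or the entry array makes parse_gpt() refuse the table, which is why bootkits that tamper with GPT structures must also recompute both CRCs; the same parser can be pointed at a real disk by reading its first few MiB into a bytes object.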