=Paper=
{{Paper
|id=Vol-2603/short12
|storemode=property
|title=Trusted Boot Mechanisms in Physical and Virtual Environments
|pdfUrl=https://ceur-ws.org/Vol-2603/short12.pdf
|volume=Vol-2603
|authors=Sergei Mironov,Valentin Tsirlov,Valery Baburin
}}
==Trusted Boot Mechanisms in Physical and Virtual Environments==
Copyright © 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0)
Trusted Boot Mechanisms in Physical and Virtual Environments

Sergei V. Mironov, Institute of Engineering Physics Training Center, Serpukhov, Russia, smironovs@yandex.ru
Valentin L. Tsirlov, Information Security Department, Bauman Moscow State Technical University, Moscow, Russia, v.tsirlov@bmstu.ru
Valery N. Baburin, Software Development Department, NPO Echelon, Moscow, Russia, mail@cnpo.ru
Abstract. This article discusses the safe boot of a computer's operating environment. The regulatory framework in the area of trusted boot of physical and virtual equipment is analyzed. The characteristics of three classes of trusted boot tools, at the level of the basic input/output system, of the expansion card and of the boot record, are discussed with examples. Special attention is paid to the difference between software and firmware modules of trusted boot. A scheme of trusted boot for a virtual infrastructure with type I and type II hypervisors is proposed and explained.

Key words: trusted boot, trusted boot tool, trust chain, basic input/output system, boot sector, master boot record, expansion card, rootkit, bootkit, virtual infrastructure, hypervisor.

I. INTRODUCTION

There is an opinion that intruders rarely choose the BIOS as a subsystem for infection because of the variety of manufacturers and the many versions of old basic input/output systems (BIOS). Experience shows, however, that the ongoing struggle between antivirus vendors and malware developers pushes intruders to write programs that are invisible to any program running in the operating system, and therefore to implement them at the firmware level [1, 2].

To protect against this kind of malicious software we must be sure that neither the BIOS, nor the boot loader, nor the operating system has been modified, and the steps that verify the authenticity of the programs that run from power-on until the OS is loaded must form an unbroken sequence. In other words, control should not be handed to the next firmware component before we have made sure that its code has not been modified. Tools that implement this sequential verification of the booted code are said to provide a trusted boot [3].

II. CLASSIC BOOT SEQUENCE

The "classic" hardware boot sequence is discussed here for a better understanding of trusted boot.

The BIOS is located in a ROM chip on the motherboard (this chip is often called the ROM BIOS) and is stored in packed form. Immediately after power-on, the unpacked BIOS boot block initializes the chipset and unpacks the main part of the BIOS into a special area of RAM (shadow memory). Next, the BIOS tests the system to verify that it is operational (the POST procedures). After the self-test is complete, the part of the BIOS code that implements POST is removed from RAM. The main task of the part of the BIOS left in RAM is to find the active boot device.

The standard Bootstrap Loader procedure, activated by the INT 19h interrupt, selects the Initial Program Loader (IPL) device: a block device that supports reading sectors. The list of bootable devices is stored in the computer's non-volatile memory (CMOS), and the order in which the list is examined is one of the adjustable BIOS Setup parameters. The procedure tries to load the very first sector of each device into RAM, and if the loader signature AA55h is present at address 0000:7DFEh (the last two bytes of the sector), control is transferred to the sector at address 0000:7C00h. The first sector (head 0, cylinder 0, sector 1) of the drive being booted from contains the loader, which loads the OS or its kernel. If the boot is performed from a hard disk, this sector holds the master boot record (MBR). It is likewise loaded at 0000:7C00h, and if the AA55h signature is at the end of the sector, control is transferred to its beginning. The master boot loader copies its code and partition table to address 0000:0600h and continues execution from the new location. The task of the master loader is to find the active partition, load its first sector (the volume boot record) into memory at 0000:7C00h and transfer control to it, provided that it too carries the boot loader signature.

Expansion cards installed in expansion slots may carry an additional ROM BIOS (an option, or expansion, ROM). Such ROMs are used by EGA/VGA/SVGA graphics adapters, hard disk controllers, SCSI controllers, network adapters with remote boot and other peripherals. The area C8000h ÷ F4000h of the memory space is reserved for these modules. At the final stage of its execution (after the interrupt vectors have been pointed at the BIOS's own handlers), POST scans this area for additional BIOS modules. An additional BIOS module must have a header aligned on a 2 KB boundary, which contains the module start signature (AA55h, i.e. the bytes 55h AAh), its length in 512-byte blocks, the entry point of the initialization procedure (which returns with a far return, RETF), a pointer to the PCI data structure and a pointer to the extended header structure of ISA PnP cards; the bytes of the module, summed modulo 256, must give zero. The initialization procedure overrides interrupt vectors serviced by the BIOS, including INT 19h (Bootstrap), which allows the module to take over the boot, for example to boot from the local network.
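The option ROM scan that POST performs, as an added example (not code from the paper or from any product it names): it walks a constructed 16 KB image of the expansion ROM area at 2 KB steps, accepts a module only when the 55h AAh signature, the length byte and the 8-bit checksum agree, and reads the pointer to the PCI data structure. The three modules in the image, the "PCIR" lookup and the deliberately corrupted module are all constructed here; a real BIOS would additionally far-call each accepted module's initialization entry point, which is where a network boot ROM or a trusted boot module takes over INT 19h.

```c
/* Added example, not from the paper: a POST-style option ROM scan over a
 * constructed in-memory "ROM area".  Offsets are relative to the area, not
 * real C8000h addresses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPROM_SIG0      0x55    /* header bytes 0..1 are 55h AAh (word AA55h) */
#define OPROM_SIG1      0xAA
#define OPROM_ALIGN     2048    /* headers sit on 2 KB boundaries */
#define OPROM_BLOCK     512     /* byte 2 = module length in 512-byte blocks */
#define OPROM_INIT_OFF  0x03    /* initialization entry point, ends with RETF */
#define OPROM_PCIR_OFF  0x18    /* word: offset of the "PCIR" data structure */

struct oprom_info {
    size_t   base;    /* offset of the header inside the scanned area */
    size_t   length;  /* module length in bytes */
    uint16_t pcir;    /* offset of the PCI data structure, 0 if absent */
};

/* All bytes of the module (per its length byte) must sum to zero mod 256. */
static int oprom_checksum_ok(const uint8_t *rom, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + rom[i]);
    return sum == 0;
}

/* Walk the area at 2 KB steps; accept a module only if signature, length and
 * checksum are consistent.  Returns the number of accepted modules. */
size_t oprom_scan(const uint8_t *area, size_t area_len,
                  struct oprom_info *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off + 3 <= area_len; off += OPROM_ALIGN) {
        if (area[off] != OPROM_SIG0 || area[off + 1] != OPROM_SIG1)
            continue;
        size_t len = (size_t)area[off + 2] * OPROM_BLOCK;
        if (len == 0 || off + len > area_len)
            continue;                       /* runs past the area: reject */
        if (!oprom_checksum_ok(area + off, len))
            continue;                       /* corrupted or tampered: reject */
        if (found < max_out) {
            out[found].base = off;
            out[found].length = len;
            out[found].pcir = 0;
            if (len >= OPROM_PCIR_OFF + 2) {
                uint16_t p = (uint16_t)(area[off + OPROM_PCIR_OFF] |
                                        area[off + OPROM_PCIR_OFF + 1] << 8);
                if ((size_t)p + 4 <= len && memcmp(area + off + p, "PCIR", 4) == 0)
                    out[found].pcir = p;
            }
        }
        found++;
    }
    return found;
}

/* Build a constructed module at dst: header, optional PCIR structure, then
 * fix the last byte so the 8-bit sum is zero. */
static void make_module(uint8_t *dst, uint8_t blocks, int with_pcir)
{
    size_t len = (size_t)blocks * OPROM_BLOCK;
    memset(dst, 0, len);
    dst[0] = OPROM_SIG0; dst[1] = OPROM_SIG1; dst[2] = blocks;
    dst[OPROM_INIT_OFF] = 0xCB;             /* RETF: init routine that just returns */
    if (with_pcir) {
        dst[OPROM_PCIR_OFF] = 0x40; dst[OPROM_PCIR_OFF + 1] = 0x00;
        memcpy(dst + 0x40, "PCIR", 4);
    }
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < len; i++) sum = (uint8_t)(sum + dst[i]);
    dst[len - 1] = (uint8_t)(0x100 - sum);
}

/* Constructed 16 KB area: a valid 2-block PCI module at 0, a 3-block module
 * at 4 KB whose body was altered after the checksum was fixed (rejected), and
 * a valid 1-block module at 8 KB.  Returns what POST would initialize. */
size_t demo_scan(struct oprom_info *out, size_t max_out)
{
    static uint8_t area[16 * 1024];
    memset(area, 0xFF, sizeof area);        /* unprogrammed flash reads as FFh */
    make_module(area + 0, 2, 1);
    make_module(area + 4096, 3, 0);
    area[4096 + 0x10] ^= 0x5A;              /* simulate a modified module body */
    make_module(area + 8192, 1, 0);
    return oprom_scan(area, sizeof area, out, max_out);
}

int main(void)
{
    struct oprom_info info[8];
    size_t n = demo_scan(info, 8);
    for (size_t i = 0; i < n; i++)
        printf("module at +%05zXh, %zu bytes, PCIR %s\n",
               info[i].base, info[i].length, info[i].pcir ? "present" : "absent");
    return 0;
}
```

The rejected module shows the limit of this check: the checksum only detects accidental corruption, since anyone able to rewrite the ROM can also fix the checksum byte. That is why the trusted boot tools discussed later compare firmware and boot code against a stored reference rather than relying on the header checksum.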
III. INVISIBLE TO ANTIVIRUS: ROOTKITS AND BOOTKITS

What can happen if malicious software interferes with the boot sequence described above?

The first attempts to introduce malicious code into firmware became widely known in 1999 with the CIH virus, also called Chernobyl. Its effect on the BIOS was destructive: the hardware did not boot at all, which can hardly be called a successful implantation.

In 2006 a prototype rootkit called IceLord appeared; it infected the BIOS "correctly", in the sense that the hardware kept working after the infection. In 2011 the working rootkit Mebromi, capable of modifying the BIOS, became known. Mebromi hides from traditional antivirus products and cannot be removed even by replacing the hard disk.

According to the threat and trend reports of several companies over the past years [1], bootkits have become one of the key technical trends.

A bootkit has something in common with a boot virus, but it contains components that are introduced into the operating system before the OS is loaded. At the initial stage of its work the bootkit replaces the original loader and waits for the computer to restart. The main task of the bootkit is to intercept the INT 13h interrupt, through which the files of the operating system are read from disk into memory, in order to substitute its own components for operating system files. As a result, the bootkit goes unnoticed by any application running in the modified OS [4].

It should be noted, however, that in modern computers the BIOS has been replaced by UEFI (Unified Extensible Firmware Interface). This new set of specifications was developed to replace the BIOS because of its significant limitations, which held back the development of computing systems. A key feature of UEFI is the Secure Boot mechanism, which verifies the loaded OS components cryptographically: their digital signatures are checked against the public keys (the platform key, the key exchange keys and the signature database) stored in the motherboard's firmware variable store.

The appearance of a well-unified UEFI simplified the development of both legitimate and malicious software. At the end of 2014, at the 31st Chaos Communication Congress (31C3), Rafal Wojtczuk and Corey Kallenberg demonstrated attacks on UEFI, among them Speed Racer, which exploits a race condition in the implementation of the flash write protection. Among the vulnerable hardware platforms were Dell Latitude and HP EliteBook laptops [3, 4].

In July 2015, after the scandalous leak of the source code of spyware developed by the Italian company Hacking Team, the first UEFI rootkit became known. Hacking Team's employees had developed the malware specifically for Insyde, a UEFI vendor whose firmware is very popular in laptops, but the software also worked on platforms with AMI firmware. Its peculiarity, as with the Mebromi rootkit, is that reinstalling the OS, formatting the hard disk or even replacing it will not rid the computer of it [5].

Thus we see that malicious software develops quite dynamically, so Secure Boot should be regarded only as one possible measure within a whole complex of mechanisms that ensure a safe boot, not as a panacea. Trusted boot tools should be another such mechanism.

IV. TRUSTED BOOT OF PHYSICAL ENVIRONMENTS

So what is a trusted boot and how does it help to counter malicious actions?

According to the requirements of measure UPD.17 in the FSTEC of Russia orders No. 17 of 11.02.2013, No. 21 of 18.02.2013 and No. 31 of 14.03.2014, trusted boot shall ensure:
• blocking of attempts to boot an unauthorized operating system (environment), or unavailability of information resources for reading or modification if an unauthorized operating system is booted;
• control of user access to the operating system boot process;
• integrity control of the software and hardware components of the computer.

The "Requirements for trusted boot tools" were approved by FSTEC of Russia order No. 119 of 27.09.2013; according to them this class of tools is divided into three types [6, 7]:
• trusted boot tools of the basic input/output system level;
• trusted boot tools of the expansion board level;
• trusted boot tools of the boot record level.

The first group, the BIOS-level tools, are usually multi-component software tools, one module of which is built directly into the motherboard firmware. Examples are "MDZ-Eshelon" by CJSC "NPO Echelon" and "Altell Trust" by Altell. Such tools do not require PCI/PCI-E boards, which simplifies and speeds up the commissioning of the information security system (ISS).

Trusted boot tools of the expansion board level are always combined hardware and software products. This is the broadest segment of the trusted boot market. Examples are the hardware-software complex (PAC) "Sobol" by the company "Kod bezopasnosty", the "Accord-AMDZ" hardware module, "Maksim-M1" by NPO RusBITeh and others.

Finally, the operation of boot record level trusted boot tools is based on modifying the boot sectors of the logical partitions of hard disks. The contents of the boot sectors are encrypted, which hides the information about the logical partitions in the event of an unauthorized boot. An example is "Trusted Boot Loader" by the company "Kod bezopasnosty".

It should also be noted that the mandatory reinforcements 1 (for the second class/security level of personal data information systems, ISPD) and 2 (for the first class/security level of ISPD) of measure UPD.17 require trusted boot tools of the BIOS or expansion board level; that is, trusted boot tools of the boot record level alone are insufficient for these classes/security levels.
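The MBR checks from Section II and the integrity control that the measures above require of a trusted boot tool, as an added example that is not part of the paper and does not reproduce any of the products named: it checks the AA55h signature at offset 1FEh, locates the single active partition in the table at offset 1BEh the way the relocated MBR code does, and then lets the boot proceed only when the sector's digest equals a stored reference. The sample sector, the reference value and the tbt_allow_boot gate are constructed for the example, and the 64-bit FNV-1a digest is a stand-in for the cryptographic hash a real tool would use.

```c
/* Added example, not from the paper: checks a legacy boot path, and a trusted
 * boot tool holding INT 19h, can apply to a master boot record before handing
 * it control.  The sector is constructed; the reference digest would in
 * practice live in the tool's own protected non-volatile memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE     512
#define MBR_SIG_OFF     0x1FE   /* 55h AAh; this is 0000:7DFEh once loaded at 0000:7C00h */
#define MBR_PTABLE_OFF  0x1BE   /* four 16-byte partition entries */
#define MBR_PTABLE_N    4
#define PART_ACTIVE     0x80    /* boot indicator in byte 0 of an entry */

struct part_entry {
    uint8_t  boot_ind;
    uint8_t  chs_start[3];
    uint8_t  type;
    uint8_t  chs_end[3];
    uint32_t lba_start;
    uint32_t sectors;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The signature test the BIOS bootstrap (INT 19h) performs on the first sector. */
int mbr_has_signature(const uint8_t *sec)
{
    return sec[MBR_SIG_OFF] == 0x55 && sec[MBR_SIG_OFF + 1] == 0xAA;
}

/* What the relocated MBR code (at 0000:0600h) does: find exactly one active
 * partition.  A boot indicator other than 00h/80h, or two active entries,
 * means an invalid table.  Returns the entry index, or -1. */
int mbr_find_active(const uint8_t *sec, struct part_entry *out)
{
    int active = -1;
    for (int i = 0; i < MBR_PTABLE_N; i++) {
        const uint8_t *e = sec + MBR_PTABLE_OFF + 16 * i;
        if (e[0] != 0x00 && e[0] != PART_ACTIVE)
            return -1;
        if (e[0] == PART_ACTIVE) {
            if (active >= 0)
                return -1;
            active = i;
            if (out) {
                out->boot_ind = e[0]; memcpy(out->chs_start, e + 1, 3);
                out->type = e[4];     memcpy(out->chs_end, e + 5, 3);
                out->lba_start = le32(e + 8);
                out->sectors = le32(e + 12);
            }
        }
    }
    return active;
}

/* 64-bit FNV-1a over the whole sector.  Stand-in for the cryptographic hash
 * (e.g. GOST R 34.11 or SHA-256) a real tool uses; FNV is not collision resistant. */
uint64_t sector_digest(const uint8_t *sec)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < SECTOR_SIZE; i++) {
        h ^= sec[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Trusted boot gate (constructed name): pass control to 0000:7C00h only if the
 * sector carries the signature, has a sane partition table and matches the
 * stored reference digest.  The digest check is what catches a bootkit that
 * leaves the signature and the table intact but patches the loader code. */
int tbt_allow_boot(const uint8_t *sec, uint64_t reference)
{
    return mbr_has_signature(sec) && mbr_find_active(sec, NULL) >= 0 &&
           sector_digest(sec) == reference;
}

/* Constructed MBR: empty boot code, one active type-83h partition starting at
 * LBA 2048 with 0x200000 sectors (1 GiB), valid signature. */
void make_sample_mbr(uint8_t *sec)
{
    memset(sec, 0, SECTOR_SIZE);
    uint8_t *e = sec + MBR_PTABLE_OFF;
    e[0] = PART_ACTIVE; e[4] = 0x83;
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;    /* 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x20; e[15] = 0x00;  /* 0x200000 */
    sec[MBR_SIG_OFF] = 0x55; sec[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void)
{
    uint8_t sec[SECTOR_SIZE];
    make_sample_mbr(sec);
    uint64_t ref = sector_digest(sec);          /* enrolled once, at installation */
    printf("clean sector: boot %s\n", tbt_allow_boot(sec, ref) ? "allowed" : "blocked");
    sec[0] = 0xEB;                              /* a bootkit patches the loader code */
    printf("patched sector: boot %s\n", tbt_allow_boot(sec, ref) ? "allowed" : "blocked");
    return 0;
}
```

The reference digest only has value if it is stored where the operating system, and hence a bootkit running inside it, cannot rewrite it (the tool's own controller memory for an expansion board, protected flash for a BIOS-level module), and if the comparison runs before any disk-resident code executes, which is exactly why these tools take over INT 19h rather than checking later.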
The choice among trusted boot tools deserves attention. There is an unfounded opinion on the Internet that "hardware modules of trusted boot have significant advantages over purely software tools" [8, 9]. Let us turn to the mechanism of operation of trusted boot tools (TBT) of the BIOS level and of the expansion board level, recalling the description of the boot sequence in the first part of this article. As mentioned above, when the POST procedures are completed the expansion module area is scanned for additional BIOS modules. At this stage both types of TBT gain control by redirecting the Bootstrap (INT 19h) vector to themselves. Once the TBT holds INT 19h, the trusted boot module receives control regardless of the boot device priority set in BIOS Setup. The only difference is where the TBT loader comes from: for the expansion board level it is the program written in the non-volatile memory of the controller (the board's option ROM), while for the BIOS level it is the module built into the BIOS firmware itself. Figure 1 shows the main stages of the computer boot; the arrow marks the point at which TBTs of both the BIOS level and the expansion board level start working.

Figure 1 ― Main stages of computer boot with BIOS firmware: Power on; BIOS unpacking to the RAM shadow area; Operability testing (POST); Initialization of additional modules in ROM; Search for signatures on boot devices; Initial boot loading (INT 19h); Loading of the boot sector; OS loading. The arrow marking the TBT entry point lies between the initialization of additional ROM modules and the INT 19h bootstrap.

According to the antivirus reports of several companies, bootkits increasingly attack mobile platforms. It can be predicted that the popularity of software trusted boot tools will only grow, because mobile platforms have no PCI slots.

V. TRUSTED BOOT OF VIRTUAL ENVIRONMENTS

It is no secret that placing users' workstations in virtualization systems is becoming more popular. This creates a single point for the control, provisioning and administration of workstations. Let us turn to the security of virtual environments and consider some typical actions of an intruder and the threats they lead to:
• unauthorized reading and modification of data processed by the computer aids (CA) threatens the integrity and confidentiality of the information processed in the automated system (AS);
• unauthorized modification of authentication information, namely substitution of certificates, password hashes and other key data, may result in new privileged accounts being added to the system or in existing ones being compromised;
• introduction of software implants (backdoors) and malicious software, in particular rootkits and bootkits designed to hide objects, control events in the system and collect data.

Thus, on the one hand, the hypervisor that performs the functions of a virtual machine monitor increases the service capabilities of the computer and reduces its operating costs. On the other hand, the hypervisor can covertly host a software implant with uncontrolled capabilities that threatens information security.

As evidence of this, the nature of the "thin hypervisor" threat with the imaginative name Blue Pill [10] is briefly discussed. The idea of Blue Pill is that a running instance of the operating system is captured (at OS start-up) by a "thin" hypervisor, which then virtualizes the rest of the computer. The operating system still retains its existing references to all devices and files, but almost everything, including hardware interrupts, data requests and even the system time, is intercepted by the hypervisor, which returns fake responses.

Because of virtual environment threats like those described above, the trusted boot requirement in the FSTEC orders mentioned above refers not only to physical equipment but also to the virtualization environment (protective measure ZSV.5):
• trusted boot of virtualization servers, virtual machines (containers) and virtualization control servers shall be provided in the information system in accordance with the protection measure "Provision of trusted boot of computer aids";
• trusted boot shall block attempts at unauthorized boot of the hypervisor and of the host and guest operating systems;
• trusted boot of hypervisors is provided by trusted boot tools that function on the virtualization servers;
• trusted boot of virtual machines (containers) is provided by multi-component trusted boot tools, individual components of which function in the hypervisors.

Let us consider the stages of a trusted boot of a virtual environment using a TBT of the BIOS level [3, 11]. In this case we have a type I hypervisor, which is installed directly on the virtualization server as system software. The BIOS-level trusted boot module can be installed on the platform before the hypervisor is installed, and this component (the one installed in the physical server's firmware chip) then controls the integrity of the hypervisor. A virtual trust module is built into the virtual BIOS of each virtual machine; its job is to control the integrity of the virtual equipment, the guest operating systems and the files within them.

In the case of a type II hypervisor, its integrity and the integrity of the host operating system are controlled by the trusted boot module built into the BIOS code of the virtualization server. The same trusted boot module, installed in the virtual machine instead of on the virtualization server, can perform the trusted boot of the virtual equipment and the guest operating systems.
VI. CONCLUSIONS

The variety of malicious software operating at the BIOS/UEFI level shows a serious need for protection against it. Moreover, an intruder can damage a system without using malicious software at all (for example, by booting from external media). The task of trusted boot tools is to admit only authorized users, control the integrity of partitions and files, and perform a trusted boot. Three types of trusted boot tools and a scheme of trusted boot of virtual environments using BIOS-level tools are discussed in the article.

Today most of the tools are combined hardware and software products. The average price of a hardware trusted boot module is tens of thousands of dollars. However, using a hardware card is not always possible: the necessary slot on the motherboard may be missing, or the board may be incompatible with the motherboard's BIOS version. Moreover, installing the hardware part on a large number of platforms takes significant time. These reasons, together with the growing number of threats to mobile platforms, suggest that trusted boot tools of the BIOS level will become more popular.

A number of patents have been obtained for the proposed information protection solutions, including protection in a virtualization environment, which confirms the novelty, practical value and soundness of the study.

REFERENCES

[1] Barabanov A.V., Grishin M.I., Kubarev A.V. Modelirovanie ugroz bezopasnosti informatsii, svyazannykh s funktsionirovaniem skrytykh vredonosnykh komp'yuternykh program [Modeling of information security threats related to the operation of hidden malicious computer programs]. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2014. N 4 (7). P. 41-48. (In Russ.)
[2] Vorobiev E.G., Petrenko S.A., Kovaleva I.V., Abrosimov I.K. Organization of the entrusted calculations in crucial objects of informatization under uncertainty. In: Proceedings of the 20th IEEE International Conference on Soft Computing and Measurements (24-26 May 2017, St. Petersburg, Russia). SCM 2017. 2017. P. 299-300. DOI: 10.1109/SCM.2017.7970566.
[3] Wojtczuk R., Kallenberg C. Attacking UEFI Boot Script. 2015. URL: https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf
[4] Kallenberg C., Wojtczuk R. Speed Racer: Exploiting an Intel Flash Protection Race Condition. Komposter 2.0. 2015. URL: http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition.pdf
[5] Lin P. Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. TrendLabs Security Intelligence Blog. 2015. URL: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems
[6] Barabanov A., Markov A. Modern trends in the regulatory framework of the information security compliance assessment in Russia based on Common Criteria. In: Proceedings of the 8th International Conference on Security of Information and Networks (SIN 2015). ACM International Conference Proceeding Series. 2015. P. 30-33. DOI: 10.1145/2799979.2799980.
[7] Barabanov A., Markov A., Tsirlov V. Procedure for Substantiated Development of Measures to Design Secure Software for Automated Process Control Systems. In: Proceedings of the 12th International Siberian Conference on Control and Communications (SIBCON 2016, Moscow, Russia, May 12-14, 2016). IEEE, 2016. Art. 7491660. P. 1-4. DOI: 10.1109/SIBCON.2016.7491660.
[8] Wojtczuk R., Rutkowska J. Attacking SMM Memory via Intel CPU Cache Poisoning. URL: http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf
[9] Hackers find a new place to hide rootkits. URL: http://www.infoworld.com/article/2653209/security/hackers-find-a-new-place-to-hide-rootkits.html
[10] Rutkowska J. Subverting Vista Kernel for Fun and Profit. Black Hat, 2006. 52 p.
[11] Avezova Ya.E., Fadin A.A. Voprosy obespecheniya doverennoy zagruzki v fizicheskikh i virtual'nykh sredakh [Issues of ensuring trusted boot in physical and virtual environments]. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2016. N 1 (14). P. 24-30. (In Russ.)