
Research on UEFI BIOS-Based Attack Methods

Published: 2018-04-03 11:56

  Topic: UEFI attack methods. Entry point: security risks. Source: Beijing University of Technology, master's thesis, 2014


[Abstract]: Security vulnerabilities in the firmware layer have become one of the major threats facing the information security industry. Attacks that exploit them are inherently hard to remove, hard to detect, and highly destructive. Studying firmware-layer attacks therefore provides strong support for computer security from the lowest layer, and has significant practical and research value.

BIOS is an indispensable firmware program in the firmware layer. It is the first program executed after a computer starts, and it provides the lowest-level, most direct control of the hardware. UEFI is the new generation of BIOS standard and defines the interface specification between the operating system and the firmware of the hardware platform. Its arrival changed the traditional BIOS boot process, solved problems such as the difficulty of extending traditional BIOS, and gave users a convenient low-level development environment, but it has also inevitably introduced some security risks. Research on UEFI has become a hot topic in the information security field.

This thesis studies UEFI-based attack methods. It analyzes the overall architecture of UEFI and its security, and examines several typical existing firmware-layer attacks. Starting from two angles, the security risks in UEFI itself and the security risks in the UEFI boot process, it proposes two different attack methods: attacking storage devices through UEFI, and hijacking the operating system kernel through UEFI.

The core idea of the storage device attack is that storage devices are initialized within UEFI, and UEFI provides data access interfaces to them, so a user can operate on storage devices without entering the operating system. In addition, UEFI Option ROM is extensible: users can flash Option ROM image files according to their own needs, which also gives attackers an opportunity to exploit. Accordingly, when the BDS phase enumerates PCI devices and loads the Option ROM, a function that operates on the storage device is registered, and the attack on the storage device is carried out when a specific protocol is installed. The attack is implemented in three modules: UEFI file operations, Option ROM protocol dependency, and ROM file generation. The thesis also verifies this attack experimentally, showing that it is feasible.

The core idea of the kernel hijacking attack rests on the weakness that the UEFI boot process does not verify boot components. By tampering with the boot path of the OS Loader, the attack loads a malicious program and hooks the function that exits boot services, so that after the operating system starts, the kernel is hijacked and the operating system boot files are infected. Taking Windows 7 as an example, the thesis analyzes the format of the UEFI OS Loader and its image file, studies hooking techniques and parasitic infection methods, and finally designs and implements an EFI partition location module and a kernel hijacking module to carry out the UEFI-based kernel hijacking attack.
[Degree-granting institution]: Beijing University of Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08


Article ID: 1705107


Article link: http://sikaile.net/guanlilunwen/ydhl/1705107.html

