UnivIS
Information system of the Friedrich-Alexander-Universität Erlangen-Nürnberg © Config eG

Forensic BIOS/UEFI

Type of work:
Bachelor Thesis
Supervisor:
Latzo, Tobias
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)
Phone +49 9131 85 69911, Fax +49 9131 85 69919, E-mail: tobias.latzo@fau.de
Description of the work:
The System Management Mode (SMM) [1] is the most privileged operating mode of an x86 CPU. It is often referred to as ring -2, i.e., it has more privileges than the kernel (ring 0) or the hypervisor (ring -1). Normally, SMM is used for power management (e.g., fan control or sleep states), memory error handling, emulating non-existent hardware, and similar tasks. However, past experience has shown that it can be abused for malicious purposes [2, 3, 4]. Conversely, the power of SMM could also be leveraged for incident response, i.e., as a reliable memory dumper. The SMM code is installed by the BIOS/UEFI; afterwards it should be locked so that the SMM code cannot be tampered with from the kernel.
The goal of this work is to extend TianoCore [5] (an open-source implementation of UEFI) with a forensic component. That forensic component is to be used to set up and configure an SMM memory dumper.
[1] http://wiki.osdev.org/System_Management_Mode
[2] http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html
[3] https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation.pdf
[4] https://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-presentation.pdf
[5] http://www.tianocore.org/
Required lectures or prior knowledge:
Interest in low-level programming on x86. Basic knowledge of the BIOS/UEFI. Willingness to work within existing code projects such as the Linux kernel.
Keywords:
Forensics
Status:
The thesis has already been completed.

UnivIS is a product of Config eG, Buckenhof