BIOS Chronomancy: Fixing the Core Root of Trust for Measurement

Abstract

In this paper we look at the implementation of the Core Root of Trust for Measurement (CRTM) from a Dell Latitude E6400 laptop. We describe how the implementation of the CRTM on this system doesn't meet the requirements set forth by either the Trusted Platform Module (TPM) PC client specification [12] or NIST 800-155 [20] guidance. We show how novel tick malware, a 51 byte patch to the CRTM, can replay a forged measurement to the TPM, falsely indicating that the BIOS is pristine. This attack is broadly applicable, because all CRTMs we have seen to date are rooted in mutable firmware. We also show how flea malware can survive attempts to reflash infected firmware with a clean image. To fix the untrustworthy CRTM we ported an open source "TPM-timing-based attestation" implementation [17] from running in the Windows kernel to running in an OEM's BIOS and SMRAM. This created a new, stronger CRTM that detects tick, flea, and other malware embedded in the BIOS. We call our system "BIOS Chronomancy", and we will show that it works in a real vendor BIOS, with all the associated complexity, rather than in a simplified research environment.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2013
Accession Number
AD1107242

Entities

People

  • Amy Herzog
  • Corey Kallenberg
  • John Butterworth
  • Xeno Kovah

Organizations

  • MITRE Corporation

Tags

DTIC Thesaurus Topics

  • Accumulators
  • Change Detection
  • Computer Access Control
  • Computer Programming
  • Computers
  • Construction
  • Corporations
  • Detection
  • Environment
  • Firmware
  • Guidance
  • Instructions
  • Intrusion Detection
  • Iterations
  • Latitude
  • Malware
  • Measurement
  • Operating Systems
  • Platforms
  • Rootkit
  • Security
  • Specifications

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Educational Psychology
  • Parallel and Distributed Computing

Technology Areas

  • Cyber