Securing UEFI: An Underpinning Technology for Computing

Abstract

Each time you boot up your computer, software called firmware wakes up your computer, and often it remains active in the background, silently supporting the functions of the operating system. Originally, this software, known as the Basic Input/Output System (BIOS), contained a small amount of code without much more responsibility than to ensure that the operating system started up properly. Over decades, this firmware has grown in capability, size, and complexity. Many functions that used to be implemented either directly in hardware or in the operating system are now increasingly implemented in this critical layer of software. Most modern desktops and servers have firmware based on a standard known as the Unified Extensible Firmware Interface (UEFI), which replaces BIOS. A typical UEFI-based firmware is composed of software components from several suppliers, often including code from open-source projects, all knit together by an original equipment manufacturer (OEM), such as a laptop manufacturer. These software components are primarily written in low-level programming languages like C that facilitate direct access to the hardware and physical memory. These software components require high-privilege access to the central processing unit (CPU). The Chain of Trust model in the UEFI standard is designed to enable secure cryptographic verification of these components, establishing assurances that only trusted software is executed during the early boot cycle [Wilkins 2016]. Even after the boot cycle is complete, UEFI still provides an interface to the operating system to enable configuration changes or software updates to the firmware. Unlike the operating system, UEFI software remains invisible to most of us, despite its critical role in the functioning of a modern system. Because of its criticality and invisibility, vulnerabilities in UEFI-related software pose high risks to system security.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
May 01, 2023
Accession Number
AD1202697

Entities

People

  • Vijay Sarvepalli

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Central Processing Units
  • Computer Programming
  • Computer Programs
  • Computers
  • Department Of Homeland Security
  • Engineering
  • Environment
  • Failure Mode And Effect Analysis
  • Firmware
  • Governments
  • Guarantees
  • Homeland Security
  • Information Security
  • Instruction Set Architecture
  • Materials
  • Operating Systems
  • Programming Languages
  • Security
  • Software Development
  • Standards
  • Supply Chain
  • Universities

Fields of Study

  • Computer science

Readers

  • Computer Science/Computer Engineering/Data Science/Digital Signal Processing.
  • Cybersecurity.
  • Database Systems and Applications