As security defenses have advanced and become more adaptive in the last decade, malware authors and attackers have had to respond, looking for new ways to get their malicious software onto PCs or exploit previously unknown vulnerabilities. One target is the system BIOS, the low-level instruction set that loads when the computer boots, and now the U.S. government has released some draft specifications for helping to secure BIOS implementations.

As security defenses have advanced and become more adaptive in the last decade, malware authors and attackers have had to respond, looking for new ways to get their malicious software onto PCs or exploit previously unknown vulnerabilities. One target is the system BIOS, the low-level instruction set that loads when the computer boots, and now the U.S. government has released some draft specifications for helping to secure BIOS implementations.

The idea behind BIOS attacks is to get malicious code onto the lowest level of the machine’s instruction set as possible so that it will evade detection. Some of the attack methods that researchers have unveiled in recent years have shown that malware can persist on a machine even after reboots and fresh operating system installation. In 2009, researchers from Core Security demonstrated a method that enabled them to get malicious code onto a machine by patching the BIOS, and their code would survive attempts to re-flash the BIOS.

The new draft guidelines from the National Institute of Standards and Technology, a federal agency that develops standards for a number of applications, including encryption and security certifications, lay out some recommended methods and practical steps that organizations can take to prevent malicious modifications of the BIOS on their machines. NIST’s guidelines say that while known threats to BIOS implementations are scarce, that doesn’t mean that they should be ignored.

“One of the most difficult threats to prevent is a user-initiated installation of a malicious system BIOS. User-initiated BIOS update utilities are often the primary method for updating the system BIOS. The guidelines included in this document will not prevent users from installing unapproved BIOS images if they have physical access to the computer system. As with supply chain threats, security processes may be able to detect and remediate the unapproved system BIOS, such as initiating a recovery process to restore to an approved BIOS,” an early draft of the guidelines say.

“Malware could leverage weak BIOS security controls or exploit vulnerabilities in the system BIOS itself to reflash or modify the system BIOS. General-purpose malicious software is unlikely to include this functionality, but a targeted attack on an organization could be directed towards an organization’s standard system BIOS. The malicious BIOS can be delivered to the system either over a network, or using media. The guidelines presented in this document are designed to prevent these kinds of attack.”

NIST identifies four key security properties of BIOS:

• Authenticated BIOS update mechanisms, where digital signatures prevent the installation of BIOS update images that are not authentic.

• An optional secure local update mechanism, which requires that an administrator be physically present at the machine in order to install BIOS images without authentication.

• Firmware integrity protections, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.

• Non-bypassability features, to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the BIOS protections.

As NIST’s guidelines point out, BIOS attacks could be a key method for attackers in the coming years.

“Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service or a persistent malware presence,” the draft says.