What Component Of UEFI Helps To Prevent Malware?
UEFI, or Unified Extensible Firmware Interface, is a type of firmware that boots a system. It is designed for x86, x64, and ARM platforms.
Secure Boot is the component of UEFI that helps to prevent malware. It’s defined by the UEFI Forum and implemented by different vendors like Apple, Dell, HP, etc. UEFI consists of various specifications divided into versions, i.e., UEFI 1.0 to 2.3 (latest). Vendor implementations may vary from one another, but the core remains the same throughout.
Various Security Features Of UEFI
UEFI contains various security features which help in preventing, detecting, and recovering from malicious attacks. These features are listed below.
Secure Boot is a process in the UEFI specifications that ensures only trusted software is loaded while the system boots. This prevents malware or viruses from infecting the boot environment, because they are prevented from running during boot. The UEFI Forum maintains a directory containing digital certificates of different software vendors, which is available at http://UEFIdk.intel.com/
UEFI 2.0 Section 27 contains a secure API for access by EFI drivers and applications. This API helps prevent malware from manipulating or deleting itself after installation, as it prevents the manipulation of executable code in UEFI storage space.
Windows 8 implements this API to prevent self-deletion by its anti-malware program, i.e., Windows Defender (http://www.microsoft.com/en-in/windowsforbusiness/windows-10-enterprise). This also prevents a rootkit from installing itself back after omission or a change in the boot order.
UEFI 2.3 Section 16 deals with BIOS Lockdown. This feature prevents any modification of the UEFI/BIOS by unauthorized people who do not have access to it through authenticated channels, i.e., USB, Ethernet, etc.
Components Of UEFI
UEFI consists of various components, which are listed below:
It holds the entire boot firmware code and data used by UEFI for initialization purposes.
- Boot Services Code
It acts as a bridge between EfiRom and platform firmware. It’s a C++ library that provides an interface to the UEFI driver stack, includes configuration options, and facilitates reading/writing to EfiRom.
- Platform Initialization Manager (PIM)
PIM provides the information required for initializing runtime services, i.e., memory map, etc.
- Runtime Drivers
Runtime drivers include service protocols, like the device interface-based protocol for mass storage devices such as flash drives, network controllers, etc. User-mode applications can communicate with drivers that use standard interfaces, like network controller <> PnP (Plug and Play) compatible driver.
- Boot Services
It’s a user-mode program that executes after booting the system and provides an interface for applications to interact with UEFI components. It determines if the OS is running in UEFI or non-UEFI mode, enumerates devices connected to the PC, etc.
Drivers provide the required functionality for device operation under different environments, i.e., mass storage or display drivers. These are loaded by boot services as directed by EfiRom.
Applications are user-mode executables that interact with UEFI components. These are loaded by boot services as directed by EfiRom. These execute in compatibility mode (ring3 <> ring0) due to granular control over privilege levels provided by UEFI architecture.
How Components Of UEFI Help To Prevent Malware
Malware usually needs low-level access to exploit the system. However, due to the granular control over privilege levels provided by the UEFI architecture, malicious code is prevented from executing. This also prevents rootkit installation, as rootkits cannot modify executable code in UEFI storage space.
It enforces the authenticity and integrity of code and data by enforcing code and data signatures at runtime to protect against malicious modifications.
UEFI helps prevent malware in the following ways:
1) Secure Boot
Secure Boot is a process in the UEFI specifications that ensures only trusted software is loaded while the system boots. This prevents malware or viruses from infecting the boot environment, because they are prevented from running during boot. It helps in recognizing any malware or virus in the boot environment by verifying the digital certificate against the one present in the directory maintained by the UEFI Forum.
2) Measured Boot
Measured boot is initiated by UEFI. It involves generating a hash value for each software component executed during the boot process and then comparing it with the hash value stored for that component. This prevents unauthorized changes to these components, as the hash value for a particular component will not match if it has been altered or tampered with.
3) TPM (Trusted Platform Module)
TPM is a physical chip on the motherboard, providing a security process for crucial storage, authentication, and encryption. This restricts the use of PCs to only authorized entities who have cryptographic keys stored on the TPM chip. This prevents unauthorized usage by ensuring that the system is running under the control of licensed entities.
4) Secure Shutdown
UEFI specification provides a secure shutdown process that ensures that all the data in volatile storage, i.e., RAM, is flushed to non-volatile storage, i.e., BIOS flash chip, before initiating a shutdown. This prevents any malware present in system memory from persisting even after reboot.
5) Protected Audio And Video Path
The UEFI specification provides for a protected audio and video path, where audio and video components are installed in protected storage space. Audio/video drivers cannot write to audio/video components present in protected storage, as writes are subject to a signature check, i.e., these paths can be written only by those audio and video components which have matching digital certificates stored against them. This prevents malware or viruses from making unauthorized changes to path components and altering these paths to inject a rootkit into the system.
6) System Recovery
The system can be recovered via UEFI boot manager or firmware interface, i.e., BIOS boot services. The recovery process involves loading a fresh copy of the OS separate from the OS installed on other storage devices/partitions (which prevents the virus from spreading across different divisions).
7) Trusted Boot
UEFI specification provides a trusted boot process that protects pre-OS components against malware/virus by verifying digital certificate/hashes of pre-OS components at boot time. This prevents malware from infecting the system before OS loads.
8) Secure Update
A secure update is a process by which updates to UEFI firmware are signed with a cryptographic key and verified by UEFI before installation. This prevents unauthorized changes to firmware for malicious purposes.
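The hash comparison described under Measured Boot (item 2) can be made concrete with the way a TPM (item 3) accumulates measurements: each component's SHA-256 digest is folded into a Platform Configuration Register by an extend operation. This is an added example that goes slightly beyond the text, not code from this page; the component names and contents are constructed stand-ins.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_chain(components):
    """Hash each boot component in order and fold it into one PCR value."""
    pcr = bytes(32)                      # PCR is 32 zero bytes after reset
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))       # event log entry kept beside the PCR
        pcr = extend(pcr, digest)
    return pcr, log

def verify(log, reported_pcr, reference):
    """Replay the event log, then compare entries with known-good digests.

    Returns (log matches the PCR, names of components whose hash changed)."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    changed = [name for name, digest in log if reference.get(name) != digest]
    return pcr == reported_pcr, changed

# Constructed boot components standing in for firmware, bootloader and kernel.
GOOD = [("firmware", b"fw-v1"), ("bootloader", b"loader-v1"),
        ("kernel", b"kernel-v1")]
TAMPERED = [("firmware", b"fw-v1"), ("bootloader", b"loader-v1-modified"),
            ("kernel", b"kernel-v1")]

def demo():
    good_pcr, good_log = measure_chain(GOOD)
    reference = dict(good_log)           # digests recorded at provisioning time
    bad_pcr, bad_log = measure_chain(TAMPERED)
    return {
        "clean": verify(good_log, good_pcr, reference),
        "tampered": verify(bad_log, bad_pcr, reference),
        # A log edited to look clean no longer replays to the reported PCR.
        "forged_log": verify(good_log, bad_pcr, reference),
        "pcr_differs": good_pcr != bad_pcr,
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Because every extend depends on the previous value, a change to any one component alters the final PCR, and the per-component digests in the log show which one changed.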
The UEFI specs describe an interface between platform firmware and an OS. The interface data is in the form of tables and contains boot and runtime service calls and platform-related information available to the OS and OS loader. The primary purpose of the UEFI specs is to define an alternative boot environment that reduces these considerations.