BootKeeper: Validating Software Integrity Properties on Boot Firmware Images
This addresses security vulnerabilities in boot firmware for computer systems, offering a solution to ensure integrity, though it appears incremental as it builds on existing static analysis methods.
The paper tackles the problem of attackers bypassing measured boot mechanisms in boot firmware by introducing BootKeeper, a static analysis approach that verifies key security properties on firmware images before deployment, and demonstrates its applicability against several attacks on common implementations.
Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware's loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.