View The Document

Accession Number:

AD1202697

Title:

Securing UEFI: An Underpinning Technology for Computing

Author(s):

• Sarvepalli, Vijay

Author Organization(s):

• CARNEGIE-MELLON UNIV PITTSBURGH PA

Report Date:

2023-05-01

Abstract:

Each time you boot up your computer, software called firmware wakes up your computer, and often it remains active in the background, silently supporting the functions of the operating system. Originally, this software, known as the Basic Input/Output System (BIOS), contained a small amount of code without much more responsibility than to ensure that the operating system started up properly. Over decades, this firmware has grown in capability, size, and complexity. Many functions that used to be implemented either directly in hardware or in the operating system are now increasingly implemented in this critical layer of software. Most modern desktops and servers have firmware based on a standard known as the Unified Extensible Firmware Interface (UEFI), which replaces BIOS. A typical UEFI-based firmware is composed of software components from several suppliers, often including code from open-source projects, all knit together by an original equipment manufacturer (OEM), such as a laptop manufacturer. These software components are primarily written in low-level programming languages like C that facilitate direct access to the hardware and physical memory. These software components require high-privilege access to the central processing unit (CPU). The Chain of Trust model in the UEFI standard is designed to enable secure cryptographic verification of these components, establishing assurances that only trusted software is executed during the early boot cycle [Wilkins 2016]. Even after the boot cycle is complete, UEFI still provides an interface to the operating system to enable configuration changes or software updates to the firmware. Unlike the operating system, UEFI software remains invisible to most of us, despite its critical role in the functioning of a modern system. Because of its criticality and invisibility, vulnerabilities in UEFI-related software pose high risks to system security.

Document Type:

Conference:

Journal:

Pages:

15

File Size:

0.32MB

Contracts:

Grants:

Descriptors:

• computer programming
• operating systems
• software development
• information security
• instruction set architecture
• computer programs
• central processing units
• computers
• department of homeland security
• failure mode and effect analysis
• supply chain
• engineering
• firmware
• security
• standards
• guarantees
• environment

Identifiers:

• uefi (Unified Extensible Firmware Interface)
• Memory management
• UEFI programming
• root of trust
• DBX (Forbidden Signature Database)
• UEFI Revocation List
• Supply chain confusion
• patching

SubjectCategory:

• Mathematical and Computer Sciences
• Mathematical and Computer Sciences

Communities of Interest:

• Cyber

Distribution Statement:

Approved For Public Release

View The Document