Apr 9, 2012

Basic Input/Output System (BIOS)

Basic input/output system (BIOS), also known as the System BIOS or ROM BIOS, is a de facto standard defining a firmware interface. The name originated in earlier computers running CP/M and other operating systems, where the BIOS was loaded from disc rather than stored as firmware (EPROMs were not yet available).
The BIOS software is built into the PC, and is the first code run by a PC when powered on ('boot firmware'). When the PC starts up, the first job for the BIOS is the power-on self-test, which initializes and identifies system devices such as the CPU, RAM, video display card, keyboard and mouse, hard disk drive, optical disc drive and other hardware. The BIOS then locates boot loader software held on a peripheral device (designated as a 'boot device'), such as a hard disk or a CD/DVD, and loads and executes that software, giving it control of the PC. This process is known as booting, or booting up, which is short for bootstrapping.
BIOS software is stored on a non-volatile ROM chip on the motherboard. It is specifically designed to work with each particular model of computer, interfacing with various devices that make up the complementary chipset of the system. In modern computer systems the BIOS chip's contents can be rewritten without removing it from the motherboard, allowing BIOS software to be upgraded in place.
A BIOS has a user interface (UI), typically a menu system accessed by pressing a certain key on the keyboard when the PC starts. In the BIOS UI, a user can:
  • configure hardware
  • set the system clock
  • enable or disable system components
  • select which devices are eligible to be a potential boot device
  • set various password prompts, such as a password for securing access to the BIOS UI functions itself and preventing malicious users from booting the system from unauthorized peripheral devices.
The BIOS provides a small library of basic input/output functions used to operate and control the peripherals (such as the keyboard, text display functions and so forth), and these software library functions are callable by external software. Operating systems and executive software, designed to supersede this basic firmware functionality, will provide replacement software interfaces to applications.
The role of the BIOS has changed over time. As of 2011, the BIOS is being replaced by the more complex Extensible Firmware Interface (EFI) in many new machines, but BIOS remains in widespread use. However, the distinction between BIOS and EFI is rarely made in terminology by the average computer user, making BIOS a catch-all term for both systems.
 

Terminology

 
The term BIOS (Basic Input/Output System) was invented by Gary Kildall and first appeared in the CP/M operating system in 1975, describing the machine-specific part of CP/M loaded during boot time that interfaced directly with the hardware (CP/M machines usually had only a simple boot loader in their ROM). Later versions of CP/M (as well as Concurrent CP/M, Concurrent DOS, DOS Plus, Multiuser DOS, System Manager and REAL/32) came with an XIOS (Extended Input/Output System) instead of the BIOS. Most versions of DOS have a file called "IO.SYS", "IBMBIO.COM", "IBMBIO.SYS" or "DRBIOS.SYS", called the DOS BIOS, that is analogous to the CP/M BIOS. Among other classes of computers, the generic terms boot monitor, boot loader or boot ROM were commonly used. Some Sun and PowerPC-based computers use Open Firmware for this purpose. There are a few alternatives for Legacy BIOS in the x86 world: Extensible Firmware Interface, Open Firmware (used on the OLPC XO-1) and coreboot.
 

Flashing the BIOS

 
In modern PCs the BIOS is stored in rewritable memory, allowing the contents to be replaced or 'rewritten'. This rewriting of the contents is sometimes termed flashing. This can be done by a special program, usually provided by the system's manufacturer, or at POST, with a BIOS image in a hard drive or USB flash drive. A file containing such contents is sometimes termed 'a BIOS image'. A BIOS might be reflashed in order to upgrade to a newer version to fix bugs or provide improved performance or to support newer hardware, or a reflashing operation might be needed to fix a damaged BIOS. A BIOS may also be "flashed" by putting the file on the root of a USB drive and booting.
 

BIOS chip vulnerabilities

 
EEPROM chips are advantageous because they can be easily updated by the user; hardware manufacturers frequently issue BIOS updates to upgrade their products, improve compatibility and remove bugs. However, this advantage carries the risk that an improperly executed or aborted BIOS update could render the computer or device unusable. To avoid these situations, more recent BIOSes use a "boot block": a portion of the BIOS which runs first and must be updated separately. This code verifies that the rest of the BIOS is intact (using hash checksums or other methods) before transferring control to it. If the boot block detects any corruption in the main BIOS, it will typically warn the user that a recovery process must be initiated by booting from removable media (floppy, CD or USB memory) so the user can try flashing the BIOS again. Some motherboards have a backup BIOS (sometimes referred to as DualBIOS boards) to recover from BIOS corruption.
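The boot-block decision described above, modelled as an added example (not code from the original page or from any BIOS vendor). The layout, a payload followed by its SHA-256 digest, and the names seal, is_intact, flash and boot_block are assumptions made for the illustration.

```python
import hashlib

DIGEST_LEN = 32  # SHA-256 trailer (layout assumed for this example)


def seal(payload):
    """Build a main-BIOS region: payload followed by its SHA-256 digest."""
    return payload + hashlib.sha256(payload).digest()


def is_intact(region):
    """The boot block's check: does the trailer match the payload?"""
    if len(region) <= DIGEST_LEN:
        return False
    payload, trailer = region[:-DIGEST_LEN], region[-DIGEST_LEN:]
    return hashlib.sha256(payload).digest() == trailer


def flash(region, new_image, abort_after=None):
    """Write new_image over region front to back; abort_after models an
    update interrupted after that many bytes (power loss, crash)."""
    if len(new_image) != len(region):
        raise ValueError("image must match the size of the flash region")
    total = len(new_image)
    written = total if abort_after is None else max(0, min(abort_after, total))
    return new_image[:written] + region[written:]


def boot_block(primary, backup=None):
    """Decide what gets control. The boot block itself is never rewritten
    by flash(), which is why it can still run after a failed update."""
    if is_intact(primary):
        return "boot primary"
    if backup is not None and is_intact(backup):
        return "boot backup"            # DualBIOS-style fallback
    return "recovery from removable media"


if __name__ == "__main__":
    old, new = seal(b"v1" * 4096), seal(b"v2" * 4096)   # constructed images
    half = flash(old, new, abort_after=3000)
    print(boot_block(flash(old, new)))      # boot primary
    print(boot_block(half, backup=old))     # boot backup
    print(boot_block(half))                 # recovery from removable media
```

An unkeyed digest stored beside the image only catches accidental corruption such as an interrupted write; anyone able to rewrite the region can recompute it, so this check is not a defence against deliberate modification.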
 

Overclocking

 
Some BIOS chips allow overclocking, an action in which the CPU is adjusted to a higher clock rate than its factory preset. Overclocking may, however, seriously compromise system reliability in insufficiently cooled computers and generally shorten component lifespan. Overclocking, incorrectly performed, may also cause component temperatures to rise so quickly that they destroy themselves.
 

Virus Attacks

 
There are at least four known BIOS attack viruses, two of which were for demonstration purposes. The first one found in the wild was Mebromi, targeting Chinese users.
 

CIH

The first BIOS virus was CIH, whose name matches the initials of its creator, Chen Ing Hua. CIH was also called the "Chernobyl Virus," because its payload date was 1999-04-26, the 13th anniversary of the Chernobyl accident. CIH appeared in mid-1998 and became active in April 1999. It was able to erase flash ROM BIOS content. Often, infected computers could no longer boot, and people had to remove the flash ROM IC from the motherboard and reprogram it. There is also extra protection against accidental BIOS rewrites, in the form of boot blocks that are protected from accidental overwrite, and dual- and quad-BIOS systems which may, in the event of a crash, use a backup BIOS. As a result, as of 2008, CIH has become essentially harmless, at worst causing annoyance by infecting executable files and triggering alerts from antivirus software.
 

Black hat 2006

The second BIOS virus was a technique presented by John Heasman, principal security consultant for UK-based Next-Generation Security Software. In 2006, at the Black Hat Security Conference, he showed how to elevate privileges and read physical memory, using malicious procedures that replaced normal ACPI functions stored in flash memory.
 

Persistent BIOS infection

The third BIOS virus was a technique called "Persistent BIOS infection." It appeared in 2009 at the CanSecWest Security Conference in Vancouver, and at the SyScan Security Conference in Singapore. Researchers Anibal Sacco and Alfredo Ortega, from Core Security Technologies, demonstrated how to insert malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at every start-up, even before the operating system is booted. The proof-of-concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine, or for the user to be root. Despite these requirements, Ortega underlined the profound implications of his and Sacco's discovery: “We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus.”
 

Mebromi

Mebromi is a trojan which targets computers with AwardBIOS, and antivirus software from two Chinese companies. Mebromi installs a rootkit which infects the master boot record.
 

Firmware on adapter cards

 
A computer system can contain several BIOS firmware chips. The motherboard BIOS typically contains code to access hardware components absolutely necessary for bootstrapping the system, such as the keyboard (either PS/2 or on a USB human interface device), and storage (floppy drives, if available, and PATA or SATA hard disk controllers). In addition, plug-in adapter cards such as SCSI, RAID, network interface cards, and video boards often include their own BIOS (e.g. Video BIOS), complementing or replacing the system BIOS code for the given component. (This code is generally referred to as an option ROM). Even devices built into the motherboard can behave in this way; their option ROMs can be stored as separate code on the main BIOS flash chip, and upgraded either in tandem with, or separately from, the main BIOS.
An add-in card usually only requires an option ROM if it:
  • Needs to be used before the operating system can be loaded (usually this means it is required in the bootstrapping process), and
  • Is too sophisticated or specific a device to be handled by the main BIOS
Older PC operating systems, such as MS-DOS, and early-stage bootloaders, may continue to use the BIOS for input and output. However, the restrictions of the BIOS environment mean that modern OSes will almost always use their own device drivers to directly control the hardware. Generally, these device drivers only use BIOS and option ROM calls for very specific (non-performance-critical) tasks, such as preliminary device initialization.
In order to discover memory-mapped ISA option ROMs during the boot process, PC BIOS implementations scan real memory from 0xC0000 to 0xF0000 on 2 KiB boundaries, looking for a ROM signature: 0xAA55 (0x55 followed by 0xAA, since the x86 architecture is little-endian). In a valid expansion ROM, this signature is immediately followed by a single byte indicating the number of 512-byte blocks it occupies in real memory. The next byte contains an offset describing the option ROM's entry point, to which the BIOS immediately transfers control. At this point, the expansion ROM code takes over, using BIOS services to register interrupt vectors for use by post-boot applications, provide a user configuration interface, or display diagnostic information.
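The scan described above, applied to a memory dump so that the option ROMs present can be inventoried and hashed. This is an added example, not code from the original page; the function names and the sample dump are constructed for illustration, and the rule that a ROM's bytes sum to zero modulo 256 is the usual legacy option ROM convention rather than something the page states.

```python
import hashlib

SCAN_START, SCAN_END = 0xC0000, 0xF0000  # range scanned, per the text
STEP = 2048    # 2 KiB boundaries
BLOCK = 512    # the size byte counts 512-byte blocks

def scan_option_roms(region, base=SCAN_START):
    """List option ROM headers in `region`, a dump of memory from `base`."""
    found = []
    limit = min(len(region), SCAN_END - base)
    offset = 0
    while offset + 3 <= limit:
        if region[offset:offset + 2] != b"\x55\xAA":
            offset += STEP
            continue
        size = region[offset + 2] * BLOCK
        truncated = size == 0 or offset + size > limit
        image = region[offset:min(offset + size, limit)]
        found.append({
            "address": base + offset,
            "size": size,
            "truncated": truncated,
            # Convention (not from the page): all bytes sum to 0 mod 256.
            "checksum_ok": not truncated and sum(image) % 256 == 0,
            "sha256": hashlib.sha256(image).hexdigest(),
        })
        # Trust the length only if it fits; otherwise resume at the next
        # boundary so an impossible size byte cannot hide later ROMs.
        span = STEP if truncated else size
        offset += -(-span // STEP) * STEP
    return found

def make_rom(blocks, fill=b"\x90"):
    """Constructed sample ROM: header, filler, checksum-fixing last byte."""
    rom = bytearray(b"\x55\xAA" + bytes([blocks]) + fill * (blocks * BLOCK - 4))
    rom.append(-sum(rom) % 256)
    return bytes(rom)

def build_sample():
    """Constructed dump: intact 32 KiB ROM, then a 2 KiB ROM with one byte changed."""
    mem = bytearray(SCAN_END - SCAN_START)
    mem[0:0x8000] = make_rom(64)
    mem[0x8000:0x8800] = make_rom(4)
    mem[0x8000 + 100] ^= 0xFF
    return bytes(mem)

if __name__ == "__main__":
    for rom in scan_option_roms(build_sample()):
        print(hex(rom["address"]), rom["size"], rom["checksum_ok"], rom["sha256"][:16])
```

The 8-bit checksum only catches accidental corruption; for integrity monitoring, compare each sha256 value against an inventory recorded from a known-good state of the same machine.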
 

BIOS boot specification

 
If the expansion ROM wishes to change the way the system boots (such as from a network device or a SCSI adapter for which the BIOS has no driver code), it can use the BIOS Boot Specification (BBS) API to register its ability to do so. Once the expansion ROMs have registered using the BBS APIs, the user can select among the available boot options from within the BIOS's user interface. This is why most BBS compliant PC BIOS implementations will not allow the user to enter the BIOS's user interface until the expansion ROMs have finished executing and registering themselves with the BBS API.
 

Changing role of the BIOS

 
Some operating systems, for example MS-DOS, rely on the BIOS to carry out most input/output tasks within the PC. A variety of technical reasons makes this inefficient for some recent operating systems written for CPUs with a word length of 32 bits or more. Several manufacturers of larger, more powerful servers and workstations using PowerPC or SPARC CPUs developed a platform-independent Open Firmware, based on the Forth programming language.
Later BIOS took on more complex functions, by way of interfaces such as ACPI; these functions include power management, hot swapping and thermal management. To quote Linus Torvalds, the task of BIOS is "just load the OS and get the hell out of there". However, BIOS limitations (16-bit processor mode, only 1 MiB addressable space, PC AT hardware dependencies, etc.) were seen as clearly unacceptable for the newer computer platforms.
Extensible Firmware Interface (EFI) is a specification which replaces the runtime interface of the legacy BIOS. Initially written for the Itanium architecture, EFI is now available for x86 and x86-64 platforms; the specification development is driven by The Unified EFI Forum, an industry Special Interest Group. Linux supports EFI via the elilo and GNU GRUB boot loaders.
The open source community increased their effort to develop a replacement for proprietary BIOSes and their future incarnations with an open sourced counterpart through the coreboot and OpenBIOS/Open Firmware projects.
 

SLIC

Some BIOSes contain a "SLIC" (software licensing description table), a digital signature placed inside the BIOS by the manufacturer. This SLIC is inserted in the ACPI table and contains no active code. Systems having a SLIC can be preactivated with an OEM product key, and they verify an XML formatted OEM certificate against the SLIC in the BIOS as a means of self-activating.
 

Reprogrammable microcode

The BIOS may contain patches to the processor code to allow errors in the initial processor code to be fixed, updating the processor microcode each time the system is powered up. Otherwise, an expensive processor swap would be required.

