计算机科学

计算机科学 ›› 2016, Vol. 43 ›› Issue (9): 188-191.doi: 10.11896/j.issn.1002-137X.2016.09.037

• 信息安全 • 上一篇    下一篇

EFI OS Loader安全加固技术的研究与实现

吴伟民,陈东新,赖文鑫,苏庆   

  1. 广东工业大学计算机学院 广州510006,广东工业大学计算机学院 广州510006,广东工业大学计算机学院 广州510006,广东工业大学计算机学院 广州510006
  • 出版日期:2018-12-01 发布日期:2018-12-01
  • 基金资助:
    本文受广州市科技计划项目(2012Y2-00046,2013Y2-00043)资助

Research and Implementation of EFI OS Loader Security Reinforcement Technology

WU Wei-min, CHEN Dong-xin, LAI Wen-xin and SU Qing   

  • Online:2018-12-01 Published:2018-12-01

PDF (PC)

1046

摘要: 对统一可扩展固件接口(UEFI)的体系架构和执行流程进行安全性分析,发现Windows启动过程中EFI OS Loader的可信性校验存在安全漏洞,其可导致Windows启动流程被劫持。针对该安全漏洞,从文件分离保护、开机身份认证和系统关键区域防护3个层次出发,提出了一种基于USB Key启动、动态口令手机令牌和EFI安全防护软件的三层安全加固的方案。将EFI OS Loader文件存放在USB Key中并加密,实现对文件的保护;把动态口令认证服务端置于USB Key中,两者的有机结合实现了高强度的开机身份认证;设计并开发了遵循UEFI规范的EFI应用程序型安全防护软件,实现了对系统关键区域的保护。实验结果表明,该方案的双认证与安全防护机制弥补了相关安全漏洞,增强了计算机系统启动过程的安全性。

关键词: EFI OS Loader,可信性校验,安全加固,身份认证

Abstract: By analyzing the safety of architecture and boot procedure of unified extensible firmware interface (UEFI),it is found that the credibility verification of EFI OS Loader has security risks,which can lead to the hijack of Windows startup process.To avoid the security risks,considering from the three layers of file isolation protection,boot authentication and system critical region protection,a three-layer security reinforcement plan based on USB Key,the dynamic password cell phone token and EFI antivirus software was proposed.Storing the EFI OS Loader file in the USB Key and encrypting it can achieve the file protection.The dynamic password authentication server is placed in the USB Key,and the combination of both mechanism can achieve a high intensity boot authentication.Designing and developing an EFI application security software following the UEFI specification can achieve the protection of the key region of system.The results show that the dual authentication and security mechanism of the program make up the relevant security vulnerabilities,and enhance the security of computer systems during startup.

Key words: EFI OS loader,Credibility verification,Security reinforcement,Identity authentication

[1] UEFI Forum.Unified Extensible Firmware Interface Specification V2.3.1 [EB/OL].[2012-07-27].http://www.uefi.org
[2] Bashun V,Sergeev A,Minchenkov V,et al.Too young to be secure:Analysis of UEFI threats and vulnerabilities[C]∥Confe-rence of Open Innovations Association.IEEE,2013:16-24
[3] Tang Wen-bin,Zhu Yue-fei,Chen Jia-yong.Research on Attack Method of Unified Extensible Firmware Interface [J].Computer Engineering,2012,38(13):99-101(in Chinese) 唐文彬,祝跃飞,陈嘉勇.统一可扩展固件接口攻击方法研究[J].计算机工程,2012,38(13):99-101
[4] Chi Ya-ping,Wang Quan-min,Wu Li-jun.A Scheme of streng-thening the security of the root of trust for measurement based on USBKey [J].Information Security and Communications Privacy,2007(12):114-117(in Chinese) 池亚平,王全民,吴丽军.一种基于USBKey的可信测量根安全增强设计方案[J].信息安全与通信保密,2007(12):114-117
[5] Yang Shao-qian.Design and Implementation of Strengthing the EFI BIOS Security [D].Xi’an:Xidian University,2009(in Chinese) 杨少谦.EFI BIOS安全增强方案设计与实现[D].西安:西安电子科技大学,2009
[6] Shi Jie.Key Technology of EFI BIOS Research and DesignBased on Fingerprint Encryption [D].Tianjin:Tianjin University,2010(in Chinese) 史杰.基于指纹加密的EFI BIOS关键技术研究及设计[D].天津:天津大学,2010
[7] Zimmer V,Rothman M,Marisetty S.Beyond BIOS:developing with the unified extensible firmware interface [M].Intel Press,2010
[8] Nikkel B J.Forensic analysis of GPT disks and GUID partition tables [J].Digital Investigation,2009,6(1/2):39-47
[9] Microsoft Corporation.Microsoft PE and COFF Specification[EB/OL].https://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx
[10] Egale.The IDA Pro Book:The Unofficial Guide to the World’s Most Popular Disassembler [M].Beijing:Posts & T elecom Press,2010(in Chinese) 伊格尔.IDA Pro权威指南[M].北京:人民邮电出版社,2010
[11] Arium Corporation.ECM-XDP3 Intel JTAG Debugger[EB/OL].[2012].http://www.arium.com/product/55/ECM-XDP3-Intel-JTAG-Debugger.html
[12] Dai Zheng-hua.UEFI Principles and Programming [M].China Machine Press,2015(in Chinese) 戴正华.UEFI原理与编程[M].机械工业出版社,2015
[13] Chen Li-zhi, Li Feng-hua.User Authentication MechanismBased on Dynamic Password and Its Security Analysis [J].Computer Engineering,2002,28(10):48-49(in Chinese) 陈立志,李凤华.基于动态口令的身份认证机制及其安全性分析[J].计算机工程,2002,28(10):48-49
No related articles found!
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发