
BIOS firmware Rootkit detection method based on behaviour characteristic

A detection method based on behaviour characteristics, applied in the field of computer security. It addresses the problems that analysis of BIOS firmware code conflicts with firmware updates, that signature-based detection cannot keep up with the rapid growth of malicious code, and that the generality of existing methods does not meet the need. The aim is to prevent security attacks on computer systems, improve generality and extensibility, and resist code obfuscation.

Publication date: 2012-07-04 (status: inactive)
张平

AI Technical Summary

Problems solved by technology

Existing BIOS rootkit detection methods have deficiencies. The dynamic method needs to modify the original target code, and its detection capability scales poorly. The method based on a defect signature library has to track changes across different models and versions; the analysis of the BIOS firmware code may conflict with firmware updates, and the generality of the method cannot meet the need.
Signature-based detection has a further disadvantage: once malicious code is obfuscated and transformed, the binary-level features present before the transformation are easily erased, and Trojans that share the same general behaviour have completely different binary features after deformation. Accurately detecting new Trojan variants then requires constantly adding the variants' new features to the feature library.
At the same time, professionals are needed to track the vulnerability patches and new function modules released by BIOS manufacturers and to maintain the signature database. The workload is very heavy, and it is difficult to keep up with the rapid growth of malicious code.


Examples


Embodiment 1

[0031] Embodiment one: see figure 1. The BIOS firmware Rootkit detection method based on behaviour characteristics of the present invention is implemented as follows:

[0032] 1. File format analysis

[0033] File format analysis first extracts the firmware model and the image-file version number field from the BIOS image file, then reads the structure information, module features and the specific compression algorithm of the corresponding image file from database DB1 according to these fields, and splits the image file accordingly. Compressed modules are decompressed to obtain a structural view of the entire image file. For the key modules, information that guides the reverse analysis and formalised function descriptions, derived in advance from the BIOS specification and the structural characteristics, are stored in DB1. The key module is identified through the feature ...

Embodiment 2

[0040] Embodiment two: see figure 1 and figure 2. This embodiment of the BIOS firmware Rootkit detection method based on behaviour characteristics performs Rootkit detection on a BIOS image file in the following steps:

[0041] a. Analyse the binary BIOS image file to be examined. According to the feature word of the BIOS image file,

[0042] the BIOS model to which the image file belongs and the version number of the image file are read from database DB1, and the extracted compressed modules are decompressed according to the compression algorithm and structural features used by the image file. A complete structural view of the image file is obtained, achieving a preliminary separation of code and data.

[0043] b. Reverse-engineer the extracted binary code modules and map the semantics of the instructions in each code fragment equivalently
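The file format analysis of Embodiment 1 and step a of Embodiment 2 (model/version lookup in DB1, splitting the image into modules, decompressing the compressed ones, separating code from data) as a worked example. This is added illustration code, not the patent's implementation: DB1 is stood in by an in-memory dict, the image layout (a "BIOS" magic, an 8-byte model field, a 16-bit version, a module table of name/kind/compressed/offset/length entries) and the model name DEMO0001 are constructed for the example, and zlib stands in for whatever vendor-specific compression a real image uses. The check a practitioner wants is the one on an unknown model: without a DB1 record the split is refused rather than guessed.

```python
import struct
import zlib

# DB1 stand-in (an in-memory dict here): per model/version, where the module table
# sits, how each entry is laid out and which compression the image uses.
# The layout and the "DEMO0001" model are constructed for this example.
DB1 = {
    (b"DEMO0001", 0x0102): {
        "table_offset": 16,
        "entry_fmt": "<8sBBII",   # name, kind, compressed flag, offset, length
        "compression": "zlib",    # stand-in for a vendor-specific algorithm
    },
}
HEADER_FMT = "<4s8sH"             # magic, model, version ("feature word" fields)
KIND_NAMES = {1: "code", 2: "data"}
DECOMPRESSORS = {"zlib": zlib.decompress}


def parse_header(image):
    """Extract the model and version fields that key the DB1 lookup."""
    magic, model, version = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != b"BIOS":
        raise ValueError("not a recognised image: bad magic")
    return model, version


def lookup_layout(model, version):
    """Structural record for this model/version, or None if DB1 does not know it."""
    return DB1.get((model, version))


def structural_view(image):
    """Split the image into modules, decompress the compressed ones and tag each
    as code or data. Raises KeyError when DB1 has no record: without the structure
    information the split would be guesswork, so the analysis stops here."""
    model, version = parse_header(image)
    layout = lookup_layout(model, version)
    if layout is None:
        raise KeyError(f"no DB1 record for {model!r} v{version:#06x}")
    decompress = DECOMPRESSORS[layout["compression"]]
    entry_size = struct.calcsize(layout["entry_fmt"])
    (count,) = struct.unpack_from("<H", image, layout["table_offset"])
    pos = layout["table_offset"] + 2
    modules = []
    for _ in range(count):
        name, kind, compressed, off, length = struct.unpack_from(layout["entry_fmt"], image, pos)
        pos += entry_size
        body = image[off:off + length]
        if len(body) != length:
            raise ValueError(f"module {name!r} runs past the end of the image")
        if compressed:
            body = decompress(body)
        modules.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "kind": KIND_NAMES.get(kind, "unknown"),
            "compressed": bool(compressed),
            "data": body,
        })
    return {"model": model, "version": version, "modules": modules}


def code_modules(view):
    """Preliminary code/data separation: only code modules go on to reversing."""
    return [m for m in view["modules"] if m["kind"] == "code"]


def build_sample_image():
    """Constructed sample image in the DEMO0001 layout (not a real vendor image)."""
    layout = DB1[(b"DEMO0001", 0x0102)]
    mods = [  # (name, kind, compressed, stored bytes); code bytes are arbitrary x86
        (b"BOOTBLK", 1, 0, b"\xfa\xfc\x31\xc0\x8e\xd8" + b"\x90" * 10),
        (b"SETUP", 1, 1, zlib.compress(b"\xb8\x00\x00\x8e\xd8\xeb\xfe" * 8)),
        (b"STRINGS", 2, 1, zlib.compress(b"Press DEL to enter SETUP\0" * 4)),
    ]
    entry_size = struct.calcsize(layout["entry_fmt"])
    data_start = layout["table_offset"] + 2 + len(mods) * entry_size
    header = struct.pack(HEADER_FMT, b"BIOS", b"DEMO0001", 0x0102).ljust(layout["table_offset"], b"\0")
    table, blobs = struct.pack("<H", len(mods)), b""
    for name, kind, compressed, blob in mods:
        table += struct.pack(layout["entry_fmt"], name, kind, compressed, data_start + len(blobs), len(blob))
        blobs += blob
    return header + table + blobs


if __name__ == "__main__":
    view = structural_view(build_sample_image())
    for m in view["modules"]:
        print(f"{m['name']:<8} {m['kind']:<5} compressed={m['compressed']} {len(m['data'])} bytes")
```

The per-model record is what makes the split deterministic: the same parser handles a new model by adding a DB1 entry rather than by changing code, which is the extensibility the method claims over signature tracking.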


Abstract

The invention relates to a method for detecting rootkits in computer BIOS firmware on the basis of program behaviour characteristics, belonging to the technical field of computer security. The method is mainly intended to counter attacks realised through the BIOS and possible BIOS rootkits. The behaviour-characteristic-based BIOS rootkit detection method comprises the following steps: a. analyse the binary BIOS image file to be examined; b. reverse-engineer the code of the analysed binary file by static control-flow analysis, map the instruction semantics of each code segment equivalently onto an intermediate representation, and build the control flow graph (CFG) of the program; c. simplify the intermediate representation, extract behaviour characteristics according to the suspicious BIOS rootkit behaviours stored in the characteristic repository DB2, extract a candidate behaviour set according to the behaviour templates in that repository, and select the behaviour characteristics stepwise; d. judge the degree of suspicion of the malicious behaviour and output the detection result.
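Steps b to d of the abstract (CFG construction over an intermediate representation, simplification, template-driven extraction of a candidate behaviour set with stepwise selection, and a suspicion score) as a worked example. This is added illustration code, not the patent's implementation: the intermediate representation is a constructed tuple form (addr, op, dst, src) rather than the patent's IR, DB2 is stood in by a dict of two constructed templates (a store into the real-mode interrupt vector table below 0x400, and a PCI configuration write through ports 0xCF8/0xCFC), and the weights and the threshold are arbitrary. SAMPLE_IR and BENIGN_IR are constructed inputs.

```python
# Constructed IR: (addr, op, dst, src). ops: mov, store (mem[dst] = src),
# out (port dst <- src), jmp, jz, ret, nop. Memory operands are ("mem", reg_or_addr).
SAMPLE_IR = [
    (0x00, "nop", None, None),
    (0x01, "out", 0x80, 0x01),              # POST progress code to port 0x80: benign
    (0x02, "jz", 0x07, None),               # constructed condition: two paths
    (0x03, "mov", "bx", 0x004C),            # 0x13 * 4: INT 13h slot in the IVT
    (0x04, "mov", "ax", 0x1234),
    (0x05, "store", ("mem", "bx"), "ax"),   # overwrite the vector via a register
    (0x06, "jmp", 0x0A, None),
    (0x07, "mov", "dx", 0xCF8),             # PCI config address port
    (0x08, "out", "dx", 0x8000F8DC),
    (0x09, "out", 0xCFC, 0x00000000),       # PCI config data port
    (0x0A, "ret", None, None),
]
BENIGN_IR = [                               # address port set, no data write follows
    (0x00, "out", 0x80, 0x01),
    (0x01, "mov", "dx", 0xCF8),
    (0x02, "out", "dx", 0x8000F8DC),
    (0x03, "ret", None, None),
]


def _store_below(limit):
    return lambda i: i[1] == "store" and isinstance(i[2], tuple) \
        and isinstance(i[2][1], int) and i[2][1] < limit


def _out_to(port):
    return lambda i: i[1] == "out" and i[2] == port


# DB2 stand-in: ordered predicate steps per behaviour plus an integer weight (percent).
DB2 = {
    "ivt_vector_write": {"weight": 60, "steps": [_store_below(0x400)]},
    "pci_config_write": {"weight": 20, "steps": [_out_to(0xCF8), _out_to(0xCFC)]},
}
SUSPICIOUS_AT = 50


def build_cfg(ir):
    """Split into basic blocks at branch targets and after branches; successors by block."""
    leaders = {ir[0][0]}
    for k, (addr, op, dst, _) in enumerate(ir):
        if op in ("jmp", "jz"):
            leaders.add(dst)
        if op in ("jmp", "jz", "ret") and k + 1 < len(ir):
            leaders.add(ir[k + 1][0])
    blocks, cur = {}, None
    for ins in ir:
        if ins[0] in leaders:
            cur = ins[0]
            blocks[cur] = []
        blocks[cur].append(ins)
    order, succ = sorted(blocks), {}
    for n, bid in enumerate(order):
        op, target = blocks[bid][-1][1], blocks[bid][-1][2]
        fall = [order[n + 1]] if n + 1 < len(order) else []
        succ[bid] = {"jmp": [target], "jz": [target] + fall, "ret": []}.get(op, fall)
    return blocks, succ


def simplify(blocks):
    """Drop nops, fold moves and propagate in-block constants so register-addressed
    stores and register-selected ports become concrete values the templates can test."""
    out = {}
    for bid, insns in blocks.items():
        consts, kept = {}, []
        for addr, op, dst, src in insns:
            if op == "nop":
                continue
            if isinstance(src, str) and src in consts:
                src = consts[src]
            if op == "mov":
                if isinstance(src, int):
                    consts[dst] = src
                else:
                    consts.pop(dst, None)   # unknown value now in dst
                continue
            if op == "store" and isinstance(dst, tuple) and dst[1] in consts:
                dst = ("mem", consts[dst[1]])
            if op == "out" and isinstance(dst, str) and dst in consts:
                dst = consts[dst]
            kept.append((addr, op, dst, src))
        out[bid] = kept
    return out


def match_template(blocks, succ, steps):
    """Stepwise selection: the first step picks candidate blocks; the remaining
    steps must then match in order along some CFG path from that point."""
    def rest(bid, start, step, visited):
        if step == len(steps):
            return True
        for k in range(start, len(blocks[bid])):
            if steps[step](blocks[bid][k]):
                return rest(bid, k + 1, step + 1, visited)   # greedy: first occurrence
        return any(rest(n, 0, step, visited | {n}) for n in succ[bid] if n not in visited)
    return [bid for bid, insns in blocks.items()
            if any(steps[0](ins) and rest(bid, k + 1, 1, {bid}) for k, ins in enumerate(insns))]


def detect(ir):
    """Steps b-d: build the CFG, simplify, match DB2 templates, score and judge."""
    blocks, succ = build_cfg(ir)
    blocks = simplify(blocks)
    findings = {}
    for name, tpl in DB2.items():
        hits = match_template(blocks, succ, tpl["steps"])
        if hits:
            findings[name] = hits
    score = min(100, sum(DB2[n]["weight"] for n in findings))
    return {"score": score, "verdict": "suspicious" if score >= SUSPICIOUS_AT else "clean",
            "findings": findings}


if __name__ == "__main__":
    print(detect(SAMPLE_IR))
    print(detect(BENIGN_IR))
```

Two points the example makes that the abstract only states: the template is matched on the simplified IR, so a store whose address is assembled in a register still resolves to the IVT slot and obfuscation by register indirection does not hide it; and a multi-step template needs every step in order along a path, so the benign sample, which sets the PCI address port but never writes the data port, scores zero. Legitimate option ROMs also install INT 13h handlers, so a real DB2 would weight an IVT write by its context rather than treat it as conclusive on its own.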

Description

Technical field [0001] The invention relates to a method for detecting rootkits in computer BIOS firmware based on program behaviour characteristics, belongs to the technical field of computer security, and is suitable for detecting rootkits implanted in BIOS firmware. Background [0002] The contest for control of the system has penetrated the defence line of the application program and the operating system kernel and reached the underlying components of the computer; many low-level hardware devices have become a new battlefield for the two sides. BIOS (Basic Input/Output System) firmware mainly executes the POST (Power-On Self-Test) of the computer: it is responsible for hardware detection and initialisation, identification of peripherals during the self-test and bootstrap stages, and copying the code in Option ROMs into memory. The BIOS directly controls the operation of the hardware, and the access to various har...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/00, G06F21/56
Inventors: 张平, 李清宝, 郭致昌
Owner: 张平