Wave Systems Corp. (NASDAQ:WAVX), the Trusted Computing Company, announced plans to integrate The MITRE Corporation’s new timing-based attestation technique into Wave Endpoint Monitor (WEM), the industry’s first solution to leverage industry standard hardware to detect and remediate malware that can surreptitiously mount attacks before the operating system loads. MITRE is a not-for-profit organization that provides systems engineering, research and development, and information technology support to the government.
With this enhancement, Wave will integrate MITRE’s technique that doubly verifies that the core BIOS hasn’t been corrupted. The BIOS is the first software run by the PC when powered-on and is responsible for initializing hardware and getting the operating system running. It also contains the “core root of trust measurement” (CRTM) software, the first software in the boot trust chain that ends in the assurance that the computer booted safely.
“MITRE has made a significant contribution to the body of research by identifying a scenario in which malicious code could be introduced to the BIOS that would cause it to provide a false reading and allow the malicious BIOS to indicate the system had not been corrupted,” said Dr. Robert Thibadeau, Wave’s Chief Scientist. “MITRE’s technique offers a second control for determining the CRTM does not lie about itself and any of the rest of the trust chain.”
Dr. Thibadeau added, “While BIOS attacks are still fairly rare today—less than one percent by many accounts—they represent a new and dangerous attack vector, and we’re bound to see more in future years as the more popular preboot targets are secured by our existing WEM technology.”
The management of CRTM detection will be incorporated in a module for WEM, which Wave expects will be production-ready in early 2014 to meet the expected increase of these attacks. Wave Endpoint Monitor captures verifiable PC health and security by utilizing information stored within the TPM. If anomalies are detected, the attack is controlled, and IT is alerted immediately with real-time analytics.
MITRE research presented at Black Hat 2013
MITRE researchers John Butterworth, Corey Kallenberg, and Xeno Kovah presented their research on this vulnerability and technique, “BIOS Chronomancy: Fixing the Core Root of Trust for Measurement,” at Black Hat 2013.
The team’s research highlights a vulnerability in which a firmware rootkit tricks an endpoint’s Trusted Platform Module (TPM) chip into reporting a clean BIOS firmware, when in fact it has been compromised. MITRE’s research shows the importance of using timing-based attestation systems, which can defend against attackers who obtain the same privilege levels as the defender. John Butterworth, a Senior Infosec Engineer at MITRE, adds, “additional complexities are imposed on an attacker who tries to conceal a rootkit in the presence of timing-based attestation; even concealing the modification of a single byte will trigger a measurable change.”
The team’s findings come as vendors work to implement BIOS protection specifications as outlined by the National Institute of Standards and Technology (NIST) special publication 800-155, published in 2011.