are discussed in [Young], including zero-knowledge proofs that could be used to
allow an attacker to prove that he or she is in possession of the decryption key
without actually exposing it.
BIOS/Firmware Malware
The basic premise of most malware defense strategies is to leverage the fact
that there is always some kind of trusted element in the system. After all, how
can an antivirus program detect malicious program if it can’t trust the under-
lying system? For instance, consider an antivirus program that scans the hard
drive for infected files and simply uses high-level file-system services in order
to read files from the hard drive and determine whether they are infected or
not. A clever malicious program could relatively easily install itself as a file-
system filter that would intercept the antivirus program’s file system calls and
present it with fake versions of the files on disk (these would usually be the
original, uninfected versions of those files). It would simply hide the fact that
it has infected numerous files on the hard drive from the antivirus program!
That is why most security and antivirus programs enter deep into the oper-
ating system kernel; they must reside at a low enough level so that malicious
programs can’t distort their view of the system by implementing file-system
filtering or a similar approach.
Here is where things could get nasty. What would happen if a malicious pro-
gram altered an extremely low-level component? This would be problematic
because the antivirus programs would be running on top of this infected compo-
nent and would have no way of knowing whether they are seeing an authentic
picture of the system, or an artificial one painted by a malicious program that
doesn’t want to be found. Let’s take a quick look at how this could be possible.
The lowest level at which a malicious program could theoretically infect a
program is the CPU or other hardware devices that use upgradeable firmware.
Most modern CPUs actually run a very low-level code that implements each
and every supported assembly language instruction using low-level instruc-
tion called micro-ops (μ-ops). The μ-op code that runs inside the processor is
called firmware, and can usually be updated at the customer site using a special
firmware-updating program. This is a sensible design decision since it enables
software-level bug fixes that would otherwise require physically replacing the
processor. The same goes for many hardware devices such as network and stor-
age adapters. They are often based on programmable microcontrollers that sup-
port user-upgradeable firmware.
It is not exactly clear what a malicious program could do at the firmware
level, if anything, but the prospects are quite chilling. Malicious firmware
would theoretically be included as a part of a larger malicious program and
could be used to hide the existence of the malicious program from security and
antivirus programs. It would compromise the integrity of the only trustworthy
Reversing Malware 279