Re: Bios programming...

[Valdis.Kletnieks () vt edu]

On Thu, 03 Mar 2005 13:44:39 EST, Matt Marooney said:

> 1. I would like the program to be "un-installable".  I've heard of a

Did you mean "un-installable", as in "an inability to be installed", or
"non-uninstallable", as in "not removable"? :)

In any case, some time with Google will probably find you an Agobot or spyware
that will give you lots of hints on how to create a hard-to-remove program. ;)

> couple of hardware security tracking services that can load a very small
> setup package in the CMOS and if a computer is stolen, and the hard
> drive is replaced, the app reloads itself and the next time the computer
> is on the internet, it sends out a beacon.  Does anyone have any insight
> about how to do something like this?  I want the CMOS program to run on
> boot, and check to see if the monitoring software is still installed.
> If it is not, the boot process reloads it.

Note that this would almost certainly require an additional PROM chip, and
hooks into the BIOS to invoke it at the right points.  Note that about all
it can probably do is "If the disk is different, toss a crafted packet out
the Ethernet and hope for the best".  Note that you're probably screwed if
they either reboot while not on the net, or re-flash the BIOS with the
original vendor BIOS (which implies further hardware hacks to make the box
not bootable with the original vendor BIOS image).

If you want it to additionally run a program in the "background", you'll have
to get the operating system to cooperate.

> 2. obviously, the program does not need to be very large, so I want it
> to run in the background and not be visible to the computer's user. This
> is easy, I know, but I want the process to be completely invisible.
> (even to super-geeks)

Remember that in general, the BIOS is in control before boot, but after boot,
the BIOS is not in any meaningful control anymore.

Ask yourself what happens if your problem user boots a Knoppix CD that doesn't
want to play nice with your CMOS?
 
> 3. I would like to figure out a way to monitor traffic for multiple
> protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if
> there is a way to figure out "bad" requests on a packet level.

Take a look at Snort or other similar IDS, that tries to do that - particularly
in terms of the size of the binary, and the system load impact.  And then ask
yourself if something that big is easily hidden inside the BIOS functionality
(and consider carefully how many vendors ship totally borked ACPI DSDT's or
just broken BIOSes)....

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html