Pre-OS Level Security

  • Thread starter Thread starter SMN
  • Start date Start date

SMN

SMN

SMN

Soldato
Joined
2 Nov 2008
Posts
2,502
Location
The ether
Stay with me on this one. I've been watching an episode of Criminal Minds (1x01) and in it they demonstrate a piece of software (presumably made up) which sits beetween the BIOS and the OS and asks for a password; if the wrong password is entered X times, or a "hot password" (someone trying an obvious one you've left lying around) is entered, it flattens all the OS.

Is there anything like this around? Its more out of technical curiosity more than anything. Thres the obvious BIOS password stuff that can be subverted, and any OS level password is childs play; so this is quite interesting if possible.

Cheers all.
 
The usual method for this would be to have an encrypted OS, and then what you're talking about in the bootloader. So you enter you password in the bootloader and it gets used to decrypt & boot the main OS. LUKS/dmcrypt can do this on Linux, think Truecrypt can to (defiantly on Windows).

In terms of data destruction on wrong passwords, ive not seen it in any programs mostly because its a non-desirable feature (risky data loss)! It would be perfectly easy to do, but anyone serious would image the drive first making it useless, and if it's encrypted it's as good as deleted anyway if the passwords arnt known.
 
If you're after that level of security, the best solution is probably a virtual machine running on a Ironkey, they're pretty awesome, and includes physical anti tampering capability and on chip encryption, they're about £70 for the smaller ones.

If you wanted to implement some sort of BIOS <-> OS password protection all you really need is to get the BIOS to store the entered password somewhere in the main memory and for it to provide an interface to find that password to the OS. You could probably mimic how the how the BIOS provides the memory map to the OS during the first part of the OS launch.

Editing Linux source code to check that password on launch would be straight forward. If you have the source a relatively recent kernel you can edit init/main.c and just add a routine like (pseudo code)

Code: 
if(password matches){
  continue booting
}else{
  delete encrypted partition
}

The really tricky bit would be modifying the BIOS itself to capture and store the password in some secure way, and unfortunately I wouldn't even know where to start on that :p
 
You must log in or register to reply here.
Back
Top Bottom