Tool mini-review: bios_diff.py

I recently became of a tool that I didn’t know worked on Linux: bios_diff.py, included with Copernicus. The MITRE Corporation’s Copernicus is a very powerful firmware security tool. I’ve been focusing more on non-Windows tools and open source tools, so I’ve not been giving Copernicus tools enough emphasis, something I’ll correct in future posts. I’ll start with this post, on bios_diff.py, which is distributed with Copernicus. This tool is not Copernicus-centric, nor Windows-centric.

If you’ve a dump of a BIOS ROM image, created by CHIPSEC or Copernicus or Coreboot’s FlashROM, you can use bios_diff.py to help determine what has changed. The tool parses the EFI Firmware Filesystem, to break out the files. It can also do smart diff’ing based on GUIDs in case files were added/removed, and will provide additional semantically relevant things like the file name, PE sections, and size of differences found (where each is applicable.)

This tool is a very useful addition to your open source firmware security toolbox.

This free tool does have some limits, EFIPWN is not as good as the newer UEFITool w/r/t some parsing. Perhaps someone has time to integrate UEFTool into a newer version of this tool? 🙂

Usage:

  bios_diff.py [-crs] [-i IGNORE] [-d [-a [-p]] [-n [-u UNIQUE]] [-l SIZELIMIT] [-m NUMBYTES]] [-o OUT] [-e EFIPWN] <file1> [<file2>]
  bios_diff.py (-h | –help)

The files are BIOS dumps to be compared.  <file2> may be a single file, or it may be a directory which contains several BIOS dumps against which we will diff <file1>.  Also, <file1> can be a directory by itself.  In this case, the first file found in this directory will be compared against all of the others.

Options:
  -c            delete the directories when the diff is complete
  -r            reuse parsed directories previously generated by EFIPWN if they appear to exist
  -s            print out all sha1 hashes of files in BIOS dump
  -i IGNORE     file containing list of regular expressions (one per line) for filenames we should ignore
  -d            do hash diffing of extracted files
  -a            print all unique ranges per file
  -n            print number of unique bytes per file
  -u UNIQUE     exclude diffs which have less than UNIQUE unique bytes for both files
  -l SIZELIMIT  dont compute unique ranges or bytes on files which exceed this size
  -p            print the PE information about diffs if the files are PE files
  -m NUMBYTES   merge regions which are within NUMBYTES of eachother
  -o OUT        output directory [default: temp]
  -e EFIPWN     the location of EFIPWN files [default: EFIPWN]

More information:

https://www.blackhat.com/docs/us-13/US-13-Butterworth-BIOS-Security-Code.zip