An article at the Science Daily site reports that the National Institute of Science and Technology has issued a new report on guidelines for achieving better security in the PC BIOS, the initial firmware executed when the PC begins its boot sequence. (I have talked a bit about what the BIOS does here.) The report, BIOS Protection Guidelines [NIST SP 800-147] [PDF], presents and discusses a set of guidelines for getting a secure BIOS implementation. The key points are:
- An approved BIOS Update mechanism. All updates to the BIOS code must be via an authenticated update mechanism, or a physically-secure local update mechanism.
- BIOS updates should be signed using a secure cryptographic protocol.
- An optional provision may be made for a physically secure local update mechanism, for emergency use.
- The BIOS code stored in the machine’s non-volatile memory should be protected against modification or corruption.
- It should not be possible to bypass any of the protection mechanisms.
This is a new area of security attention for the NIST, and a welcome one. I have often smiled to myself when examining purportedly secure PC workstations, which in too many cases have access to the BIOS settings (often called “Setup”, or something similar) completely unprotected, even though modern BIOS installations generally provide at least password protection. If an attacker can access the Setup routine, he can typically boot from a device of choice (such as a USB flash drive or a CD-ROM). If he can then go further, and modify the BIOS code, he can give himself a wide menu of malicious possibilities.
Without appropriate protections, attackers could disable systems or hide malicious software by modifying the BIOS. This guide is focused on reducing the risk of unauthorized changes to the BIOS.
As Ken Thompson pointed out in his 1984 Turing Award lecture, Reflections on Trusting Trust, malicious code at this level can be very difficult to find.
In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
The report is timely, because many manufacturers are at the point of using new BIOS implementations, including those using the new Unified Extensible Firmware Interface [UEFI] specification.
The NIST report also makes suggestions for system management practices to complement improved BIOS security.
The publication also suggests management best practices that are tightly coupled with the security guidelines for manufacturers. These practices will help computer administrators take advantage of the BIOS protection features as they become available.
It also contains a very good summary of how the boot process works, both for conventional and UEFI implementations.