Back in 2011, the US National Institute of Standards and Technology (NIST) published a set of guidelines for achieving better security in the PC BIOS, the initial firmware executed when the PC begins its boot sequence. An article at Ars Technica reports that the NIST has now issued, in draft form, a similar set of guidelines specifically for servers, BIOS Protection Guidelines for Servers [SP800-147b] [PDF].
The new guidelines mostly parallel those laid out in the 2011 report; the key components are:
- Authenticated Update Modifications to the BIOS code and data areas must be done through a controlled mechanism, which verifies authentic updates by cryptographic signatures.
- Optional Local Update An optional update mechanism may be provided that allows any update (signed or not) to be installed provided that the administrator is physically present at the server (this might employ a keyed switch, for example).
- Firmware Integrity The system must protect its firmware from modification other than by an approved update process.
- No Bypassing Security It should not be possible to bypass any of the protection mechanisms.
The document goes on to discuss examples of how these rules might be implemented.
NIST’s Computer Security Division is requesting comments on the draft guidelines:
NIST requests comments on draft NIST SP 800-147B by September 14th, 2012. Please submit all comments to email@example.com.
As I’ve noted before, attacks that modify the BIOS, although requiring some skill to pull off, are potentially very dangerous, since they can give the attacker complete control of the machine. Even a complete re-installation of the machine’s operating system will typically not remove them. So more attention to security in this area is definitely a good thing.