Slashdot Mirror

← Back to Stories (view on slashdot.org)

NIST Publishes Draft Guidelines For Server BIOS Protection

Posted by timothy on from the why-stop-with-servers? dept.

hypnosec writes "The U.S.'s National Institute of Standards and Technology has come up with a set of proposed guidelines for security of server BIOSes— the mechanism on which most modern day computers rely during boot up. Recently quite a few instances of malware have been known to persistently infect computer systems, and cannot be removed even on OS re-installs. NIST is proposing a set of measures through which the BIOS can be made more secure and resistant to such firmware manipulating attacks. Mebromi is one such Trojan. NIST published the draft guidelines [PDF] earlier this week and has proposed four different features through which the server BIOSes can be made more secure: authenticated update mechanism; secure local update mechanism (optional); firmware integrity protections; and non-bypassability features."

3 of 141 comments (clear)

  1. Easy solve by Anonymous Coward · · Score: 0, Informative

    Physical jumper to stop writing to the BIOS flash if it isn't set, and code in the rom to disallow bpoting beyond the post aside from the update if it is set. Impossible for any kind of automated attack, and servers should never get a deep update like that without being closely supervised anyway

  2. Re:Stupid and wrong by dgatwood · · Score: 5, Informative

    Actually, it's not easy. A trojan horse can draw the same UI, write the same file to the flash drive, and a naïve user would probably dutifully follow the instructions because the user would not know any better. Your "solution" is no better than the status quo.

    Allowing a power-user (someone who knows how to hold down the magic keys and isn't afraid of the BIOS UI) to install an unsigned update explicitly and manually is one thing. Such a user can be assumed to know enough about what he or she is doing to understand the risks of downloading a BIOS update from an untrusted source. Allowing unsigned BIOS updates to be installed by average users as a part of their normal day-to-day update process, however, is another thing entirely, and is a very bad idea.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Re:Step one? by Aryeh+Goretsky · · Score: 3, Informative

    Hello,

    A list of OS software developers who are members of UEFI:

    • Apple
    • Canonical
    • Cisco
    • Cray
    • Fujitsu
    • Hewlett-Packard
    • IBM
    • Microsoft
    • NEC
    • Novell
    • Oracle
    • Red Flag
    • Red Hat

    And there are also other companies who work in the same neighborhood (CPU manufacturers, firmware developers, etc.). Source: UEFI Membership List.

    While I understand (and, to some extent, sympathize with) the desire to hold Microsoft solely responsible for every activity in the computing industry, this is clearly a joint effort across the industry to replace a two decade-old invention whose time has come. And as far as I know, the largest installed base of UEFI firmware—albeit an older version of the standard—is Apple, a company not precisely known for having a cordial relationship with Microsoft.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.