Slashdot Mirror


NIST Publishes Draft Guidelines For Server BIOS Protection

hypnosec writes "The U.S.'s National Institute of Standards and Technology has come up with a set of proposed guidelines for security of server BIOSes—the mechanism on which most modern-day computers rely during boot up. Recently quite a few instances of malware have been known to persistently infect computer systems, and cannot be removed even on OS re-installs. NIST is proposing a set of measures through which the BIOS can be made more secure and resistant to such firmware manipulating attacks. Mebromi is one such Trojan. NIST published the draft guidelines [PDF] earlier this week and has proposed four different features through which the server BIOSes can be made more secure: authenticated update mechanism; secure local update mechanism (optional); firmware integrity protections; and non-bypassability features."

2 of 141 comments

  1. Re:Stupid and wrong by dgatwood · Score: 5, Informative

    Actually, it's not easy. A trojan horse can draw the same UI, write the same file to the flash drive, and a naïve user would probably dutifully follow the instructions because the user would not know any better. Your "solution" is no better than the status quo.

    Allowing a power-user (someone who knows how to hold down the magic keys and isn't afraid of the BIOS UI) to install an unsigned update explicitly and manually is one thing. Such a user can be assumed to know enough about what he or she is doing to understand the risks of downloading a BIOS update from an untrusted source. Allowing unsigned BIOS updates to be installed by average users as a part of their normal day-to-day update process, however, is another thing entirely, and is a very bad idea.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
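The two update paths discussed in the summary and in the comment above (the vendor-signed "authenticated update mechanism" that the normal OS-driven update process must use, and the optional "secure local update mechanism" that only a physically present administrator may invoke for an unsigned image) can be modelled as a small policy check. The following Go program is an added example and is not code from NIST, from the draft guidelines, or from any firmware vendor; the names `UpdateImage`, `UpdatePolicy`, `AuthenticatedUpdate` and `LocalUpdate` are invented for illustration, Ed25519 stands in for whatever signature scheme a vendor actually uses, and the anti-rollback version check is an assumption added here, not a feature the page lists.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is a constructed firmware-update container (hypothetical format):
// a version number, the image payload, and a vendor signature over both.
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte // empty for an unsigned, locally built image
}

// signedBytes returns exactly the bytes the vendor signs: version || payload.
// Including the version in the signed data stops an attacker from re-labelling
// an old, validly signed image as a newer one.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// GenerateVendorKey models the vendor's signing key pair; in practice the
// private half never leaves the vendor's build/signing infrastructure.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only possible if the OS entropy source fails
	}
	return pub, priv
}

// SignImage models the vendor's release step: sign version || payload.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	return UpdateImage{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload))}
}

// UpdatePolicy is the state the platform keeps in its protected firmware
// region: the vendor's public key (root of trust) and the installed version.
type UpdatePolicy struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than installed firmware")
	ErrNotLocal     = errors.New("unsigned update rejected: requires a physically present administrator")
)

// AuthenticatedUpdate is the path the OS-driven updater must use: the image is
// accepted only if the vendor signature verifies and the version moves forward.
// An unsigned or tampered image never gets past the first check.
func (p *UpdatePolicy) AuthenticatedUpdate(img UpdateImage) error {
	if !ed25519.Verify(p.VendorKey, signedBytes(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= p.CurrentVersion {
		return ErrRollback
	}
	p.CurrentVersion = img.Version
	return nil
}

// LocalUpdate is the optional secure local path: an unsigned image is accepted
// only when physical presence has been asserted (for example a jumper or a key
// held during POST), which software running under the OS cannot fake.
func (p *UpdatePolicy) LocalUpdate(img UpdateImage, physicallyPresent bool) error {
	if !physicallyPresent {
		return ErrNotLocal
	}
	p.CurrentVersion = img.Version
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	platform := &UpdatePolicy{VendorKey: pub, CurrentVersion: 3}

	good := SignImage(priv, 4, []byte("constructed vendor firmware v4"))
	fmt.Println("signed v4 via OS updater:   ", platform.AuthenticatedUpdate(good))

	tampered := SignImage(priv, 5, []byte("constructed vendor firmware v5"))
	tampered.Payload = []byte("modified after signing")
	fmt.Println("tampered v5 via OS updater: ", platform.AuthenticatedUpdate(tampered))

	unsigned := UpdateImage{Version: 6, Payload: []byte("constructed custom build")}
	fmt.Println("unsigned via OS updater:    ", platform.AuthenticatedUpdate(unsigned))
	fmt.Println("unsigned, no presence:      ", platform.LocalUpdate(unsigned, false))
	fmt.Println("unsigned, admin at console: ", platform.LocalUpdate(unsigned, true))
}
```

The split between the two methods is the point of the comment above: the routine path accepts nothing without a valid vendor signature, while the unsigned path exists only behind a physical-presence gate, so a Trojan running under the OS cannot reach it no matter what UI it draws.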

  2. Re:Step one? by Aryeh Goretsky · Score: 3, Informative

    Hello,

    A list of OS software developers who are members of UEFI:

    • Apple
    • Canonical
    • Cisco
    • Cray
    • Fujitsu
    • Hewlett-Packard
    • IBM
    • Microsoft
    • NEC
    • Novell
    • Oracle
    • Red Flag
    • Red Hat

    And there are also other companies who work in the same neighborhood (CPU manufacturers, firmware developers, etc.). Source: UEFI Membership List.

    While I understand (and, to some extent, sympathize with) the desire to hold Microsoft solely responsible for every activity in the computing industry, this is clearly a joint effort across the industry to replace a two-decade-old invention whose time has come. And as far as I know, the largest installed base of UEFI firmware—albeit an older version of the standard—is Apple, a company not precisely known for having a cordial relationship with Microsoft.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.