NIST Publishes Draft Guidelines For Server BIOS Protection

hypnosec writes "The U.S.'s National Institute of Standards and Technology has come up with a set of proposed guidelines for security of server BIOSes— the mechanism on which most modern day computers rely during boot up. Recently quite a few instances of malware have been known to persistently infect computer systems, and cannot be removed even on OS re-installs. NIST is proposing a set of measures through which the BIOS can be made more secure and resistant to such firmware manipulating attacks. Mebromi is one such Trojan. NIST published the draft guidelines [PDF] earlier this week and has proposed four different features through which the server BIOSes can be made more secure: authenticated update mechanism; secure local update mechanism (optional); firmware integrity protections; and non-bypassability features."

Re:Stupid and wrong

[dgatwood]

Actually, it's not easy. A trojan horse can draw the same UI, write the same file to the flash drive, and a naïve user would probably dutifully follow the instructions because the user would not know any better. Your "solution" is no better than the status quo.

Allowing a power-user (someone who knows how to hold down the magic keys and isn't afraid of the BIOS UI) to install an unsigned update explicitly and manually is one thing. Such a user can be assumed to know enough about what he or she is doing to understand the risks of downloading a BIOS update from an untrusted source. Allowing unsigned BIOS updates to be installed by average users as a part of their normal day-to-day update process, however, is another thing entirely, and is a very bad idea.