ORLANDO – In light of emerging attacks against system BIOS, the government’s top IT standards organization is promoting guidelines for securely building and maintaining the key firmware component of client computers.
Tuesday at the NSA Trusted Computing Conference & Exposition, Andrew Regenscheid, a mathematician with the computer security division of the National Institute of Standards and Technology (NIST), detailed Special Publication 800-147, recommendations released in April outlining how computer manufacturers and enterprises should build, update and manage BIOS securely to limit the potential for exploits.
BIOS, which stands for basic input/output system, is the fundamental firmware used to boot or initialize nearly all computers. Legacy machines use BIOS as the go-between that helps hardware and software communicate, but Regenscheid noted that today’s systems use BIOS strictly as a means to boot the operating system.
Despite its limited role in contemporary computing, Regenscheid said BIOS represents an increasingly worrisome threat vector for enterprises. Improvements in operating system security have forced attackers to move "up the stack" in search of vulnerable applications, he said, but BIOS has long been forgotten from a security perspective, meaning creative attackers could easily find success exploiting vulnerable firmware.
In fact, BIOS attacks are already happening. Just this month, Chinese researchers discovered the Mebromi rootkit, the first instance of malware in the wild that attempts to plant itself inside BIOS. Once installed, Mebromi uses BIOS to corrupt the system’s master boot record (MBR) and make the target system inoperable.
“If you can get in and modify the BIOS,” Regenscheid said, “you can bring down a system, prevent it from booting, or get malware running at very high privilege levels on a system.”
BIOS 2.0: UEFI BIOS
Complicating the BIOS security threats landscape further is the recent emergence of the Unified Extensible Firmware Interface, or UEFI BIOS, a next-generation system BIOS specification with added features, most notably the ability to boot from multi-terabyte hard drives.
Unlike the limited role of traditional BIOS, UEFI BIOS handles more than just the boot process. Regenscheid said it includes a set of runtime services that might be called upon even when the OS has control of the system. These and other UEFI BIOS features, he said, serve to enlarge the attack surface.
Additionally, Regenscheid said the UEFI BIOS standard is better documented than the previous BIOS specifications, and when combined with the likelihood that it will need to be updated more frequently, it sets the stage for malicious exploits.
“NIST saw an opportunity to influence products before [UEFI BIOS] attacks became widespread,” Regenscheid said.
NIST SP 800-147: Advice for enterprises
The NIST guidelines, which Regenscheid co-authored, address security for what’s called system BIOS, the type used to boot client computers. Regenscheid said future NIST guidance will address other types of BIOS that have their own, more complex intricacies, such as those on controller cards and on servers.
The document has two parts: guidelines on BIOS implementations for computer manufacturers, and recommended practices for managing BIOS for system administrators.
Key among the specifications for computer makers are protections to lock down BIOS. This is done via authenticated BIOS updates, which use digital signatures to verify that new versions of BIOS are authentic before allowing them to be flashed. In addition, integrity protections thwart unauthorized modifications to BIOS already installed on client systems. Further safeguards must ensure that these BIOS protections can’t be circumvented, Regenscheid said.
For enterprises, the key NIST recommendation is to ensure newly purchased computers adhere to SP 800-147 guidelines, which he said computer makers and other hardware vendors have already begun supporting.
“Once you have such a system, NIST would like you to treat the BIOS like any other system component,” he said. “Just as your OS and applications have a platform lifecycle, you should think about managing BIOS in the same way.”
More specifically, Regenscheid said that means tracking BIOS changes along with other system changes, and maintaining a known good BIOS backup repository. Prior to deployment, the system BIOS version should be verified and approved. During operation and maintenance, apply existing change management practices to BIOS so updates are managed similarly to software patches. NIST also recommends continuous monitoring to spot attempted BIOS exploits or unauthorized updates.
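The lifecycle practices described above (a known-good BIOS repository, pre-deployment verification of the BIOS version, and continuous monitoring for unauthorized updates) can be expressed as a small inventory check. The script below is an added example written for this article; it is not NIST's or any vendor's code. It assumes constructed model names, image bytes and host records, and it assumes that the vendor's signed update packages have already been verified by the platform's authenticated-update mechanism before their hashes are entered into the repository, so it works purely from the administrator's approved hash list.

```python
"""Enterprise BIOS lifecycle checks in the spirit of SP 800-147's
management recommendations: a known-good repository of approved BIOS
images, a pre-deployment check of a candidate image, and a monitoring
pass over host inventory that flags unapproved, tampered or downgraded
firmware. All images, models and hosts below are constructed."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hash used to identify a BIOS image in the known-good repository."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vendor update images. In practice these are
# the signed packages from the manufacturer, already verified by the
# platform's authenticated-update check before being approved here.
VENDOR_IMAGES = {
    ("ACME-Model-X", "1.02"): b"ACME-X BIOS 1.02 image bytes (constructed)",
    ("ACME-Model-X", "1.03"): b"ACME-X BIOS 1.03 image bytes (constructed)",
}

# Known-good repository: (model, version) -> SHA-256 of the approved image.
KNOWN_GOOD = {key: sha256_hex(img) for key, img in VENDOR_IMAGES.items()}

# Approved baseline version per model (what change management has rolled out).
BASELINE = {"ACME-Model-X": "1.03"}


def version_tuple(version: str):
    """'1.03' -> (1, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def approve_for_deployment(model: str, version: str, image: bytes):
    """Pre-deployment verification: the candidate image must match the
    approved hash for that model/version and must not be older than the
    current baseline (flashing an older version is a rollback)."""
    expected = KNOWN_GOOD.get((model, version))
    if expected is None:
        return False, "version not in known-good repository"
    if sha256_hex(image) != expected:
        return False, "image hash does not match known-good entry"
    if version_tuple(version) < version_tuple(BASELINE[model]):
        return False, "older than approved baseline (rollback)"
    return True, "approved"


@dataclass
class HostRecord:
    """One inventory record as an endpoint agent might report it."""
    hostname: str
    model: str
    bios_version: str
    bios_hash: str


def monitor(records):
    """Continuous-monitoring pass: compare each host's reported BIOS with
    the repository and baseline; return a finding per anomalous host."""
    findings = {}
    for rec in records:
        expected = KNOWN_GOOD.get((rec.model, rec.bios_version))
        if expected is None:
            findings[rec.hostname] = "unknown BIOS version: possible unauthorized update"
        elif rec.bios_hash != expected:
            findings[rec.hostname] = "hash mismatch for declared version: possible tampering"
        elif version_tuple(rec.bios_version) < version_tuple(BASELINE[rec.model]):
            findings[rec.hostname] = "below baseline: downgraded or unpatched"
    return findings


# Constructed inventory: one healthy host and three that should be flagged.
INVENTORY = [
    HostRecord("ws01", "ACME-Model-X", "1.03", KNOWN_GOOD[("ACME-Model-X", "1.03")]),
    HostRecord("ws02", "ACME-Model-X", "1.02", KNOWN_GOOD[("ACME-Model-X", "1.02")]),
    HostRecord("ws03", "ACME-Model-X", "1.03", sha256_hex(b"modified image (constructed)")),
    HostRecord("ws04", "ACME-Model-X", "9.99", sha256_hex(b"unapproved image (constructed)")),
]

if __name__ == "__main__":
    ok, why = approve_for_deployment("ACME-Model-X", "1.03", VENDOR_IMAGES[("ACME-Model-X", "1.03")])
    print("deploy 1.03:", ok, why)
    for host, finding in monitor(INVENTORY).items():
        print(f"{host}: {finding}")
```

The repository key pairs model with version because the same version string on a different model is a different image; the baseline check makes a rollback to an older, approved-but-superseded version visible as a finding rather than silently accepted.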
In reference to the Mebromi rootkit, Regenscheid said if the SP 800-147 guidelines had been in place, they would have thwarted the attack.
“The attack attached malware to BIOS by including a malicious option ROM into the BIOS itself,” Regenscheid said. “If only authorized BIOS updates were allowed to be implemented, protecting the integrity of the flash memory, they wouldn’t have been able to do that attack.”
Rian Quinn, an attendee with the Air Force Research Lab in Rome, N.Y., said that while today it’s unlikely an attacker would seek to exploit a vulnerable system BIOS, the issue of BIOS security is important because a successful attack could essentially make an entire system or network vulnerable.
“BIOS plays a huge, key role in security because if it ever gets exploited, your whole house comes down,” Quinn said. “If you’re trying to build a computer based on Trusted Computing principles, you have to have BIOS secured.”