The U.S. Federal Government operates the National Institute of Standards and Technology (NIST). NIST’s mission is to “Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” Of special interest to BIOS programmers is NIST’s 800 series of reports covering information technology:
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
Why is all this important? Because the U.S. Federal government follows the standards set by NIST, and in order for companies to sell computers to the U.S. Federal Government, a huge customer, they must meet these standards!
Enter NIST 800-147
Which brings us to NIST publication 800-147. 800-147 is meant to provide security guidelines for preventing the unauthorized modification of BIOS firmware.
While BIOS threats are not necessarily new, consider CIH, the transition to UEFI BIOS from Legacy BIOS especially motivated the creation of 800-147. Now, more than ever before, BIOS is a tempting target because all its interfaces are standardized. In Legacy BIOS, trying to write malware that exploited both Dell, Compaq, and IBM (et al.) BIOS implementations was impractical since there was little standardization as to how these vendors’ systems worked. (don’t believe me? then check out Ralf’s Brown’s famous list and see how much vendor-specific variation there is between “standard” software interrupts!) UEFI provides the standardization that makes the job of malware authors easier—write once, infect everywhere.
Moreover, the system BIOS is an especially attractive target for attack. Malicious code running at the BIOS level has a great deal of control over the computer. It could be used to compromise components loaded later in the boot process, including SMM code, the boot loader, hypervisor, and operating system. Since BIOS is stored in NVRAM, malware written into a BIOS could be used to re-infect machines even after new operating systems have been installed or hard drives replaced. Because the system BIOS runs early in the boot process with very high privileges on the machine, malware running at the BIOS level may be very difficult to detect. Because the BIOS loads first, there is no opportunity for anti-malware products to authoritatively scan the BIOS. Therefore, NIST is interested in protecting BIOS as much as possible.
Recommendations of 800-147
The 800-147 report is all about specifying a secure BIOS update mechanism. A secure BIOS update mechanism includes:
- a process for verifying the authenticity and integrity of BIOS updates
- a mechanism for ensuring that the BIOS is protected from modification outside of the secure update process.
The recommendations of 800-147 discuss the following four recommendations:
- An authenticated BIOS update mechanism, where digital signatures prevent the installation of BIOS update images that are not authentic.
- The authenticated BIOS update mechanism employs digital signatures to ensure the authenticity of the BIOS update image. To update the BIOS using the authenticated BIOS update mechanism, there shall be a Root of Trust for Update (RTU) that contains a signature verification algorithm and a key store that includes the public key needed to verify the signature on the BIOS update image.
- The authenticated update mechanism should prevent the unauthorized rollback of the BIOS to an earlier authentic version that has a known security weakness.
- Integrity protection features, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.
- To prevent unintended or malicious modification of the system BIOS outside the authenticated BIOS update process, the RTU and the system BIOS shall be protected from unintended or malicious modification with a mechanism that cannot be overridden outside of an authenticated BIOS update.
- The authenticated BIOS update mechanism shall be protected from unintended or malicious modification by a mechanism that is at least as strong as that protecting the RTU and the system BIOS.
- Non-bypassability features, to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the authenticated update mechanism.
- The authenticated BIOS update mechanism shall be the exclusive mechanism for modifying the system BIOS, absent physical intervention through the secure local update mechanism. (below)
- An optional “secure local update” mechanism, where physical presence authorizes installation of BIOS update images outside the authenticated update mechanism.
- BIOS implementations may optionally include a secure local update mechanism that updates the system BIOS without using the authenticated update mechanism.
- A secure local update mechanism shall ensure the authenticity and integrity of the BIOS update image by requiring physical presence.
The NIST 800-147 recommendations are on-target and needed by our industry. BIOS engineers working on security or the flash update process need to be familiar with 800-147. Appendix A, Summary of Guidelines for System BIOS Implementations is an especially good reference for the recommendations. Please read the (relatively short) document to see complete details. Download from NIST here: