NIST SP 800-193 Platform Firmware Resiliency Guidelines

The U.S. Federal Government operates the National Institute of Standards and Technology (NIST). NIST’s mission is to “Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”  Of special interest to BIOS programmers is NIST’s 800 series of "Special Publications" covering information technology.  I've published previous articles on NIST SP 800-147: BIOS Protection Guidelines and NIST SP 800-155: BIOS Integrity Measurement Guidelines.

There is a relatively new NIST special publication of note:  NIST SP 800-193 Platform Firmware Resiliency Guidelines.  From the abstract:

Abstract

This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks.  The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or requiring reprogramming by the original manufacturer, resulting in significant disruptions to users.  The technical guidelines in this document promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. Implementers, including Original Equipment Manufacturers (OEMs) and component/device suppliers, can use these guidelines to build stronger security mechanisms into platforms.  System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems.

SP 800-193 was first published on 4 May 2018.

What is SP 800-193 about?

The document provides technical guidelines intended to make computer systems resilient to cyber attacks.  Resiliency is defined as the “ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.”  The document revolves around three principles:

1. Protection: Mechanisms for ensuring that platform firmware code and critical data remain in a state of integrity and are protected from corruption, such as the process for ensuring the authenticity and integrity of firmware updates.
2. Detection: Mechanisms for detecting when platform firmware code and critical data have been corrupted.
3. Recovery: Mechanisms for restoring platform firmware code and critical data to a state of integrity in the event that any such firmware code or critical data are detected to have been corrupted, or when forced to recover through an authorized mechanism. Recovery is limited to the ability to recover firmware code and critical data.

By the term "platform firmware", the document includes the BIOS plus all other firmware images for motherboard devices found in modern systems; for example, the Embedded Controller (EC), Baseboard Management Controller (BMC), Intel ME, and add-in option ROMs of all types—video OROM, NIC OROM, etc.  All these various components need to work together to provide the three principles of Protection / Detection / Recovery, and the system as a whole is only as strong as its weakest link.

Naturally, ensuring a platform’s firmware code and critical data are always in a state of integrity is critical to ensure that the system can be operated free from malware.  Once the BIOS or other platform firmware is compromised, an attacker can install a firmware-based rootkit which can be indistinguishable to a hypervisor or operating system, and can survive hard drive wipes.  Check out these recent Blackhat presentations:

• Firmware is the new Black – Analyzing Past 3 years of BIOS/UEFI Security Vulnerabilities
• Winning the Race to Bare Metal ~ UEFI Hypervisors
• Remotely Attacking System Firmware

Topics Covered

In the context of Protection / Detection / Recovery, the document discusses:

• Roots of Trust and Chains of Trust
• Firmware update mechanisms done right
• Run-time protection of firmware
• Protection of both code and data that is critical to system operation
• Secure recovery of known-valid firmware images

The document uses the "shall/should/may" taxonomy when describing the various requirements.

Download

The content of SP 800-193 should be considered required reading for professional BIOS/firmware engineers.  The document is available free of charge by NIST.  Link to SP 800-193 at NIST:

https://csrc.nist.gov/publications/detail/sp/800-193/final