Security basics: Start within the BIOS
- By William Jackson
- Dec 12, 2011
The National Institute of Standards and Technology is offering guidance for developing tools to help ensure the integrity of firmware that initializes a computer’s hardware when it boots up.
Because the Basic Input/Output System operates at a foundation level in establishing the configuration and operation of computer hardware, unauthorized changes to the code or its configuration can compromise the security of the computer and make it vulnerable to additional attacks. The ability to monitor and measure the integrity of the BIOS is important to a system’s security.
The public comment draft of Special Publication 800-155, BIOS Integrity Measurement Guidelines, outlines the security components and guidelines needed to establish a secure BIOS integrity measurement and reporting chain.
New SCAP testing requirements cover Windows 7, IE 8
Options expand for online authentication
“Unauthorized modification of BIOS firmware constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture,” the authors of the report write. “Changes to the system BIOS code could allow malicious software to run during the boot process.”
The mechanisms described in the report are intended to detect changes to the code and configuration that could create insecurities and leave the systems vulnerable to attack.
SP 800-155 is part of a broader effort to enable the automated monitoring and remediation of the security status of IT systems. To further this, NIST is developing standards and specifications for security requirements and common language for expressing them, such as the Common Remediation Enumeration, a scheme for identifying and describing remediation activities. A draft of the first version of the Common Remediation Enumeration has been released in NIST Interagency Report 7831.
The CRE gives a common description and name, and assigns a unique identifier to each remediation activity identified. The document describes the core concepts of CRE, the technical components of an entry in the list and outlines how the entries are created. The report is a companion of IR 7670, Proposed Open Specifications for an Enterprise Remediation Framework.
Comments on the initial draft of the CRE should be sent by Jan. 6, 2012 to firstname.lastname@example.org.
The BIOS Integrity Management Guidelines are intended to help the development of products to detect problems with the BIOS so that appropriate remedial action can be taken. The controls and procedures specified in the publication are for desktops and laptops deployed in an enterprise environment. The basic requirements for vendor tools supporting BIOS integrity measurement are:
• Provide the hardware support necessary to implement credible Roots of Trust for BIOS integrity measurements. Roots of trust are hardware and software components that provide unconditionally trusted functions and information. BIOS integrity measurement requires agents to measure, store and report on this information.
• Enable endpoints to measure the integrity of all BIOS executable components and configuration data components at boot time. This establishes a baseline of attributes and measurements.
• Securely transmit measurements of BIOS integrity from endpoints to the Measurement Assessment Authority. The Measurement Assessment Authority determines the state of BIOS configuration security on each endpoint. The measurements must be transmitted securely to provide the needed integrity.
Comments on draft SP 800-155 should be sent by Jan. 20, 2012 to email@example.com, with "Comments SP 800-155" in the subject line.
William Jackson is freelance writer and the author of the CyberEye blog.