Protecting Servers from Remote Attacks
New NIST Guidance Addresses BIOS Vulnerabilities
When IBM unveiled BIOS - Basic Input/Output System - in 1981 with the introduction of its personal computer, few perceived it as a security vulnerability.
Fast-forward more than three decades, and security researchers have identified BIOS vulnerabilities that put servers at risk. So the National Institute of Standards and Technology has published new guidance to mitigate the threat.
NIST's Special Publication 800-147B: BIOS Protection Guidelines for Servers is aimed at mitigating unauthorized modification of BIOS firmware by malware. Corrupting BIOS is seen as a significant threat because of BIOS's privileged position in the computer architecture.
The protections offered in the guidance are designed to help mitigate remote attacks but wouldn't necessarily stop dedicated attackers who try to tamper with BIOS in systems they have "unfettered physical access to," says Andrew Regenscheid, a NIST mathematician who authored the guidance.
"In practice, depending on how the manufacturer implements BIOS protections, these mechanisms would provide some protection against certain attacks," he says, "but wouldn't necessarily stop an attacker willing and able to pull and replace chips on the motherboard."
De Facto Standard
BIOS is a de facto standard defining a firmware interface built into IBM-compatible PCs and servers; it's the first software run when a computer based on IBM PC technology is turned on. Essentially, BIOS initializes and tests the system hardware components and boots the operating system from mass storage.
"Historically, BIOS has not been the primary target of attackers; however, in recent years we've seen more activity focusing on lower-level attacks," Regenscheid says.
As the security of operating systems improved, Regenscheid says, attackers began looking for entry into systems by going lower in the computer systems stack, creating what some cybersecurity researchers have dubbed "a race to bare metal" between attackers and security professionals, with each group trying to gain or maintain control of the system before the other side does. "You can't really get any closer to bare metal than the BIOS," he says.
History of BIOS Vulnerabilities
Regenscheid provides a brief history of BIOS vulnerabilities: In the late 1990s, malware known as the CIH virus attempted to erase BIOS on infected systems. When successful, the computer would not start. In 2011, the Mebromi rootkit attempted to insert malware in the BIOS that would continue to re-infect systems, even after clearing the malicious code with anti-virus software, reinstalling the operating system or replacing the hard drive.
"Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, given the fact that even if an anti-virus detects and cleans the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again," ethical hacker Marco Giuliani wrote in 2011, when he was a threat research analyst at Webroot Software.
MBR, or master boot record, is a special type of boot sector at the very beginning of partitioned computer mass storage devices, such as fixed disks or removable drives, intended for use with IBM PC-compatible systems.
"Developing an anti-virus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all," Giuliani said.
Role of BIOS in Security
Regenscheid says the attacks against BIOS have led the security community to recognize the important role BIOS plays in maintaining security on computer systems. "Attacks on BIOS could allow very powerful and very stealthy attacks on computer systems," he says, "but if BIOS can be strongly protected, it could be used as the foundation from which to build greater trust in computer systems."
One such protection might be found in what's known as the Unified Extensible Firmware Interface, or UEFI, a possible replacement for conventional BIOS that is becoming widely deployed in new PC-compatible computers.
This isn't NIST's first guidance regarding BIOS. In 2011, NIST issued SP 800-147, BIOS Protection Guidelines, primarily aimed at desktops and laptops, not servers.
The guidance for servers uses the same principles identified in the publication aimed at personal computers. Regenscheid points out that servers have different architectures than PC client systems, and the specific ways to update BIOS vary between client systems and servers. "In many cases, the differences between the documents are rather subtle, but they were important to accommodate the differences between server and PC client systems," he says.
Regenscheid says the most significant threat vector for SP 800-147B is remote attackers attempting to perform a malicious BIOS update on a computer system, which could occur after the attacker gains a foothold on the system being attacked or by taking control of some part of the infrastructure that pushes BIOS updates to computer systems. "We identified these as the most compelling threats because attacks of this nature can scale to a large number of machines," he says.
The guidelines in the NIST publication apply to BIOS firmware stored in the BIOS flash, including the BIOS code, the cryptographic keys that are part of the root of trust for update, and static BIOS data. This guide is intended to provide server platform vendors with recommendations and guidelines for a secure BIOS update process.
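The paragraphs above describe the threat (a remote attacker pushing a malicious BIOS update) and the defense the guidance builds on (keys held in the root of trust for update, verified before flash is written). The Go program below is an added illustration of that authenticated-update check and is not code from NIST or from any platform vendor. It models the root of trust for update as a struct holding the vendor's public key and the installed version; the update image format, the Ed25519 signature scheme, the `version || SHA-256(payload)` signed message, and the version-based rollback check are all constructed assumptions for the example, not a format or requirement taken from SP 800-147B. The `Demo` function exercises four cases: a genuine update, a payload altered after signing, an older image re-signed by the vendor, and an image signed with a key the platform does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is a constructed, simplified BIOS update package: a version
// number, the firmware payload, and a signature covering both.
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// RootOfTrustForUpdate models what the protected region of flash holds: the
// vendor's public key and the version of the BIOS currently installed
// (assumed here to support a rollback check).
type RootOfTrustForUpdate struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed BIOS")
)

// signedMessage is the byte string the vendor signs: version || SHA-256(payload).
// Binding the version into the signature stops an attacker from re-labelling an
// old, genuinely signed payload as a newer release.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(msg, version)
	h := sha256.Sum256(payload)
	return append(msg, h[:]...)
}

// SignUpdate stands in for the vendor's offline signing step.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	return UpdateImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// Verify is the gate the root of trust for update applies before any write to
// BIOS flash: reject anything not signed by the vendor key, then reject
// downgrades. Only a nil result should allow the flash write to proceed.
func (r RootOfTrustForUpdate) Verify(img UpdateImage) error {
	if !ed25519.Verify(r.VendorKey, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= r.InstalledVersion {
		return ErrRollback
	}
	return nil
}

// Demo runs the four constructed cases and returns each verdict so a caller
// (or a test) can check them rather than read printed output.
func Demo() (genuine, tampered, rollback, wrongKey error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	rotu := RootOfTrustForUpdate{VendorKey: vendorPub, InstalledVersion: 7}

	// 1. A genuine, newer update signed by the vendor.
	good := SignUpdate(vendorPriv, 8, []byte("constructed firmware payload v8"))
	genuine = rotu.Verify(good)

	// 2. The same image with one payload byte flipped in transit.
	t := good
	t.Payload = append([]byte(nil), good.Payload...)
	t.Payload[0] ^= 0xff
	tampered = rotu.Verify(t)

	// 3. A vendor-signed image whose version equals the installed one.
	old := SignUpdate(vendorPriv, 7, []byte("constructed firmware payload v7"))
	rollback = rotu.Verify(old)

	// 4. A newer-looking image signed with a key the platform does not trust.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrongKey = rotu.Verify(SignUpdate(otherPriv, 9, []byte("constructed payload from an untrusted signer")))
	return
}

func main() {
	genuine, tampered, rollback, wrongKey := Demo()
	fmt.Println("genuine update: ", genuine)
	fmt.Println("tampered payload:", tampered)
	fmt.Println("rollback attempt:", rollback)
	fmt.Println("untrusted signer:", wrongKey)
}
```

The point the example makes is that the verification key lives with the firmware it protects, so a compromised host or a compromised update server can deliver an image but cannot make it pass the check; that is why the guidance treats the keys in the root of trust for update as part of the protected flash contents. Physical replacement of the flash chip, as Regenscheid notes above, sidesteps a check of this kind entirely.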