New Rules in Works to Secure Server BIOS

The Holy Grail of network intruders is to gain privileged access to the resources on a net. And what better way to do that than to gain control of a server at its most basic level: its BIOS.

A computer’s BIOS—Basic Input/Output System—kicks in when the machine powers up. It initializes the various hardware components of a server and loads its operating system. Infecting the BIOS allows a hacker to work mischief on a byte box before its defenses are up and running.

Malware targeting a BIOS has been relatively rare. In 1998, for instance, the Chernobyl virus was found attacking the BIOS in Windows machines, corrupting it and wiping all the data on the computers.

But concern over it has been growing, fed by a demonstration by researchers in 2009 of how to inject code into any unsigned firmware and the discovery last year of Mebromi, a BIOS-infecting rootkit that alters the Master Boot Record in a PC. Those worries have been fanned further by the appearance of super malware programs like Stuxnet, Duqu, Flame and Gauss.

Last year, the United States’ oldest physical science laboratory—the National Institute of Standards and Technology (NIST)—made recommendations to makers of PCs to make their BIOSes more secure. Now it’s doing the same for servers.

The agency has drafted some guidelines [PDF] for securing the BIOSes in servers and it’s asking interested parties to comment on them by September 14.

Servers are a different animal than PCs, according to the author of the proposed guidelines, Andrew Regenscheid, a math researcher and project leader at NIST’s Computer Security Division. “While laptop and desktop computers have largely converged on a single architecture for system BIOS, server class systems have a more diverse set of architectures, and more mechanisms for updating or modifying the system BIOS,” he said in a statement.

What’s more, the guidelines point out that many servers contain service processors that perform a variety of management functions that may include BIOS updates. Service processors are specialized microcontrollers that provide administrators with an interface to manage a host server.

They may also implement multiple ways for updating a BIOS. The update process is a juicy target for intruders because it’s a point where the BIOS’s firmware is routinely modified.

The proposed guidelines outline best practices for securing the BIOS updating process in servers. They focus on four areas:

  • Authenticating an update through the use of digital signatures;
  • Creating an optional secure local update mechanism, which requires that an administrator be physically present at the machine in order to install BIOS images without authentication;
  • Deploying firmware integrity protections to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process; and
  • Incorporating non-bypassability features to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the BIOS protections.
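As an added illustration, not code from NIST’s draft or from the article, the first two items above (signature-authenticated updates and the physical-presence local path) can be expressed as a small update-acceptance check in Go. The image layout, the "BIOS" magic, the error names and the physicallyPresent flag are constructed assumptions, and ed25519 stands in for whatever signature scheme a vendor actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not any vendor's real format): 4-byte magic "BIOS" |
// 4-byte little-endian version | payload | 64-byte ed25519 signature over everything before it.
const sigLen = ed25519.SignatureSize
var errBadImage, errBadSig = errors.New("malformed update image"), errors.New("bad vendor signature")
type UpdatePolicy struct{ VendorKey ed25519.PublicKey } // vendor public key pinned at manufacture

// Authorize decides whether an update image may be written to BIOS flash. physicallyPresent models
// the optional secure local update path: an admin at the console may install an unsigned image.
func (p UpdatePolicy) Authorize(image []byte, physicallyPresent bool) (uint32, error) {
	if len(image) < 8 || string(image[:4]) != "BIOS" {
		return 0, errBadImage
	}
	version := binary.LittleEndian.Uint32(image[4:8])
	if physicallyPresent {
		return version, nil // local path: no authentication required
	}
	if len(image) < 8+sigLen {
		return 0, errBadSig // unsigned image arriving over a remote path is rejected
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(p.VendorKey, body, sig) {
		return 0, errBadSig // tampered payload or wrong signing key
	}
	return version, nil
}

// BuildSignedImage stands in for the vendor's release tooling (constructed for this demo).
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := append([]byte("BIOS"), 0, 0, 0, 0)
	binary.LittleEndian.PutUint32(body[4:8], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := UpdatePolicy{VendorKey: pub}
	img := BuildSignedImage(priv, 2, []byte("constructed firmware payload"))
	fmt.Println(policy.Authorize(img, false)) // genuine image: 2 <nil>
	img[20] ^= 0x01                           // flip one payload byte
	fmt.Println(policy.Authorize(img, false)) // 0 bad vendor signature
}
```

The integrity-protection and non-bypassability items in the list are platform properties (write-protected flash, no alternate write path) rather than a check that can be shown in host code, so they are not modelled here.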

“Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture,” the guidelines noted. “Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service or a persistent malware presence.”

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

4 Comments

  1. Nena Hernandez · August 30, 2012

    I definitely like this better than the other mentioned techniques in getting rid of spam. Now we have a group of talented people who are more proactive, giving us some of the best practices and guidelines on how to protect the systems. From the sound of it, they are quite easy to follow or, at the very least, understandable. I’ll be sharing this news on Facebook and Twitter. I have a couple of friends who are system administrators and webmasters, and they’re definitely struggling on how to keep spam at bay. These might be the solutions they’re looking for.

  2. Hannah Dae · August 30, 2012

    I am not IT personnel, but I’m definitely happy to hear this news. I definitely believe that one of the keys to fight spam is to set up rules that all those in charge of security can follow. I even like this better than using software immediately. The rules help develop discipline and vigilance. And because they are rules, they can be easily passed on and taught to other IT security personnel. I am not sure if our company administrator is aware of this, but this deserves to be forwarded to his e-mail.

  3. Ralph · August 31, 2012

    It was high time to think about more secure BIOS for servers. This was such a hole in security that it is really unbelievable hackers didn’t exploit it more. Yet most of our efforts had been directed to securing applications and we paid less attention to the layers that are closer to hardware and that can cause huge trouble. I hope that firmware vendors will embrace the initiative.

  4. Roberto Rodriguez · August 31, 2012

    Way to go, anti-spam fighters! I know there is a lot of unpleasant news about spam, and I also know a number of people have sadly become victims of it. I for one went through the same problem, and it almost cost me my job and a few friends. But there is also some great stuff out there such as this. It is definitely important to teach anyone who’s using e-mail and managing networks the best practices, then develop protocols or processes out of these best practices to ensure everybody does his part to combat spam, especially in the workplace.