A computer’s BIOS—Basic Input/Output System—kicks in when the machine powers up. It initializes the various hardware components of a server and loads its operating system. Infecting the BIOS allows a hacker to work mischief on a byte box before its defenses are up and running.
Malware targeting the BIOS has been relatively rare. In 1998, for instance, the Chernobyl virus was found attacking the BIOS of Windows machines, corrupting it and wiping all the data on the computers.
But concern over it has been growing, fed by a demonstration by researchers in 2009 of how to inject code into any unsigned firmware and the discovery last year of Mebromi, a BIOS-infecting rootkit that alters the Master Boot Record in a PC. Those worries have been fanned further by the appearance of super malware programs like Stuxnet, Duqu, Flame and Gauss.
Last year, the United States’ oldest physical science laboratory—the National Institute of Standards and Technology (NIST)—issued recommendations to PC makers on making their BIOSes more secure. Now it’s doing the same for servers.
The agency has drafted guidelines [PDF] for securing the BIOSes in servers and is asking interested parties to comment on them by September 14.
Servers are a different animal than PCs, according to the author of the proposed guidelines, Andrew Regenscheid, a math researcher and project leader at NIST’s Computer Security Division. “While laptop and desktop computers have largely converged on a single architecture for system BIOS, server class systems have a more diverse set of architectures, and more mechanisms for updating or modifying the system BIOS,” he said in a statement.
What’s more, the guidelines point out that many servers contain service processors that perform a variety of management functions that may include BIOS updates. Service processors are specialized microcontrollers that provide administrators with an interface to manage a host server.
Service processors may also implement multiple ways of updating a BIOS. The update process is a juicy target for intruders because it’s the one point where the BIOS firmware is routinely modified.
The proposed guidelines outline best practices for securing the BIOS updating process in servers. They focus on four areas:
- Authenticating an update through the use of digital signatures;
- Creating an optional secure local update mechanism, which requires that an administrator be physically present at the machine in order to install BIOS images without authentication;
- Deploying firmware integrity protections to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process; and
- Incorporating non-bypassability features to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the BIOS protections.
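As an added illustration, not taken from the NIST draft or any vendor's firmware, here is a Go sketch of the decision gate the first two areas describe: an image is accepted only if its signature verifies under the trusted vendor key, or, when the optional local mechanism is enabled, if an administrator has asserted physical presence at the machine. The `Policy` and `UpdateRequest` types, the Ed25519 key and the sample image are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// UpdateRequest is a BIOS image handed to the server's update mechanism
// (hypothetical structure, not from the NIST draft or any vendor firmware).
type UpdateRequest struct {
	Image           []byte // firmware image to be written to flash
	Signature       []byte // detached Ed25519 signature over Image
	PhysicalPresent bool   // administrator asserted physical presence at the machine
}
// Policy holds the vendor's trusted signing key and whether the optional
// physical-presence local update path is enabled on this server.
type Policy struct {
	TrustedKey         ed25519.PublicKey
	LocalUpdateEnabled bool
}
var ErrRejected = errors.New("update rejected: not signed by trusted key and not a local update")

// Authorize is the gate in front of the flash write. It reports which path
// admitted the image ("authenticated" or "local") or returns ErrRejected.
func (p Policy) Authorize(req UpdateRequest) (string, error) {
	// Authenticated update: the signature over the whole image must verify.
	if len(req.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(p.TrustedKey, req.Image, req.Signature) {
		return "authenticated", nil
	}
	// Secure local update: only when enabled and physical presence was asserted.
	if p.LocalUpdateEnabled && req.PhysicalPresent {
		return "local", nil
	}
	return "", ErrRejected
}
// NewVendorKey and SignImage stand in for the vendor's offline signing step.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}
```

A real implementation would additionally lock the flash outside an authorized session (the third area) and make sure no component can reach the write path without passing this gate (the fourth).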
“Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture,” the guidelines noted. “Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service or a persistent malware presence.”