The US National Institute of Standards and Technology (NIST) has published guidelines in response to the growing threat of BIOS-resident malware which can survive a system being reformatted and re-installed.
Persistent, BIOS-resident rootkits - a form of malware which is designed to allow ne'er-do-wells unlimited access to a target machine - have been doing the rounds in recent years, both as proof of concept designs and as in-the-wild examples like Mebroni
The idea of BIOS-resident malware isn't exactly new: the CIH virus dates back to 1999, and used the same techniques for attacking target systems. As BIOS storage becomes more capacious, and the BIOS itself more capable of performing more complex tasks - thanks in no small part to technologies like EFI
- the risk grows ever greater.
NIST's response is a draft proposal, initially aimed at servers, dubbed the BIOS Protection Guidelines for Servers. Authored by Andrew Regenscheid, a member of NIST's computer security division, the document outlines a series of suggested mechanisms by which BIOS infection can be prevented.
The first suggestion is to introduce an authenticated update mechanism, which would prevent an unauthorised source distributing Trojan BIOS updates containing malicious code. It's not a new concept - software updates frequently rely on cryptographic signatures to ensure they haven't been tampered with - but has rarely been applied to the BIOS.
Regenscheid's second suggestion is to add integrity protection to the BIOS itself though a Root of Trust for Update (RTU) - a combination of hardware and firmware which is inherently trusted, and given the responsibility of actually verifying the update's legitimacy and overwriting the old BIOS.
The use of an RTU does have one drawback for tinkerers, however: should Regenscheid's suggestions be accepted in the industry, it would become impossible to install third-party BIOS updates - to fix unpatched bugs, or unlock hidden features of the hardware - as they would be seen as untrusted by the RTU. While not much of a concern for NIST's target audience of government server farms, if the technology trickled down to the desktop it could have serious repercussions for consumer hardware.
The guideline document can be downloaded as a PDF from NIST's website
, with industry types asked to provide comment on the proposals by the 14th of September.