When the Stuxnet virus caused centrifuges to malfunction at Iran’s Bushehr nuclear reprocessing facility last year, it put cybersecurity officials around the world on notice that a new, more dangerous strain of Advanced Persistent Threat (APT) had appeared.
Post-analysis indicated the Stuxnet virus had altered the basic-input-output system (BIOS) firmware of the facility’s computer control systems. In essence, it targeted the computers’ pre-boot environments, which made it invisible to all software layers that subsequently came online.
The implications were clear: A virus that can alter the BIOS of a computer could grant control over its operating system (OS) and any software layer above it, including security and encryption applications. It could conceivably permit hackers to silently monitor a user’s keystrokes, invade networked machines or assign remote control over online systems.
This emerging class of APTs prompted the U.S. National Institute of Standards and Testing (NIST) to publish guidelines last year for preventing unauthorized changes to BIOS firmware. The agency is now on the verge of issuing subsequent standards for measuring the health of an endpoint BIOS in real-time.
Both NIST publications tacitly recognise that software solutions are an antiquated defense against attacks that are already active in the pre-boot phase. One alternative they suggest is to shift the line of defence to a computer’s physical hardware, which offers a deeper and incorruptible foundation for preserving the identity and health of a device.
A very persistent threat
Attacks on BIOS firmware are not a particularly new threat. They’re commonly known as rootkit viruses. When they first appeared during the mid-90’s, they simply disabled a targeted computer. The only fix was to wipe the drive clean, and reinstall the OS.
But as Stuxnet illustrates, rootkits have evolved into something far more persistent and insidious. In their emergent form, they can remain intact in the BIOS, even after a hard drive has been reformatted. Further, they can lie dormant for months before being activated remotely or by a certain cue. And, as mentioned, they can exercise invisible control over the entire software stack of a machine, as well as that of networked computers.
Skeptics argue that the threat of such sophisticated attacks is negligible since the diversity of firmware platforms in circulation requires rootkits to be highly tailored to the BIOS of a targeted computer. Yet, again as Stuxnet illustrated, a highly targeted attack can have a very broad impact. Industrial control systems similar to those used at Bushehr are commonly used in gas pipelines, power plants and other key infrastructure, which helps explain why such a “limited” threat became a priority for NIST.
Some of the skepticism surrounding the threat of rootkits may also be fatalism in disguise. In an industry dominated by software security solutions, vulnerabilities in the pre-boot environment can seem like an unpleasant yet inevitable fact of life. They are not, as NIST helped illustrate when it issued Special Publication (SP) 800-147 last year. The document established the first guidelines for ensuring that changes or updates to system BIOS come only from an authorised source.
But SP 800-147 was only the start. NIST recognised that protecting BIOS firmware requires more than passive defenses. Security further demands the ability to monitor those defenses against evolving and persistent threats.
As a result, NIST will soon issue SP 800-155, which outlines methods for actively measuring the health of BIOS firmware in real time, and reporting any unauthorised changes to a remote authority.
The question is: What reporting source can be trusted when the pre-boot environment itself — and any software layer operating above it — is suspect? The most readily available solution is the hardware layer operating below system BIOS. More specifically, it is a piece of hardware called the Trusted Platform Module.
Designed a decade ago to thwart APT attacks, the TPM is a cryptographic chip attached to the motherboard of virtually every corporate-class laptop deployed. Today, activated TPMs are capable of storing and reporting measurements from the pre-boot environment. Plus, because their security functionality is embedded within physical hardware, TPMs cannot be compromised or altered by rootkits or other malicious code.
Measuring BIOS integrity
SP 800-155 establishes guidelines defining how to measure, store and report the integrity of a computer’s BIOS to a remote authority in real-time. NIST’s publication is well-detailed and deserves to be read separately. But, in its simplest form, it establishes three key requirements:
- Provide the hardware support necessary to implement credible Roots of Trust for BIOS integrity measurements;
- Enable endpoint computers to measure multiple stages of the boot up process prior to execution;
- Securely transmit measurements of BIOS integrity from the endpoints to IT management.
Again, TPMs can play a central role in fulfilling these requirements. First, as physical hardware, they provide an unalterable baseline — the so-called Root of Trust — for comparison with expected BIOS measurements. TPMs securely store these measurements and, at any point during or after the boot process, can send encrypted reports of BIOS health to a remote central authority, such as an IT manager in a corporate office.
Thanks to NIST SP 800-155, the industry now has the knowledge and the tools to do what it could not before, and block APTs based on rootkit attacks on BIOS firmware. Even better, BIOS monitoring platforms built on NIST’s specifications are already commercially available from vendors.
Yet, further work remains. NIST’s publications do not provide guidance for attacks targeting computer components, such as the video BIOS on a standard PC video card. Nor do they address attacks on the master boot record, which can cost a user their hard drive. But securing and measuring the integrity of the BIOS environment was an essential first step to making meaningful measurements further up the pre-boot stack. A house is only as strong as its foundation. Thus, NIST was wise to build on a foundation of strong BIOS integrity, and to leverage hardware-based tools, such as TPMs, as the cornerstone.