-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
First off, I'm by no means a engineer. This message is going out to real engineers that might have interest in bringing the idea I'm about to share with you to reality. This idea came to me after some light reading about rootkits on wikipedia and playing around with the program "rkhunter".
Malware designers are writing code that can infect a system via rootkits. I've even read about the possibility of malware that can infect ROM chips on mother boards as well as ROM chips on PCI cards. Meaning, anything that is rewritable isn't safe from malware. Then it dawned on me that most of these security issues could be minimized at the hardware level at preboot, meaning before the operating system loads.
My brother brought his laptop to me complaning the internet wont work and that it's slow as a whale turd. When I looked at it I found it swarming with viruses. I asked him what happened to the firewall and antivirus that In installed for him and he said he turned them off because the firewall was messing with his internet and he didn't know how to turn it off with out also turning off the antivirus. I think it was Eset Internet Security. I use Linux on my system so I don't touch Windows software all that often. I've come to the conclusion that it doesn't matter what software you put on there or what you do, stupid users (and most users are stupid) will fsck up there system.
That's when I decided that mother boards need to be dramatically redesigned from the ground up with a proactive role in security. Now here's where I will start with my wonderful idea that will save the world. You will either see that world with me or you wont.
I'm sure most of you are aware of the history of the BIOS and the ROM's they're on. Back in the day they really where ROM in every sense of the term that they where READ only. They where embed on the board so you would need a solder iron to remove them. Then they came out with the removable kind with sockets that you can replace with a new chip. Then comes the kind you can flash with software but are embedded. I'm sorry but impeded un-removeable ROM chips are completely asinine. Now on to my idea.
Instead of one ROM chip for the BIOS there should be 3 and use "coreboot" as the BIOS. All 3 will utilize sockets to be removeable for easy replacement. The first chip will have the purpose as a backup of the default BIOS and the chip will be read only. The second chip will house a copy of the primary BIOS which will be rewritable and allow for updates. The third chip I will call the ESP (Emergency Security Protocols) ROM which may or may not be read only, I haven't decided yet. The third chip will have the open source programs rkhunter, clamav and perhaps other programs that might be useful for a preboot.
In the event the other two are corrupted for what ever reason you need only flip a jumper, turn on the computer and the backup BIOS takes control and allows you to wipe the other two chips and restore a rewritable copy of the BIOS to chip 2 and the ESP BIOS to chip 3. The backup BIOS will also have the Linux program "wipe" so in the unlikeliness a rootkit takes control of chips 2 and 3 chip 1 will wipe it out and start from scratch.
This board will also have integrated wifi as well as lan making it easy to get a internet connection. The goal being to be able to update the signatures of rkhunter and clamav as well as update both firmware by direct download before the OS even loads. This entire process will have a liberal use of checksums to make sure at no time is any malware being installed during the preboot process.
I'm still trying to work out the finer details in my head. So my idea may make sense or it may not. Ultimately what I'm trying to do is build a mother board with BIOS backup/security redundancy. The 3 chips act as a triad that protect one another. The board should be designed so it tries to load the second chip with the rewritable BIOS and use the third chip to do a quick self scan for rootkits. If for some reason the first BIOS wont load it will fall back on the backup BIOS restoring the primary. Perhaps some one can share a better way of implimenting my idea. The goal is to make it damn near impossible for malware to alter or change the BIOS or load at preboot. These security meause could also be used to protect rewritable ROM on other hardware.
Please share your thoughts. I would really like to see a board like this see the light of reality.
I'd just like to point out some flaws in your proposal:
1. If Chip 1 is read only, and something happens, chips 2 and 3 are restored to whatever version they were originally, leaving chips 2 and 3 open to the same vulnerability, should it not be eradicated from the hard drive or fixed by an update. 2. Without some sort of extremely efficient compression algorithm, Chip 1 would have to be as large as Chip 2 + 3. I'm guessing it would probably end up being 4 chips, all the same size. 3. How is Chip 3 to determine what network to connect to? Can you really fit a networking stack, dhcp client, and secure ftp client into 1 or 2MB or less? How much time would be added to the boot time for Chip 3 to identify a network, connect to it, get an IP, and then check the versioning and potentially download an update and apply it? 4. What happens if the download server is compromised? Or if the download location is forced to move? Do you really like the idea of writing down 75 character web addresses so you can type them in to a BIOS (or rather, payload) configuration menu, to change an update path? What happens if Chip 3 needs to get restored? 5. How does this protect against malicious/infected PCI roms? 6. Do you honestly believe your brother's type of ignorance can be fixed by a more secure BIOS? Seriously, the type of people who have those kinds of problems, viruses and malware running amuck, would never realize their BIOS had a problem, wouldn't open their case to realize there's a switch on the board, and probably wouldn't even read the manual to find out it was there or what it did. Proper antivirus software, malware protection, and a decent firewall, combined with reflashing the BIOS every once in a while, can give exactly the same result. I know several people who had me work on their computers, back when windows 98 and ME were the current versions, they were having horrible problems with their computers running slow, this file or that was missing/damaged, etc. Come to find out, in at least half a dozen cases, they were canceling scandisk every time the computer started. Let it run, and in every case, problem solved. What happens when your rootkit detection program realizes the BIOS is messed up, and asks the user to get down on their hands and knees, dig the computer out of the desk they so lovingly hid it in, open the case, flip a switch, get it all back together so they can restart it, wait 5 minutes, and repeat?
I'm not an engineer either, yet, working on my degree, I'm just trying to give you some things to consider. You should also consider that vendors don't like spending any more money then they absolutely have to, so adding 2 or 3 redundant chips is not cool. Also, most current hardware only supports one flash chip, or else 2 flash chips but on 2 different interfaces (SPI and LPC, for example).
-Corey
On Thu, Jun 12, 2008 at 2:42 AM, Nathaniel Dube njdube@gmail.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
First off, I'm by no means a engineer. This message is going out to real engineers that might have interest in bringing the idea I'm about to share with you to reality. This idea came to me after some light reading about rootkits on wikipedia and playing around with the program "rkhunter".
Malware designers are writing code that can infect a system via rootkits. I've even read about the possibility of malware that can infect ROM chips on mother boards as well as ROM chips on PCI cards. Meaning, anything that is rewritable isn't safe from malware. Then it dawned on me that most of these security issues could be minimized at the hardware level at preboot, meaning before the operating system loads.
My brother brought his laptop to me complaning the internet wont work and that it's slow as a whale turd. When I looked at it I found it swarming with viruses. I asked him what happened to the firewall and antivirus that In installed for him and he said he turned them off because the firewall was messing with his internet and he didn't know how to turn it off with out also turning off the antivirus. I think it was Eset Internet Security. I use Linux on my system so I don't touch Windows software all that often. I've come to the conclusion that it doesn't matter what software you put on there or what you do, stupid users (and most users are stupid) will fsck up there system.
That's when I decided that mother boards need to be dramatically redesigned from the ground up with a proactive role in security. Now here's where I will start with my wonderful idea that will save the world. You will either see that world with me or you wont.
I'm sure most of you are aware of the history of the BIOS and the ROM's they're on. Back in the day they really where ROM in every sense of the term that they where READ only. They where embed on the board so you would need a solder iron to remove them. Then they came out with the removable kind with sockets that you can replace with a new chip. Then comes the kind you can flash with software but are embedded. I'm sorry but impeded un-removeable ROM chips are completely asinine. Now on to my idea.
Instead of one ROM chip for the BIOS there should be 3 and use "coreboot" as the BIOS. All 3 will utilize sockets to be removeable for easy replacement. The first chip will have the purpose as a backup of the default BIOS and the chip will be read only. The second chip will house a copy of the primary BIOS which will be rewritable and allow for updates. The third chip I will call the ESP (Emergency Security Protocols) ROM which may or may not be read only, I haven't decided yet. The third chip will have the open source programs rkhunter, clamav and perhaps other programs that might be useful for a preboot.
In the event the other two are corrupted for what ever reason you need only flip a jumper, turn on the computer and the backup BIOS takes control and allows you to wipe the other two chips and restore a rewritable copy of the BIOS to chip 2 and the ESP BIOS to chip 3. The backup BIOS will also have the Linux program "wipe" so in the unlikeliness a rootkit takes control of chips 2 and 3 chip 1 will wipe it out and start from scratch.
This board will also have integrated wifi as well as lan making it easy to get a internet connection. The goal being to be able to update the signatures of rkhunter and clamav as well as update both firmware by direct download before the OS even loads. This entire process will have a liberal use of checksums to make sure at no time is any malware being installed during the preboot process.
I'm still trying to work out the finer details in my head. So my idea may make sense or it may not. Ultimately what I'm trying to do is build a mother board with BIOS backup/security redundancy. The 3 chips act as a triad that protect one another. The board should be designed so it tries to load the second chip with the rewritable BIOS and use the third chip to do a quick self scan for rootkits. If for some reason the first BIOS wont load it will fall back on the backup BIOS restoring the primary. Perhaps some one can share a better way of implimenting my idea. The goal is to make it damn near impossible for malware to alter or change the BIOS or load at preboot. These security meause could also be used to protect rewritable ROM on other hardware.
Please share your thoughts. I would really like to see a board like this see the light of reality. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux)
iD8DBQFIUMVWvsn/sQCIOqQRAnqwAJ9lYdjiBqnaVArQvHZIcIIaD8A0gQCfSKn1 YYOUf33mToJpZ7N/HI6Q7jY= =VeHI -----END PGP SIGNATURE-----
-- coreboot mailing list coreboot@coreboot.org http://www.coreboot.org/mailman/listinfo/coreboot
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thursday 12 June 2008 02:46:19 am you wrote:
- If Chip 1 is read only, and something happens, chips 2 and 3 are
restored to whatever version they were originally, leaving chips 2 and 3 open to the same vulnerability, should it not be eradicated from the hard drive or fixed by an update.
Having the read only Backup-BIOS wipe the writable BIOS is simply a last case scenario. It's a last line of defense incase your primary BIOS becomes foobar. Keep in mind you would also have a software antivirus and firewall running on your operating system. So if the malware happens to get through that it would then have to deal with the hardware rootkit protection in the mother board. When ever you boot, the BIOS would use a checksum to check it self for modifications. I could be wrong but I believe there are similar security protocols in SELinux and similar technologies to detect if the Linux kernel has been screwed with.
- Without some sort of extremely efficient compression algorithm,
Chip 1 would have to be as large as Chip 2 + 3. I'm guessing it would probably end up being 4 chips, all the same size.
I suppose I could make it little more simple and just have 2 chips. One would be a backup and one for primary use. I have a little flash drive in my pocket right now, it's 8 GB. I'm sure we can design a sufficiently big enough chip to store the necessary software.
- How is Chip 3 to determine what network to connect to? Can you
really fit a networking stack, dhcp client, and secure ftp client into 1 or 2MB or less? How much time would be added to the boot time for Chip 3 to identify a network, connect to it, get an IP, and then check the versioning and potentially download an update and apply it?
Sure, why not. If you want 100% guarantee, then don't ever use the internet. If we can figure out how to buy stuff offline with strong enough encryption with a big enough margin of safety, I'm sure we can figure out something on how to download updates.
- What happens if the download server is compromised? Or if the
download location is forced to move? Do you really like the idea of writing down 75 character web addresses so you can type them in to a BIOS (or rather, payload) configuration menu, to change an update path? What happens if Chip 3 needs to get restored?
I really don't see that happening. I don't remember ever having any issues with download patches for openSUSE. Now that I mention it, the people at Novell have their main update domain bounce you to random mirrors. So when you download updates, you're not allways getting them from the same system. Just incase one goes down it'll bounce you to a different mirror. Which means you don't have to waste time changing URLs for your updates. Also, the RPM packages are signed with GPG keys from the people who manage the repositories you're downloading from. It's to help protect you incase the servers are compromised. ;-)
- How does this protect against malicious/infected PCI roms?
It would be possible in theory that when you install new hardware that have writable ROMs (video card maybe I'm not sure there are any that are writable) that your mother board makes a checksum of that ROM's firmware. So on a next reboot your mother board does a quick check to see if there where any changes and alert you if there is. Now if we could make this board really clever we could give it enough room to make backups as well as checksums of all the firmware off all your hardware. Then if something is changed it could either ask you if you want to restore from backup or incase of stupid users have it set to do it automatically.
- Do you honestly believe your brother's type of ignorance can be
fixed by a more secure BIOS?
There is no simple fix for stupidity but to go for a car metaphore for a moment. You have locks and keys for your house and car. Sure, if some people wanted to bad enough they can just break the window hot wire your car and drive off or pick the lock on your house and steal your TV. Then you can install a car alarm and a GPS for the cops and install a security system in your house. It's a cat and mouse game. Persistant people will find ways around almost any locked door. But that's no excuse not to lock your door. While security may not keep every one out, it'll keep more people out then if you use nothing at all. ;-)
Seriously, the type of people who have those kinds of problems, viruses and malware running amuck, would never realize their BIOS had a problem, wouldn't open their case to realize there's a switch on the board, and probably wouldn't even read the manual to find out it was there or what it did.
Instead of a jumper I suppose you can design it to be automatic in the instance the writable BIOS failed a cheksum. The system would then reboot it self, restore from backups after wiping the infected BIOS, download updates for rkhunter and clamav. Then the BIOS would force clamav to scan the system for infection. Most of this can be done automatically in a clever way in the same way scandisk runs on windows if you shut it down wrong. Something similar hapens on Linux.
Now I'm not suggesting a really long boot process every time you turn on the system. On every boot it would only check the BIOS for modification and maybe the MBR then continue on it's marry way. All this it meant to do is help protect against rootkits. This could also help serve as a protection measure against failed BIOS flashes to update the BIOS. Which has happened to me before. I ordered a board for my dad and noticed the BIOS was out of date. I followed the directions to the letter. Downloaded the updates from the companies site attempted to flash the system. Everything appeared to work. But when I rebooted the damn thing all I got was a black screen.
Now if mother boards had been built with a second read only chip as a backup to restore from I wouldn't have waisted days sending it back in the mail telling them it was DOA so I can get another one.
Proper antivirus software, malware protection, and a decent firewall,
combined with reflashing the BIOS every once in a while, can give exactly the same result.
This might work for people like you and me but this wont work for the average person.
I know several people who had me work on their computers, back when windows 98 and ME were the current versions, they were having horrible problems with their computers running slow, this file or that was missing/damaged, etc. Come to find out, in at least half a dozen cases, they were canceling scandisk every time the computer started.
I find most people do that with everything that seems to be a boundary between them and what they really feal like doing on the computer. If it comes to taking maybe 10 seconds to read a security alert from their antivirus or firewall or spending that 10 seconds on myspace they'll choose myspace every time and just click what every to make the window go away. Which is what my brother did with his firewall and ended up blocking all traffic. He couldn't figure out what magical beast broke his internet so he managed to uninstall the firwall all together which took the antivirus with it. Which is how he ended up infected with more viruses then a Nigerian hooker. I had to tell him to stop using limewire and if he insisted on downloading stuff to learn how to use bittorrent.
Let it run, and in every case, problem solved. What happens when your rootkit detection program realizes the BIOS is messed up, and asks the user to get down on their hands and knees, dig the computer out of the desk they so lovingly hid it in, open the case, flip a switch, get it all back together so they can restart it, wait 5 minutes, and repeat?
As I said above, a more clever system will do it all automatically. If you shut down most operating systems improperly they're smart enough to run software to scan the file system for damage on the next reboot. Perhaps my idea is overly complicated, but the point I was trying to make still stands. This is the 21st century, mother boards need to be taking a more active role in protecting them selves from the crap that's out there. Because stupid users isn't going to do it for them.
I'm not an engineer either, yet, working on my degree, I'm just trying to give you some things to consider. You should also consider that vendors don't like spending any more money then they absolutely have to, so adding 2 or 3 redundant chips is not cool. Also, most current hardware only supports one flash chip, or else 2 flash chips but on 2 different interfaces (SPI and LPC, for example).
Hardware manufactories need to get off their lazy a$$es and start innovating. Oh well, there's always the technological singularity to look forward to. Then machines can fix them selves and not rely on stupid users. Some times I wish the Matrix was reality. A lot of people out there deserve to be turned into batteries. ;-)
-
Corey Osgood -
Nathaniel Dube