The three responses I've seen so far were all negative, but also puzzling to me. I'll try to address the key points in the response that is copied below, as well as those in the other two responses.
(1) Why floppies? -- (a) Because they are limited in storage, and non-electronic. The smaller the memory, the harder it is to hide something malicious in it, and the easier to check it. (b) Because they are inexpensive. Any entity wishing to verify voting results needs one memory device for every voting machine.
(2) Aren't floppies unreliable? -- No. Since I started keeping track of my public voting demos in 2002, I have used 992 diskettes without a single failure between starting voting and archiving results. (That's not 992 different new diskettes; each is used over and over again unless a check done at startup reveals possible unreliability.)
(3) Aren't floppy drives obsolete? -- No. USB-connected floppy drives are readily available for about $15, and computers can boot from them.
(4) BIOS averages 8 MB? -- WOW! I still don't know how big OpenBIOS is, but I was hoping for something a bit closer to the 8 KB of the original IBM PC. The capabilities of a 386 computer are sufficient for my voting system. Is OpenBIOS really so huge? Does a BIOS have to be?
(5) Hypervisor? Virtual machine? Address remapping? Infectious native BIOS? -- If a modern computer has no hard drive connected, what happens when it boots from a floppy? There is a boot sector on the diskette (which is verified by hash code); doesn't that control what happens next? Why can't the floppy contents take control of the computer?
Obviously, I'm no BIOS expert. I'd appreciate recommendations of good texts or tutorials to bring me up to speed.
Chuck Gaston
In a message dated 7/19/2013 9:04:29 A.M. Eastern Daylight Time, Nick.Couchman@seakr.com writes:
On 2013/07/19 at 06:01, SAVIOCvs@aol.com wrote:
I developed a voting system (see _www.SAVIOC.com_) that uses ordinary old PCs, yet is more transparent and trustworthy than anything else in use today. All software, including the operating system (FreeDOS) boots from a floppy that can be verified by hash code. The PC never uses the hard drive, and doesn't even need one. Trustworthiness comes from people with different interests being able to prevent each other from doing anything fraudulent. I think the only significant potential vulnerability is that someone with physical access to the machines could install a malicious BIOS. Learning about the OpenBIOS project gave me hope of overcoming that vulnerability.
(1) Is my hope justified? Can a PC be booted from a floppy that completely replaces the native BIOS in RAM, and then loads FreeDOS? (Can the possibility of a malicious BIOS be made a non-issue?)
If all answers are YES, then the remaining very basic questions become important.
Perhaps this is a digression, but why a floppy? If you're using old hardware, that's fine, but at some point you probably want to use modern hardware, and I don't know of a modern hardware system that comes with a floppy drive, anymore. Furthermore, my many years of experience with floppy disks tells me that they are unreliable - very prone to failures of a variety of types (dirty heads, physical damage to the medium, etc.). Many of these types of failures mean mis-reads, which means bad checksums and failures in the security model you're trying to implement. If you're looking for something compatible with very old hardware - hardware that does not support booting from USB flash drives - I'd recommend finding some older IDE flash chips (disk on chip) that you can use, instead. These are probably pretty cheap, now, and should give you the capacity and reliability that you won't get with floppy disks.
(2) Roughly how much space on the floppy would be required?
You can build the OpenBIOS tree and see how large the binary is. I don't remember off the top of my head, so I can't tell you. Many modern BIOS implementations are several MB - I believe 8MB is the average BIOS size (not openBIOS, just BIOS in general), with some as large as 12MB. This presents another problem when using floppies...you'd need multiple ones.
(3) What downloads would I need? OpenBIOS AND OpenFirmware AND OpenBOOT? Anything else?
Probably just OpenBIOS.
(4) How are they downloaded? http://www.openfirmware.info/index.php/Downloads displays a page beginning, "This page has been deleted." All other links that imply the possibility of downloading reach a page headlined, "The page cannot be displayed".
SVN check-out of the current source tree and build. Decently modern versions are also included with Qemu, IIRC.
-Nick
On Tue, Jul 23, 2013 at 07:35:14AM -0400, SAVIOCvs@aol.com wrote:
The three responses I've seen so far were all negative, but also puzzling to me. I'll try to address the key points in the response that is copied below, as well as those in the other two responses.
(1) Why floppies? -- (a) Because they are limited in storage, and non-electronic. The smaller the memory, the harder it is to hide something malicious in it, and the easier to check it. (b) Because they are inexpensive. Any entity wishing to verify voting results needs one memory device for every voting machine.
People used to write very small clever viruses that did stuff and were hard to find. I don't think small disks really help anything there.
(2) Aren't floppies unreliable? -- No. Since I started keeping track of my public voting demos in 2002, I have used 992 diskettes without a single failure between starting voting and archiving results. (That's not 992 different new diskettes; each is used over and over again unless a check done at startup reveals possible unreliability.)
Relative to most media choices, floppies are the most unreliable of them. Certainly how you handle them makes a big difference. Now for some uses they are more reliable than hard disks, but certainly not flash.
(3) Aren't floppy drives obsolete? -- No. USB-connected floppy drives are readily available for about $15, and computers can boot from them.
While I can still find stores selling floppy drives, no one seems to sell the media anymore (the office supply store has them available online, but certainly not in stores). For practical purposes, they really don't exist anymore.
(4) BIOS averages 8 MB? -- WOW! I still don't know how big OpenBIOS is, but I was hoping for something a bit closer to the 8 KB of the original IBM PC. The capabilities of a 386 computer are sufficient for my voting system. Is OpenBIOS really so huge? Does a BIOS have to be?
Remember that these days they include PCI device enumeration, disk detection, USB support, network booting, sometimes even graphical interfaces to the setup.
The original IBM had no setup at all. It had some jumpers perhaps, but the disk geometry was managed by the controller, not the BIOS.
I don't think I believe the 8MB value however. They are certainly bigger than they used to be and often a chunk of it is compressed and only decompressed when you run the setup.
(5) Hypervisor? Virtual machine? Address remapping? Infectious native BIOS? -- If a modern computer has no hard drive connected, what happens when it boots from a floppy? There is a boot sector on the diskette (which is verified by hash code); doesn't that control what happens next? Why can't the floppy contents take control of the computer?
I can boot a virtual machine from that floppy too. How would the code on your floppy tell the difference? The virtual machine looks just like the real one to your code.
Obviously, I'm no BIOS expert. I'd appreciate recommendations of good texts or tutorials to bring me up to speed.
If you can't trust the hardware you are running on, then you can't trust anything. Your software will not be able to do anything to restore that trust.
Lennart Sorensen wrote:
(3) Aren't floppy drives obsolete? -- No. USB-connected floppy drives are readily available for about $15, and computers can boot from them.
(4) BIOS averages 8 MB? -- WOW! I still don't know how big OpenBIOS is, but I was hoping for something a bit closer to the 8 KB of the original IBM PC. The capabilities of a 386 computer are sufficient for my voting system. Is OpenBIOS really so huge? Does a BIOS have to be?
Remember that these days they include PCI device enumeration, disk detection, USB support, network booting, sometimes even graphical interfaces to the setup.
And it has to have things like USB support because of people who insist on trying to boot from USB-connected floppies without considering the implications :-)
Obviously, I'm no BIOS expert. I'd appreciate recommendations of good texts or tutorials to bring me up to speed.
Read every source of security advisories you can find, learn to disassemble and analyse other peoples' low-level code, and get a job with somebody who writes BIOSes.
If you can't trust the hardware you are running on, then you can't trust anything. Your software will not be able to do anything to restore that trust.
Seconded. Geohot's Sony Playstation hack was a textbook case.
On Tue, Jul 23, 2013 at 03:08:54PM +0000, Mark Morgan Lloyd wrote:
And it has to have things like USB support because of people who insist on trying to boot from USB-connected floppies without considering the implications :-)
And having the USB keyboard work (which means USB HID support, USB hub support, USB controller support, PCI support, etc).
Read every source of security advisories you can find, learn to disassemble and analyse other peoples' low-level code, and get a job with somebody who writes BIOSes.
Seconded. Geohot's Sony Playstation hack was a textbook case.
Once the control of the hardware has been taken over, there is no way to take it back.
Lennart Sorensen wrote:
On Tue, Jul 23, 2013 at 03:08:54PM +0000, Mark Morgan Lloyd wrote:
And it has to have things like USB support because of people who insist on trying to boot from USB-connected floppies without considering the implications :-)
And having the USB keyboard work (which means USB HID support, USB hub support, USB controller support, PCI support, etc).
Although IIRC there's a simplified protocol for the keyboard, specifically for BIOS support. I've seen people discussing that in the context of devices such as the Parallax Propeller which don't really have USB support.
Read every source of security advisories you can find, learn to disassemble and analyse other peoples' low-level code, and get a job with somebody who writes BIOSes.
Seconded. Geohot's Sony Playstation hack was a textbook case.
Once the control of the hardware has been taken over, there is no way to take it back.
Or put another way, you might /think/ you've regained full control, but you can never /know/ :-)
On 2013-Jul-23 16:15 , Mark Morgan Lloyd wrote:
And having the USB keyboard work (which means USB HID support, USB hub support, USB controller support, PCI support, etc).
Although IIRC there's a simplified protocol for the keyboard, specifically for BIOS support. I've seen people discussing that in the context of devices such as the Parallax Propeller which don't really have USB support.
Not for USB. Whatever they may be talking about, they aren't getting USB - there's no real way to enable EHCI/OHCI/UHCI/XHCI without implementing the entire shebang.
Once the control of the hardware has been taken over, there is no way to take it back.
Or put another way, you might /think/ you've regained full control, but you can never /know/ :-)
The problem of secure execution is fairly well understood. Google "Verified Boot" or "Trusted Boot". The implementations that take it seriously do verification of their PROM, sign it, and the hardware won't let you start unless the PROM is good. Then the PROM verifies the signature of each component as it's brought in (I was recently involved in implementing public key verification for such).
It doesn't guarantee bug-free code, but it verifies that the code you are running is what you think it is.
On Tue, Jul 23, 2013 at 04:28:23PM -0400, Tarl Neustaedter wrote:
The problem of secure execution is fairly well understood. Google "Verified Boot" or "Trusted Boot". The implementations that take it seriously do verification of their PROM, sign it, and the hardware won't let you start unless the PROM is good. Then the PROM verifies the signature of each component as it's brought in (I was recently involved in implementing public key verification for such).
It doesn't guarantee bug-free code, but it verifies that the code you are running is what you think it is.
And the PROM is inside the CPU so you can't swap it in some cases, perhaps even encrypted.
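As an added illustration of the chain Tarl describes and of Lennart's point that the root has to live in hardware (example code written for this page, not code from the thread or from OpenBIOS/OpenBoot): each stage carries the digest of the stage it hands control to, rooted in a digest the hardware holds. It uses SHA-256 digests in place of the public-key signatures Tarl mentions, and every stage's contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Stage:
    """One boot component: its code and the digest it expects of the next."""
    name: str
    code: bytes
    next_digest: Optional[bytes]  # None for the last link (the OS image)

    def measure(self) -> bytes:
        # Cover code AND the embedded expectation, so swapping the "next" digest changes this one.
        h = hashlib.sha256(self.code)
        h.update(self.next_digest or b"")
        return h.digest()

def verify_chain(root_digest: bytes, chain: List[Stage]) -> List[str]:
    """Measure each link before control would pass to it, stopping at the
    first mismatch; return the names of the accepted stages."""
    accepted, expected = [], root_digest
    for stage in chain:
        if stage.measure() != expected:
            break
        accepted.append(stage.name)
        if stage.next_digest is None:
            break
        expected = stage.next_digest
    return accepted

# Constructed stand-ins for the components in the thread, built bottom-up.
OS = Stage("freedos", b"constructed OS image", None)
BOOT = Stage("floppy-boot-sector", b"constructed boot sector", OS.measure())
BIOS = Stage("bios-prom", b"constructed BIOS image", BOOT.measure())
ROOT_DIGEST = BIOS.measure()  # what an immutable hardware root of trust holds

def good_boot() -> List[str]:
    return verify_chain(ROOT_DIGEST, [BIOS, BOOT, OS])

def tampered_os() -> List[str]:
    # A modified OS image is caught by the boot sector's embedded digest.
    evil_os = Stage("freedos", b"modified OS image", None)
    return verify_chain(ROOT_DIGEST, [BIOS, BOOT, evil_os])

def tampered_bios(root_in_hardware: bool) -> List[str]:
    # A replaced BIOS that still points at the genuine boot sector: rejected when the
    # root digest is fixed in hardware, "verified" when it is read from the same writable flash.
    evil_bios = Stage("bios-prom", b"replaced BIOS image", BOOT.measure())
    root = ROOT_DIGEST if root_in_hardware else evil_bios.measure()
    return verify_chain(root, [evil_bios, BOOT, OS])
```

The last case is the floppy question in miniature: a hash check run by code that loads after the BIOS can only vouch for what comes after it, never for what loaded it.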
Tarl Neustaedter wrote:
On 2013-Jul-23 16:15 , Mark Morgan Lloyd wrote:
And having the USB keyboard work (which means USB HID support, USB hub support, USB controller support, PCI support, etc).
Although IIRC there's a simplified protocol for the keyboard, specifically for BIOS support. I've seen people discussing that in the context of devices such as the Parallax Propeller which don't really have USB support.
Not for USB. Whatever they may be talking about, they aren't getting USB - there's no real way to enable EHCI/OHCI/UHCI/XHCI without implementing the entire shebang.
I was thinking of HIDBP, which on checking I find requires a controller chip like the MAX3421E. I was wrong to imply the bus could be handled directly.
On 2013-Jul-23 17:12 , Mark Morgan Lloyd wrote:
Not for USB. Whatever they may be talking about, they aren't getting USB - there's no real way to enable EHCI/OHCI/UHCI/XHCI without implementing the entire shebang.
I was thinking of HIDBP, which on checking I find requires a controller chip like the MAX3421E. I was wrong to imply the bus could be handled directly.
From what I can tell with some google searches, it looks like HIDBP requires a working controller driver (which is what I was contending can't be stripped down), but skips over a lot of the bells and whistles in the HID layers in the device drivers for keyboard & mice. So it saves you some of the implementation cost.
On 2013-Jul-23 10:42 , Lennart Sorensen wrote:
I don't think I believe the 8MB value however. They are certainly bigger than they used to be and often a chunk of it is compressed and only decompressed when you run the setup.
8MB is the size of some of the EFI proms (with all debug turned on). Most BIOS are under 1MB. Openboot is usually under 512kb, I presume OpenBios would be the same.
Tarl Neustaedter wrote:
On 2013-Jul-23 10:42 , Lennart Sorensen wrote:
I don't think I believe the 8MB value however. They are certainly bigger than they used to be and often a chunk of it is compressed and only decompressed when you run the setup.
8MB is the size of some of the EFI proms (with all debug turned on). Most BIOS are under 1MB. Openboot is usually under 512kb, I presume OpenBios would be the same.
Somebody contracting for one of the BIOS vendors (I forget who) told me that not only did a mainboard manufacturer choose from a "kit of parts" when building a BIOS (i.e. a Flash image or whatever), but that various components were included/excluded dynamically when the system booted. I don't know whether that implies that (in the case of that vendor) the Flash image was effectively a filesystem or if blocks of code were just moved around and merged as required, but it's a fair bet that the size of the Flash device has very little relation to the amount of memory occupied by the BIOS when control is transferred to the OS or second-stage loader.
Tarl- I don't like to impose, but could I ask one question about Openboot's Forth, either here or by mail?
On 2013-Jul-23 16:10 , Mark Morgan Lloyd wrote:
Tarl- I don't like to impose, but could I ask one question about Openboot's Forth, either here or by mail?
Feel free. If you think it's of general interest, on the list, otherwise email me privately.
Tarl Neustaedter wrote:
On 2013-Jul-23 16:10 , Mark Morgan Lloyd wrote:
Tarl- I don't like to impose, but could I ask one question about Openboot's Forth, either here or by mail?
Feel free. If you think it's of general interest, on the list, otherwise email me privately.
I'll email, so that if I'm asking for info which shouldn't be given out you can tell me to get knotted privately :-)