New NIST Standard Tackles Latest Attack Vector for Servers
Posted 11/07/2018 by Shyam Chandra
There is an emerging, though not widely known attack vector for hacking a server: firmware. Last month, researchers at ESET published a report on Lojax, a rootkit (firmware hacking tool) believed to have been developed by Sednit, the notorious cyberespionage group linked to Russian military intelligence. Lojax is designed to exploit vulnerabilities in UEFI, a firmware specification that allows computer hardware to interact with an operating system. Once installed, it is nearly impossible for antivirus software to detect. It also has the availability to remain active even after a clean reinstallation of the operating system or swapping out the computer’s hard drive.
In a 2016 survey conducted by ISACA, over half of respondents that self-described as seeing hardware security as a priority for their organization “reported at least one incident of malware-infected firmware being introduced into a company system,” and 17 percent “revealed that the incident had a material impacti.”
Firmware is the bootable software code executed immediately after a server component (i.e. CPUs, network controllers, RAID-on-chip solutions, etc.) is first powered up. Typically, a component’s processor assumes the firmware is a valid starting point, boots from it and uses it to verify and load higher-level functionality in stages depending on the server’s configuration. In some cases, the processing component uses the firmware to perform required functions throughout its entire operating life.
As systems are shipped with an installed firmware, they are vulnerable to attacks through the system supply chain: a manufacturing site, while the system is in transit, or during the system integration, bug-fix or feature enhancement operations. As it is difficult to detect the malware embedded in firmware after booting from it, the malware tends to persist through system updates and upgrades. Fortunately, the tech industry is responding to the challenge of securing firmware. Earlier this year, the National Institute of Standards and Technology (NIST) released the NIST SP 800 193 specification, which defines a uniform firmware security mechanism known as Platform Firmware Resilience (PFR). Support for PFR comprehensively prevents attacks on all firmware in a computer. The specification is based on three guiding principles:
- Protecting firmware against attack while the system is operational
- Detecting compromised firmware stored in SPI flash
- Recovering from a compromised firmware into a known good firmware
The NIST SP 800 193 standard stipulates that Platform Firmware Resiliency (PFR) be implemented in hardware using a compliant root-of-trust device. A revolutionary approach based on a Root-of-trust FPGA makes NIST compliant PFR implementation simple and rugged. This approach is comprehensive to cover all firmware in a server system.
Learn more