Mitigating firmware threats without losing functionality
Firmware attacks continue to grow exponentially around the world, with at least 80% of businesses experiencing one or more within the last year. Thorsten Stremlau, Co-chair of Trusted Computing Group's Marketing Work Group discusses the firmware security options on offer.
As information technology continues to evolve and diversify, so too does the complexity of the threats these devices face on a daily basis. On top of this, targeted firmware attacks on some networked devices can lead to severe consequences. Threats which aim to damage or remove platform firmware can quickly lead to systems becoming permanently damaged, incurring substantial costs and reputational damage for businesses.
It is therefore vital to secure the firmware that each device relies on, from employees’ laptops to network equipment and servers that connect an entire business. The protection of the application and operating system levels alone isn’t enough: such security needs to extend all the way down to the firmware and hardware levels so often targeted by ransomware attacks. Firmware resiliency is key, but one question remains: how can one implement this, without burning through the memory on a device to store a backup?
Resiliency, but at what cost?
When it comes to firmware resiliency, there are three core elements that must be considered. Firstly, the ability to protect – stopping an unauthorised user from being able to modify the firmware. Should anyone manage to bypass the protection mechanism, there must be a mechanism to detect any potential modifications. Finally, there must be a way to recover any of the data lost as a failure or successful attack.
Within a typical personal computing device, there will be at least 15 to 20 critical firmware components. Each of these subcomponents will have critical firmware already in-built; however, adding further functionality – namely the functionality needed to allow a backup memory of the firmware – will add unnecessary complexity and cost. To successfully recover systems in the case of a failure double the amount of existing space on the device is likely to be required.
BIOS (basic input output system) memory has now reached a size of around 64 megabytes. The memory that would be required for recovery on one BIOS alone would cost around 3 to 10 dollars. For a business aiming to add functionality to each component, this would equate to an outlay of around $60 for each device even in a best-case scenario. True resiliency may be accomplished, but there is no doubt this would be a costly venture for a network made up of multiple devices.
Utilising innovative hardware solutions
The most effective and cost-efficient solution lies in having root of trust (RoT) hardware installed on the device, like the Device Identifier Composition Engine (DICE). The RoT should be the foundation of all security components, as it provides a set of functions that are inherently trusted by a user’s device and are used as the ‘building blocks’ to ensure a secured system. Users can leverage this technology for the attestation, authentication and certification of software.
DICE operates in a similar way to most devices, with the boot sequence being organised into layers or stages. The hardware uses the unique device secret (UDS) from early in boot, in combination with measurements of the next layer in order to anchor the device’s trust chain.
The trust chain is then extended using measurements relating to each layer. Boot layers each receive a DICE secret derived by combining the preceding DICE secret with the measurement of the current layer. This means that any time there is a variation in a layer – a successful exploit – the measurements and secrets for that layer will be different. This approach has two important implications: device firmware that uses a DICE secret will secure its data and protect itself from data disclosure, given that successfully modifying a layer means that that layer does not receive the same DICE secret.
This also means that if a flaw is discovered in device firmware, an update will automatically re-key the device. The DICE architecture offers strong attestation of firmware and security, device identity, and the secure deployment of updates, making it a great tool for discovering vulnerabilities in software updates that are required throughout the lifecycle of the device.
DICE can protect and detect any potential firmware tampering, but the ability to reboot securely from memory is equally essential. Implementing non-volatile memory express (NVMe) technology and a persistent storage solution is the best option for businesses – not just in terms of performance but also for cost. This will allow the recovery portions of each firmware device to be stored externally, therefore allowing a smaller amount of on-board memory required on the computers.
No longer does memory have to be saved on each subcomponent, but instead can be stored on hard disk drives, which, in this day and age, is no longer an expensive consideration. Businesses who aim to leverage NVMe and persistent storage leaves users with a device that is free to operate at its full capability, and is also able to protect, detect, and recover with optimal functionality.
A secured system
Firmware security should be top of the agenda for all businesses, and when it comes to adding resiliency there are two clear approaches available. The ones who leverage RoT hardware and persistent memory solutions will be able to successfully protect themselves against firmware attacks, not having to compromise on the functionality and memory of their existing devices – all while saving a small fortune in the process.