Joanna Rutkowska's blog points to recent paper on a survey of the various problems and attacks presented against the x86 platform over the last 10 years. The paper does not present new exploits but does cover: the BIOS (UEFI) and booting; peripherals; the Intel Management Engine; and several other aspects of x86 insecurity. Some of the problems appear insurmountable as described.
(Score: 5, Insightful) by tangomargarine on Friday October 30 2015, @03:46PM
But one aspect still presents a serious security challenge on x86 platform: the
boot security. Intel has introduced many competing and/or complementary
technologies which are supposed to solve the problem of boot security: support
for TPM and TXT, support for SMM sandboxing, finally Boot Guard and UEFI
Secure Boot. Unfortunately, as we have seen in the first chapter, none of these
technologies seem satisfactory, each introducing more potential problems than it
might be solving.
How would one go about "solving the boot security problem?" It seems like a chicken-and-egg situation to me. Either you accept some amount of risk that if somebody gets their physical hands on your machine, you're boned, but it's easier for you, the customer, to use; or you add crazy anal probes like Secure Boot (I rather doubt the version now is their endgame...hardware whitelists and TPM, anyone?) that make it much harder for you, the customer, to tinker with your stuff, but secure it for...somebody else.
Can somebody give an example of boot security done "right"?
Security, especially in this situation, boils down to fail-secure or fail-usable.
1) OS security can be avoided by booting something else on the same machine and then just reading the hard drive to ignore permissions.
2) So make it so you can't boot anything but the installed OS by locking the BIOS.
3) But you can reset the BIOS by pulling the cell battery.
4) So do something else so that you can't do that.
If you make it impossible to circumvent, then of course you're boned if you forget your own password.
Just talking out of my ass here.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Saturday October 31 2015, @10:59AM
3) But you can reset the BIOS by pulling the cell battery
The coin cell on your motherboard keeps your CMOS from losing its marbles.
BIOS is a completely different chip.
-- gewg_
(Score: 2) by tangomargarine on Sunday November 01 2015, @04:35AM
Complementary metal-oxide semiconductor, or CMOS, typically refers to a battery-powered memory chip in your computer that stores startup information. Your computer's basic input/output system (BIOS) uses this information when starting your computer.
You may notice on the initial start up screen, called the POST screen, an option is available to enter the BIOS or CMOS setup. When you enter this setup area, you are entering the CMOS setup, not the BIOS setup. The BIOS chip and program cannot be updated directly by a user. The only way to update the BIOS is using a BIOS flash program called a BIOS update, which updates the BIOS to a different version.
So it's where your BIOS settings are stored, not the BIOS itself? Which in this case is exactly what we care about--the password.
I guess I don't follow your point. Other than perhaps being technically correct.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"