HP introduces 'self-healing' BIOS protection with SureStart
HP's new SureStart feature detects and 'heals' corrupted BIOS code.
At HP Protect 2013, held in Washington, D.C., earlier this week, Palo Alto, Calif.-based Hewlett-Packard Co. introduced SureStart, an unconventional approach to safeguarding endpoint security. The company said it will incorporate this design feature in its laptops beginning later this year.
Vali Ali, HP's chief technologist for security and software for the Business PC Solutions department, said that what drove the design of SureStart was the increase in malware that, as part of its attack, overwrites the BIOS instructions that must execute in order for a computer to boot. "There have been multiple disclosures, which talked about how the protections offered by different memory controllers were bypassed to be able to write to the BIOS. The bad guys are trying to go to the very bottom level, to the BIOS -- one of the targets for APTs [advanced persistent threats] now is to get to the bottom level so they can stay undetected for an extended period of time."
The problem with BIOS, Ali noted, is that virtually all current systems begin with the assumption that BIOS itself, from the first line on, can be trusted, or at least must be trusted until a Trusted Platform Module (TPM) is consulted when BIOS hands off to the operating system. "As soon as you turn on the computer, the processor starts executing the first line of BIOS code. Then the BIOS itself is responsible for the rest of the BIOS and for forming a chain of trust. That first line of BIOS is protected by chipsets, and those chipsets can be compromised."
SureStart, Ali said, is an independent mechanism that is completely separate from the core processor itself. As power is first turned on, SureStart, rather than BIOS, starts up. Before the CPU performs any processing at all, SureStart first validates cryptographically that the BIOS code that is about to be executed is good.
If the BIOS is correct, the process takes on the order of a few hundred milliseconds. "If everything is fine, which is most of the time," Ali noted, "the processor that transferred control to SureStart then transfers control to the processor, and the processor runs BIOS."
If something about the BIOS code is amiss, SureStart will detect that corruption or compromise. "It has its own electrically isolated golden copy of the BIOS itself," Ali said, "and this copy is also digitally signed. So we go and cryptographically verify that the copy of the BIOS is good, and we then copy over the primary copy of the BIOS. We restart the system and then it boots. From an end-user perspective, they have no idea that anything happened. You won't have to worry about what happened unless you want to worry about what happened." The SureStart system will, however, perform audit logging for organizations that choose to perform forensic analyses to determine what caused the BIOS to be corrupt.
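The verify-then-restore flow described above, as an added illustration that is not HP's code and makes no claim about SureStart's internals: an isolated controller checks the primary BIOS region before the CPU is released, and, on failure, validates its own golden copy, rewrites the primary region from it, and records an audit entry. The HMAC-SHA256 tag stands in for the digital signature a real design would carry; the verification key, the BIOS image bytes and the corruption applied in the demo are all constructed for the example.

```python
"""Simulated pre-CPU BIOS verification with restore from an isolated golden copy.
Added example, not HP's implementation. HMAC-SHA256 stands in for the OEM
signature; all keys and images are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed: stands in for the OEM verification key held by the isolated
# controller. A production design would use an asymmetric signature instead.
VERIFY_KEY = b"constructed-oem-verification-key"

# Constructed BIOS image: a jump-like prefix followed by filler bytes.
BIOS_IMAGE = b"\xea\x5b\xe0\x00\xf0" + bytes(range(256)) * 4


def sign_image(image: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Tag the approved image (stand-in for signing at manufacture time)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, key: bytes = VERIFY_KEY) -> bool:
    """Constant-time comparison of the image's tag against the expected tag."""
    return hmac.compare_digest(sign_image(image, key), tag)


@dataclass
class SpiFlash:
    """Primary BIOS region the CPU fetches from; writable, hence corruptible."""
    primary: bytearray


@dataclass
class IsolatedController:
    """Holds the electrically isolated golden copy and the expected tag."""
    golden: bytes
    bios_tag: bytes
    audit_log: list = field(default_factory=list)

    def log(self, event: str) -> None:
        self.audit_log.append(event)

    def pre_cpu_check(self, flash: SpiFlash) -> str:
        """Runs before the CPU executes its first BIOS instruction.
        Returns 'clean', 'restored' (after rewriting flash) or 'halt'."""
        if verify_image(bytes(flash.primary), self.bios_tag):
            return "clean"                      # common case: release the CPU
        self.log("primary BIOS failed verification")
        # Never restore from a golden copy that does not itself verify.
        if not verify_image(self.golden, self.bios_tag):
            self.log("golden copy failed verification; CPU not released")
            return "halt"
        flash.primary[:] = self.golden          # overwrite the primary region
        # Re-check what was written before trusting it.
        if not verify_image(bytes(flash.primary), self.bios_tag):
            self.log("restore produced an invalid image; CPU not released")
            return "halt"
        self.log("primary BIOS restored from golden copy; restart scheduled")
        return "restored"


def build_platform(bios_image: bytes):
    """Provision flash and controller with the same approved image."""
    tag = sign_image(bios_image)
    return SpiFlash(bytearray(bios_image)), IsolatedController(bios_image, tag)


def corrupt(region: bytearray, offset: int, payload: bytes) -> None:
    """Simulate an unwanted write to a flash region (constructed for the demo)."""
    region[offset:offset + len(payload)] = payload


if __name__ == "__main__":
    flash, ctl = build_platform(BIOS_IMAGE)
    print("first boot:", ctl.pre_cpu_check(flash))
    corrupt(flash.primary, 16, b"\x90" * 8)
    print("after corruption:", ctl.pre_cpu_check(flash))
    print("next boot:", ctl.pre_cpu_check(flash))
    for entry in ctl.audit_log:
        print("audit:", entry)
```

The controller checks the golden copy before using it and re-verifies the primary region after the rewrite, so a damaged golden copy halts the platform rather than "healing" it with bad code; the audit log is what an organisation would pull for the forensic analysis the article mentions.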
Another, older initiative in the computer world that might seem to have some similarities to SureStart is the TPM, championed by the industry consortium Trusted Computing Group. But while SureStart shares with Trusted Computing Group a desire to create a chain of trust from a very low level in the system boot process, Ali claimed that there's a critical difference: "TPM is a passive model," he said, noting that with TPM, the BIOS boots, then checks in with the TPM module to see if the BIOS seems to be in order. "We come in well before the first line of code in BIOS comes in."