Hardware.Next: Diving deeper into the stack—understanding the dangers of hardware and firmware vulnerabilities

The security industry has, for years, been developing technologies to secure our applications and operating systems. 2015 was the year, however, I feel hardware vulnerabilities truly became real. We saw multiple instances of attackers using hardware, firmware, and BIOS as an element of their attack, from Rowhammer exploiting DRAM to the Equation Group showcasing vulnerabilities in HDDs/SDDs. Despite our extraordinary efforts, attackers can effectively render what we do at the upper layers of the stack moot if the underlying hardware or firmware is vulnerable. Significant value lies below, if the adversaries have the patience and the intelligence to exploit it. As attackers move deeper into the compute stack, they are discovering significant benefits, including denying access to a machine permanently, surviving even a complete reimaging, and escalating into higher privilege levels. This has triggered serious discussions about hardware and firmware security.

 

The good news is that operating systems do continue to improve their compute security. For example, Windows 10 delivers tremendous new capabilities, offering much better protection for operating system secrets even if there is an admin or kernel level compromise, keeping secrets in a separate partition. Microsoft has also integrated regular updates to BIOS and other firmware via Windows Update to keep them current. However, vulnerable firmware could undermine these new capabilities, allowing attackers to work their way up the stack and into the entire physical platform, regardless of logical partitions, if system vendors are not careful. McAfee continues to partner with Microsoft and the PC ecosystem to address BIOS vulnerabilities, but many persist on deployed platforms if systems go unpatched.

 

With these new threats, we need to expand our view of what needs to be secured beyond the operating systems and applications. Customers need tools with visibility into the lower levels of the platform so they can detect and correct systems before becoming compromised. For example, endpoint detection and response (EDR) tools could leverage capabilities such as McAfee  low-level CHIPSEC analysis toolkit, to find machines that are vulnerable and take faster, more effective action against attacks in progress. CHIPSEC could scan for BIOS that isn’t write protected, System Management Mode RAM that is unlocked, and Secure Boot Keys with insufficient access control. Feeding this information to EDR solutions could provide incident response teams a clearer picture of low-level system vulnerabilities, along with immediate response options if or when any of those vulnerabilities are detected in the future. Potential reactions include killing a malicious process or quarantining a vulnerable machine until it can be updated. Customers can personalize their own solutions, leveraging McAfee’s customer-ready Software Development Kit (SDK), to add their own customized collectors, reactions, and workflows, using native OS commands and familiar languages such as Python, to hunt for and remediate vulnerabilities in their ecosystems.

 

The good news is that attackers are not the only ones who can take advantage of hardware and firmware. Hardware and firmware also give us new capabilities that are not possible with software alone. For example, McAfee has added support for Software Guard Extensions to DXL 2.0 to protect the signing of keys, so that we have a high level of confidence that DXL data was sent by the machine we thought it was. This mitigates attack vectors that spoof or simulate DXL messages, increasing the integrity of the exchange layer. Protecting hardware and firmware, detecting low-level attacks, and correcting incidents before they become compromises are examples of how McAfee is empowering responders with the adaptive capabilities they need to address the threats of tomorrow.

Leave a Comment

seventeen + 12 =