Re: Open Firmware to prevent attacks

From: Edward Cherlin <echerlin_at_gmail_dot_com>
Date: Wed Apr 01 2009 - 20:23:35 CDT

Objections noted. I said it isn't a solution yet. I just think that
it's way better than trying to secure a proprietary BIOS.

On Wed, Apr 1, 2009 at 2:53 PM, Ronald Crane <voting@lastland.net> wrote:
> Edward Cherlin wrote:
>>
>> This is not yet a solution, but Mitch Bradley's Open Firmware, used by
>> Sun, Apple, and One Laptop Per Child instead of a BIOS, is fully
>> auditable GPLed software. I can read much of the code, and there are
>> experts available who can read all of it, and know what it is supposed
>> to do and how it goes about its business. The only mysteries that
>> remain are in the initialization values for undocumented proprietary
>> hardware, which we don't have to use.
>>
>>
>
> Using Open Firmware will not, of itself, prevent firmware-based (or
> hardware-based) attacks. You still need to create a secure,
> publicly-auditable procedure for (at least):
>
> 1. Determining whether the Open Firmware loaded into a machine on election
> day was honestly compiled from the public source;
>
> 2. Determining whether the firmware loader (the non-replaceable portion of
> the firmware that most machines use to load third-party firmware into the
> firmware flash memory) contains malware;
>
> 3. Determining whether there is malware in option-ROM ("plug-in") firmware
> (such as video BIOSes, disk controller firmware, etc.); and
>
> 4. Determining whether the hardware itself contains malware (e.g., a
> firmware "flash memory" chip might include more than just flash memory. For
> example http://www.eye.fi/ is an SD card that also includes WiFi for
> Youtubing and the like; a sufficiently-motivated attacker with substantial
> resources presumably could integrate all of that into a single chip, then
> label it identically to a legitimate chip).
>
> And that's putting aside all the usual caveats about the effectiveness of
> review of firmware and hardware.
>
> -R
>
> _______________________________________________
> OVC-discuss mailing list
> OVC-discuss@listman.sonic.net
> http://lists.sonic.net/mailman/listinfo/ovc-discuss
> By sending email to the OVC-discuss  list, you thereby agree to release the
> content of your posts to the Public Domain--with the exception of
> copyrighted material quoted according to fair use, including publicly
> archiving at  http://gnosis.python-hosting.com/voting-project/
>

-- 
Silent Thunder (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) is my name
And Children are my nation.
The Cosmos is my dwelling place, The Truth my destination.
http://earthtreasury.net/ (Edward Mokurai Cherlin)
Received on Thu Apr 30 23:17:02 2009

This archive was generated by hypermail 2.1.8 : Thu Apr 30 2009 - 23:17:06 CDT
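
An added example, not part of the original thread or of any OVC or Open Firmware code: one way to approach item 1 of the quoted list, comparing a flash dump against a reference image built from the public source. It assumes the build is bit-for-bit reproducible, that the image sits at offset 0 of the chip, and that unused flash reads as erased (0xFF); the function name, block size and sample data are constructed for illustration.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (assumed, not from the thread)

def compare_images(dump: bytes, reference: bytes, block: int = BLOCK) -> dict:
    """Compare a flash dump with a reference image built from public source."""
    result = {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "image_sha256": hashlib.sha256(dump[:len(reference)]).hexdigest(),
        "mismatched_blocks": [],  # (start, end) offsets inside the image that differ
        "unexpected_tail": None,  # (start, end) span of non-erased bytes past the image
    }
    # A dump shorter than the reference cannot contain the whole image.
    if len(dump) < len(reference):
        result["verdict"] = "FAIL: dump shorter than reference"
        return result
    # Block-wise comparison tells an auditor where the difference is, not just that one exists.
    for off in range(0, len(reference), block):
        if dump[off:off + block] != reference[off:off + block]:
            end = min(off + block, len(reference))
            result["mismatched_blocks"].append((off, end))
    # The chip is usually larger than the image; the remainder should read as erased.
    tail = dump[len(reference):]
    dirty = [i for i, b in enumerate(tail) if b != 0xFF]
    if dirty:
        base = len(reference)
        result["unexpected_tail"] = (base + dirty[0], base + dirty[-1] + 1)
    ok = not result["mismatched_blocks"] and result["unexpected_tail"] is None
    result["verdict"] = "MATCH" if ok else "FAIL: content differs from reference"
    return result

def constructed_samples():
    """Constructed test data: a stand-in reference build and two dumps."""
    reference = bytes(range(256)) * 64       # 16 KiB stand-in for a reference image
    clean = reference + b"\xff" * 8192       # image followed by erased flash
    altered = bytearray(clean)
    altered[5000] ^= 0x01                    # one flipped bit inside the image
    altered[len(reference) + 100] = 0x90     # stray byte in the supposedly erased area
    return reference, clean, bytes(altered)

if __name__ == "__main__":
    ref, clean, altered = constructed_samples()
    for name, dump in (("clean", clean), ("altered", altered)):
        r = compare_images(dump, ref)
        print(name, r["verdict"], r["mismatched_blocks"], r["unexpected_tail"])
```

A MATCH here is only as trustworthy as the path used to read the chip and the toolchain that produced the reference image, which is why items 2 through 4 of the quoted list remain separate problems.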