Re: Open Firmware to prevent attacks

From: Ronald Crane <voting_at_lastland_dot_net>
Date: Wed Apr 01 2009 - 16:53:58 CDT

Edward Cherlin wrote:
> This is not yet a solution, but Mitch Bradley's Open Firmware, used by
> Sun, Apple, and One Laptop Per Child instead of a BIOS, is fully
> auditable GPLed software. I can read much of the code, and there are
> experts available who can read all of it, and know what it is supposed
> to do and how it goes about its business. The only mysteries that
> remain are in the initialization values for undocumented proprietary
> hardware, which we don't have to use.
>
>
Using Open Firmware will not, of itself, prevent firmware-based (or
hardware-based) attacks. You still need to create a secure,
publicly-auditable procedure for (at least):

1. Determining whether the Open Firmware loaded into a machine on
election day was honestly compiled from the public source;

2. Determining whether the firmware loader (the non-replaceable portion
of the firmware that most machines use to load third-party firmware into
the firmware flash memory) contains malware;

3. Determining whether there is malware in option-ROM ("plug-in")
firmware (such as video BIOSes, disk controller firmware, etc.); and

4. Determining whether the hardware itself contains malware (e.g., a
firmware "flash memory" chip might include more than just flash memory.
For example http://www.eye.fi/ is an SD card that also includes WiFi for
Youtubing and the like; a sufficiently-motivated attacker with
substantial resources presumably could integrate all of that into a
single chip, then label it identically to a legitimate chip).

And that's putting aside all the usual caveats about the effectiveness
of review of firmware and hardware.

-R

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at http://gnosis.python-hosting.com/voting-project/
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Thu Apr 30 23:17:02 2009

This archive was generated by hypermail 2.1.8 : Thu Apr 30 2009 - 23:17:06 CDT