Jiewen Yao - Building Secure Firmware : Armoring the Foundation of the Platform

Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the books product page, located at www.apress.com/978-1-4842-6105-7 . For more detailed information, please visit http://www.apress.com/source-code .

When Saudi Aramco was attacked in August 2012 by the Shamoon computer virus, it was a wake-up call to the entire industry. Saudi Aramco is one of the largest companies in the world and holds the second largest amount of crude oil reserves. A shutdown of Saudi Aramco for a prolonged amount of time would have had a devastating impact on the oil economy, and this could have plunged the world into an economic recession.

The Shamoon virus was by todays standards a relatively simple virus. It overwrote the master boot record on the hard disk with garbage, rendering the system unbootable. While the infestation was effective reportedly more than 30,000 systems got impacted the much-feared secondary effect of the global oil supply chain hiccup didnt materialize. That was in part because the hard disk is an easy to service component and Aramco was able to replace the hard disks in time to avoid any serious impact.

However, this attack made folks in the industry and intelligence communities around the world wonder: What would have happened if Shamoon went after a non-serviceable component, like the flash chips where the system firmware is stored? This is much harder to repair on-site, and it would have required the systems to be shipped back to the manufacturer. This would have taken a lot more time, and in that case a global oil supply shortage could not have been avoided, potentially even triggering a global recession.

This specification was followed up in 2018 by another NIST publication, Platform Firmware Resiliency Guidelines (NIST SP800-193). This specification extended the previous one by focusing on recovery. Its central tenet was simple: providing protection against unauthorized firmware updates is not enough. The firmware is a complex piece of software, and it will, probabilistically, contain bugs that can be exploited by an attacker. How do you quickly and seamlessly recover if this happens?

Before you consider this problem to be a PC-only threat, think again. With the proliferation of IoT devices in homes and factories, and SCADA devices to control the national grid, firmware security has become a key part of the worlds critical infrastructure protection. Just imagine the harm a malicious attacker could do by taking over the firmware of pipeline controllers in a gas line in Siberia, Russia, during the winter. Youll be hard-pressed to send someone out there to fix the problem.

The Saudi Aramco attack and its resulting NIST secure firmware recommendations solidified the importance of firmware security in the industry. Those recommendations built on years of academic and industrial research in this area. I was personally involved in some of these efforts, ranging from IBMs physical secure coprocessor (IBM 47xx) projects and TCPA/TCG frameworks to secure hypervisor research and working with other industry partners on the foundations of NIST SP800-147.

The authors Jiewen Yao and Vincent Zimmer have bundled together into this book their combined years of experience in developing secure firmware and building resilient systems. Every computer, big or small, starts with firmware, and if thats compromised, all is lost, so following the authors guidance is as relevant today as it was in 2012.

Leendert van Doorn

Redmond, WA, USA