LOGIN   :::   RECOVER PASS   :::   GET ACCOUNT    
Browse
  • Projects
  • Code (CVS)
  • Forums
  • News
  • Articles
  • Polls
    •  
    OpenCores
  • FAQ
  • CVS HowTo
  • Mission
  • Media
  • Tools
  • Sponsors
  • Mirrors
  • Logos
  • Contact us

    •  
    Tools
  • Search
      
  • Download Cores (CVSGet)
    •  
    More
  • Wishbone
  • Perlilog
  • EDA tools
  • OpenTech CD
    •  
    Navigation: All forums > Cores > Message List > Message Post

    Message

    Reply | Reply all
    Date Prev | Date Next | Thread Prev | Thread Next Date Index | Thread Index

    From: Nathaniel Dube<njdube@g...>
    Date: Thu Jun 12 08:34:18 CEST 2008
    Subject: [oc] (no subject)
    Top
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    First off, I'm by no means a engineer. This message is going out to real
    engineers that might have interest in bringing the idea I'm about to share
    with you to reality. This idea came to me after some light reading about
    rootkits on wikipedia and playing around with the program "rkhunter".

    Malware designers are writing code that can infect a system via rootkits.
    I've even read about the possibility of malware that can infect ROM chips on
    mother boards as well as ROM chips on PCI cards. Meaning, anything that is
    rewritable isn't safe from malware. Then it dawned on me that most of these
    security issues could be minimized at the hardware level at preboot, meaning
    before the operating system loads.

    My brother brought his laptop to me complaning the internet wont work and that
    it's slow as a whale turd. When I looked at it I found it swarming with
    viruses. I asked him what happened to the firewall and antivirus that In
    installed for him and he said he turned them off because the firewall was
    messing with his internet and he didn't know how to turn it off with out also
    turning off the antivirus. I think it was Eset Internet Security. I use
    Linux on my system so I don't touch Windows software all that often. I've
    come to the conclusion that it doesn't matter what software you put on there
    or what you do, stupid users (and most users are stupid) will fsck up there
    system.

    That's when I decided that mother boards need to be dramatically redesigned
    from the ground up with a proactive role in security. Now here's where I
    will start with my wonderful idea that will save the world. You will either
    see that world with me or you wont.

    I'm sure most of you are aware of the history of the BIOS and the ROM's
    they're on. Back in the day they really where ROM in every sense of the term
    that they where READ only. They where embed on the board so you would need a
    solder iron to remove them. Then they came out with the removable kind with
    sockets that you can replace with a new chip. Then comes the kind you can
    flash with software but are embedded. I'm sorry but impeded un-removeable ROM
    chips are completely asinine. Now on to my idea.

    Instead of one ROM chip for the BIOS there should be 3 and use "coreboot" as
    the BIOS. All 3 will utilize sockets to be removeable for easy replacement.
    The first chip will have the purpose as a backup of the default BIOS and the
    chip will be read only. The second chip will house a copy of the primary
    BIOS which will be rewritable and allow for updates. The third chip I will
    call the ESP (Emergency Security Protocols) ROM which may or may not be read
    only, I haven't decided yet. The third chip will have the open source
    programs rkhunter, clamav and perhaps other programs that might be useful for
    a preboot.

    In the event the other two are corrupted for what ever reason you need only
    flip a jumper, turn on the computer and the backup BIOS takes control and
    allows you to wipe the other two chips and restore a rewritable copy of the
    BIOS to chip 2 and the ESP BIOS to chip 3. The backup BIOS will also have
    the Linux program "wipe" so in the unlikeliness a rootkit takes control of
    chips 2 and 3 chip 1 will wipe it out and start from scratch.

    This board will also have integrated wifi as well as lan making it easy to get
    a internet connection. The goal being to be able to update the signatures of
    rkhunter and clamav as well as update both firmware by direct download before
    the OS even loads. This entire process will have a liberal use of checksums
    to make sure at no time is any malware being installed during the preboot
    process.

    I'm still trying to work out the finer details in my head. So my idea may
    make sense or it may not. Ultimately what I'm trying to do is build a mother
    board with BIOS backup/security redundancy. The 3 chips act as a triad that
    protect one another. The board should be designed so it tries to load the
    second chip with the rewritable BIOS and use the third chip to do a quick
    self scan for rootkits. If for some reason the first BIOS wont load it will
    fall back on the backup BIOS restoring the primary. Perhaps some one can
    share a better way of implimenting my idea. The goal is to make it damn near
    impossible for malware to alter or change the BIOS or load at preboot. These
    security meause could also be used to protect rewritable ROM on other
    hardware.

    Please share your thoughts. I would really like to see a board like this see
    the light of reality.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.4-svn0 (GNU/Linux)

    iD8DBQFIUMNzvsn/sQCIOqQRAqG+AJ9t1W14EgBRJQrOmvdpaNK5edMeNACggq+G
    ij2koHbQDzhTVXpv+AQbEHE=
    =V7L3
    -----END PGP SIGNATURE-----

    Follow upAuthor
    [oc] Re: [coreboot] (no subject)Nathaniel Dube

     
    Copyright (c) 1999 OPENCORES.ORG. All rights reserved.