After IBM SoftLayer fails to scrub bare-metal box firmware of any lurking spies, alarm raised over cloud server security Cloud providers renting out bare-metal servers must make sure they scrub every last byte of writable storage on their boxes between deployments, infosec outfit Eclypsium has urged. Otherwise, malicious customers could stash spyware and other malware in motherboard flash memory that secretly activates when the next user of a …
Cloud providers cannot trust third party hardware unless it is open hardware with open firmware, nor can anybody else.
Cloud providers offer full access to proprietary hardware with proprietary firmware, nobody knows what the thing is doing, and their customers can break out of their garden if they can get their mits on 0wned firmware for the device.
"I only trust firmware I doctored myself."
Not only that, say, $CLOUD uses open hardware and firmware, they can trust that .... AND, unless they provide that to their clients as well and allow their clients to edit and flash firmware, the clients still cannot trust.
That is the whole point of open hardware and firmware -> at any given time, I know EXACTLY what that piece of hardware is doing.
.. and having access to the skillsets to properly review this for vulnerabilities. The Obfuscated C Contest is but a hint of what depth of competency you need to catch questionable aspects, ditto for the hardware. That translates directly into money.
It isn't easy to avoid having to invest trust somewhere in your supply chain. Unless your budget is paid for by the taxpayer, you will have to make choices at some point.
You might want to read Reflections on Trusting Trust by Ken Thompson. Even if your hardware, firmware and software is open you do -not- know what the hardware is actually doing. As soon as you introduce a third party you cannot trust the compiler or the manufacturer to do precisely what you asked without adding something else. And even if you bootstrap the entire system yourself from logic gates up there is still a chance that malware could infect your compiler and introduce an extra payload (as has happened in real cases).
Are you going to download and disassemble it, and compare it with source? If you want to check hashes only, you can do it with proprietary firmware as well. If you reflash firmware, it doesn't matter if it is open or not.
Unless you don't trust the OEM, but that's another matter. You can ban Huawei, for example <G>
Are you going to download and disassemble it, and compare it with source?
Ever heard of "build from source" ?
Huawei ? They traded with Iran and are now a USian target. Not that I would trust their hardware, neither more nor less than any other thing non-open out there, mind ... if I cannot doctor the firmware from the source, then I cannot trust.
On hardware you don't fully control? In any given instant there's nothing to ensure the system is running the firmware you built.
While it is true you should not blindly trust anybody, if you don't trust anything and anybody, you'll end up not trusting yourself too.
Good luck, anyway - you'll have to collect your silicon from a trusted soruce, ensure it wasn't tampered with, check the "open" foundry equipment, than check your photolithography equipment has not been hacked (good luck in finding an "open" one, since very few make them...), etc. etc.
On hardware you don't fully control?
I am not advocating for $_CLOUD. I am merely saying $_CLOUD is folly, because you do not know what is running where, where your data is stored, if and where it is copied to ... granting customers full access is dangerous, because they can get firmware that can bork the system .... only a matter of time until that happens.....
While it is true you should not blindly trust anybody, if you don't trust anything and anybody, you'll end up not trusting yourself too.
Now, one moment, logical fallacy, here, sir. I trust myself. I know I will never be 100% certain that a certain piece of hardware in my data center, manufactured to open designs, running open firmware that I compiled and flashed onto it will run exactly as intended, sure.
But compare that to closed hardware, with closed firmware, I even grant you running a partially open OS (GNU/Linux with binary blob drivers), running on a third party system somewhere, where others may have access to the underlying hardware, because multiple customers happen to use instances on one same physical system to which we are all given full access to the OS running ( in our instance ) ... folly, I tell you, folly. Ever heard of break out of sandbox vulns ?
Even closed hardware, with closed firmware in my data center cannot be trusted not to leak data. Sure, no other choice now, but the minute open hardware that is shipped with open firmware and that performs reasonably well, I will jump ship in no-time, as any sensible person would.
We should always strive for perfection.
In short:
1. $_CLOUD is utter folly
2. Closed hardware/firmware/software is folly*
3. Closed hardware/firmware with partially open OS (GNU/Linux with binary blobs) is better
4. Open hardware, running open firmware and software (free of binary blobs) in your data center is as close as you can get to perfection. You can vet, or have vetted, each and every line of code that gets compiled and run.
You can say compiler could be 0wned, sure, but that could potentially happen to any and all.
You can say manufacturer could add a backdoor with some hidden ROM firmware somewhere, but that could potentially happen to any or all as well. And you can check the chips on the board, if need be.
Why you are preferring a far less trusted system is beyond me. You can say what you want, open stuff is better than closed stuff - like Democracy, with freedom.of information act, is better than USSR.
* Cf article on this site about Dutch authorities kicking Microsoft who REPEATEDLY denied copying sensitive data to servers in the US, even when faced with the evidence. Even MS does not know what Windows and Office are doing.
* Intel ME, anyone ?
What good does reflashing the BMC's firmware do? The only (supported) way of doing that is from the BMC itself, and if it had been compromised, then it could just ignore the new firmware and report a successful reflash. I really doubt they're removing the EEPROM/flash from the motherboard and flashing it and resoldering it.
This post has been deleted by its author
Perhaps we should go back to hardware that doesn't let you flash it unless a jumper is set one way. That would make it impossible for a remote user to "maintain" the system because they don't have physical access. I can see that being able to download a program that flashes your BIOS is convenient if the system has been sold to the great unwashed (ie, me) but the trade-offs of security and convenience are exactly reversed if the system owner is a VM provider.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
