Buying trustworthy hardware for federal agencies: How open source firmware saves the day

level: advanced

Buying hardware is easy. Buying secure hardware is hard, can be expensive and
you may not even know how secure the hardware really is. The Federal Office
for Information Security (BSI) Germany is using a two-pronged strategy to
solve this problem: Mandatory security requirements for any server and client
hardware as integral part of any Request for Tender, and firmware source code
requirements as well as complete hardware documentation for higher-security
hardware. This talk is about both approaches and their associated
requirements as well as the real-world security improvements resulting from
our work.

With the restructuring of federal procurement in Germany towards one central
agency publishing unified RFTs for large quantities of identical systems,
there was a unique opportunity for establishing mandatory hardware/firmware
security requirements in such RFTs up to classification level "Restricted".
Previously, each federal agency had created its own set of security
requirements for computer purchases, some of them conflicting with each
other, each of them for small-quantity purchases. Vendors thus had no
motivation to offer systems fulfilling the requirements, and if they did, the
premium for security features was substantial. This talk specifically focuses
on the current unified baseline security requirements for clients (desktop
and laptop computers), discussing not just the criteria themselves, but also
the resulting security improvements and possible solutions for fulfilling
future stricter criteria with the help of open source firmware.

Considering the increasing number of critical security vulnerabilities present
in hardware and firmware, it is wise to require full firmware source code
availability for any component able to control or access the processor, RAM or
critical peripherals in any system used for information classified
as "Confidential" or higher. Obviously, being able to reproducibly compile
the firmware source code is essential to ensuring that the binary firmware and
the supplied source code match. As one of the solutions available on the market
today, coreboot fits that bill nicely. This talk focuses on why source code
availability helps with more than just analyzing code, especially considering
that removing attack surfaces strongly depends on the ability to modify the
source code and to deploy changed versions of it.

The paper will list the current and future security requirements for federal
requests for public tender as well as the associated justifications and
expected resulting benefits.


Speakers: Carl-Daniel Hailfinger