HP Enhances SureStart Tech to Protect Users From BIOS Attacks

SureStart promises a self-healing PC BIOS and an "AirGap" technology, which is separated from the rest of the system to provide improved security.

Hewlett-Packard is evolving its SureStart technology in a move to provide more security capabilities to its users. SureStart, which HP unveiled in September 2013, offers the promise of a self-healing PC BIOS (Basic Input/Output System) that can protect users from attacks.

"BIOS is an area of security HP identified early on as being a potential risk," HP Distinguished Technologist Vali Ali told eWEEK. "If an attack is able to get into the BIOS, really bad things can happen."

A BIOS virus can potentially remain undetected for a long time, and even if it is detected, it's not easy to recover from an attack, Ali said. In recent years, there have been public disclosures of low-level attacks, including the Membromi BIOS rootkit, he added. (Membromi includes a keylogger in the BIOS that allows an attacker to track all keystrokes on an infected system.)

The promise of SureStart is to help users protect, detect and recover from BIOS attacks, Ali said. The technology doesn't necessarily know how an attacker was able to get into a system, but SureStart will find a way to detect that malware of some form is present in the BIOS, he added.

SureStart represents a form of an intrusion-detection system that is independent of the underlying chip or operating system.

"We had to design it that way, such that if there are vulnerabilities in the chip or the operating system, we can still detect if something bad has happened," Ali said.

In recent years, the need for secure systems and authentication at boot time has also been addressed though the use of UEFI (Unified Extensible Firmware Interface) Secure Boot, which is a mechanism for validating the integrity of an operating system.

Without SureStart, traditionally the first time you power on a system, what happens is the processor and system chipset will start to execute the very first line of the BIOS code, and the BIOS piece is then able to perform a Secure Boot mechanism for the operating system, Ali explained.

"SureStart takes a step back to consider what if someone were able to compromise the very first line of code in the BIOS itself," Ali said. "So before the very first line of code gets executed, with SureStart, we have different hardware and firmware, which is our own hardware root of trust, that is completely isolated from the rest of the system."

The SureStart isolation helps ensure that no other entity on a system can touch anything that is running on the separated hardware root of trust. The SureStart hardware root of trust will, in effect, hold the system processor to verify that the first line of code in the BIOS has not been altered or tampered with. SureStart will repair the first line of BIOS code if it does find that it has been altered.

"UEFI Secure Boot comes after SureStart is finished," Ali explained. "So before anything else executes, SureStart has already done its work."

In addition to helping identify potential BIOS security issues, the recovery piece of SureStart will also help repair a system. SureStart can be considered an "AirGap" solution, a technology that is separated from the rest of the system, in order to provide improved security. From a recovery perspective, SureStart needs to have a known good source in order to repair a system.

"The good source is coming from a different location in the platform that is completely air-gapped from the rest of the system," Ali said. "We electrically isolate the particular part of the system where we keep a good BIOS that we can use for recovery."

HP is now taking the SureStart idea to the next level, he said, adding that different types of system firmware need to be recovered from attacks, and HP wants to be able to enable self-healing in a broader way for systems.

To date, HP has provided SureStart in some of its PCs, and the industry should stay tuned for future announcements on the technology, Ali said.

"SureStart is processor-independent, so there are lots of other ideas we can pursue, different types of processors, x86 and non-x86 platforms and devices," Ali said. "We hope to one day soon have this deployed across all types of devices, not just PCs, so every device that boots, whether it's a printer, a phone or a tablet or anything else."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.