OpenBSD Journal

FOSS, Security and Closed Hardware

Contributed by grey on from the do you trust your microcode dept.

Jason Miller has written on the sad state of affairs when it comes to closed hardware in this article. It's worth a read, and discusses some of the topics we have been dealing with as a communtiy recently, such as wireless chipset vendors. It also raises the question of whether such closed hardware could host security vulnerabilities.

(Comments are closed)


Comments
  1. By grey (207.215.223.2) on

    With the exception of http://opencores.org/ and the proposed open source friendly graphics card, the security question raised is somewhat pervasive in the hardware industry. Even for vendors who do provide documentation and even allow for firmware redistribution, it is a rare occasion when a vendor willingly provides complete access not just to firmware, but even microcode or internal BIOS systems. That's not entirely accurate I should state, since at least in the case of PC BIOS, LinuxBIOS is gaining traction, and even support from larger hardware vendors like Tyan.

    While a completely open system is a lofty and arguably necessary ideal from a security perspective, there is a certain amount of trust that must be given simply due to the environment we currently have. As such, expectations that hardware vendors provide enough documentation and resources so that FOSS can use their hardware is not really asking too much in my opinion.

    Comments
    1. By Anonymous Coward (195.122.29.101) on

      wouldnt be beautifful, if there would be openARCH?
      OpenBSD developers could make ultra-secure processor architecture and make hardware, which would be unltra-supported in openbsd?
      That would be supadupa arch for paranoids and obsd fans :D
      it will be like this in one day.

      Comments
      1. By James (141.154.29.77) on

        it will be like this in one day.

        Really? What's the website address. I wanna peep the specs.

        Comments
        1. By Anonymous Coward (24.201.62.155) on

          That sounds like '640k outta be enough for anyone'.

          Comments
          1. By Brendgard (69.10.194.180) brendgard@yahoo.com on http://websitegurus.us

            I thought I was the only one that read this page that was old enough to remember Billy saying that :O

            Comments
            1. By James (140.247.214.30) on

              Quotes likes that are definitely timeless.

            2. By Sean Brown (204.209.209.129) on

              Oh you remember that? Thats amazing, since he never said that in the first place.

              Comments
              1. By Anonymous Coward (209.52.126.5) on

                I know he says now that he never made that 640k comment, but I'd like to know when he first started denying it. I heard him give a talk in '88 or '89 where he joked about it, but he certainly didn't deny it. Maybe he just thought the rumor was funny back then or something. Alternately, maybe he finds it a little too embarrassing now.

                Comments
                1. By Sean Brown (68.147.170.205) on

                  He has never denied that he's said some really stupid things in the past, so why deny this one? There is no evidence that he ever did, its just something that everyone 'knows.' Urban legends of this type are rarely true, especially when they occur in recent history when there should be ample proof if indeed it happened.

                  I'm sure he did joke about it before, but everyone bashes it over his head now with no proof he ever said it, I'm sure its getting really old now.

  2. By Anonymous Coward (151.188.247.80) on

    I have my own solution to this. I simply vote with my dollars and don't buy such hardware. As a security professional myself, I think that running wireless as it is today (without a *LOT* of supplementary work, like Blowfish or 3DES IPSec on top of it) is not only dangerous, but negligent. WEP? Please. EAP? Same thing. MAC-Address filtering? You gotta be kidding. PEAP? When it works, it's not bad, but there's the rub. We have two CCIE's here that had trouble configuring it on Windows, which, sadly, is still used in most corporations and thus must be accommodated. Thus, "PC techs" with MCPs and MCSEs cannot be expected to be able to do it either.

    I do not run wireless at home. I do not run wireless at work (others do, but I don't). The above, and the requirement of proprietary software in my OS kernel to run them, are the reasons why.

    As for other hardware, like ATI's and nVidia's newer video boards, I refuse to buy them. Period. I'm not a "hard core gamer" who's likely running Windows anyway; I use my computers to do work. I have no problem with ATI's cards that are fully supported by Free Software and will happily buy older cards which do what I need (read: display X11 at a decent resolution with 3D acceleration enabled). I will not purchase an Intel Centrino-based machine for this same reason; they're not fully supported by Free Software and thus provide me with no benefit over, say, an AMD laptop or Pentium III/4 laptop.

    The first thing I check for, in any given piece of hardware, is, "is it supported by Free Software?". If more of us did this before the purchase, and actually stuck by our guns, then we might not have these wireless, video, etc. problems that we have today. Vote with your wallets, folks. My computers, bought and built with exactly this philosophy in mind, are a pleasure to use, so it is possible and really isn't hard.

    Comments
    1. By SH (82.182.103.172) on

      The Prism 2 and 2.5 is well supported by Open Source drivers for hostap mode, and Prism 3 at least as a client. This is what I use at home along with isakmpd and is secure enough for my needs. There are other wireless 802.11b chip sets that are supported by Open Source drivers, but perhaps not yet as hostap (for those chip sets that supports it). So, if one think 802.11b performance is sufficient, there is much to choose among. As for 802.1a/g, OpenBSD (among others) developers are working on it :-)

    2. By Anonymous Coward (213.224.83.135) on

      I'm inclined to agree. Even during all this "intel says NO"-stuff I was still advised to buy an Intel NIC .... Sure, their nics are good, but hey, why should I buy one if they fuck me over with their other hardware?

  3. By reksio (194.29.137.67) on

    I'm not an expert on device drivers, so correct me if I'm wrong.

    Author's fears about security are somewhat exaggerated.
    How sophisticated firmware code should be to pose a security threat?
    Intercepting a ssh session would be extremly difficult if not impossible at all. We're rather talking about relatively simple harware here. Moreover, does an operating system really executes this "closed source component"? I don't think so.

    Comments
    1. By tedu (67.124.88.142) on

      furthermore, if the firmware were embedded into the device's rom, how would you know what it was doing?

    2. By Anonymous Coward (69.138.29.155) on

      You diminish damage what can nasty firmware can do on your computer.
      Let's see. It has access to your computer bus.
      If it is on a same segment as a video card, it can leak all what you see on the monitor. The case of the keybord data going trough the same bus brings nice keybord capture application in mind.

      The sofistication of the board may not seem so big, but don't forget that most of the ICs are programable. They can be reconfigured on the fly.

      On the other sise it would be unfeasable to develop universal hacking instrument working on all boards and system configurations.

      But in turn the possibilities are endless if sufficient information about the system is leaked out and wireless card is approprietly "patched" over the air. This is the before mentioned possibility of the back door.

      sanity check:
      Most mother boards don't route keybord information over the periferial bus. Most MBs also have the video card build in so the data should not go trough the external bus either.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]