Open Stack

On 2013-05-27 11:29:31 +1200 (+1200), Robert Collins wrote:
> On 27 May 2013 11:02, Chris Bartels <chris at christopherbartels.com> wrote:
> [...]
> > Couldn't I re-flash the BIOS between each tenant to be sure
> > there isn't any problem with it?
> 
> Unless you flash the BIOS with separate hardware (not by running
> the flasher on the potentially compromised hardware itself), no.
> And even then you'll need to be sure you flash every single
> EEPROM, not just the system board BIOS, and you'll need to make
> sure you catch any that have been toggled into readonly mode by an
> attacker and pull and replace them. Note that a simple examination
> of device drivers / system firmware won't necessarily cover every
> power on EEPROM in the system :).
[...]

Note that this is a not-often-talked-about security risk throughout
the industry, it's not just an OpenStack baremetal issue.

Many (most? all?) data center hosting companies reuse servers
between short-term dedicated hardware tenants without doing much
more than a disk wipe and typical BIOS upgrade. For that matter,
there's a similar risk when purchasing used or refurbished
hardware... or even new hardware, depending on how much you trust
the procurement chain (but in that case there's at least readily
available legal recourse if you find out the
manufacturer/distributor/carrier intentionally engaged in
compromising the hardware).

Some companies are aware of these possibilities and may have simply
decided their risk analysis shows it's not worth mitigating in their
situations, but many are not aware that this attack surface even
exists to begin with. Now, whether can you trust that the computer
manufacturing and software industries can solve this problem
(Trusted Computing and so on) is another question entirely.
-- 
Jeremy Stanley