As far as modern cyber security has come, it’s still tricky to protect a system before it boots up. The UEFI (Unified Extensible Firmware Interface, still commonly referred to as a BIOS) that launches before the OS is vulnerable to malware, too, and often reinstalling the OS or even replacing the hard drive won’t rid the system of infection. Dell has a new plan to protect that essential part of any system called , and it’s actually pretty simple, according to PCWorld.
During the bootup process, the system grabs a snapshot of the UEFI using a method called SHA (Secure Hash Algorithm.) The algorithm converts the entire image of the UEFI into a long code, or hash, which can be compared to other hashes without exposing the actual data inside. This hash is stored temporarily in the SRAM of the machine, a part of the CPU cache not normally accessible to software, and sent securely to Dell’s servers, where it’s checked against a hash of the verified UEFI. If the two codes match, the system boots normally without sending an error report.
If a discrepancy between the two versions is found, however, the system automatically reports back to Dell, and in turn Dell alerts the IT company associated with the affected machine. It doesn’t actually plug the hole or stop the device from booting, as it doesn’t match the data until after the OS launches, but raising a red flag allows an IT professional to come resolve the issue. Unfortunately, that still involves shutting the system down and flashing clean firmware by hand, but Dell is working towards the automation of that process as well.
There’s already one system in place on enterprise computers for protecting the UEFI, called Microsoft Measured Boot, that uses a Trusted Platform Module. The TPM is built into some systems and smartphones, with its own microprocessor that verifies the system’s BIOS settings to only launch verified firmware. This method requires actual hardware to be installed inside the system, however, to create an isolated layer, so it has to be included from the start.
BIOS verification is more important in enterprise situations than in personal use, although it’s a feature that Dell will make available on Precision, OptiPlex, and XPS PCs, as well as Venue Pro tablets. BIOS verification will join a number of other features in Dell’s Endpoint suite, which provides spyware removal, anti-virus, firewall, and browser security from end to end in enterprise setups. It will cost extra to protect a system’s UEFI from malware, and there’s no word yet on exactly how much or when the feature will actually roll out.
