Manageability Security
Transcript of Manageability Security
Manageability Security
James MihmBMC FW Architect/Team LeadIntel Corporation
HW Management
Todays Snapshot
Use Redfish For Manageability
OCP Defined Profiles For Redfish
OpenBMC Now Supports RedfishIncluding OCP Profiles
OpenBMC Security WorkgroupSecurity Architecture SpecificationReporting ProcessIncident Response TeamSecurity Advisory
MANAGEMENT
Motivation
Unified Security Objectives and Requirements for HW & FW
Obligation To Protect & Defend Against AdversariesMake It Personal
Ever Increasing Threat Landscape
Goes Beyond DOS or PDOSEspionageNational SecurityData Protection
MANAGEMENT
Changing LandscapeFrom Obscurity to Headlines
IPMI: Express Train to Hell, by Dan Farmer published in 2013http://www.fish2.com/ipmi/itrain-gz.pdf https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/With a metasploit framework to reference
Bloomberg Article – Hype or Not?Trammel Hudson’s Project: https://trmm.net/Modchips
CVE-2019-6260 Exploit of AST2400/2500 Bare Metal Recovery Features
MANAGEMENT
Evolution of Thought
Host Interface Implicitly TrustedDon’t worry be happyOnce You Have The Host The Game Is Over
Security OwnershipDefense in Depth Strategy
Development of Advanced Features Ultimate OOB OS Access and Control
Contention Between Usability and SecurityExtremely Secure – UnusableExtremely Flexible – Unsecure
MANAGEMENT
Sleepness Nights
Insider ThreatsThe Rogue FW Developer
Nation StatesWho Can You Trust?
Supply ChainMeasurement, Detection, and NotificationAbuse Of Manufacturing Features
MANAGEMENT
Security RecommendationsExpect More From Vendors
Definition Of Security Requirements
Adopt Security Design LifecycleLearn & Embrace SDL For All Ingredients (HW/SW/FW)Own Your Security
Architect For SecurityAvoid ReinventingProvisioning GateEvaluate Access ControlsHardware Protections
MANAGEMENT
Threat Model – Interfaces
MANAGEMENT
MGMNTCNTRLR
LPC/eSPI
Host
MgmtNetwork
SMBus
Add In Cards
FLASH
PCIe NCSI
Network LAN DATA CENTER FACILITIES
Threat Model – High Value Assets
MANAGEMENT
BMC
Host CPU Complex
Host Memory Subsystem
Power Subsystem
BaseboardHardware
MGMNTCNTRLR
StorageSubsystem
Thermal Management
Call To Action
Define Security Requirement & Architecture Specification
Collaborate on PMCI Security Rqmts (next presentation)
Open Source Firmware Meetup @Marriott Salon V & VI
OpenBMC Security Workgroups
Where to find additional informationOpenBMC Security WG: https://github.com/openbmc/openbmc/wiki/Security-working-groupSDL: https://www.microsoft.com/en-us/securityengineering/sdl/
MANAGEMENT