BIOS-Maker Phoenix Enhances Laptop Security, Recoverability
"Pre-OS environment" can launch security and recovery applications that boot before Windows
Phoenix Technologies Ltd. announced the release of Core Managed Environment (cME), an always-on, always-secure environment for running software before the operating system of a computer boots. Though the release is aimed at hardware manufacturers and resellers who would build the technology into PCs, servers and appliances, users ultimately stand to benefit from improved device security and disaster recovery.
Gartner research fellow Martin Reynolds terms cME a “pre-OS environment,” since it’s triggered by the BIOS and runs before the operating system. If you can do a pre-authorization before you do the Windows boot, he says, then systems can be much more secure. Given the need to secure mobile devices, the technology could be especially useful on notebook PCs, says Reynolds. “Of course the notebooks are where we have the biggest security problems, so anything that can help with authentication before you log in is good.”
“We call this an operating environment, not an operating system,” says Edward Soo Hoo, vice president of marketing strategy for Phoenix Technologies Ltd. in San Jose, Calif.
Today there are too few attractive options for properly securing laptops. “You can use smart cards before Windows logs on, but that's not great,” says Reynolds, since it requires external devices. Administrators can require users input a PIN or password at the BIOS start-up, before the rest of the computer boots, but there’s still a problem. “Of course they have all those problems with users remembering user names, so you get all those Post-It notes,” he says.
Regular BIOS—about 32K of code—and the chip it’s stored on doesn’t have enough extra memory to run newer biometric technology, such as fingerprint or iris scanners. Since cME merely piggybacks off the BIOS, additional parts of the hard drive can be partitioned—in what’s called a host-partitioned area (HPA)—and that space set aside strictly for cME access.
For example, biometrics could run before Windows ever gets loaded. With cME, “I like the idea of facial recognition. It's not the greatest solution there is, but when you couple it with a PIN or password, it gets pretty effective,” says Reynolds. With something such as Phoenix, he adds, “you could fully encrypt the hard drive,” before Windows boots, and only decrypt it if proper authentication gets entered. Even if someone stole the hard drive, accessing information would be extremely difficult.
Other useful pre-OS applications might include diagnostics tools. “If you have to run diagnostics in Windows , sometimes you can't get as close to the hardware as you'd like,” says Reynolds. In addition, administrators could enforce connection policies by making the connection before Windows boots and then asserting control over any attempts to use the connection.
For example, if a user logged into a VPN in the pre-OS boot, the laptop could disable wireless access so the user’s laptop didn’t provide a convenient way for someone to listen in or piggyback off the laptop and get an easy bridge into the corporate network. Even in the event of a catastrophic system crash, users could still access diagnostics, the Internet, and self-healing tools, so IT could do a CD-free remote rebuild using a copy of the Windows installation CD tucked away in the HPA. “What we want to do is give users the option of a lifeline capability in a tamper-proof environment,” says Soo Hoo.
Phoenix claims its device would save companies money since approximately 80% of computers returned for repair don’t actually have hardware problems, but system problems. A system restore could fix many of them.
Phoenix is probably best known for reverse-engineering the IBM PC’s proprietary BIOS in the mid-1980s by using a clean room approach—studying what the BIOS did, then writing their own code to emulate it. Instead of copying IBM’s code, Phoenix had code that was different but functioned identically. Thus ended IBM’s monopoly on PC hardware production, as Phoenix’s new BIOS helped spawn the first IBM-compatible PCs. (Note that if today’s Digital Millennium Copyright Act was in effect then, what Phoenix did would probably have put the company in hot water.) Today the Phoenix BIOS resides on approximately 85% of desktop computers and 45% of laptops, the company says.
Should Microsoft’s Palladium become a standard, Phoenix would work with that. “It would actually be a compliment to Palladium, to ensure the integrity of the system before it boots,” says Reynolds. Palladium is a web-of-trust approach to securing networks and computers where any malicious code simply gets rejected.
Of course with today’s IT budget crunch, purchasing managers might hesitate paying for more than one operating system per machine. Phoenix’s Soo Hoo responds: “Yes, you’re already paying for it, and you’re paying for it in more ways than one.”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.