AMI and Colorado State University Joint Security Paper to be presented at the 24th IEEE International Conference on Software Quality, Reliability, and Security

AMI in the News, Firmware Security

Thomas McCarthy

Product Marketing

To greatly reduce the threat of tampering with compute devices in transit from manufacturing to their end-user application, AMI and Colorado State University have created a methodology to secure platform firmware in a Cerberus framework. This process is being presented in a paper entitled “The PIT-Cerberus Framework: Preventing Device Tampering During Transit” at the 24th IEEE International Conference on Software Quality, Reliability and Security (QRS 2024).

IEEE QRS

The IEEE QRS Conference brings scientists and engineers from industry and academia together in a single forum to present work on the best and most efficient techniques for developing reliable, secure, and trustworthy systems. Program selection involves a detailed review by 3 committee members across a pool of 209 other papers. AMI and Colorado State’s methodology for preventing device tampering during transit was one of 50 papers selected to be presented at the conference.

Protection in Transit (PIT)

To tamper with or modify device platform firmware in transit, a hacker would need to either write to the firmware’s storage location or physically replace the firmware code. This paper addresses writing to the firmware storage location, which requires the device to be booted to a minimal state where firmware memory I/O is enabled. Therefore, securing platform firmware requires that the first boot of the BIOS/UEFI or BMC following shipping is exclusive to the authorized downstream user.

To achieve this, AMI and Colorado State propose a mechanism where the device manufacturer implements a BIOS or BMC lock post-production that can only be unlocked by a Hardware Root of Trust (HRoT) device during the BIOS/UEFI or BMC boot process. The BIOS or BMC firmware would be unlocked only after a successful authentication by the HRoT.

Extension of Project Cerberus

This methodology is an extension of Project Cerberus, an open-source initiative that establishes a hardware root of trust for servers. Adopting the protection in transit (PIT) methodology greatly enhances Cerberus security: today Cerberus focuses on attestation of platform firmware at boot and during runtime, and does not currently address user authentication.

Efforts by AMI and Colorado State University

In order to ensure the highest level of security for the PIT-Cerberus framework, AMI and Colorado State have leveraged strong data encryption techniques and have implemented the solution within a trusted HRoT microcontroller. These efforts put forth by AMI and Colorado State can be sampled through the PIT-Cerberus framework’s libraries, available on Project Cerberus today.

The presentation of the paper “The PIT-Cerberus Framework: Preventing Device Tampering During Transit” can be seen July 1st through the 5th at IEEE QRS, Churchill College, University of Cambridge, UK.

This paper will be available to read in the IEEE Xplore digital library upon approval.

About AMI

AMI is Firmware Reimagined for modern computing. As a global leader in Dynamic Firmware for security, orchestration, and manageability solutions, AMI enables the world’s compute platforms from on-premises to the cloud to the edge. AMI’s industry-leading foundational technology and unwavering customer support have generated lasting partnerships and spurred innovation for some of the most prominent brands in the high-tech industry. 
