Reply to post: Re: Downgrade attack?

CTS who? AMD brushes off chipset security bugs with firmware patches

stuff and nonesense

Re: Downgrade attack?

How are you verifying that the microcode zero days were not on the machine before you acquired it?

One method?

Donkeys years ago I worked in a company that made mission critical hardware. We used a checksum on the software/firmware code at compilation time.

The checksum values were stored on hard copy (paper) and elsewhere, corrections to any errors were signed (on the sheet of paper). An altered entry with no signature was deemed invalid : that software release was checked against the version controlled code library.

The binaries generated were then stored on a server and loaded onto the EPROM devices as required.

When programmed the EPROM was interrogated to verify that the checksum was correct. Verification was against the paper copy checksum.

The devices were not connected to any external networks and could not be interfered with (exception : physical modification).

There has to be a point where trust can be established. If not what remains is the belief that the manufacturers are deliberately compromising their firmware.

The weak point is the initial compilation, mitigated with a code comparison by a third party.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2019