User manual
Etherboot User Manual
hand, it also enables some attacks that are not possible against machines that boot from local mass
storage devices (floppy, harddisk, ...). As a general rule, you can assume that it is impossible to protect
your system from all conceivable attacks, but you can try to minimize the chance of an attack, try to
minimize the seriousness of the damage caused and try to help in detecting attacks at the earliest possible
moment. This text discusses some of the issues involved and tries to raise awareness of security
problems; it cannot provide generic solutions to all of these problems, but should help you in
appreciating the need for proper administration and regular security updates.
C.3. PC ARCHITECTURE
The PC architecture was never designed with security considerations in mind. Running an operating
system such as DOS or Windows, allows the user full control over the hardware. There are no effective
measures for preventing him from modifying data on local mass storage devices, reading confidential
data that is stored locally, installing trojan horses and programs that intercept user input, monitoring all
data packets that are sent on the local ethernet segment, sending ethernet packages with faked
authorization information, and a whole lot of other potentially dangerous actions.
Modern operating systems and suitable hardware extensions make these attacks more difficult, but as
long as the user can still launch arbitrary programs that have full hardware access, there is not much
protection that can be achieved in this way. Therefore, the most important security measures are those
that prevent a malicious user from executing programs from arbitrary external sources.
The PC must be physically protected, so that there is no way of replacing the harddrive (either for
reading its contents or for installing compromised software), installing a modified system BIOS (if your
system has a Flash BIOS, then make sure that it is always write protected and that write protection
actually works!), connecting it to a different network, removing extra hardware that offers security
features, or performing some other hardware modification.
If the PC offers exchangeable mass storage devices (floppy, ZIP drive, CD-ROM, ...), the system must be
configured to never boot from these devices.
This is not as easy as it might sound. Most motherboards come with a system BIOS which offers
back-doors to their password. So configuring the BIOS to never boot from exchangeable devices, will not
prevent any determined hacker from modifying this setting. These generically accepted passwords might
not be known to your average users, but you can assume that even a poorly informed hacker will know
about them. Besides, if your system allows for reading the contents of the CMOS memory chip (e.g. by
starting a suitable DOS program such the debugger which ships with DOS), then the password can be
computed from this data. While you should still make sure, that your BIOS has password protection, this
is only to be considered as a mild deterrent.
A more useful protection is achieved by installing extra firmware, which requires a password before
booting from a local device. This firmware should be written in a way which prevents the system BIOS
from disabling it. This is the default configuration for the "etherboot" BOOT-Prom, but it might still be
circumvented, if your system BIOS allows for disabling certain memory areas from being scanned for
ROMs. If this is the case, then complain to your system vendor and replace the machine; it is unsuitable
for being used in a publically accessible place. Also, in a security conscious environment, there must be
no way of escaping from the control of the BOOT-Prom; this means, that you must not enable the
"-DEMERGENCYDISKBOOT" option when compiling the "etherboot" software and you must never
offer an empty image name in the image menu (c.f. README.VendorTags). If you want to offer booting
41