Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!news.uu.net!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: walker@aedc-vax.af.mil (William Walker C60223 x4570)
Newsgroups: comp.virus
Subject: Software Upgradable BIOS (PC)
Message-ID: <0002.9105221524.AA01619@ubu.cert.sei.cmu.edu>
Date: 20 May 91 20:22:00 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 32
Approved: krvw@sei.cmu.edu

Here's something that should make the anti-virus community cringe.
Intel has announced a chip which would allow users to upgrade their
BIOS using a floppy disk.  The term I saw was "erasable programmable
read-only memory (EPROM)," but more likely the actual technology in
the chip is EEPROM (electrically erasable programmable ROM) or EAROM
(electrically alterable ROM).  But the technology is beside the point.

Up until now, the only trusted portion of the computer has been the
ROM BIOS, while the partition table, boot sectors, DOS, and program
files have been prone to virus attack (or merely unintentional
changes).  Software-upgradable BIOS would change that, making even the
most trusted part of the computer "subject to change without notice."

It does make sense to simplify the BIOS field upgrade, but to do it
using something as transient as software in this day and age probably
would not be wise.  More logical would be a small cartridge, not
unlike an HP font cartridge, which can be changed without having to
open the case.  Sure, it would be more expensive up front, but
compared to the possibility of a "BIOS resident" virus, it would be
much less expensive overall.  The same type of thing could be used for
a ROM-based DOS cartridge, which could have a switch that selects
booting from cartridge or disk, much as Krishna E. Bera suggests.

I feel that the prominent anti-virus researchers (and some of us
others) ought to collectively rise up and protest the software-
upgradable BIOS before it gets any acceptance.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) |
OAO Corporation                        |
Arnold Engineering Development Center  | "I'd like to solve the puzzle, Pat"
M.S. 120                               |
Arnold Air Force Base, TN  37389-9998  |