OPERATING SYSTEMS SUCH as Windows, Linux, and
macOS have kernels. The kernel controls access to
system resources. It contains the logic for allowing
multiple processes to share hardware mechanisms
such as CPU, memory, disk I/O, and networking.
When a computer boots, the main interface for
initializing the DRAM, silicon, and devices is the
firmware. The firmware initializes the operating
system with a bootloader. You might have heard of
GRUB (derived from Grand Unified Bootloader), a
common bootloader for Linux distros.
Every computer or server typically comes with firmware
produced by the vendor that manufactured it. Firmware
lives in the SSD/HD (solid state drive/hard drive),
keyboard, mouse, CPU, network card,
and other devices.
Exploits in firmware can cause a
lot of harm because of the many privileged operations for which firmware
is responsible. For example, consider
the hack on SoftLayer, 3 a bare-metal
cloud, where the base management
controller (BMC) was hacked to leave
a backdoor so when a server was reprovisioned after a customer used it,
the hacker could still have access to
that server. The minimum bar for any
cloud provider is to provide a machine
for a user that gets wiped cleanly and
completely after use. This is a clear
violation of that promise.
Making matters worse, most firmware is proprietary. The code that runs
with the most privilege has the least
visibility. This leads to breaches and incidents that have the capacity to affect
users on multiple platforms simultaneously. To hackers this is like catnip.
Open source firmware can help
bring computing to a more secure place
by making the actions of firmware more
visible and less likely to do harm. The
goal of this article is to make readers
feel empowered to demand more from
vendors who can help drive this change.
This is an introduction to a complicated topic; some sections just touch
the surface, but the intention is to provide a full picture of the world of open
Computers today have various levels of
˲ Ring 3—Userspace. This ring has
the fewest privileges. This is where user
programs run. Userspace sandboxes
can restrict privileges further.
˲ Ring 0—Kernel. This is the operating-system kernel; open source operating systems allow visibility into the
code behind the kernel.
˲Ring – 1—Hypervisor. This VMM
(virtual machine monitor) creates and
runs virtual machines. Open source
hypervisors such as Xen, KVM, bhyve,
among others, provide visibility into
the code behind this ring.
Article development led by
Step into the world
behind the kernel.
BY JESSE FRAZELLE