The FailSafe® Agent implementation is based on Phoenix's 25+ years of experience implementing the core BIOS firmware and other security products. FailSafe mechanisms start operating as soon as the first instruction executes on the computer, so there is no timeframe in which an alternate software stack may take over and override the FailSafe operation.
Because FailSafe is rooted in the trusted firmware/BIOS layer of the computer system, it is extremely hard to subvert using software-attacks. FailSafe also protects against hardware attacks to the point where subverting it requires one to effectively physically destroy the computer system. The FailSafe solution is far superior to Windows® or Linux® solutions that rely solely on the operating system, its applications, or Option ROMs.
Weaknesses in Existing Solutions
Phoenix continues to build on core strengths of BIOS leadership of 25+ years to introduce FailSafe category of products. Existing solutions present myriad of weaknesses. They don't operate at the BIOS layer; hence precise control of BIOS load and boot functions and command control is lacking. Often, the application doesn't run in highly secure memory, making it susceptible to simple subversion attacks ranging from OPROM subversion attacks to ungraceful tampering, disablement or uninstallation of the application. In addition, integration with advanced BIOS functions such as bricking/un-bricking, Hard Disk Drive (HDD) locking, and encryption performed at the BIOS layer is missing. Hence current solutions provide an offering with a relatively weaker security posture. The current state of theft detection technology is also reactive in nature, involving a human action to report the theft incident. While this is good, often too much time passes between the time a theft report is filed and the time when the theft actually happened.
The single most important concern after a laptop theft is the protection of data. The complete backup and restore of data on client devices, ranging from specific files, folders, to a complete file-system and from/to cloud are not fully integrated with current Anti-Theft solutions; hence the current state of technology is often limited to retrieval of few single files only often with serious size limits imposed.
The core technology components don't perform complex correlation of client agent state events to distinguish between normal, well-behaved and accepted anomalies vs. an indication of an actual theft. As a result, current solutions are prone to lots of false-positives (FPs), leading to expensive support calls and disruption in normal work. The technology elements need to proactively track client(s) behavior, correlate it with past behaviors to precisely identify normal states and anomaly states, and identify potential theft scenarios without possibly requiring a human intervention.
The current GEO location solutions are also not dependable, often producing imprecise results. The triangulation algorithms used are relatively weak in identifying the precise location of the stolen laptop. In addition, rich, remote, command-control support to track a stolen device from a hybrid set of form factors, such as Web, mobile, WiFi, BlueTooth, SMS extensions, etc,. is not available.
FailSafe Technology Advantages – Current
(I) Operates at the BIOS Layer
FailSafe core differentiation comes from the fact that it runs directly from the BIOS, even before a traditional operating system (OS) such as Windows or Linux boots up. This provides more immense control, reliability and security than the traditional solutions that require native OS to boot can offer today. By operating at the BIOS level, FailSafe can provide a richer set of BIOS capabilities, such as Bricking/ Unbricking, HDD locking, degrade mode support, GeoFencing. FailSafe can also integrate with alternative technologies provided by chip vendors, such as Intel® Anti-Theft Technology (ATT). Because the core BIOS always executes first, it is immune to traditional OPROM subversion techniques that current solutions running at OS layer suffer. The core runtime modules also run in highly secure SMRAM memory.
BIOS Design Considerations
Core BIOS Advantages
Full Control over Load and Boot Order
FailSafe is loaded early in POST, giving it full control over subsequent module loads, boot order, and boot devices. This control enables boot policy enforcement and degraded mode support. It also prevents OPROM subversion techniques, providing greater security and policy enforcement capabilities.
Degraded Mode Support
FailSafe also supports a policy-based degraded mode enforcement capability that, among other things, can prevent a device from booting from any type of secondary boot media other than the primary boot drive (e.g., when a PC does not connect to the Internet and communicate with the FailSafe server within some pre-defined interval of time).
Secure and Reliable Policy Enforcement from Core BIOS
- BIOS hardware initialization execution is sequential and always executes in the same pre-defined sequence.
- Execution of policy enforcement (i.e., Disable the PC) in the Core BIOS is the most secure and reliable implementation.
- Policy enforcement in OPROM can be subverted (i.e., instructions skipped or altered).
(II) Greater Security
SMM Code Execution
FailSafe leverages SMM technology such that the BIOS is able to receive commands from the OS level and execute them in the BIOS. Features such as GeoFencing, degraded mode support, and disable depend upon this capability. In addition, BIOS is in control of the OS components to ensure the integrity of the FailSafe agent.
Intelligent Client Functionality
FailSafe delegates intelligence to the FailSafe agent, which is important when the device is running without a connection to the FailSafe server. This allows the agent to enforce policies such as Geofencing and degraded mode support even when no server connection is present. This capability requires runtime communication with the BIOS, which FailSafe performs using the SMM.
GeoFence A GeoFence is a rectangular area defined by a set of longitudinal and latitudinal coordinates in which a device is allowed. It is enabled based on GPS readings from the device and policy-based coordinates on the server. A GeoFence can be defined in terms of a City, State, or other geographic region (may have multiple GeoFences). The FailSafe agent is able to detect the violation of the GeoFence policy and directly instruct the BIOS to disable the device. Again, this feature relies on the BIOS runtime communication via the SMI. |  |
Hard Disk Device (HDD) Locking
FailSafe provides the remote capability to lock / unlock the hard disk drive using a security password right at the BIOS level without requiring any OS intervention. This provides complete control of any software to have direct disk access.(III) Theft Deterrent Complements
| The FailSafe security solution complements laptop theft detection and recovery methods with proactive theft-deterrent solutions. The Phoenix Freeze™ solution is designed to lock the computer when the user walks away and unlock it when the user comes back, effectively minimizing vulnerability to line of sight. The product establishes a zone of safety for the end user where there is a strong Bluetooth signal. If the end user leaves the zone of safety with their paired mobile phone for a meeting or coffee, the Freeze-enabled computer will lock at the windows level. For the user, this eliminates the worry and risk of exposing sensitive data and also provides theft prevention, as there is now less reason for anyone to take the computer. Another benefit is reduced power consumption, as Phoenix Freeze offers the option to power off a laptop screen and put the system to sleep. In addition, advanced SMS controls and auto theft deterrent capabilities are provided, such as SMS-lock, SMS-unlock, SMS-GPS, SMS-Photo, SMS-Alarm, SMS-Saver and SMS-Hibernate. |  |
FailSafe Technology Advantages – Tomorrow
The FailSafe security solution continues to the build on the promise of providing the utmost security to user, whether it is (1) Recovery of a stolen device, (2) Recovery of critical data, (3) Providing the seamless and rich user experience around Always-On, Always-Connected and Always-Secure properties, or (4) Protection against potential Data Leakage and Identity-based attacks ranging from Identity Theft, False Identities to Fraud filings.Phoenix FailSafe Vision
