Firewire and similar DMA attacks

Kevin Day thekevinday at gmail.com
Tue Mar 11 16:21:34 PDT 2008


On Tue, Mar 11, 2008 at 3:34 PM, Chris Buxton <cbuxton at menandmice.com> wrote:
> I've been reading about the effectiveness of attacks from devices with
>  DMA access such as Firewire mass storage devices.
>  http://www.eweek.com/c/a/Security/Firewire-The-Skeleton-Keyhole-Into-Your-System/?kc=EWKNLSTE031108FEA1
>
>  The article states that this affects Mac, Windows, and Linux machines
>  with FW ports, because the device that is granted DMA access through
>  the FW interface is given read/write access to all memory. It can then
>  apparently determine the OS type and start doing things to memory,
>  outside of the control of the CPU and therefore of the kernel. This
>  includes reading encryption keys, writing to executable memory, etc.
>  The very flexibility of Firewire to hook up different machines, with
>  different operating systems, and have one see the other as a mass
>  storage device appears to be one source of the risk.
>
>  Does anything in the hardened toolchain, kernel with grsec, etc.,
>  protect against this?
>
>  Chris Buxton
>  Professional Services
>  Men & Mice
>  --

Grsecurity would be the way to fix the problem, but...

The article above does not directly say anything about Linux being
affected, it only points in the general direction.
Looking further I found: http://storm.net.nz/projects/16

After reading the notes available on the page, the security flaw is in
the hardware. As a result, your solution is to physically remove the
firewire devices from the system or have the kernel disable DMA for
the firewire.  With DMA, the hardware is able to ignore the OS and
talk straight to memory, such that the OS can do nothing.

This also begs the question on some sort of exploit via a wireless
firewire device! Are there any wireless firewire devices? I don't
really use firewire, I prefer eSATA (goooo! my almost Fibre Channel
speeds go!).

Of course, there should be a way to mask the true hardware from the
device with DMA such that only certain blocks of memory are visible to
the device with DMA. LinuxBIOS anyone?

-- 
Kevin Day
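The "have the kernel disable DMA for the firewire" option above comes down, on Linux, to keeping the FireWire drivers from loading at all. The following is an added example (not from this thread or from HLFS): it parses constructed /proc/modules and modprobe.d text to report which 1394 driver modules are active and which are not yet blocked, and emits a blacklist fragment. The module names are the ones used by the old ieee1394 stack and the newer firewire-* stack; the fragment path is an assumption.

```python
"""Audit FireWire (IEEE 1394) driver state and emit a modprobe.d blocking fragment.
Added example, not code from the thread. Driver names assumed from the two Linux 1394
stacks (ohci1394/sbp2/ieee1394 and firewire-ohci/firewire-sbp2/firewire-core)."""

# /proc/modules uses underscores in module names; modprobe.d accepts either form.
FIREWIRE_MODULES = {"ieee1394", "ohci1394", "sbp2",
                    "firewire_core", "firewire_ohci", "firewire_sbp2"}

# Constructed sample input: a host with the newer stack loaded and an unrelated NIC driver.
SAMPLE_PROC_MODULES = """firewire_sbp2 16384 0 - Live 0xffffffffc0a00000
firewire_ohci 40960 0 - Live 0xffffffffc09f0000
firewire_core 65536 2 firewire_sbp2,firewire_ohci, Live 0xffffffffc09d0000
e1000e 245760 0 - Live 0xffffffffc0900000
"""

# Constructed sample modprobe.d fragment that only half-protects the system.
SAMPLE_MODPROBE_CONF = """# blacklist alone stops alias autoload, not an explicit modprobe
blacklist firewire-ohci
"""

def loaded_modules(proc_modules_text):
    """Return the module names from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.split()}

def active_firewire_modules(proc_modules_text):
    """FireWire modules currently loaded, i.e. the port can accept DMA-capable peers."""
    return sorted(loaded_modules(proc_modules_text) & FIREWIRE_MODULES)

def blocked_modules(modprobe_conf_text):
    """Modules covered by 'blacklist <name>' or 'install <name> /bin/false' directives."""
    blocked = set()
    for raw in modprobe_conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments
        if len(parts) >= 2 and parts[0] == "blacklist":
            blocked.add(parts[1].replace("-", "_"))
        elif len(parts) >= 3 and parts[0] == "install" and parts[2] == "/bin/false":
            blocked.add(parts[1].replace("-", "_"))
    return blocked

def unblocked_firewire_modules(modprobe_conf_text):
    """FireWire modules the given modprobe.d text does not keep from loading."""
    return sorted(FIREWIRE_MODULES - blocked_modules(modprobe_conf_text))

def blocking_fragment():
    """Fragment for e.g. /etc/modprobe.d/no-firewire.conf (path is an assumption):
    'install ... /bin/false' also defeats explicit modprobe, not just alias autoload."""
    lines = ["# Keep IEEE 1394 drivers out of the kernel; peripheral DMA via the port needs them"]
    for name in sorted(FIREWIRE_MODULES):
        lines += [f"blacklist {name.replace('_', '-')}", f"install {name.replace('_', '-')} /bin/false"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("loaded:   ", active_firewire_modules(SAMPLE_PROC_MODULES))
    print("unblocked:", unblocked_firewire_modules(SAMPLE_MODPROBE_CONF))
    print(blocking_fragment())
```

On a live system, feed it the contents of /proc/modules and the concatenated files under /etc/modprobe.d/ instead of the constructed samples.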