Firewire and similar DMA attacks
cbuxton at menandmice.com
Tue Mar 11 19:58:15 PDT 2008
On Mar 11, 2008, at 4:21 PM, Kevin Day wrote:
> On Tue, Mar 11, 2008 at 3:34 PM, Chris Buxton
> <cbuxton at menandmice.com> wrote:
>> I've been reading about the effectiveness of attacks from devices
>> with DMA access such as Firewire mass storage devices.
>> The article states that this affects Mac, Windows, and Linux machines
>> with FW ports, because the device that is granted DMA access through
>> the FW interface is given read/write access to all memory. It can
>> apparently determine the OS type and start doing things to memory,
>> outside of the control of the CPU and therefore of the kernel. This
>> includes reading encryption keys, writing to executable memory, etc.
>> The very flexibility of Firewire to hook up different machines, with
>> different operating systems, and have one see the other as a mass
>> storage device appears to be one source of the risk.
>> Does anything in the hardened toolchain, kernel with grsec, etc.,
>> protect against this?
>> Chris Buxton
>> Professional Services
>> Men & Mice
> Grsecurity would be the way to fix the problem, but...
> The article above does not directly say anything about linux being
> affected, it only points in the general direction.
> Looking further I found: http://storm.net.nz/projects/16
> After reading the notes available on the page, the security flaw is in
> the hardware. As a result, your solution is to physically remove the
> firewire devices from the system
But then you run into problems with hotplug, if someone plugs in a
hot-pluggable firewire controller (e.g. cardbus). Of course, for an
appliance, you can simply disable hotplug.
(Someone actually demonstrated using a cardbus or pc-card firewire
controller to take over a Windows XP laptop.)
> or have the kernel disable DMA for
> the firewire. With DMA, the hardware is able to ignore the OS and
> talk straight to memory, such that the OS can do nothing.
And that's the basic problem. It's not so much a firewire problem as a
DMA problem, and the fact that Firewire requires (mandates, in the
standard, iirc) DMA.
> This also begs the question on some sort of exploit via a wireless
> firewire device! Are there any wireless firewire devices?
No, there are no wireless firewire devices, nor wireless USB. Besides,
a wireless device likely wouldn't gain any real benefit from DMA.
> I don't
> really use firewire, I prefer e-Sata (goooo! my almost fiberchannel
> speeds go!).
e-Sata has the same issue, if a device with a CPU can fool the target
into thinking it's just an e-Sata mass storage device. Probably a bit
harder than with Firewire, which was designed to be able to connect
computers, but probably still possible. Same goes for USB 2, probably.
> Of course, there should be a way to mask the true hardware from the
> device with DMA such that only certain blocks of memory are visible to
> the device with DMA. Linux Bios anyone?
Doing so with Firewire is apparently not really possible.
Men & Mice
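The two mitigations discussed in the thread (keep the firewire controller out of the system, and stop the kernel from driving it even when one is hotplugged) can be checked from a shell. This is an added example, not code from the thread; the lsmod listing is constructed, while the module names are the real ones from the older Linux 1394 stack (ohci1394, sbp2) and the newer one (firewire_ohci, firewire_sbp2).

```shell
#!/bin/sh
# Added example: audit a Linux host for loaded FireWire drivers that give a
# bus peer physical DMA, and emit the modprobe blacklist that keeps them from
# autoloading when a cardbus/pc-card controller is hotplugged.

# Constructed lsmod output standing in for a real `lsmod` run.
SAMPLE_LSMOD='Module                  Size  Used by
ohci1394               32768  0
sbp2                   24576  0
ieee1394               94208  2 ohci1394,sbp2
ext3                  139264  1'

# fw_modules_loaded LSMOD_TEXT
#   Prints the loaded FireWire host-controller / SBP-2 drivers, one per line.
#   Exit status 0 if any are loaded, 1 if none are.
fw_modules_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "ohci1394" || $1 == "sbp2" ||
        $1 == "firewire_ohci" || $1 == "firewire_sbp2" { print $1; found = 1 }
        END { exit found ? 0 : 1 }'
}

# blacklist_conf
#   Prints an /etc/modprobe.d snippet: the software counterpart of pulling the
#   controller, so a hotplugged card gets no driver and therefore no DMA path.
blacklist_conf() {
    cat <<'EOF'
# Do not autoload FireWire host controllers or the SBP-2 initiator
# (the "mass storage" profile under which a peer is granted DMA).
blacklist ohci1394
blacklist sbp2
blacklist firewire-ohci
blacklist firewire-sbp2
EOF
}

if loaded=$(fw_modules_loaded "$SAMPLE_LSMOD"); then
    echo "FireWire DMA-capable drivers loaded: $(echo "$loaded" | tr '\n' ' ')"
    echo "Suggested /etc/modprobe.d/no-firewire.conf:"
    blacklist_conf
else
    echo "No FireWire drivers loaded."
fi
```

Run it against real output with `fw_modules_loaded "$(lsmod)"`; on a host where the newer stack is in use, the listing shows firewire_ohci rather than ohci1394.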