Firewire and similar DMA attacks

Chris Buxton cbuxton at menandmice.com
Tue Mar 11 19:58:15 PDT 2008


On Mar 11, 2008, at 4:21 PM, Kevin Day wrote:
> On Tue, Mar 11, 2008 at 3:34 PM, Chris Buxton  
> <cbuxton at menandmice.com> wrote:
>> I've been reading about the effectiveness of attacks from devices with
>> DMA access such as Firewire mass storage devices.
>> http://www.eweek.com/c/a/Security/Firewire-The-Skeleton-Keyhole-Into-Your-System/?kc=EWKNLSTE031108FEA1
>>
>> The article states that this affects Mac, Windows, and Linux machines
>> with FW ports, because the device that is granted DMA access through
>> the FW interface is given read/write access to all memory. It can then
>> apparently determine the OS type and start doing things to memory,
>> outside of the control of the CPU and therefore of the kernel. This
>> includes reading encryption keys, writing to executable memory, etc.
>> The very flexibility of Firewire to hook up different machines, with
>> different operating systems, and have one see the other as a mass
>> storage device appears to be one source of the risk.
>>
>> Does anything in the hardened toolchain, kernel with grsec, etc.,
>> protect against this?
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>> --
>
> Grsecurity would be the way to fix the problem, but...
>
> The article above does not directly say anything about linux being
> affected, it only points in the general direction.
> Looking further I found: http://storm.net.nz/projects/16
>
> After reading the notes available on the page, the security flaw is in
> the hardware. As a result, your solution is to physically remove the
> firewire devices from the system

But then you run into problems with hotplug, if someone plugs in a
hot-pluggable firewire controller (e.g. cardbus). Of course, for an
appliance, you can simply disable hotplug.

(Someone actually demonstrated using a cardbus or pc-card firewire  
controller to take over a Windows XP laptop.)

> or have the kernel disable DMA for
> the firewire.  With DMA, the hardware is able to ignore the OS and
> talk straight to memory, such that the OS can do nothing.

And that's the basic problem. It's not so much a firewire problem as a  
DMA problem, and the fact that Firewire requires (mandates, in the  
standard, iirc) DMA.

> This also begs the question on some sort of exploit via a wireless
> firewire device! Are there any wireless firewire devices?

No, there are no wireless firewire devices, nor wireless USB. Besides,  
a wireless device likely wouldn't gain any real benefit from DMA.

> I don't
> really use firewire, I prefer e-Sata (goooo! my almost fiberchannel
> speeds go!).

e-Sata has the same issue, if a device with a CPU can fool the target  
into thinking it's just an e-Sata mass storage device. Probably a bit  
harder than with Firewire, which was designed to be able to connect  
computers, but probably still possible. Same goes for USB 2, probably.

> Of course, there should be a way to mask the true hardware from the
> device with DMA such that only certain blocks of memory are visible to
> the device with DMA. Linux Bios anyone?

Doing so with Firewire is apparently not really possible.

Chris Buxton
Professional Services
Men & Mice
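Added example (not part of the thread, and not code from either poster): one concrete form of Kevin's "have the kernel disable DMA for the firewire" suggestion on a Linux box is to keep the FireWire host-controller and SBP-2 drivers from loading at all, since it is the OHCI driver that configures the controller and its physical-DMA response unit. The script below reads lsmod-style output, reports which FireWire modules are loaded, and emits a modprobe.d blacklist. The module names are the standard Linux ones (old ieee1394 stack and the newer firewire-* stack); the lsmod sample is constructed for the example. This does nothing about a controller that is hotplugged and driven by some other path, so combine it with disabling hotplug on an appliance, as Chris notes above.

```bash
#!/bin/sh
# Added example: detect loaded FireWire drivers and emit a modprobe blacklist.
# Module names are the standard Linux ones for both the old ieee1394 stack
# and the newer firewire-* stack (lsmod prints them with underscores).
FW_MODULES="firewire_ohci firewire_core firewire_sbp2 ohci1394 ieee1394 sbp2"

# loaded_fw_modules: read lsmod-style text on stdin, print FireWire module
# names that appear in it (header line skipped).
loaded_fw_modules() {
    awk -v want="$FW_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) seen[w[i]] = 1 }
        NR > 1 && ($1 in seen) { print $1 }
    '
}

# blacklist_conf: print /etc/modprobe.d lines for each module. "blacklist"
# stops automatic loading on hotplug; "install ... /bin/false" makes an
# explicit "modprobe firewire_ohci" fail too.
blacklist_conf() {
    for m in $FW_MODULES; do
        echo "blacklist $m"
        echo "install $m /bin/false"
    done
}

# Constructed sample lsmod output (not captured from a real system).
SAMPLE_LSMOD='Module                  Size  Used by
firewire_sbp2          28672  0
firewire_ohci          45056  0
firewire_core          69632  2 firewire_sbp2,firewire_ohci
e1000e                262144  0'

# count_loaded_fw: how many FireWire modules the sample shows as loaded.
count_loaded_fw() {
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_fw_modules | wc -l | tr -d ' '
}

# Usage on a live system:
#   sh fwcheck.sh --check      # list loaded FireWire modules
#   sh fwcheck.sh --blacklist > /etc/modprobe.d/no-firewire.conf
if [ "${1:-}" = "--check" ]; then
    lsmod | loaded_fw_modules
elif [ "${1:-}" = "--blacklist" ]; then
    blacklist_conf
fi
```

After writing the blacklist, unload anything already loaded (rmmod in reverse dependency order, sbp2 before the core) and rebuild the initramfs if your distribution loads the controller driver early; otherwise the next boot still brings the controller up before modprobe.d is consulted.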
