On Mar 11, 2008, at 4:21 PM, Kevin Day wrote:

> On Tue, Mar 11, 2008 at 3:34 PM, Chris Buxton
> <[EMAIL PROTECTED]> wrote:
>> I've been reading about the effectiveness of attacks from devices with
>> DMA access such as Firewire mass storage devices.
>> http://www.eweek.com/c/a/Security/Firewire-The-Skeleton-Keyhole-Into-Your-System/?kc=EWKNLSTE031108FEA1
>>
>> The article states that this affects Mac, Windows, and Linux machines
>> with FW ports, because the device that is granted DMA access through
>> the FW interface is given read/write access to all memory. It can then
>> apparently determine the OS type and start doing things to memory,
>> outside of the control of the CPU and therefore of the kernel. This
>> includes reading encryption keys, writing to executable memory, etc.
>> The very flexibility of Firewire to hook up different machines, with
>> different operating systems, and have one see the other as a mass
>> storage device appears to be one source of the risk.
>>
>> Does anything in the hardened toolchain, kernel with grsec, etc.,
>> protect against this?
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>> --
>
> Grsecurity would be the way to fix the problem, but...
>
> The article above does not directly say anything about linux being
> affected, it only points in the general direction.
> Looking further I found: http://storm.net.nz/projects/16
>
> After reading the notes available on the page, the security flaw is in
> the hardware. As a result, your solution is to physically remove the
> firewire devices from the system

But then you run into problems with hotplug, if someone plugs in a
hot-pluggable firewire controller (e.g. cardbus). Of course, for an
appliance, you can simply disable hotplug. (Someone actually demonstrated
using a cardbus or pc-card firewire controller to take over a Windows XP
laptop.)

> or have the kernel disable DMA for
> the firewire. With DMA, the hardware is able to ignore the OS and
> talk straight to memory, such that the OS can do nothing.

And that's the basic problem. It's not so much a firewire problem as a
DMA problem, and the fact that Firewire requires (mandates, in the
standard, iirc) DMA.

> This also begs the question on some sort of exploit via a wireless
> firewire device! Are there any wireless firewire devices?

No, there are no wireless firewire devices, nor wireless USB. Besides, a
wireless device likely wouldn't gain any real benefit from DMA.

> I don't
> really use firewire, I prefer e-Sata (goooo! my almost fiberchannel
> speeds go!).

e-Sata has the same issue, if a device with a CPU can fool the target into
thinking it's just an e-Sata mass storage device. Probably a bit harder
than with Firewire, which was designed to be able to connect computers,
but probably still possible. Same goes for USB 2, probably.

> Of course, there should be a way to mask the true hardware from the
> device with DMA such that only certain blocks of memory are visible to
> the device with DMA. Linux Bios anyone?

Doing so with Firewire is apparently not really possible.

Chris Buxton
Professional Services
Men & Mice
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
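The two practical mitigations the thread settles on, besides pulling the hardware, are keeping the kernel from driving the controller at all and catching a controller that shows up later through hotplug. The script below is an added example written for this thread; it is not code from the list, from grsecurity or from HLFS. It finds IEEE 1394 controllers by their PCI class code (0c00) in `lspci -n` output, lists any loaded 1394 driver modules, and emits a modprobe.d fragment that uses `install <module> /bin/true` rather than a plain `blacklist` line, since a blacklist only stops alias-driven autoloading while the install override also defeats an explicit modprobe (which is what a hotplugged CardBus card would trigger). The sample lspci and /proc/modules text is constructed so it runs offline; the vendor/device IDs in it are placeholders. The trade-off is the obvious one: with no driver bound, FireWire storage stops working too.

```shell
#!/bin/sh
# fw_dma_check.sh: added example for the hlfs-dev FireWire/DMA thread.
# Not code from the list, grsecurity or HLFS.
#
#   1. Find IEEE 1394 controllers (PCI class 0c00) in `lspci -n` output,
#      including one that arrived later via CardBus hotplug.
#   2. Report any loaded 1394 driver module.
#   3. Print a modprobe.d fragment that refuses to load every 1394 driver,
#      so the controller is never initialised by the kernel.
#
# Sample data below is constructed so the script runs offline; pass --live
# to look at the real `lspci -n` and /proc/modules instead.

# Module names of both Linux 1394 stacks: the old ieee1394 one and the
# "juju" stack (firewire-*) that replaced it from 2.6.22 on.
FW_MODULES="ohci1394 ieee1394 sbp2 raw1394 video1394 dv1394 eth1394 \
firewire-ohci firewire-core firewire-sbp2 firewire-net"

# Constructed `lspci -n` output: two 1394 controllers (class 0c00) between a
# USB controller and an Ethernet NIC. IDs are placeholders.
SAMPLE_LSPCI='00:1d.7 0c03: 8086:27cc (rev 01)
02:00.0 0200: 8086:10d3
02:01.0 0c00: 104c:8023 (rev 01)
03:00.0 0c00: 11c1:5901 (rev 03)'

# Constructed /proc/modules: the juju stack is loaded (underscored names
# there), plus an unrelated NIC driver.
SAMPLE_PROC_MODULES='firewire_sbp2 20480 0 - Live 0xffffffffa0020000
firewire_ohci 40960 0 - Live 0xffffffffa0010000
firewire_core 65536 2 firewire_sbp2,firewire_ohci, Live 0xffffffffa0000000
e1000e 200704 0 - Live 0xffffffffa0100000'

# Print the `lspci -n` lines (read from stdin) whose class is 0c00.
find_firewire_controllers() {
    awk '$2 == "0c00:" { print }'
}

# Print loaded 1394 module names; reads /proc/modules from stdin.
loaded_firewire_modules() {
    awk '$1 ~ /^firewire_/ ||
         $1 ~ /^(ieee1394|ohci1394|sbp2|raw1394|video1394|dv1394|eth1394)$/ { print $1 }'
}

# Emit a modprobe.d fragment; "install X /bin/true" beats a plain blacklist
# because it also stops an explicit "modprobe X" from a hotplug script.
blacklist_config() {
    echo "# Refuse to load IEEE 1394 drivers: a driven controller can answer"
    echo "# remote DMA requests that the kernel cannot mediate."
    for m in $FW_MODULES; do
        echo "install $m /bin/true"
    done
}

# report LSPCI_TEXT PROC_MODULES_TEXT: returns 0 if nothing 1394-related is
# present or loaded, 1 otherwise.
report() {
    lspci_out=$1
    modules_out=$2
    rc=0
    ctrl=$(printf '%s\n' "$lspci_out" | find_firewire_controllers)
    if [ -n "$ctrl" ]; then
        echo "IEEE 1394 controller(s) present (PCI class 0c00):"
        printf '%s\n' "$ctrl" | sed 's/^/  /'
        rc=1
    else
        echo "No IEEE 1394 controller found."
    fi
    mods=$(printf '%s\n' "$modules_out" | loaded_firewire_modules)
    if [ -n "$mods" ]; then
        echo "1394 driver modules loaded (rmmod them, then install the fragment):"
        printf '%s\n' "$mods" | sed 's/^/  /'
        rc=1
    else
        echo "No 1394 driver modules loaded."
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    lspci_text=$(lspci -n)
    modules_text=$(cat /proc/modules)
else
    lspci_text=$SAMPLE_LSPCI
    modules_text=$SAMPLE_PROC_MODULES
fi

if report "$lspci_text" "$modules_text"; then
    echo "Nothing to do."
else
    echo
    echo "# Suggested /etc/modprobe.d/no-firewire.conf:"
    blacklist_config
fi
```

This only covers the driver side. A controller that is compiled into the kernel rather than built as a module has to be dropped at kernel configuration time instead, and none of this helps against a device attached before the OS is running, which is the thread's point about the flaw living in the hardware.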
