Re: [qubes-users] Switch of DMA altogether..?

2016-10-09 Thread neilhardley
OK, so how about using PIO purely..?

A device which can do PIO and PIO only.

Would this then be more secure..? Or would the attack just be carried out by 
the CPU rather than RAM..?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3e9f6d8d-901f-42dc-9571-58f832f23a33%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread Manuel Amador (Rudd-O)
On 10/08/2016 07:05 PM, Ilpo Järvinen wrote:
> On Sat, 8 Oct 2016, neilhard...@gmail.com wrote:
>
>> DMA allows network card to read/write RAM.
>>
>> DMA attack allows one already-compromised VM to read the RAM of another 
>> VM, thus breaching Qubes isolation... unless you use VT-D, although 
>> flaws in VT-D have been shown.
>>
>> Remote DMA attack allows packets sent to the network card directly over 
>> the web, not even having to compromise your VM first... as demonstrated 
>> in the paper by the French intel agency.
>>
>> That is what I understand so far. Hence, why I am asking if using PIO 
>> rather than DMA would prevent such attacks.
> So if a driver won't use DMA, how would that prevent the device itself
> from initiating DMA transactions? I'm somewhat doubtful that it
> would be so simple, as I suspect the compromised device need not
> care what the driver uses, be it PIO or DMA (but I'm not a PCI
> expert so I could be wrong too).

Bingo.


-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread Ilpo Järvinen
On Sat, 8 Oct 2016, neilhard...@gmail.com wrote:

> DMA allows network card to read/write RAM.
> 
> DMA attack allows one already-compromised VM to read the RAM of another 
> VM, thus breaching Qubes isolation... unless you use VT-D, although 
> flaws in VT-D have been shown.
> 
> Remote DMA attack allows packets sent to the network card directly over 
> the web, not even having to compromise your VM first... as demonstrated 
> in the paper by the French intel agency.
> 
> That is what I understand so far. Hence, why I am asking if using PIO 
> rather than DMA would prevent such attacks.

So if a driver won't use DMA, how would that prevent the device itself
from initiating DMA transactions? I'm somewhat doubtful that it
would be so simple, as I suspect the compromised device need not
care what the driver uses, be it PIO or DMA (but I'm not a PCI
expert so I could be wrong too).


-- 
 i.
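
Added example, not part of the thread and not written by any of its participants: a POSIX shell check for the point raised above, reporting for each PCI function whether its Bus Master Enable bit is set and whether the kernel placed it in an IOMMU group, independent of any driver option such as `pio`. The function names, verdict labels and demo tree are constructed for illustration. It assumes a Linux kernel that manages the IOMMU itself; under Xen (Qubes dom0) the hypervisor programs VT-d and the `iommu_group` links are absent.

```shell
#!/bin/sh
# Added example (constructed): which PCI functions may initiate DMA themselves?

# Echo 1 if Bus Master Enable (bit 2 of the PCI command register at
# config-space offset 0x04) is set in the given config file, else 0.
bus_master_enabled() {
    byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$byte" ] || byte=0
    echo $(( ($byte >> 2) & 1 ))
}

# One line per PCI function under the given sysfs directory:
#   <address> busmaster=<0|1> iommu=<yes|no> driver=<name|-> <verdict>
dma_audit() {
    root=${1:-/sys/bus/pci/devices}
    for dev in "$root"/*; do
        [ -e "$dev/config" ] || continue
        bme=$(bus_master_enabled "$dev/config")
        if [ -e "$dev/iommu_group" ]; then iommu=yes; else iommu=no; fi
        if [ -L "$dev/driver" ]; then
            drv=$(basename "$(readlink "$dev/driver")")
        else
            drv=-
        fi
        if [ "$bme" = 0 ]; then verdict=no_bus_mastering
        elif [ "$iommu" = yes ]; then verdict=dma_behind_iommu
        else verdict=UNCONFINED_DMA
        fi
        printf '%s busmaster=%s iommu=%s driver=%s %s\n' \
            "${dev##*/}" "$bme" "$iommu" "$drv" "$verdict"
    done
}

# Constructed stand-in for /sys/bus/pci/devices with three fake functions.
# Bytes 0-3 are placeholder IDs; byte 4 is the low byte of the command register.
make_demo_tree() {
    t=$1
    mkdir -p "$t/0000:02:00.0" "$t/0000:03:00.0/iommu_group" \
             "$t/0000:04:00.0" "$t/drivers/b43"
    printf 'VVDD\006\004' > "$t/0000:02:00.0/config"  # bus master on, no IOMMU group
    ln -s ../drivers/b43 "$t/0000:02:00.0/driver"     # driver bound, option irrelevant
    printf 'VVDD\006\004' > "$t/0000:03:00.0/config"  # bus master on, IOMMU group
    printf 'VVDD\002\004' > "$t/0000:04:00.0/config"  # bus master off
}

# With an argument, audit that directory (e.g. /sys/bus/pci/devices);
# without one, run against the constructed demo tree.
if [ $# -gt 0 ]; then
    dma_audit "$1"
else
    demo=$(mktemp -d) && make_demo_tree "$demo" && dma_audit "$demo"
    rm -rf "$demo"
fi
```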


Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread neilhardley
DMA allows network card to read/write RAM.

DMA attack allows one already-compromised VM to read the RAM of another VM, 
thus breaching Qubes isolation... unless you use VT-D, although flaws in VT-D 
have been shown.

Remote DMA attack allows packets sent to the network card directly over the 
web, not even having to compromise your VM first... as demonstrated in the 
paper by the French intel agency.

That is what I understand so far. Hence, why I am asking if using PIO rather 
than DMA would prevent such attacks.



Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread Manuel Amador (Rudd-O)
On 10/08/2016 04:36 PM, neilhard...@gmail.com wrote:
> I've been going through some of the networking modules on my Qubes system.
> [...]
>

Let's start from the beginning.

Can you explain to us how a DMA attack works?

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread neilhardley
I've been going through some of the networking modules on my Qubes system.

Some of them would indicate that DMA can be switched off entirely, and PIO used 
instead.

For example:

b43.ko

modinfo -F parm /lib/modules/4.4.14-11.pvops.qubes.x86_64/kernel/drivers/net/wireless/b43/b43.ko

pio:Use PIO accesses by default: 0=DMA, 1=PIO (int)

---

so.. PIO here would suggest that it's possible to use non-DMA.

---

I guess my real question is... would switching off DMA make you safer anyway..?

For example, PIO is just going to transfer it to the CPU.

At this point, couldn't the CPU just infect your device rather than DMA..?

So I'm not even entirely convinced that using PIO would make you safer anyway.

What do people think..?



Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread Manuel Amador (Rudd-O)
On 10/08/2016 04:06 PM, neilhard...@gmail.com wrote:
> This paper suggests it is definitely possible to attack a network card 
> remotely
>
> This is written by the French intelligence agency, "ANSSI - French Network 
> and Information Security Agency"
>
> http://www.ssi.gouv.fr/uploads/IMG/pdf/paper.pdf

Yes, we all know this paper.  I was referring to your idea of how things
work w.r.t. DMA.

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread neilhardley
This paper suggests it is definitely possible to attack a network card remotely

This is written by the French intelligence agency, "ANSSI - French Network and 
Information Security Agency"

http://www.ssi.gouv.fr/uploads/IMG/pdf/paper.pdf

"

In [8], we demonstrated how it is possible for an attacker to take full control 
of a computer by exploiting a vulnerability in the network adapter. This proof 
of concept shows how it is possible for an attacker to take full control of the 
adapter and to add a backdoor in the OS kernel using DMA accesses. The 
vulnerability was unconditionally exploitable when the ASF function was enabled 
on the network card to any attacker that would be able to send UDP packets to 
the victim.

"



Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread Manuel Amador (Rudd-O)
On 10/07/2016 11:25 PM, neilhard...@gmail.com wrote:
> OK. This is getting confusing.
>
> So you are now saying that you can't do a DMA attack over the web..?
>
> If I had one computer connected to another via Ethernet crossover, could one 
> computer infect the other via DMA by sending the DMA attack over the 
> crossover cable..?
>
> Or can a computer only launch a DMA attack on itself?
>

That's not how any of this works at all.


-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Switch of DMA altogether..?

2016-10-08 Thread neilhardley
OK, so we've gone from not do-able remotely, to "may or may not be possible", 
and "this is hard"

Are there any proven such attacks on Ethernet? Any proof of concepts?

Also, would USB Ethernet make this attack any easier..? Something like a USB 
Ethernet dongle?

http://i.imgur.com/l5ntqFe.jpg



Re: [qubes-users] Switch of DMA altogether..?

2016-10-07 Thread neilhardley
OK. This is getting confusing.

So you are now saying that you can't do a DMA attack over the web..?

If I had one computer connected to another via Ethernet crossover, could one 
computer infect the other via DMA by sending the DMA attack over the crossover 
cable..?

Or can a computer only launch a DMA attack on itself?



Re: [qubes-users] Switch of DMA altogether..?

2016-10-07 Thread Marek Marczykowski-Górecki
On Fri, Oct 07, 2016 at 01:31:56PM -0700, neilhard...@gmail.com wrote:
> Another question...
> 
> Are DMA attacks on Ethernet even plausible?
> 
> WiFi seems much more vulnerable than Ethernet, due to more complexity.

I think there is a misunderstanding here about "DMA attack". It has
nothing to do with breaking into the system from the outside. It is only
about spreading from _an already compromised VM_ to other parts of the
system. Any DMA-capable device can be used for this, regardless of its
complexity. Using VT-d effectively blocks such attacks.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Switch of DMA altogether..?

2016-10-07 Thread neilhardley
Another question...

Are DMA attacks on Ethernet even plausible?

WiFi seems much more vulnerable than Ethernet, due to more complexity.



Re: [qubes-users] Switch of DMA altogether..?

2016-10-07 Thread neilhardley
"
The original cards, the NE1000 (8-bit ISA; announced as "E-Net adapter" in 
February 1987 for 495 USD) and NE2000 (16-bit ISA), and the corresponding use 
of limited 8-bit and later 16-bit DMA in the NE2000
"

That seems to say that DMA is in fact used in the NE2000.

By the way, will these cards support modern Ethernet cables, like cat5e...?

Do they support Ethernet crossover?

Thanks



Re: [qubes-users] Switch of DMA altogether..?

2016-10-07 Thread Achim Patzner
On 07.10.2016 at 20:40, neilhard...@gmail.com wrote:

> On Friday, 7 October 2016 19:37:50 UTC+1, Achim Patzner  wrote:
>> I think I’ve still got a bunch of NE2000 and early RealTek NICs somewhere in 
>> the cellar – how much do you want to offer?
> 
> Are you saying that these devices are non-DMA…?

Let me wiki that for you. There you go: https://en.wikipedia.org/wiki/NE2000

By the way, your “.” key seems to be broken.


Achim



Re: [qubes-users] Switch of DMA altogether..?

2016-10-07 Thread neilhardley
On Friday, 7 October 2016 19:37:50 UTC+1, Achim Patzner  wrote:
> I think I’ve still got a bunch of NE2000 and early RealTek NICs somewhere in 
> the cellar – how much do you want to offer?

Are you saying that these devices are non-DMA...?



Re: [qubes-users] Switch of DMA altogether..?

2016-10-07 Thread Achim Patzner
On 07.10.2016 at 16:57, neilhard...@gmail.com wrote:
> 
> Presumably through the CPU.

I think I’ve still got a bunch of NE2000 and early RealTek NICs somewhere in the 
cellar – how much do you want to offer?

> So I see no reason you couldn’t get Ethernet + WiFi chips without DMA.

I do; those doing IO with CPU IO transfers have died out in the beginning of 
the 100 MBit age.

> But certainly, I think there are devices out there without DMA. I think you 
> just need to search the market for an Ethernet/WiFi that supports non-DMA.

Please post the result of your research – if possible including the sustainable 
bandwidth with these devices.


Achim



[qubes-users] Switch of DMA altogether..?

2016-10-07 Thread neilhardley
Qubes uses VT-D and a Net VM to attempt to isolate buggy WiFi adapters from the 
rest of the Qubes system.

But this isolation still depends on Xen not having bugs... And we know that Xen 
has bugs, and will likely continue to have more going forward.

So, instead of VT-D, why not just switch off DMA altogether..?

In Debian, you can edit "/etc/hdparms.conf", and do stuff like this:

/dev/hdc {
dma = on
}

Why not just do this for WiFi and Ethernet chips in Qubes, and thus, not have 
to rely on Xen for isolation?
