Firewire Attack on Windows Vista

2008-03-05 Thread Bernhard Mueller
Hello, In the light of recent discussions about firewire / DMA hacks, we would like to throw in some of the results of our past research on this topic (done mainly by Peter Panholzer) in the form of a short whitepaper. In this paper, we demonstrate that the firewire unlock attack (as implemented i

Re: Firewire Attack on Windows Vista

2008-03-05 Thread Thierry Zoller
Dear All, That said the original work on this from metlstorm is in the news [1] and can be found here : http://storm.net.nz/projects/16 [1] http://it.slashdot.org/article.pl?sid=08/03/04/1258210&from=rss -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3

RE: Firewire Attack on Windows Vista

2008-03-05 Thread Roger A. Grimes
y-Securing-Malicious/dp/0470101555 * -Original Message- From: Bernhard Mueller [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 05, 2008 10:54 AM To: Full Disclosure; Bugtraq Subject: Firewire Attack on Windows Vista Hel

Re: Firewire Attack on Windows Vista

2008-03-06 Thread Peter Watkins
On Wed, Mar 05, 2008 at 04:30:35PM -0500, Roger A. Grimes wrote: > As somewhat indicated in the paper itself, these types of physical DMA > attacks are possible against any PC-based OS, not just Windows. If that's > true, why is the paper titled around Windows Vista? > > I guess it makes headlin

Re: Firewire Attack on Windows Vista

2008-03-06 Thread Daniel O'Connor
On Thu, 6 Mar 2008, Roger A. Grimes wrote: > As somewhat indicated in the paper itself, these types of physical > DMA attacks are possible against any PC-based OS, not just Windows. > If that's true, why is the paper titled around Windows Vista? > > I guess it makes headlines faster. But isn't as

Re: Firewire Attack on Windows Vista

2008-03-06 Thread Tonnerre Lombard
Salut, Roger, On Wed, 5 Mar 2008 16:30:35 -0500, Roger A. Grimes wrote: > As somewhat indicated in the paper itself, these types of physical > DMA attacks are possible against any PC-based OS, not just Windows. > If that's true, why is the paper titled around Windows Vista? That's very easy: beca

RE: Firewire Attack on Windows Vista

2008-03-06 Thread bzhbfzj3001
Actually they can be prevented by instructing the controller to filter the addresses the devices send. Then again, that's work, and physical attacks are typically considered low-risk, so I guess it's not found worth it. The obvious reason to mention Vista is of course that Microsoft likes to ta

RE: Firewire Attack on Windows Vista

2008-03-06 Thread Larry Seltzer
>>Roger, you should note that Adam's "Hit by a Bus" paper includes information about how Linux users can load their OS' Firewire driver in a way that should disallow physical memory DMA access, and close this attack vector. What are the implications for firewire device compatibility of doing this

RE: Firewire Attack on Windows Vista

2008-03-07 Thread Thor (Hammer of God)
> -Original Message- > From: Larry Seltzer [mailto:[EMAIL PROTECTED] > Sent: Thursday, March 06, 2008 9:51 AM > To: Peter Watkins; Roger A. Grimes > Cc: Bernhard Mueller; Full Disclosure; Bugtraq > Subject: RE: Firewire Attack on Windows Vista > > >>Roger, yo

Re: Firewire Attack on Windows Vista

2008-03-07 Thread Tonnerre Lombard
Salut, On Thu, 6 Mar 2008 11:01:45 +0100 (CET), [EMAIL PROTECTED] wrote: > Actually they can be prevented by instructing the controller to > filter the addresses the devices send. Then again, that's work, and > physical attacks are typically considered low-risk, so I guess it's > not found worth it

Re: Firewire Attack on Windows Vista

2008-03-07 Thread Nathanael Hoyle
Tonnerre Lombard wrote: There is a quite viable technical solution in the form of a patch which solves most of these problems. Tonnerre To what are you referring? I am aware of only a few defenses against firewire attacks: 1) disable firewire - ideally

Re: Firewire Attack on Windows Vista

2008-03-10 Thread Stefan Kanthak
Larry Seltzer wrote: > I actually do have a response from Microsoft on the broader issue, but it > doesn't address these issues or even conceded that there's necessarily > anything they can do about it. They instead speak of the same > precautions for physical access that they spoke of a couple wee

Re: Firewire Attack on Windows Vista

2008-03-11 Thread Steve Shockley
Stefan Kanthak wrote: 2. The typical user authentication won't help, we're at hardware level here, and no OS needs to be involved. So, if I understand you correctly, if I boot my machine into DOS the memory can be read over Firewire? Or does the machine need a Firewire driver loaded to be vu

Re: Firewire Attack on Windows Vista

2008-03-13 Thread Stefan Kanthak
Steve Shockley wrote: > Stefan Kanthak wrote: >> 2. The typical user authentication won't help, we're at hardware >> level here, and no OS needs to be involved. > > So, if I understand you correctly, if I boot my machine into DOS the > memory can be read over Firewire? If DMA is enabled on the

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
> >>...Windows would not do this. It would only open up access to devices > that it thought needed DMA. This is why Metlstorm had to make his Linux > machine behave like an iPod to fool Windows into spreading its legs. > > So the iPod software opens up the whole address space? I don't get it. No

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
>>No, the iPod device signature makes Windows drivers think it should allow DMA access for that device because it detects it as a disk device. >>Other disk device signatures would likely work the same way, that's just the one he happened to emulate. Is it not possible for Windows (or any OS) to ope

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
>>...Windows would not do this. It would only open up access to devices that it thought needed DMA. This is why Metlstorm had to make his Linux machine behave like an iPod to fool Windows into spreading its legs. So the iPod software opens up the whole address space? I don't get it. Larry Seltze

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Glenn.Everhart
] Behalf Of Larry Seltzer Sent: Thursday, March 06, 2008 3:36 PM To: Tim Cc: Full Disclosure; Bugtraq Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista >>No, the iPod device signature makes Windows drivers think it should allow DMA access for that device because it detects it a

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
> What are the implications for firewire device compatibility of doing > this? I am no expert on ieee1394, but I have read up a bit on this and tested Metlstorm's memory dumping tool and here's what I understand: Firewire chipsets allow drivers to configure a particular memory range which is op

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
> Is it not possible for Windows (or any OS) to open up DMA for a device > only to a certain range? > > If not, what options are available? I have various forms of RSI and don't feel like typing it again: On Thu, Mar 06, 2008 at 12:00:09PM -0800, Tim wrote: > [...] > Of course this is not an
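Three messages in this thread (the anonymous "filter the addresses the devices send" reply, Tim's note that FireWire chipsets let the driver configure which memory range is opened, and the question above about opening DMA only to a certain range) describe the same mechanism. The following simulation is an added example, not code from the thread, the SEC Consult whitepaper or any real driver: it models the OHCI controller's physical response unit, the per-node PhysicalRequestFilter and PhysicalUpperBound registers, a driver policy that trusts anything advertising a disk-class (SBP-2) unit the way the thread says Windows does, and the page-by-page memory walk a 1394 imaging tool performs. The register semantics, the 4 GiB default range, the SBP-2 unit spec ID and the "physical memory" contents are assumptions made for illustration.

```python
"""Simplified model of IEEE 1394 physical DMA filtering (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional

PAGE = 4096
DEFAULT_UPPER_BOUND = 1 << 32        # assumption: low 4 GiB is the default physical range
SBP2_UNIT_SPEC_ID = 0x00609E         # assumption: SBP-2 (disk-class) unit spec ID in the config ROM


@dataclass
class PhysicalResponseUnit:
    """The part of an OHCI host controller that answers remote read/write
    requests by touching host memory directly, with no OS involvement."""
    memory: bytearray
    physical_request_filter: int = 0              # one bit per node (0..62); set = allowed
    physical_upper_bound: int = DEFAULT_UPPER_BOUND

    def allow_node(self, node_id: int) -> None:
        self.physical_request_filter |= 1 << node_id

    def deny_node(self, node_id: int) -> None:
        self.physical_request_filter &= ~(1 << node_id)

    def read(self, node_id: int, addr: int, length: int) -> Optional[bytes]:
        """Serve a block read from node_id, or None (address error) if filtered."""
        if not (self.physical_request_filter >> node_id) & 1:
            return None                           # node not enabled for physical DMA
        if addr + length > self.physical_upper_bound:
            return None                           # outside the range the driver opened
        if addr + length > len(self.memory):
            return None                           # beyond installed RAM
        return bytes(self.memory[addr:addr + length])


def lenient_policy(unit: PhysicalResponseUnit, node_id: int, unit_spec_id: int) -> None:
    """What the thread attributes to Windows: a node whose config ROM says
    'disk' gets unrestricted physical DMA, so an attacker emulating an iPod is let in."""
    if unit_spec_id == SBP2_UNIT_SPEC_ID:
        unit.allow_node(node_id)


def strict_policy(unit: PhysicalResponseUnit, node_id: int, unit_spec_id: int) -> None:
    """Never enable physical DMA for remote nodes (the effect of loading the
    Linux driver with physical DMA disabled); the driver would bounce-buffer instead."""
    unit.deny_node(node_id)


def dump_memory(unit: PhysicalResponseUnit, node_id: int, start: int, end: int,
                block: int = PAGE):
    """What a 1394 memory-imaging tool does: walk the physical range in blocks,
    keep whatever the controller answers, zero-fill and count refused blocks."""
    image = bytearray()
    refused = 0
    for addr in range(start, end, block):
        length = min(block, end - addr)
        chunk = unit.read(node_id, addr, length)
        if chunk is None:
            refused += 1
            image.extend(b"\x00" * length)
        else:
            image.extend(chunk)
    return bytes(image), refused


def demo(policy, upper_bound: int = DEFAULT_UPPER_BOUND):
    """Run the attack against a constructed 32 KiB 'RAM' holding a sample secret.
    Returns (offset at which the secret was found or -1, number of refused pages)."""
    mem = bytearray(8 * PAGE)
    secret = b"password=hunter2"                  # constructed sample plaintext sitting in RAM
    mem[5 * PAGE + 100:5 * PAGE + 100 + len(secret)] = secret
    unit = PhysicalResponseUnit(mem, physical_upper_bound=upper_bound)
    attacker_node = 1
    policy(unit, attacker_node, SBP2_UNIT_SPEC_ID)   # attacker's node claims to be a disk
    image, refused = dump_memory(unit, attacker_node, 0, len(mem))
    return image.find(secret), refused


if __name__ == "__main__":
    print("lenient, whole range:", demo(lenient_policy))
    print("lenient, 4 pages only:", demo(lenient_policy, upper_bound=4 * PAGE))
    print("strict:", demo(strict_policy))
```

With the lenient policy the attacker node reads every page and recovers the secret; restricting PhysicalUpperBound to the first four pages still answers those pages but hides the rest, which is the "only a certain range" option asked about above; the strict policy refuses every request, which is the equivalent of loading the driver with physical DMA disabled.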

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Thor (Hammer of God)
nt: Thursday, March 06, 2008 12:00 PM > To: Larry Seltzer > Cc: Full Disclosure; Bugtraq > Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista > > > What are the implications for firewire device compatibility of doing > > this? > > I am no expert on ieee139

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
Hi Glenn, > It should be realized though that fixing this is not necessarily a simple > thing, nor are architectural considerations missing. I most probably understated the difficulty of implementing a safe ieee1394 DMA driver earlier. However, it's one of those things where the drivers ought

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
Let's say the computer is off. You can turn it on, but that gets you to a login screen. What can the Firewire device do? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine [EMAIL PROTECTED]

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Thor (Hammer of God)
> key, then don't have autorun (which is default) automatically enabled > for the device. Thanks to Blue Boar for pointing out that autorun doesn't have anything to do with it if the attack device can have the drivers automatically installed (and, of course, that the host controller is enabled).

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Thor (Hammer of God)
Original Message- > From: [EMAIL PROTECTED] [mailto:full- > [EMAIL PROTECTED] On Behalf Of Larry Seltzer > Sent: Friday, March 07, 2008 11:51 AM > To: Bugtraq; Full Disclosure > Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista > > >>Let's say the

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
>>Let's say the computer is off. You can turn it on, but that gets you to a login screen. What can the Firewire device do? OK, I guess I misunderstood the original paper (http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf). It now looks to me like they are claiming they

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-08 Thread Larry Seltzer
>>The funniest is using hibernate... >>Did you perchance read: http://www.eff.org/press/archives/2008/02/21-0 ?? Yeah, I made specific reference to that attack in my message. There's a big difference between sleep mode and hibernate mode. In hibernate the system is powered off. Even if the memory

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-08 Thread Larry Seltzer
>>What points are you trying to stab at for an article? You've hit on them pretty well. My own experience with DMA programming was 20 years ago with real mode DOS drivers, but I was surprised to learn from this thread that a DMA mass storage device on Linux, Mac and Windows gets unimpeded access

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-08 Thread Tim
Hi Larry, > - use drive > encryption, use 2-factor authentication, use hibernate instead of sleep, > use group policy to enforce them. Uh... yeah. So how again does drive encryption help you against this attack? Certain forms of 2-factor auth might help you, but all of the kinds I've seen would

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Tim
> Yeah, I made specific reference to that attack in my message. There's a > big difference between sleep mode and hibernate mode. In hibernate the > system is powered off. Even if the memory has some residual charge I'm > sure it's far less reliable than with sleep. Yeah, but the whole point is i

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Jacob Appelbaum
Larry Seltzer wrote: >>> The funniest is using hibernate... >>> Did you perchance read: http://www.eff.org/press/archives/2008/02/21-0 > ?? > > Yeah, I made specific reference to that attack in my message. There's a > big difference between sleep mode and hibernate mode. In hibernate the > system

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Larry Seltzer
>>WRT the DMA access over FireWire it's but a bad response since it doesn't get the point! >>1. Drive encryption won't help against reading the memory. >>2. The typical user authentication won't help, we're at hardware level >> here, and no OS needs to be involved. >>3. The computer is up (and ru

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Stefan Kanthak
Larry Seltzer wrote: >>>WRT the DMA access over FireWire it's but a bad response since it >doesn't get the point! >>>1. Drive encryption won't help against reading the memory. >>>2. The typical user authentication won't help, we're at hardware level >>> here, and no OS needs to be involved. >>>3

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Larry Seltzer
>>You're mistaken in thinking that we're conflating sleep and hibernate modes. >>Microsoft's response of using two factor authentication is silly. It doesn't actually stop our attacks. In certain circumstances, it may shorten the window of attack for a specific type of user but it's mostly irreleva

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Ansgar -59cobalt- Wiechers
On 2008-03-09 Larry Seltzer wrote: >>> WRT the DMA access over FireWire it's but a bad response since it >>> doesn't get the point! >>> 1. Drive encryption won't help against reading the memory. >>> 2. The typical user authentication won't help, we're at hardware level >>> here, and no OS needs

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-11 Thread Jacob Appelbaum
Larry Seltzer wrote: >>> You're mistaken in thinking that we're conflating sleep and hibernate > modes. >>> Microsoft's response of using two factor authentication is silly. It > doesn't actually stop our attacks. In certain circumstances, it may > shorten the window of attack for a specific type o

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-11 Thread FD
> How much should the average user worry about this? Not very much. Most > notebooks from average users don't even have Firewire on them and you > would have an easier time cracking them with a dictionary attack on > the password and other such things, which means that this attack > makes you no mo