Snowden didn't tell us this one ...
DevilsPGD wrote:

> In the last episode of , Paul said:
>
> > This is why I seek a concrete example of how the "trojan" would be inserted. Realtek audio chip? What good would that do? The Trojan has to be in a location that "controls things". Not all chips (especially cheesy peripherals) are in a position to do that. That's why this attack is as far-fetched as a million-man army hiding on the dark side of the moon.
>
> A compromised Realtek audio chip could be more creative than you'd expect. First off, nearly any peripheral can involve itself in the boot process, which would let it inject code into memory before passing control to the bootloader.
>
> However, what could be more useful would be for a compromised audio chip to be part of a more complicated exploit. Hardware is in a position to access all RAM, potentially obtaining and recording things like encryption keys. With some creativity, an audio chip might be able to periodically observe known locations in RAM to find a BitLocker key, TPM owner password or similar and record it in some non-volatile, unencrypted location, which could allow full-disk encryption to be broken by an attacker that can gain physical access to the machine. It's not likely, and it's insanely complicated, but it's probably possible for any DMA-enabled hardware.
>
> Also remember that the driver is a factor too: the hardware bug might only be enough to read/write any part of memory, with the malware logic lying in the driver (which lives outside the kernel, but has TCP/IP access), using the hardware as a route to privilege escalation. This seems far more likely, both because it could be explained as an error in design (at the hardware level) and because it could be dynamically updated in the field.

Actually, come to think of it, the RealTek chip is on the wrong bus :-) (HDAudio). The Azalia interface gates anything an HDAudio chip could do. Buffer management would be part of Azalia, and the SDI and SDO information is just a "content stream".

So RealTek is off the hook (my mistake :-) ).

http://m.eet.com/media/1063252/BoycePt4Fig4.JPG

As for PCI Express, you can't talk on it immediately. The link has to be trained up, the lane mapping arranged so the interleaved bytes are in order. Still, eventually, the PCI Express will go live. The attacking chip will have to wait until the link comes up. And presumably there are control bits in the PCI Express hub to turn on the links. No reason not to do that. Might be a second or two before the attack can begin. At that point in time, the BIOS is initializing memory (write to zero).

Things to get in your way, for a PCI Express attack, would be things like IOMMU. So as time passes, the possibility of unfettered access becomes less and less. (Not every design has an IOMMU, so this is coincidental.) Before IOMMU, you'd be in physical address space, and more things would be possible. (That's how Firewire could be used for RDMA attacks on a second machine. And the entire memory could be swept with RDMA.)

I think we can agree the architecture is far from secure, as anything connected inside the computer is "trusted". So if I were to disagree with you, it would be when some thing "accidentally" provides a measure of protection, when it wasn't meant to. I don't think, when these architectures were put together, people considered "rogue hardware" to be a possibility. The range of their thinking probably stopped at "interrupt storm" or "jabbering", needing to be stopped.

This is why I want to hear *them* describe this attack, rather than dreaming up "half an attack" on my own.

I still think a location inside the chipset is ideal, and the Q-series chipset in business laptops is an example of exactly how to do it. See if the concepts in here don't scare you... This is what is inside a Q-series chipset.

http://pds4.egloos.com/pds/200706/04/57/ps_adts003.pdf

Paul