A computer components & hardware forum. HardwareBanter
Snowden didn't tell us this one ...
Old August 5th 13, 08:35 AM posted to alt.comp.hardware.pc-homebuilt
Paul

DevilsPGD wrote:
In the last episode of , Paul said:

This is why I seek a concrete example of how the "trojan" would
be inserted. Realtek audio chip ? What good would that do ?
The Trojan has to be in a location that "controls things". Not
all chips (especially cheesy peripherals) are in a position to
do that. That's why this attack is as far-fetched as a million-man
army hiding on the dark side of the moon.


A compromised Realtek audio chip could be more creative than you'd
expect. First off, nearly any peripheral can involve itself in the boot
process, which would let it inject code into memory before passing
control to the bootloader.

However, what could be more useful would be for a compromised audio chip
to be part of a more complicated exploit. Hardware is in a position to
access all RAM, potentially obtaining and recording things like
encryption keys. With some creativity, an audio chip might be able to
periodically observe known locations in RAM to find a BitLocker key, TPM
owner password or similar and record it in some non-volatile,
unencrypted location which could allow full-disk encryption to be broken
by an attacker that can gain physical access to the machine.

It's not likely, and it's insanely complicated, but it's probably
possible for any DMA-enabled hardware.

Also remember that the driver is a factor too, the hardware bug might
only be enough to read/write any part of memory, with the malware logic
lying in the driver (which lives outside the kernel, but has TCP/IP
access), using the hardware as a route to privilege escalation.

This seems far more likely, both because it could be explained as an
error in design (at the hardware level) and because it could be
dynamically updated in the field.


Actually, come to think of it, the RealTek chip is on the wrong bus :-)
(HDAudio). The Azalia interface gates anything an HDAudio chip could do.
Buffer management would be part of Azalia, and the SDI and SDO information
is just a "content stream". So RealTek is off the hook (my mistake :-) ).

http://m.eet.com/media/1063252/BoycePt4Fig4.JPG

As for PCI Express, you can't talk on it immediately. The link
has to be trained up, the lane mapping arranged so the interleaved
bytes are in order. Still, eventually, the PCI Express will go live.
The attacking chip will have to wait until the link comes up.
And presumably there are control bits in the PCI Express hub,
to turn on the links. No reason not to do that. Might be a
second or two before the attack can begin. At that point in time, the
BIOS is initializing memory (write to zero).

Things to get in your way, for a PCI Express attack,
would be things like IOMMU. So as time passes, the possibility of
unfettered access becomes less and less. (Not every design has
an IOMMU, so this is coincidental.) Before IOMMU, you'd be in
physical address space, and more things would be possible.
(That's how Firewire could be used for RDMA attacks
on a second machine. And the entire memory could be
swept with RDMA.)

I think we can agree, the architecture is far from secure, as
anything connected inside the computer is "trusted". So if I
were to disagree with you, it would be when something "accidentally"
provides a measure of protection, when it wasn't meant to.
I don't think, when these architectures were put together,
people considered "rogue hardware" to be a possibility.
The range of their thinking probably stopped at
"interrupt storm" or "jabbering" needing to be stopped.

This is why I want to hear *them* describe this attack,
rather than dreaming up "half an attack" on my own.

I still think a location inside the chipset is ideal, and
the Q-series chipset in business laptops is an example
of exactly how to do it.

See if the concepts in here don't scare you...
This is what is inside a Q-series chipset.

http://pds4.egloos.com/pds/200706/04/57/ps_adts003.pdf

Paul
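The post above treats the IOMMU as the thing that "gets in your way" for a PCI Express DMA attack, and FireWire's physical-DMA path as the classic example of what happens without one. The script below is an added example, not code from the thread or from either poster: a small audit of those protections on a Linux host. It assumes a Linux system with `dmesg`, `/proc/cmdline`, `lsmod` and `/sys/kernel/iommu_groups` available; the boot messages it looks for (`DMAR: IOMMU enabled`, `AMD-Vi: Found IOMMU`) are the ones the Intel and AMD IOMMU drivers log, and the function names and the report format are this example's own. Every check takes its input as an argument so it can be exercised offline on constructed samples; `audit_host` runs the same checks on live data.

```shell
#!/bin/sh
# Added audit script (not from the thread): checks a Linux host for the DMA
# protections the discussion touches on. Function names are this example's own.
# Each check takes its input as an argument so it can be run offline against
# constructed samples; audit_host gathers live data from the running system.

# Did the kernel bring an IOMMU up? The Intel (DMAR) and AMD (AMD-Vi) drivers
# log these lines at boot.
iommu_enabled_in_dmesg() {
    printf '%s\n' "$1" | grep -Eq 'DMAR: IOMMU enabled|AMD-Vi: Found IOMMU'
}

# Are devices actually placed in IOMMU groups? With an active IOMMU,
# /sys/kernel/iommu_groups holds one numbered directory per group. An empty
# or missing directory means bus masters still see raw physical address space.
iommu_groups_active() {
    dir=${1:-/sys/kernel/iommu_groups}
    [ -d "$dir" ] || return 1
    for g in "$dir"/*; do
        [ -d "$g" ] && return 0
    done
    return 1
}

# Was the IOMMU explicitly turned off on the kernel command line?
iommu_disabled_on_cmdline() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]])(iommu=off|intel_iommu=off|amd_iommu=off)([[:space:]]|$)'
}

# Is the FireWire SBP-2 driver loaded? Its physical-DMA support is what made
# the "RDMA attack from a second machine" possible; blacklisting it on hosts
# that never attach FireWire storage closes that route. Older kernels named
# the module sbp2, current ones firewire_sbp2.
firewire_sbp2_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(firewire_sbp2|sbp2)[[:space:]]'
}

report() {  # report <ok|WARN> <message>
    printf '%-4s %s\n' "$1" "$2"
}

# Run all checks against the live host (errors from unreadable sources are
# tolerated so the remaining checks still report).
audit_host() {
    dmesg_text=$(dmesg 2>/dev/null || true)
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    modules=$(lsmod 2>/dev/null || true)

    if iommu_enabled_in_dmesg "$dmesg_text"; then report ok "IOMMU initialised by kernel"
    else report WARN "no IOMMU initialisation message in dmesg"; fi

    if iommu_groups_active; then report ok "devices are assigned to IOMMU groups"
    else report WARN "no IOMMU groups: DMA-capable devices are unrestricted"; fi

    if iommu_disabled_on_cmdline "$cmdline"; then report WARN "IOMMU disabled on kernel command line"
    else report ok "IOMMU not disabled on kernel command line"; fi

    if firewire_sbp2_loaded "$modules"; then report WARN "FireWire SBP-2 driver loaded (consider blacklisting)"
    else report ok "FireWire SBP-2 driver not loaded"; fi
}

# Usage: sh dma_audit.sh audit
if [ "${1:-}" = audit ]; then
    audit_host
fi
```

The sysfs check is the one that matters most: a kernel can print the DMAR banner and still leave devices outside any group (for instance when the firmware tables are rejected), and it is the group assignment that actually confines a device's DMA. On AMD systems the IOMMU is on by default when the firmware exposes it, so the absence of `amd_iommu=` on the command line is not a finding; an explicit `off` is.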