Black Hat Demonstrations Shatter Hardware Hacking Myths

By Lisa Vaas  |  Posted 2007-03-01

At the Black Hat Briefings, two prominent security researchers show that long-held notions of hardware resistance to hacking are nothing more than folklore.

ARLINGTON, Va.—Unless you were at Black Hat on Feb. 28, you probably woke up safe in the assumption that if a rootkit hit your system, reimaging would remove it. You probably also thought that the best way to search a PC's volatile memory, or RAM, was by grabbing it with a PCI card or a FireWire bus. You were wrong.
At the Black Hat Briefings here on Jan. 28, two breakthrough hardware hacks were demonstrated. One shocker was Coseinc Senior Security Researcher Joanna Rutkowska's demonstration of a way to subvert system memory through software—in essence, the shattering of our long-held belief that "going to hardware" to secure incident response is a security failsafe.
Security professionals at the show called it the "attainment of the holy grail," particularly since the only way to fix the system's memory corruption is to reboot—thus erasing all tracks of the subversion. It's a digital forensic team's worst nightmare. How can you figure out—and prove in court or to auditors—what people have been doing on your company's PCs, for good or evil?

Hardware heresy didn't stop there. John Heasman from NGSS (Next Generation Security Software) proved that rootkits can persist on a device—on firmware—rather than on disk, and can thus survive a machine being reimaged. Even reformatting won't save us these days.

These hacks are esoteric, but they're proving that much of what we thought of as hardware unassailability is pure folklore.

Jamie Butler, principal software engineer at security services provider Mandiant, explained the significance of Rutkowska's hack in an interview with eWEEK at Black Hat here. "The significance of it is there's been this folklore, this legend that if you do hardware acquisition of memory, it's not subvertible," Butler said. "But if you're running software and you're accessing memory, you can be subverted."

Here's how Rutkowska herself described our current beliefs about hardware unassailability on her blog: "We all know that any software-based system compromise detector can always be cheated if malware runs at the same privilege level as the detector (usually both run in kernel mode)," she writes. "This is what I call Implementation Specific Attacks (ISA). Because of that, mankind has tried to find some better, more reliable ways for analyzing systems, which would not be subject to interference from malware.

"And we all know what we've come up with as a solution—hardware-based devices for obtaining the image of volatile memory (RAM), usually in the form of a PCI card."
Those devices include a proof-of-concept called Tribble, from security professionals Brian Carrier and Joe Grand, as well as BBN Technologies' CoPilot, a device you can't get unless you're doing research for the U.S. government. The idea behind these devices is to access physical memory by using DMA (Direct Memory Access). This method doesn't touch the CPU when it accesses memory, so it's been considered a reliable way to read physical memory that hasn't been mucked up by whatever havoc malware has been playing with the operating system. Not.

"The point is: once we get the memory image, we can analyze it for signs of compromises on a trusted machine or we can have the PCI device do some checks itself," Rutkowska said. "So, it seems to be a very reliable way for reading the physical memory…. But it is not! At least in some cases...."

Butler explained it this way: "Because the CPU accesses physical memory through a different channel than DMA access, she was able to redirect DMA access somewhere else. The significance is that people were using DMA-based acquisition, either with FireWire or PCI, to get physical memory from a machine. Then they could search for processes, ports, whatever was happening at the time of acquisition. Now she's redirected that access, that read of memory, to some other place. She just filled in all that memory with [the character F, repeated multiple times: FFFFFFFF]. Now they're reading something completely different than what's actually running."

In her demonstration at Black Hat, Rutkowska showed her work on x86/x64 architecture, specifically AMD64-based systems. That is not to say the hack wouldn't work on 32-bit systems; AMD64, Rutkowska said, is simply what she had on hand. Bear in mind, you won't hear from AMD or Intel about patches for your hardware, because there's nothing wrong with it. Rutkowska pulled everything she needed out of AMD manuals.
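The practical consequence for a forensic team is that a single DMA-acquired image can no longer be taken at face value. One defensive response the article's description suggests is to cross-check the DMA image against a second acquisition of the same physical range (for instance a CPU-side read) and to flag pages that came back as a constant fill, as in the FFFFFFFF case Butler describes. The script below is an added illustration of that consistency check; it is not code from the article, from Rutkowska, or from Mandiant, and the 4 KiB page granularity, the 0xFF fill heuristic, the 98% threshold and the sample images are all constructed assumptions for the example.

```python
"""Cross-check a DMA-acquired physical memory image against a second
acquisition of the same range.

Added example (not from the article or the researchers it quotes).
Assumptions: 4 KiB page granularity, both images cover exactly the same
physical range, and a redirected DMA read shows up as a near-constant page.
"""
from dataclasses import dataclass
from typing import List, Tuple

PAGE_SIZE = 4096  # assumed comparison granularity


@dataclass(frozen=True)
class PageFinding:
    page_index: int
    reason: str  # "fill_pattern" (DMA view is a constant) or "mismatch"


def is_fill_pattern(page: bytes, fill: int = 0xFF, threshold: float = 0.98) -> bool:
    """Return True when at least `threshold` of the page is the single byte `fill`.

    A DMA read that has been redirected away from real RAM tends to return a
    constant, which is the signal this heuristic looks for.
    """
    if not page:
        return False
    return page.count(fill) / len(page) >= threshold


def check_acquisitions(dma_image: bytes, reference_image: bytes) -> List[PageFinding]:
    """Compare the DMA view with the reference view page by page.

    A page that is a fill pattern in the DMA view but not in the reference is
    reported as "fill_pattern"; any other difference is reported as "mismatch".
    Mismatches can also be benign churn if the two reads were not simultaneous,
    so the fill-pattern finding is the stronger indicator.
    """
    if len(dma_image) != len(reference_image):
        raise ValueError("both images must cover the same physical range")
    findings: List[PageFinding] = []
    for offset in range(0, len(dma_image), PAGE_SIZE):
        dma_page = dma_image[offset:offset + PAGE_SIZE]
        ref_page = reference_image[offset:offset + PAGE_SIZE]
        page_no = offset // PAGE_SIZE
        if is_fill_pattern(dma_page) and not is_fill_pattern(ref_page):
            findings.append(PageFinding(page_no, "fill_pattern"))
        elif dma_page != ref_page:
            findings.append(PageFinding(page_no, "mismatch"))
    return findings


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample: four pages; page 1 is hidden from the DMA path."""
    real_pages = [
        bytes(range(256)) * 16,                                  # page 0: ordinary data
        b"kernel structures here".ljust(PAGE_SIZE, b"\x00"),    # page 1
        b"process list".ljust(PAGE_SIZE, b"\x00"),              # page 2
        b"\x00" * PAGE_SIZE,                                     # page 3: genuinely zero
    ]
    reference_image = b"".join(real_pages)
    dma_pages = list(real_pages)
    dma_pages[1] = b"\xff" * PAGE_SIZE                           # DMA sees only 0xFF here
    dma_pages[2] = b"process list (stale)".ljust(PAGE_SIZE, b"\x00")  # benign churn
    return b"".join(dma_pages), reference_image


if __name__ == "__main__":
    dma, ref = build_sample_images()
    for finding in check_acquisitions(dma, ref):
        print(f"page {finding.page_index}: {finding.reason}")
```

Run on the constructed sample, the check reports page 1 as a fill pattern and page 2 as a mismatch, while the all-zero page 3 is left alone because zero is not the fill byte being looked for. In practice the two acquisitions should be taken as close together in time as possible, and a fill-pattern hit should be treated as a reason to distrust the whole DMA image rather than just the flagged page.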
So yes, she shattered beliefs in hardware architecture, but in essence she just played with what was already known. "It's about design," she said during her demonstration. "[PCs] weren't designed for security. They were designed to do complex work."

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
