Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Black Hat Demonstrations Shatter Hardware Hacking Myths



 By: Lisa Vaas
2007-03-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Black Hat Demonstrations Shatter Hardware Hacking Myths
  2. ' 2 '

Rate This Article:
Poor Best
Black Hat Demonstrations Shatter Hardware Hacking Myths
( Page 1 of 2 )

At the Black Hat Briefings, two prominent security researchers show that long-held notions of hardware resistance to hacking are nothing more than folklore.

ARLINGTON, Va.—Unless you were at Black Hat on Feb. 28, you probably woke up safe in the assumption that if a rootkit hit your system, reimaging would remove it. You probably also thought that the best way to search a PCs volatile memory, or RAM, was by grabbing it with a PCI card or a FireWire bus.

You were wrong.

At the Black Hat Briefings here on Jan. 28, two breakthrough hardware hacks were demonstrated. One shocker was Coseinc Senior Security Researcher Joanna Rutkowskas demonstration of a way to subvert system memory through software—in essence, the shattering of our long-held belief that "going to hardware" to secure incident response is a security failsafe.

Security professionals at the show called it the "attainment of the holy grail," particularly since the only way to fix the systems memory corruption is to reboot—thus erasing all tracks of the subversion.

Resource Library:
Its a digital forensic teams worst nightmare. How can you figure out—and prove in court or to auditors—what people have been doing on your companys PCs, for good or evil?

Hardware heresy didnt stop there. John Heasman from NGSS (Next Generation Security Software) proved that rootkits can persist on a device—on firmware—rather than on disk, and can thus survive a machine being reimaged. Even reformatting wont save us these days.

These hacks are esoteric, but theyre proving that much of what we thought of as hardware unassailability is pure folklore.

Jamie Butler, principal software engineer at security services provider Mandiant, explained the significance of Rutkowskas hack in an interview with eWEEK at Black Hat here. "The significance of it is theres been this folklore, this legend that if you do hardware acquisition of memory, its not subvertible," Butler said. "But if youre running software and youre accessing memory, you can be subverted."

Read more here about whats in store at Black Hat.

Heres how Rutkowska herself described our current beliefs about hardware unassailability on her blog: "We all know that any software-based system compromise detector can always be cheated if malware runs at the same privilege level as the detector (usually both run in kernel mode)," she writes. "This is what I call Implementation Specific Attacks (ISA). Because of that, mankind has tried to find some better, more reliable ways for analyzing systems, which would not be subject to interference from malware. "And we all know what weve come up with as a solution—hardware-based devices for obtaining the image of volatile memory (RAM), usually in the form of a PCI card."

Those devices include a proof-of-concept called Tribble (PDF), from security professionals Brian Carrier and Joe Grand, as well as BBN Technologies CoPilot, a device you cant get unless youre doing research for the U.S. government. The idea behind these devices is to access physical memory by using DMA (Direct Memory Access). This method doesnt touch the CPU when it accesses memory, so its been considered a reliable way to read physical memory that hasnt been mucked up by whatever havoc malware has been playing with the operating system. Not.

"The point is: once we get the memory image, we can analyze it for signs of compromises on a trusted machine or we can have the PCI device do some checks itself," Rutkowska said. "So, it seems to be a very reliable way for reading the physical memory …. But it is not! At least in some cases ...."

Butler explained it this way: "Because the CPU accesses physical memory through a different channel than DMA access, she was able to redirect DMA access somewhere else. The significance is that people were using DMA-based acquisition, either with FireWire or PCI, to get physical memory from a machine. Then they could search for processes, ports, whatever was happening at the time of acquisition. Now shes redirected that access, that read of memory, to some other place. She just filled in all that memory with [the character F, repeated multiple times: FFFFFFFF]. Now theyre reading something completely different than whats actually running."

Click here to read about the dissection of a rootkit.

In her demonstration at Black Hat, Rutkowska showed her work on x86/x64 architecture, specifically AMD64-based systems. Not that this hack wouldnt necessarily work on 32-bit systems, but, Rutkowska said, AMD is what she had on hand.

Bear in mind, you wont hear from AMD or Intel about patches for your hardware, because theres nothing wrong with it. Rutkowska pulled everything she needed out of AMD manuals. So yes, she shattered beliefs in hardware architecture, but in essence she just played with what was already known.

"Its about design," she said during her demonstration. [PCs] werent designed for security. They were designed to do complex work."

Next Page: Firmware rootkits.





  Reader Comments: Black Hat Demonstrations Shatter Hardware Hacking Myths
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r㶲s\@♵M"b{lɶXgRJEĘ"H'g~u~|.dLb["h4y$ W7-gB9)ٝ0O,zIj|ݻPAezAUM JԶO7RM3ĩ /4w7vGlJ{'A :#:@PL5uΚMH]ٚ7'x2)Xm$8kzZC'AjZw$lZ/P8$H.wH~Thge}ǮJ;ߣWFn3pa_ʞ0ɾM"x<&j>vB'gxGd #BE=x:Q/M+lᐌl׸ڮb'Uƞͨ*{ /B1r!f-[BM*-M Dƞ4HC d!̒JK^`:rm3k> NRY Z3ˆ辥{$)5= \o4QL1H6}~8MZ QK68Q)Kk0~b[4Ip\.* }= :ҍۉ}4 .j.s&"U-wS>Cɤ:Zdq}9e,f4öۢCCٰo4\>jrTW#gQxo9{ؖ3lTzEÝ|k7_(Uۿ_HQPwÑ;@ږV`(^w: 틋wq@.{A~$Fj}&KDeR)fi& 0h!5tt򰚅:AXsEF n|%rPH+).##-b|+0#ƌ_8rriZ򳹥}9h__]wm2h_wڧ>ߘecfy3ժ?T2ؕgxg4X:nN[77VON{פ9i>sو&lXaV|YkU[_lxm&w@"rVJZ@R ?#3 >]4ZW/:' MD[|н | ,-)Tthi"A[8 .+J!bN3̤"ȅQ.% >Ć>LbO૦yx|uwެ.Uմ޹/~龂KwI|nHwnoa$шf",$M}sQV1*exsvU9-b(7ZdL,5,{LtlA`::g>QӚ#qRO#Gs>H2胎6mb8-ƹ" ,70}Hg@zqI4 qx٭mE%_¤<  zA;=H:}mP`~5$'@ ̀s'08 ɝ5E0ݻ#i`y1&=զA{ Tg ,zu}   @lgk6G\[-[Y6x O͹A QP|'sZ( 7^`" EEKy3@ $h-4az.?  #!be6ODs@PG҅;qjvn23,BV-KїPf%i2khƪń(VFN1|(0Vf)L˄Fr=6:{mQHtuK\:u`漇d:Nk'hm7?>{@O-\nb4դ/4<3_O#kۖs7Me jJ=WsFA|5 i!sL&Ze on<GyoM'WVV{)Ud+b*q (uP\O ō4BЊO}=lYJb-Y~k%fcP.KúJj'~d7Bɶ/^[aa6E]Q^RKHD@CR)ҵ ҊaY^`(! "x ӡEAچzCTCSk u > \Re࿚Ȕmm1ʚU9,Wfn ()r?-j5 SXS:hM>vI{{L-ϐwP9s?磔YTp$4hQ*}a5)403yb|Fȸ>qm?XĞ?x8[0,Y\.']65&@0mE"a`iNR} ز^z`޴ 2RXO%}T5!Cl ԑq,YriL*wڶ{O>QȺ@POK-C MqNW hPU+ bI,(t=(UF+ay@Y*#܊k Bo` 2l3sG/.zrĦyP2~2j&8x_ℯ? q+zSAqf -4,~R`>sn.,|pZEN[O`cV av05;?Ur9MEdѮ\rRk}L˧Fxtoգ)u;uav9Aخ kqAmY1pW' (k0qי5 '& ~Bg%:!pwC):2,np{]0XAG5h0qHG&{+E689 n:+@%lr Z+::jnM=WG$*X  d5}u*ՃZIe߯yU/^> (&Lu0Ȉ%=WlTj1՞m$R*C01^*== 7S_)-ʖ~gɲ Ϣ+bIۛh#|5}@mvf36V=_`tmAؙY%7Cb۴s:i&2106E-0P>O\մr ,09W>|6Œu8YW[?`gsk`p1\EAnc>֍۹'~@^3_?J} [L4@V1-0=̞̝A mۨX9)6ʐkxG2g7(Ъ6#iB/%e.N1)Q>?/$,RQv+Հ΀Ld_V8C+`-XRjj#L*"o&ŏ[o(5rv=HGP*~J%UHUگjYIz, :*i7xџ6YD+(++i-Y2ǽa m.E9[& 4˷ʨK3[*X.DД4Ϩ;Rb h kxG c[,e!r ]N7._Tj vQ ^`| @-c'd1s<œo =$Ԅ7xpLaV*S7oA!Rē#+cI`I`w0kR6ǟM1Շݽ]g=J _BQ`о(&ю0pmOɪO@T ~1tc1μYV̶Rf~Gw74}ڻHn!2a^G #W~g]ab>" N0/5.šJVCR>"yvpْ:Y]Fya8F&{PvB,& oHŤ}v|{{l:g5ð]OQ區҈FU{A+tgK%E;"˶uoл9"Q!5/:g, YE#B\ȧ5Ak3d4) 3`X#axK#&WDH[(`u}͙B9ki.Dz=t_5g0YT h-)cgE1w}eYLoH:|XbHH\R ~tDӿh~Olgu؋^s  m D78C*QW"2Eh%iA&'&g <"@&9FxDw~mGpE,}+)Fy*}y:}_exL+%BY3gIGһ#$$E >]9/wbPBn1x-6ؾN9$S4sJd":A%;)~ڰOy{do&})'AΚuhaXKofw6bO07+۝l9nia[nǡ8 0Nl"4P$EUՊZʶFr,"2NIJa'>dM#}%3ٌՏk^d̠t`p9frIךiA~je|eml[CĚ3i&iv[ʾv12:=әߒ9&bH4~mWCtsM nY<:fpHNo/txlzjV5EKXo0P!5:wr&뻍Ct G;ydwQan)Zej OxZS/r)!%py#H?a[HQ1T=$LF~6ʌ}ڟ=`@Rw 51)Y^7 =#˲T1%G(J#0 Iq^s9Ҕ\iHx^ vW6ހV%UߦO尥tӖ[*QGX^疧-*G&$(1g#G@׳k1S%MQolVu lYRx]-CYJr ]?v7 n79DI D "w!į.~r-OP7ꫬsG:hf+EiX3JjQ󫚥G8lccK;y47o7o7o7oWmT+}mh 0]zOJ8eqS?!}s1bo Wb}fV&IFOyA&>B|Cl1M'@L0a!RbLmy75XUbu K,cttu5݆\*ҥ3ݙHa5z Sa1j+0와Gt`Pùge:h4K!$IMkk~5dcô.[S*u \+pyhBH\`Oˮ,Bj&5_m+r9 1ǻto\7hq0;ւ`jUj />D[=;1v@jQD{!\ԴX2@zB:vg#j 90II ,AT<4U}c)J;ɍg /}sz X^n^ aFtg ko%?^wA=rSQ3tI8OXD2E! <7&ͅ+PGt$wKJē{.5~G%ňk)'>?׃HP.%$7w1y @8Qvp '+j  w-r㐝C|xd80h C +^V"WA$1 -:s_ai;t]kt s>^d3B;w(+ 1߯m9d0؞`-&a̎<-Yqc[VjJYb0 ":;K z2>sK8@$}/Hk4DAd#nϪaD5Tbtb fZ*F&#Zikxo< 4J| E3&PxcLW<0Մ0t#gfٝ7gFm^}RVSvrC*6;m[6KJgm25+ St$#?)){ꞪߒϞi4<>{}A6ڄyiǥ4YgMr'ǯ_\ixcO׀gȢxBW7˽}D['ٍI+62 1՘^_Ѿi#?4;}ӿh>zx d{P_[{/{u.4>z(4:r$`]Q szS?#ᘭ#!+%A H3vkQo߼+J ԝ8p4.pgj9U%H9 dU ?M />nrnR-i`Ik„@J!ƒpbZSxH' 19SӦ^INo{cs%H"V|8snj}J"rβA)W ¨b)c(bU 7T,G,(Ϗpk2ꧦa/xnf4`ynF"O-x}))? |4BrkQ.閣zUQpV#ߛ~Sg8XKSHmݜ(8c$Ѕ:x,@#!9ωJkc 7úޛZF ``p3W VjjU)GO"ӡRs]j9u]]ÀˠYQ^&*ӸӔ^*BI] / P/HZ W{Pɾe{$$ ͈u0՝fKh^]]|"k$68\w%9n_noWj[utһtڹl_]w.ƩL·_ }e)|Q)X7OGYFm3;eNq(gg:ͅf1.y.r8,tG_04e\c$:G(%^ٌ/!jbҫSi0L̗7[vS+yk! >=Bƫx]jy5sλmx9n0zIgos@1@C|o_Ow.4"J6//rC_לk(^_~NmS>X_9'P~sC3YN>@B㼳*4:r_'\C;9/4s?A">vntn]̓з Ч wsvs O/?Bǜs(?)# ݜr˜̑K˜A{9^~+S:?>7/P_r#+>1~7P~W{ÿ7MN779$)gf5pv8\hK"~)P9P* ~2*ΕR+@~W~ kJ+ťfW*7KL쵆cn5:AbCa/! c|*,xW& )htVydS˼=>w懴Ixմ] &J2˯-cENZ9.~QFxdB$dZ+mFDt"X5½q>eybAR-c#]q8GfNArr mHn+0 4` .nsOkz>s"[~r^<^ȬuUW5VlNA6KֈE>Yݩ7 xЧx.؅O WY>-KaaP$ zY~8#a}3Ğ~ebx5C7$ꑨ~5d]M4pޣi7w&2n :)xT״} J\ߑNx?\GDp1|9̈ɪ"+5w9 8]V(*D`I9#2B4|[Wu 8tS+r詓<+Lp-}"z•>XxߵcEx+c"AV7/ ~*ev3:؏d S7ʄ,5vW;SЫ!AJ΃sraE1`˙B0H_tI{׿$0y."6'oże @ @8cşL VNΊt4^"̼XJ"hcЁu4b Hm7g@oJ`Xkt(JV7Bg3Σ/dڞ3G5i;ݹ)a<<T#Me AnﺳcX00wUW -MbAK5 D =b7е݄̄%u%лx^3/GN*S0P2#0' M̮+fAj̮jd{/,4sLxE,' ?Z˽JLEN$~ 5WTг˽Yo@d!X3W]dA_d|bOh[o.TLHd v"ѱy$hn8Yxk1¢躂M^犱̀ogF۹"}מ 7V]Ѐ?n7 (T'z >yϐR8K9H%)~xjA߮ed#W B㑸| ,* +HQ0^R smqSunTj;<~"lE a'_B X戄=$y1|w,GggS#^Πo'b_wv7eŁ&PL1)Žc)VȥIG‹=$vDJE{)ߠ(b;<% *`> ,CR6L`>Nc? `vwj9x'e纖9cbV)qmeGF-[$@#5E`1|4aehDP0T6y6 *>% , -i%^HPWWݜO ,Xo|8j/d6CF|'Lo! 9D/7a{J B ϱɮx63@ƷD0k"66iVDR*,l'f , ~sf㿶稅BWvwz ?;7x>;vGLWe؋$| _[0~; _ږ+yL1e~}J<3G(u",@Sq7ݦt3#Wo,^zeXٿ"PshՆG0^q۷SR|@sxS as=Vcm;p3z2 Qm`-xa[An`P%hw2bo _ ($ʓ}E.tqeQ*g T.Ov P.i۹tC*G꛺UNG'Ўί}B}FBl4.$7pEIw#[7nyqueK^Q(Zu V,"׳o 6A|>Ǩy6gn&_1!?[eUUSq$ᑭ7}M1uc*@ٯ6vFًᷞfSذM*d.%r R۬_gЧLN&ZJ܄;B6BKslt6Iֵ)