How to gain access to computers and virtual machines - Hacker Halted

How to gain access to computers
and virtual machines
(through the physical memory)
Csaba Barta - Hungary

DEMO

IEEE1394 - History
• 1986 – Apple starts to design the standard
• 1995 – Standard is ready
• 2000 – 1394a (FireWire S400)
• 2002 – 1394b (FireWire S800)
• 2006 – 1394c (FireWire S1600)

IEEE1394 – design goals
• Main goal
– Connect multimedia devices
– Really high speed data transfer
• How is it achieved?
– DMA – Direct Memory Access
– Security consequences?

DMA – The vulnerability
• DMA – Direct Memory Access
– Connected devices can directly access each
other’s memory => faster data transfer
– CPU is not involved
READ / WRITE access
without control

Requirements
• The target OS will give us DMA only when we
can pretend to be a storage device
• This requires tricks
– Add SBP-2 unit directory to the bus
• Well documented
– The method is different on each platform
• FireWire stack differences

History of the vulnerability
• 2004 PacSec
– Maximillian Dornseif
– Own by an iPod
• 2005 CanSecWest
– Maximillian Dornseif and others
– All your memory belong to us
• 2006 Ruxcon
– Adam Boileau
– Hit by a bus
– Winlockpwn (release – 2008)
Not
0day!

Protection - Linux
• Old stack
– FireWire driver parameter
• Phys_dma = 0
• New stack (aka. “Juju”)
– No driver parameters
– Dirver blacklist (modprobe.d)
• firewire_core
• firewire_ohci
• firewire_sbp2

Protection – Windows
• XP and older versions
– 3 rd party software needed
• Not always the best solution
• Vista and newer versions
– GPO device installation control
• http://support.microsoft.com/kb/2516445
• d48179be-ec20-11d1-b6b8-00c04fa372a7

Back to DEMO

http://en.wikipedia.org/wiki/Lockheed_Martin_F-22_Raptor

Thank you for the attention!
Contact info:
Csaba Barta
csaba.barta@gmail.com