Bugtraq mailing list archives

Re: NetApp Filer software versions 5.x: potential hardware killer


From: kragen () POBOX COM (Kragen Sitaker)
Date: Fri, 12 Feb 1999 19:56:32 -0500


On Fri, 12 Feb 1999, Daniel Quinlan wrote:
> Jason Downs <downsj () DOWNSJ COM> writes:
> If this host is compromised it's obviously bad news for the filer.
> But now, apparently new with the 5.x revisions of the filer operating
> system, a malicious individual can likely destroy the disk drive
> hardware itself.
>
> How is this different from any host (Unix, Windows, DOS, network
> equipment) that has one or more components with upgradeable firmware?
>
> IMHO, having software-upgradeable firmware without having a physical
> lockout is a very bad idea.  A well-labeled physical switch that must
> be set by hand to upgrade the firmware, and reset for normal operation,
> would suffice -- it would ensure that upgrading the firmware required
> physical access to the machine.
>
> I asked NetApp quite a few questions about this before I upgraded our F630
> FC disk firmware -- according to them, it's nearly impossible to turn
> disks into expensive bricks.

My biggest concern with upgradable firmware is much more severe.  If
you can "upgrade" the firmware on the disk somebody boots their machine
from, you can theoretically do unbelievably devilish things.  You can
insert arbitrary code into the OS kernel, for example, but only when
you boot off that disk; if you boot off a floppy to check the disk with
Tripwire or L5, you can give the unmodified kernel.

Most disks have plenty of spare space on them -- reserved for remapping
bad blocks -- and you would have plenty of space to store whatever
malicious code you wanted.  You could, for instance, insert nonstandard
options into IP headers and use them as a covert channel to alert you
of the existence and configuration of infected machines.  You could
send extra packets during times of heavy traffic.  You could insert
extra queries into DNS packets -- queries that would ultimately be
forwarded to malicious DNS servers.

Once you'd found infected machines, you could exert complete control
over them.  A particularly obnoxious possibility: you could insert
"logic bombs" into the disk firmware that would activate only when
certain sequences (long and rather improbable, perhaps a few hundred
bytes) were read from the disk.  Then spam people with a .gif containing
that sequence, along with steganographically-encoded machine code.  They
extract the .gif onto their disk, nicely aligned with the beginning of
a sector, and load it up with Netscape.

And if your breakin was spotted and the machine reinstalled from
scratch, it wouldn't matter.  The machine would still be compromised,
and there would be no way to tell that it was compromised, since you
can't check the firmware with L5.

I know these feats would be technically difficult and narrowly
applicable, requiring detailed knowledge of particular disk designs and
operating systems.  But the threat is much more severe than the mere
threat of someone breaking into your machine and stealing or deleting
your data.

Firmware that is flashable without requiring inconvenient physical
access really scares me.

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
Computers are the tools of the devil. It is as simple as that. There is no
monotheism strong enough that it cannot be shaken by Unix or any Microsoft
product. The devil is real. He lives inside C programs. -- philg () mit edu
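The thread turns on two defensive controls: a physical write-enable switch so that a firmware update needs someone at the machine, and verifying that the image about to be flashed is the vendor's and has not been altered. The following is an added toy model of that update gate, written for this archive page and not code from NetApp, Kragen Sitaker or anyone else in the thread. It assumes a vendor-supplied manifest (digest, size and an authentication tag) shipped with the image; the HMAC key, the size bound and all sample bytes are constructed for the example, and a real product would use an asymmetric signature rather than a shared key.

```python
"""Gate a disk-firmware update on (1) a physical write-enable switch and
(2) the integrity and vendor authenticity of the image.  Added example;
every constant below is constructed, not taken from any real product."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: a vendor key the platform can check images against.  A real
# design would verify an asymmetric signature; HMAC keeps this stdlib-only.
VENDOR_KEY = b"constructed-vendor-key-for-example-only"

# Sanity bound on an image: anything larger is rejected before hashing.
MAX_IMAGE_SIZE = 4 * 1024 * 1024


@dataclass(frozen=True)
class Manifest:
    sha256_hex: str   # expected digest of the image
    tag_hex: str      # vendor HMAC-SHA256 over the image
    size: int         # expected image length in bytes


def make_manifest(image: bytes, key: bytes = VENDOR_KEY) -> Manifest:
    """What the vendor would ship alongside the image (constructed here)."""
    return Manifest(
        sha256_hex=hashlib.sha256(image).hexdigest(),
        tag_hex=hmac.new(key, image, hashlib.sha256).hexdigest(),
        size=len(image),
    )


def check_image(image: bytes, manifest: Manifest,
                key: bytes = VENDOR_KEY) -> list[str]:
    """Return every reason the image must NOT be flashed (empty list == ok)."""
    problems: list[str] = []
    if not 0 < len(image) <= MAX_IMAGE_SIZE:
        problems.append("image size out of range")
    if len(image) != manifest.size:
        problems.append("size mismatch")
    digest = hashlib.sha256(image).hexdigest()
    # Constant-time comparisons: never let the gate leak which byte differed.
    if not hmac.compare_digest(digest, manifest.sha256_hex):
        problems.append("sha256 mismatch")
    expected_tag = hmac.new(key, image, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest.tag_hex):
        problems.append("vendor tag does not verify")
    return problems


def flash_firmware(image: bytes, manifest: Manifest,
                   write_enable_switch: bool,
                   key: bytes = VENDOR_KEY) -> tuple[bool, list[str]]:
    """Flash only if the physical switch is set AND the image checks out.

    The switch is checked first so that a purely remote attacker, who can
    replace the image file but cannot touch the hardware, is stopped even
    when the image itself would pass every software check.
    """
    problems = check_image(image, manifest, key)
    if not write_enable_switch:
        problems.insert(0, "write-enable switch not set; refusing update")
    if problems:
        return False, problems
    # A real implementation would hand the verified bytes to the drive here.
    return True, []


if __name__ == "__main__":
    # Constructed sample image: 4 KiB of a recognisable pattern.
    good = bytes(range(256)) * 16
    manifest = make_manifest(good)
    print("switch set, genuine image:", flash_firmware(good, manifest, True))
    print("switch clear, genuine image:", flash_firmware(good, manifest, False))
    altered = good[:-1] + b"\x00"
    print("switch set, altered image:", flash_firmware(altered, manifest, True))
```

Run as a script it prints the three outcomes; the point of the ordering is that a manifest an attacker regenerates for their own image still fails the vendor tag check, and even an image that would pass every check is refused while the switch is clear.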
