Vulnerability Development mailing list archives
Re: Modern hw-killing virus feasible
From: Daniel Newby <dnewby () NOMADICS COM>
Date: Fri, 9 Mar 2001 19:00:07 -0600
Mike A. Harris wrote (Wed, 7 Mar 2001):
> A dead motherboard that has had its BIOS wiped out by a virus, is a
> dead motherboard. The cost of repairing this problem is significant
> enough to most people that it would basically mean purchasing a new
> motherboard. In other words, the "problem" caused, has a pricetag
> associated with it. While no physical
                      ^^^^^^^^^^^^^^^^^
> damage is done, and the BIOS could certainly be replaced, the
  ^^^^^^^^^^^^^^
> cost factors basically equivilate that the hardware is destroyed for
> all practical purposes for 99% of the general case.

Nobody has mentioned this yet, but most nonvolatile memory devices *are* permanently physically damaged by being reprogrammed. The damage to a particular memory cell is cumulative, and increases each time the cell is reprogrammed.

The wear-out process shows up as a decrease in margin (the voltage difference between a logical zero and one). When the margin gets small enough, the memory bit will occasionally read out incorrectly. As it is damaged more, errors will occur more often. Some devices can withstand only a few thousand programming cycles before they exhibit errors; others can safely take millions of cycles.

For various reasons (fabrication process, chip design, and quantum mechanics), wear out is often not symmetrical: logical zeros will always read out correctly, while logical ones begin to be falsely read. Or vice versa, depending on the chip design. Or maybe they both exhibit wear-out but one starts before the other. And some newer devices store more than one bit in a memory cell -- who knows how they wear out.

Read-back errors are also dependent on the ambient electrical noise on the board. The upshot is that wear-out problems are often data- and activity-dependent, and it might be possible for a device to pass the checksumming process but fail when the CD-ROM drive spins up.

Here's how to use memory wear-out in an attack:

1. Read chunk of BIOS and save it in RAM.
2. Erase chunk of BIOS.
3. Reprogram chunk of BIOS from saved copy.
4. Read out chunk of BIOS and compare to saved copy.
5. Repeat step 4 1000 times.
6. If bit error rate is too low, goto step 2. (I.e., keep wearing out BIOS until sufficiently flaky.)
7. Return to regularly scheduled program.

Besides the BIOS, what else could be attacked this way? Offhand, I can think of Ethernet cards, which often store the MAC in EEPROM. A malicious program could wear out the least-significant byte of the MAC: machines would occasionally jump DHCP leases or get MAC collisions when rebooted. Heterogenous thin clients might randomly boot from the wrong firmware. Multi-homed hosts might have trouble binding the proper IP addresses to the proper NICs. The potential for creeping low-intensity flakiness should be obvious.

Tracing this type of problem to its root cause is difficult and expensive. The tendency will be to think "Maybe it's just a bad batch of Ethernet cards. Maybe the machines in that building were just damaged by a lightning strike."

--
Daniel Newby (speaking for myself)
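
For anyone tracing the kind of flakiness the post describes, one checksum pass is not enough; a diagnostic has to compare many read-backs against a known-good image and record which bits disagree and in which direction. The Python sketch below is an added example, not part of the original post: `readback_report` is a hypothetical helper, the sample bytes are constructed, and it assumes the read-backs were already captured with whatever dump tool the device vendor provides.

```python
from collections import Counter

def readback_report(reference: bytes, reads: list[bytes]) -> dict:
    """Compare repeated read-backs of one region against a known-good image."""
    if not reads or any(len(r) != len(reference) for r in reads):
        raise ValueError("every read must have the reference's length")
    flips = Counter()              # (byte offset, bit) -> reads that disagreed
    one_to_zero = zero_to_one = 0  # direction of each misread, for asymmetry
    for data in reads:
        for off, (want, got) in enumerate(zip(reference, data)):
            diff, bit = want ^ got, 0
            while diff:
                if diff & 1:
                    flips[(off, bit)] += 1
                    if (want >> bit) & 1:
                        one_to_zero += 1   # stored one read back as zero
                    else:
                        zero_to_one += 1   # stored zero read back as one
                diff >>= 1
                bit += 1
    n = len(reads)
    return {
        "bit_error_rate": sum(flips.values()) / (n * len(reference) * 8),
        # Reads that would pass a plain checksum or compare.
        "clean_reads": sum(1 for r in reads if r == reference),
        # Bits wrong in some reads only: the low-margin signature.
        "intermittent_bits": sorted(k for k, c in flips.items() if c < n),
        # Bits wrong in every read: corruption or a hard fault, not marginal.
        "stuck_bits": sorted(k for k, c in flips.items() if c == n),
        "one_to_zero": one_to_zero,
        "zero_to_one": zero_to_one,
    }

# Constructed sample: a 6-byte MAC region read five times. Bit 0 of the last
# byte (a stored one) reads back as zero in two of the five reads.
REFERENCE = bytes.fromhex("02005e10a5c3")
READS = [REFERENCE, bytes.fromhex("02005e10a5c2"), REFERENCE,
         bytes.fromhex("02005e10a5c2"), REFERENCE]

if __name__ == "__main__":
    for key, value in readback_report(REFERENCE, READS).items():
        print(f"{key}: {value}")
```

Because read-back errors depend on board activity and electrical noise, captures taken while the machine is idle and while it is under load should be reported separately.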