Full Disclosure mailing list archives
Re: Firewire Attack on Windows Vista
From: Erik Trulsson <ertr1013 () student uu se>
Date: Fri, 7 Mar 2008 22:38:43 +0100
On Fri, Mar 07, 2008 at 02:44:12PM -0500, Larry Seltzer wrote:
Let's say the computer is off. You can turn it on, but that gets you to a login screen. What can the Firewire device do?
Just about anything it wants to. It uses DMA (Direct Memory Access) which can be initiated by any device on the Firewire bus. This means a device connected to the Firewire bus can read and/or modify any part of RAM of any other device connected to that bus. It can (at least in principle) modify the OS, and insert any number of viruses or other malware - or of course modify the login program so it lets anybody in. It is also very useful as a debug aid for developers, since one can inspect memory contents even if the OS has crashed completely. The only protection against this (other than to completely disable Firewire) is to program the Firewire controller in the computer to either not accept any DMA commands at all, or program it so it can only perform DMA to certain known, safe, memory areas. To what extent one can restrict the operations allowed for any given controller can probably vary between different chips, and if one restricts it too much, then some legitimate devices might stop working. I wonder what other expansion ports can allow such control over the host computer. What about SCSI (which Firewire is partly based on in some aspects)? Or eSATA? Or PCMCIA/PCCard? USB is probably safe. I think all operations must be initiated by the host computer when using USB. (USB is a much simpler and more "stupid" interface than Firewire. This is one reason why Firewire devices usually give perform better than equivalent USB devices, despite running at a lower nominal bitrate (400 Mbit/s for Firewire compared to 480 Mbit/s for USB.) -- <Insert your favourite quote here.> Erik Trulsson ertr1013 () student uu se _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Firewire Attack on Windows Vista, (continued)
- Re: Firewire Attack on Windows Vista Larry Seltzer (Mar 08)
- Re: Firewire Attack on Windows Vista Tim (Mar 08)
- Message not available
- Re: Firewire Attack on Windows Vista Larry Seltzer (Mar 09)
- Re: Firewire Attack on Windows Vista Stefan Kanthak (Mar 09)
- Re: Firewire Attack on Windows Vista Larry Seltzer (Mar 09)
- Re: Firewire Attack on Windows Vista Jardel Weyrich (Mar 09)
- Re: Firewire Attack on Windows Vista Kern (Mar 10)
- Re: Firewire Attack on Windows Vista Stefan Kanthak (Mar 10)
- Re: Firewire Attack on Windows Vista FD (Mar 12)
- Re: Firewire Attack on Windows Vista Eric Rachner (Mar 12)
- Re: Firewire Attack on Windows Vista Erik Trulsson (Mar 09)
- Re: Firewire Attack on Windows Vista Pavel Kankovsky (Mar 15)
- Re: Firewire Attack on Windows Vista Thor (Hammer of God) (Mar 06)
- Re: Firewire Attack on Windows Vista Daniel O'Connor (Mar 05)
- Re: Firewire Attack on Windows Vista Tonnerre Lombard (Mar 05)
- Re: Firewire Attack on Windows Vista Tim (Mar 06)