Memory Attacks Addendum

Back in 2006, Adam Boileau, a New Zealand security researches and consulting announced an attack that let a Linux computer read another computers memory over firewire. His initial attack was targeted toward Windows, and allowed an attacker to unlock a locked system or bypass a login prompt. After two years, the attack still works, and Bolieau decided to post the code to the attack.

While Bolieau only approaches this from the direction of unlocking a locked system, this would work equally well as an alternative to the memory swap trick discussed recently. However, in this case, almost every Operating System is equally to blame for this, as it is the OHCI-1394 Specification which dictates this as acceptable behavior.

Firewire devices are supposed to be given direct memory access in order to ensure good performance, which is an admirable goal. Firewire devices are designed to move an enormous amount of data, and people want it to move quickly. Unfortunately, spoofing a valid device in order to get full illegitimate access to a systems memory is trivial.

Bolieau was not the first person to approach this danger of Firewire, and actually Linux, Macs and BSD were attacked successfully with this before Windows was due to a technical issue (basically, only Windows required you to claim that you were allowed DMA access, a trivial thing). Still, why was Firewire designed this way in the first place? And why do the majority of users, who don’t even use Firewire, have this dangerous behaviour enabled by default?

All I can figure is that the developers of Firewire were hardware geeks more concerned with high performance than with security. Provide DMA access, sure, but relegate it to a negotiated size and span of memory, not completely unrestricted access to everything. Hell, the OS and CPU aren’t even involved in this transfer. Mac BIOSes take advantage of this by allowing you to boot a Mac into a special “disk” mode where they act just like a firewire disk, great for when you need to get data off a Mac who’s hardware is starting to fail.

While this is a great forensic tool, since Memory images are typically hard to get from a running system, it’s also an interesting security risk. On the one hand, it’s just another example of physical access meaning complete access, but it’s also one of the most effective data gathering techniques I’ve seen, in that it only requires plugging in a simple cable.

These tools are already a part of my incident response toolkit, and I suspect they will remain so for some time.