Can DMA attacks work against Ethernet... or just WiFi/wireless...?


neilh...@gmail.com

Sep 11, 2016, 7:29:14 PM
to qubes-users
Qubes uses VT-D to protect against DMA attacks on things such as WiFi chip.

But are there any proven DMA attacks against wired networking, i.e. Ethernet..?

Hackers can exploit a buffer overflow on the network card's firmware, and use that to take control of the network card, and issue a DMA attack to take control of the entire host computer.

I previously posted a thread about this on qubes-users ("Question on DMA attacks")
... and Marek mentioned WiFi when speaking of DMA attacks.

Is Ethernet also vulnerable...? Or just WiFi..?

I say this because I wanted to build a Tor router that sits between Qubes and my main router... so that even if Qubes gets hacked, they can only see what I'm doing, and not WHO I am. The theory being, that there are no exploits for Tor itself, and only for the Firefox browser. Thus, the IP address is always obscured behind the Tor router.

So my router box is going to have Ethernet only, because if my Qubes is hacked, then it could just use WiFi to scan for nearby routers, including my own WiFi router, and thus identify me.

So, wired networking is a must.

And thus, I wanted to know if Ethernet is vulnerable to DMA attacks, because if it is, then I would have to use Qubes for the Tor box in the middle.. or at least, use some OS that supports VT-D, even if it's not Qubes.

Qubes has high system requirements, thus I'd prefer to have a cheap computer as the Tor router in the middle.. But if there truly are exploits against Ethernet, then I'll just have to use Qubes.

jkitt

Sep 11, 2016, 10:53:11 PM
to qubes-users, neilh...@gmail.com

DMA is a privilege given to PCI(e) devices (DMA controllers). eNICs run over the PCI(e) bus, and a lot of eNICs have DMA controllers. RDMA is a specification that relies solely on DMA.

neilh...@gmail.com

Sep 12, 2016, 6:57:11 AM
to qubes-users, neilh...@gmail.com
jkitt.... Yeah, I know that Ethernet is capable of DMA.

But DMA is different from a DMA Attack

A DMA attack is when a hacker exploits a software error in the Ethernet firmware, and uses that to take over the device and issue malicious DMA attacks.

So I guess I'm asking whether any such software errors have been found in Ethernet firmware before.

Things like you could get with ordinary software, like buffer overflow, heap overflow etc.

Vít Šesták

Sep 12, 2016, 12:26:20 PM
to qubes-users
An attacker can use either a vulnerability in the card (if they know a suitable one), regardless of whether it is Ethernet or WLAN, or they might also try to exploit a legitimate feature. However, if you have VT-d supported by your CPU, motherboard and BIOS, you should be safe against such attacks.

When Qubes is compromised, the attacker can:

* Learn something from your timezone and DST mode (which is also partially leaked by your activity over day).
* Potentially learn pretty much anything from what you type, etc.
* Record audio (including your voice) from the microphone, if connected.
* Abuse any wireless capabilities for geolocation. The most usable seem to be WiFi (Google location services) and mobile networks (even if there is no SIM inserted), but others (e.g. Bluetooth) might also be abused.

This list is not complete, but it indicates that a compromised Qubes can easily be game over even with your separate Tor setup. This is true especially for laptops, where it might be hard to remove all the bad input devices.

Note that you would also have to manage security of the Tor bridge, including security updates.
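The advice above rests on VT-d actually being active, which is worth verifying rather than assuming. The following is an added example for this thread, not Qubes project code: it reads the sysfs paths a Linux kernel exposes (`/sys/kernel/iommu_groups`, `/sys/bus/pci/devices`) to check that DMA remapping is on and that each network controller sits alone in its IOMMU group, since the IOMMU can only isolate devices per group. The `build_sample_tree()` function fabricates a look-alike tree (constructed data, not a real machine) so the logic can be exercised offline. On a Qubes/Xen host the hypervisor owns the IOMMU rather than the dom0 kernel, so there you would look at Xen's boot log (`xl dmesg`) or `qubes-hcl-report` instead; this script targets a plain Linux box such as the proposed Tor router.

```python
"""Check whether a Linux host has DMA remapping (Intel VT-d / AMD-Vi) active
and whether each network controller sits alone in its IOMMU group.

Added example for the qubes-users thread, not Qubes project code.
"""
import tempfile
from pathlib import Path

# Real sysfs locations on a Linux host.
SYSFS_IOMMU_GROUPS = Path("/sys/kernel/iommu_groups")
SYSFS_PCI_DEVICES = Path("/sys/bus/pci/devices")

PCI_BASE_CLASS_NETWORK = 0x02  # top byte of the 24-bit PCI class code


def iommu_groups(root=SYSFS_IOMMU_GROUPS):
    """Return {group_number: [bdf, ...]}.

    An empty dict means the kernel created no IOMMU groups, i.e. DMA
    remapping is not active (no IOMMU, or disabled in firmware or kernel).
    """
    root = Path(root)
    if not root.is_dir():
        return {}
    groups = {}
    for entry in root.iterdir():
        devices = entry / "devices"
        if entry.name.isdigit() and devices.is_dir():
            groups[int(entry.name)] = sorted(p.name for p in devices.iterdir())
    return groups


def pci_class(bdf, pci_root=SYSFS_PCI_DEVICES):
    """Read a device's PCI class code, e.g. 0x020000 for an Ethernet controller."""
    try:
        return int((Path(pci_root) / bdf / "class").read_text().strip(), 16)
    except (OSError, ValueError):
        return None


def network_isolation_report(groups, pci_root=SYSFS_PCI_DEVICES):
    """Map each network controller to the other devices in its IOMMU group.

    The IOMMU enforces boundaries per group, so a NIC that shares a group
    with another device cannot be isolated from that device. An empty list
    means the NIC can be fenced off on its own.
    """
    report = {}
    for members in groups.values():
        for bdf in members:
            cls = pci_class(bdf, pci_root)
            if cls is not None and (cls >> 16) == PCI_BASE_CLASS_NETWORK:
                report[bdf] = [m for m in members if m != bdf]
    return report


def build_sample_tree():
    """Constructed sysfs look-alike (not captured from a real machine).

    Group 1: an Ethernet controller alone. Group 2: a WiFi card (class
    0x028000, 'other network controller') sharing its group with a USB
    host controller (class 0x0c0330).
    """
    root = Path(tempfile.mkdtemp(prefix="iommu-demo-"))
    layout = {
        1: [("0000:00:1f.6", 0x020000)],
        2: [("0000:02:00.0", 0x028000), ("0000:02:00.1", 0x0c0330)],
    }
    for group, members in layout.items():
        devices = root / "iommu_groups" / str(group) / "devices"
        devices.mkdir(parents=True)
        for bdf, cls in members:
            (devices / bdf).mkdir()
            pci_dev = root / "pci" / bdf
            pci_dev.mkdir(parents=True)
            (pci_dev / "class").write_text(f"0x{cls:06x}\n")
    return root


if __name__ == "__main__":
    groups = iommu_groups()
    if not groups:
        print("no IOMMU groups found: DMA remapping is NOT active on this host")
    for nic, others in network_isolation_report(groups).items():
        status = "isolated" if not others else "shares a group with " + ", ".join(others)
        print(f"{nic}: {status}")
```

Run it as root-less user on the router box; an empty result is the important one, because it means the kernel never brought up an IOMMU and the NIC's firmware has unrestricted bus access no matter what the BIOS menu claims.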

neilh...@gmail.com

Sep 12, 2016, 1:28:16 PM
to qubes-users
1. Timezone doesn't matter much. You can change that.

2. With typing, you would keep that to a minimum. I'd mostly use it for web lookups. I could also use a special keyboard system that sends all keys in a consistent speed, so it's more like robotic typing than human typing.

3. With audio, you just disconnect the mic, and webcam. Easy.

4. With abusing WiFi, that's why I said I would use a WIRED connection.

The only point I agree with you is the WiFi. That's why I say, use Ethernet.

jkitt

Sep 12, 2016, 11:16:51 PM
to qubes-users, neilh...@gmail.com
Any software can have flaws. The only distinction between Ethernet and WiFi in that regard is that WiFi can be exploited by anyone within RF range, regardless of whether they're authenticated to the same network or not; Ethernet requires a physical connection.

Vít Šesták

Sep 13, 2016, 2:01:18 AM
to qubes-users
4. It depends if you just disable Wi-Fi, or if you don't have the hardware.

Removing the wireless radio, microphone and camera might be hard on laptops, so it depends on the hardware you have. I wanted to note that staying anonymous with the whole physical (or even a virtual) machine compromised might be hard, but it depends on your usage, your hardware and your threat model. BTW, various deanonymization attacks are described on the Whonix wiki. Some of them are rather trivial and target unskilled users, some are more advanced.

ludwig jaffe

Sep 13, 2016, 11:29:59 AM
to qubes-users, neilh...@gmail.com

VT-d can do memory isolation, and should assign a memory range (PCI address space of a PCI device) exclusively to one VM, so the attacker of that hardware can do DMA into that VM, if done properly.
But there is that evil ME in the northbridge. How does the ME processor behave regarding VT-d? Can it be assigned exclusively to a honeypot VM that runs Windows 2000?

johny...@sigaint.org

Sep 13, 2016, 11:57:14 AM
to qubes-users
> Am Montag, 12. September 2016 01:29:14 UTC+2 schrieb neilh...@gmail.com:
>> Qubes uses VT-D to protect against DMA attacks on things such as WiFi
>> chip.
>>
>> But are there any proven DMA attacks against wired networking, i.e.
>> Ethernet..?
>>
>> Hackers can exploit a buffer overflow on the network card's firmware,
>> and use that to take control of the network card, and issue a DMA attack
>> to take control of the entire host computer.

I've often wondered this.

I figured that most modern operating systems didn't use any device BIOS,
but used their own (e.g. Linux) drivers instead.

But if any internal firmware of a network card, say, is compromised
through some buffer overflow or whatever, it can just go ahead and
initiate DMA operations at will?

In my (ancient) experience with DMA, a driver would typically set things
up to be transferred via DMA when the data is available, or whatever,
indicating where the transfer should occur, and so forth.

(I guess that memory address is likely given to the device to use when the
time comes, and not necessarily needed by the OS for the transfer?)

But if you're not running any (potentially compromised) BIOS ROM or
compromised driver, is it possible for a rogue Net card to just start
writing to memory at will without any OS support/setup?

(I guess a rogue netcard firmware is free to modify any network payload,
which is powerful as well; but short of that, can it actually compromise a
system or a VM?)

JJ

Marek Marczykowski-Górecki

Sep 13, 2016, 12:08:47 PM
to johny...@sigaint.org, qubes-users
On Tue, Sep 13, 2016 at 03:57:00PM -0000, johny...@sigaint.org wrote:
> > Am Montag, 12. September 2016 01:29:14 UTC+2 schrieb neilh...@gmail.com:
> >> Qubes uses VT-D to protect against DMA attacks on things such as WiFi
> >> chip.
> >>
> >> But are there any proven DMA attacks against wired networking, i.e.
> >> Ethernet..?
> >>
> >> Hackers can exploit a buffer overflow on the network card's firmware,
> >> and use that to take control of the network card, and issue a DMA attack
> >> to take control of the entire host computer.
>
> I've often wondered this.
>
> I figured that most modern operating systems didn't use any device BIOS,
> but used their own (e.g. Linux) drivers instead.
>
> But if any internal firmware of a network card, say, is compromised
> through some buffer overflow or whatever, it can just go ahead and
> initiate DMA operations at will?

Yes, it can.

> In my (ancient) experience with DMA, a driver would typically set things
> up to be transferred via DMA when the data is available, or whatever,
> indicating where the transfer should occur, and so forth.

Yes, the driver typically sends some request to the device to do this and
that on memory address xyz. But the device can act on its own without such a
request. In normal cases the device would not know where the buffer
prepared by the driver is, but in the malicious case it is no longer about such
a prepared buffer.

VT-d acts as a kind of firewall, allowing the device to access only certain
memory areas.

> (I guess that memory address is likely given to the device to use when the
> time comes, and not necessarily needed by the OS for the transfer?)
>
> But if you're not running any (potentially compromised) BIOS ROM or
> compromised driver, is it possible for a rogue Net card to just start
> writing to memory at will without any OS support/setup?

Yes.

> (I guess a rogue netcard firmware is free to modify any network payload,
> which is powerful as well; but short of that, can it actually compromise a
> system or a VM?)
>
> JJ
>

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
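The two points in the reply above (a device can initiate DMA on its own, and VT-d acts as a firewall in front of memory) are easier to see in a small model. The following is an added illustration for this thread, not code from Qubes or Xen, and the classes are a deliberately simplified model of a NIC, an IOMMU and physical memory rather than real hardware. Without an IOMMU, the driver's "receive into buffer X" request is only a hint that well-behaved firmware follows; compromised firmware can emit any bus address. With an IOMMU, the driver maps the receive buffer into the device's domain and every other address faults. The model also shows the limit: the device can still scribble on the buffer the driver did map (i.e. the packet data), which is what is left to attack once VT-d holds.

```python
"""Model of rogue-device DMA with and without an IOMMU (VT-d style).

Added illustration for the qubes-users thread, not Qubes or Xen code.
Simplified model: one page table per device, page granularity, no caching.
"""

PAGE = 0x1000


class DmaFault(Exception):
    """The IOMMU rejected a device access (a DMAR fault on real hardware)."""


class PhysicalMemory:
    def __init__(self, pages):
        self.mem = bytearray(pages * PAGE)

    def write(self, paddr, data):
        self.mem[paddr:paddr + len(data)] = data

    def read(self, paddr, n):
        return bytes(self.mem[paddr:paddr + n])


class Iommu:
    """Per-device translation: domains[bdf][iova_page] = (phys_page, writable)."""

    def __init__(self):
        self.domains = {}

    def map(self, bdf, iova, paddr, writable=True):
        self.domains.setdefault(bdf, {})[iova // PAGE] = (paddr // PAGE, writable)

    def unmap(self, bdf, iova):
        self.domains.get(bdf, {}).pop(iova // PAGE, None)

    def translate(self, bdf, iova, write):
        entry = self.domains.get(bdf, {}).get(iova // PAGE)
        if entry is None:
            raise DmaFault(f"{bdf}: no mapping for IOVA {iova:#x}")
        phys_page, writable = entry
        if write and not writable:
            raise DmaFault(f"{bdf}: read-only mapping at IOVA {iova:#x}")
        return phys_page * PAGE + (iova % PAGE)


class Nic:
    """A PCI device. Its firmware chooses the bus addresses it emits; only an
    IOMMU between the device and memory can constrain them."""

    def __init__(self, bdf, memory, iommu=None):
        self.bdf, self.memory, self.iommu = bdf, memory, iommu
        self.rx_buffer = None  # address the driver programs into the device

    def dma_write(self, addr, data):
        if self.iommu is None:
            paddr = addr  # no remapping: bus address is the physical address
        else:
            paddr = self.iommu.translate(self.bdf, addr, write=True)
        self.memory.write(paddr, data)

    def receive_packet(self, payload):
        """Legitimate path: write into the buffer the driver set up."""
        self.dma_write(self.rx_buffer, payload)

    def rogue_write(self, addr, data):
        """Compromised firmware: write wherever it likes."""
        self.dma_write(addr, data)


# Addresses in the model (hypothetical layout, chosen for the demo).
KERNEL_TEXT = 0x1000   # where the model's "kernel" lives
RX_BUF_PHYS = 0x5000   # page the driver allocated for received frames
RX_BUF_IOVA = 0x9000   # device-side address the driver hands to the NIC


def scenario(with_iommu):
    """Run the legitimate receive, then two rogue writes; report what landed."""
    mem = PhysicalMemory(pages=16)
    mem.write(KERNEL_TEXT, b"KERNEL-CODE")
    iommu = Iommu() if with_iommu else None
    nic = Nic("0000:00:1f.6", mem, iommu)

    # Driver side: allocate the rx buffer and tell the device about it.
    if with_iommu:
        iommu.map(nic.bdf, RX_BUF_IOVA, RX_BUF_PHYS)
        nic.rx_buffer = RX_BUF_IOVA
    else:
        nic.rx_buffer = RX_BUF_PHYS

    nic.receive_packet(b"hello")
    legit_ok = mem.read(RX_BUF_PHYS, 5) == b"hello"

    try:
        nic.rogue_write(KERNEL_TEXT, b"PWNED")   # arbitrary memory, no driver involved
    except DmaFault:
        pass
    kernel_overwritten = mem.read(KERNEL_TEXT, 5) == b"PWNED"

    nic.rogue_write(nic.rx_buffer, b"evil!")    # tampering with its own mapped buffer
    own_buffer_tampered = mem.read(RX_BUF_PHYS, 5) == b"evil!"

    return {"legit_ok": legit_ok, "kernel_overwritten": kernel_overwritten,
            "own_buffer_tampered": own_buffer_tampered}


if __name__ == "__main__":
    for flag in (False, True):
        print("with IOMMU" if flag else "no IOMMU", scenario(with_iommu=flag))
```

Without the IOMMU both rogue writes succeed; with it, the write to kernel memory faults while the write into the device's own receive buffer still lands, which is why isolating the NIC in a separate VM (the Qubes NetVM) matters even with VT-d on.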

pixel fairy

Sep 13, 2016, 12:14:16 PM
to qubes-users, johny...@sigaint.org
On Tuesday, September 13, 2016 at 8:57:14 AM UTC-7, johny...@sigaint.org wrote:
> > Am Montag, 12. September 2016 01:29:14 UTC+2 schrieb neilh...@gmail.com:
> >> Qubes uses VT-D to protect against DMA attacks on things such as WiFi
> >> chip.

by having a separate tor gateway, you now have two machines to worry about. depending on your threat model, you're probably better off just using whonix in qubes.

> >>
> >> But are there any proven DMA attacks against wired networking, i.e.
> >> Ethernet..?

this is what VT-D is for.

> But if any internal firmware of a network card, say, is compromised
> through some buffer overflow or whatever, it can just go ahead and
> initiate DMA operations at will?

we have to assume yes.

> But if you're not running any (potentially compromised) BIOS ROM or
> compromised driver, is it possible for a rogue Net card to just start
> writing to memory at will without any OS support/setup?

have you seen the exploits of fancy graphics cards? especially nvidia! same bus.



> (I guess a rogue netcard firmware is free to modify any network payload,
> which is powerful as well; but short of that, can it actually compromise a
> system or a VM?)

should just be the vm, unless the exploit can break out of it.

> JJ

Marek Marczykowski-Górecki

Sep 13, 2016, 12:24:54 PM
to ludwig jaffe, qubes-users, neilh...@gmail.com
AFAIR ME can bypass VT-d :(
