Switch of DMA altogether..?

[neilh...@gmail.com]

Qubes uses VT-D and a Net VM to attempt to isolate buggy WiFi adapters from the rest of the Qubes system.

But this isolation still depends on Xen not having bugs... And we know that Xen has bugs, and will likely continue to have more going forward.

So, instead of VT-D, why not just switch off DMA altogether..?

In Debian, you can edit "/etc/hdparms.conf", and do stuff like this:

/dev/hdc {
dma = on
}

Why not just do this for WiFi and Ethernet chips in Qubes, and thus, not have to rely on Xen for isolation?

[Grzesiek Chodzicki]

How exactly are PCIe devices going to communicate with the rest of the system without DMA?

[neilh...@gmail.com]

Presumably through the CPU.

We know this option exists for hard drives for a facts.

So I see no reason you couldn't get Ethernet + WiFi chips without DMA.

Not all devices support switching off DMA, so I can see why Qubes decided to use VT-D + Xen instead.

But certainly, I think there are devices out there without DMA. I think you just need to search the market for a Ethernet/WiFi that supports non-DMA.

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I don't think any modern network adapter support non-DMA mode, with
decent performance (if at all). Using CPU for just transferring the data
is horrible waste of resources (few hundreds of instructions for 1KB).

Regarding Xen and VT-d - Xen responsibility is only to setup allowed
memory areas for given device. Actual enforcement is done by the
hardware.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJX9+agAAoJENuP0xzK19cspTcH/2vRRR+gkaBXw0yf04BXSkA/
ooAGvCEV/If/gVXs0LiLyGLoBw/SC6HSEFu9WUEiXUnTrmY41M/H4WCDx5oXAOwP
/cO0Wa0anq9QG5AkxEaJvySI043wQiBi0ZIBLxSMNGRbqi+jxr09Fvf/E31sBClh
t0duS2RCJK4v1AiWh6SrGYUrWh4ijGxMwlHjyUPT/931aCLb9YRp8Hszg19lQ95i
JituYaAVmQNZ+Rh8VMOKhgdViLLIYAHuswTQt/wKfsjxx79nPbOGRfyEVgYofJ7I
mv6doHzzWfds5hnR1WkPxiLI67yk0AJ7QD6zpvvuGYPEpWIVvSHOjGW4JauIP7M=
=NTct
-----END PGP SIGNATURE-----

[neilh...@gmail.com]

So are you saying that VT-D does not actually depend on Xen...?

With a Xen bug, couldn't a hacked WiFi device just break out of sys-net..?

Or not..?

[Achim Patzner]

Am 07.10.2016 um 16:57 schrieb neilh...@gmail.com:
>
> Presumably through the CPU.

I think I’ve still got a bunch of NE2000 and early RealTekNICs somewhere in the cellar – how much do you want to offer?

> So I see no reason you couldn’t get Ethernet + WiFi chips without DMA.

I do; those doing IO with CPU IO transfers have died out in the beginning of the 100 MBit age.

> But certainly, I think there are devices out there without DMA. I think you just need to search the market for a Ethernet/WiFi that supports non-DMA.

Please post the result of your research – if possible including the sustainable bandwidth with these devices.


Achim

[neilh...@gmail.com]

On Friday, 7 October 2016 19:37:50 UTC+1, Achim Patzner wrote:
> I think I’ve still got a bunch of NE2000 and early RealTekNICs somewhere in the cellar – how much do you want to offer?

Are you saying that these devices are non-DMA...?

[Achim Patzner]

Am 07.10.2016 um 20:40 schrieb neilh...@gmail.com:

> On Friday, 7 October 2016 19:37:50 UTC+1, Achim Patzner wrote:
>> I think I’ve still got a bunch of NE2000 and early RealTekNICs somewhere in the cellar – how much do you want to offer?
>

> Are you saying that these devices are non-DMA…?

Let me wiki that for you. There you go: https://en.wikipedia.org/wiki/NE2000

By the way, your “.” key seems to be broken.


Achim

[neilh...@gmail.com]

"
The original cards, the NE1000 (8-bit ISA; announced as "E-Net adapter" in February 1987 for 495 USD) and NE2000 (16-bit ISA), and the corresponding use of limited 8-bit and later 16-bit DMA in the NE2000
"

That seems to say that DMA is in fact used in the NE2000.

By the way, will these cards support modern Ethernet cables, like cat5e...?

Do they support Ethernet crossover?

Thanks

[neilh...@gmail.com]

Another question...

Are DMA attacks on Ethernet are even plausible....?

WiFi seems much more vulnerable than Ethernet, due to more complexity.

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I think there is misunderstanding here about "DMA attack". It have
nothing to do with breaking to the system from the outside. It is only
about spreading from _already compromised VM_ to other parts of the
system. Any DMA-capable device can be used for this, regardless of its
complexity. Using VT-d effectively block such attacks.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJX+ApMAAoJENuP0xzK19cskZwH/inLEGvBCKqCa6eigQwVJeVT
ILXrTt4oBMlfB3KMPjNwKmxjNkDWZ1yDVx7G9WUQZD/aJRwkmD23NyW5cTFf4mvZ
pfTRrH8iz3Ass+++y3m1ttDxcn09KHBNYEa+qY+rkjj9cbLv9hygKk0xphsnUAtD
HZjKAWEl/FiDB1wyGRYhfdUaSOKInngYXd2y1+UyYsnG0OYPmnDoDVZRgRedxNxr
mdop0Ah0I1shFitbKzw+tyVdmpBJnfJIIbRYa/NSeXFGs8tk/gnQ0pnkscNtWLuf
DZ5eiV2P7jLaMQ7G0Izei2hqcy7C/PPg57gaIV8yAHG37ybJsY8FJ8SejkW/CbE=
=VwqX
-----END PGP SIGNATURE-----

[neilh...@gmail.com]

OK. This is getting confusing.

So you are now saying that you can't do a DMA attack over the web..?

If I had one computer connected to another via Ethernet crossover, could one computer infect the other via DMA by sending the DMA attack over the crossover cable..?

Or can a computer only launch a DMA attack on itself?

[Wojtek Porczyk]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

"DMA attack" means that some device on DMA-enabled bus accesses memory or
register of another device (typically system's RAM, because that's where are
the processess, which manipulate passwords, encryption keys etc.). Ethernet
port isn't directly conneted to PCI bus, but via adapter ("network card").
You'd first have to somehow exploit this adapter, which may or may not be
possible (this is hard, because the NICs barely touch the data, if at all).
Only then you'd commandeer the NIC to issue malicious DMA requests.
It is probably much easier to exploit some code running on the CPU.


- --
pozdrawiam / best regards _.-._
Wojtek Porczyk .-^' '^-.
Invisible Things Lab |'-.-^-.-'|
| | | |
I do not fear computers, | '-.-' |
I fear lack of them. '-._ : ,-'
-- Isaac Asimov `^-^-_>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJX+LynAAoJEL9r2TIQOiNRHHYQAJQVv3spem8lUJnB9IGkYrS1
X2B3pyOODC/pQ4XziZc/Uk6pPX7bNXPgZEZxDqT4x0+NO+8aCKrZpOp0uY1t+cqp
1tkVVN95N5RTZmcd02kaxTaTto6DvwGxhMK0S2xUG6QBeIcvExryNQf5YnI8Z6Ri
vgwLWsTjSLQ+yksoQfFtJL3CO7hgTXdTxnGpNR4gUiMKddxUTmz4YX/B7EfeI7eV
hP0/zGpmslUj7BaOvetlodwPdLxQ3liun7u/+jPC2B1eSI0mI2D9CHpNqO92YN6x
eBPT0ClupMyOHq2KxQtuZFC+GHrEIjCHyRA6CfHpeJ15RsYCAT3Em0Je6dOxcRxw
PPqZMHYF33rwdOkXlqcoGVUjQBwTF91s033Xl0SA5mWCgGFT65gyOEw24nDnYIJ7
W3cNAvqrZzQ2epgS757Sr4pgcHufD+8OR4ciJt+H3au7woliVA6MnCqHaQFM2rFx
vsbosV7JHnstaNDiwnhZCsQThg0uxBMkFUIKOpGWvCpqWDmcz9fxIGiWc9SoPHCC
j9EhIT2Z0Linc2VPXcaFca8z73b/+ni61NkX/hY6NIChfXwijAWAAz6IN4xzZYMt
JuDONDqOa9Ijs4EksWmaP+1HcSUNblF1Yq/8TO5rUd1UUHHbGqfwFmofX75wbi4Q
hleQgxao9A8Ir4xqQnJi
=vh6W
-----END PGP SIGNATURE-----

[neilh...@gmail.com]

OK, so we've gone from not do-able remotely, to "may or may not be possible", and "this is hard"
Are there any proven such attacks on Ethernet? Any proof of concepts?

Also, would USB Ethernet make this attack any easier..? Something like a USB Ethernet dongle?

http://i.imgur.com/l5ntqFe.jpg

[Manuel Amador (Rudd-O)]

That's not how any of this works at all.


--
Rudd-O
http://rudd-o.com/

[neilh...@gmail.com]

This paper suggests it is definitely possible to attack a network card remotely

This is written by the French intelligence agency, "ANSSI - French Network and Information Security Agency"

http://www.ssi.gouv.fr/uploads/IMG/pdf/paper.pdf

"

In [8], we demonstrated how it is possible for an attacker to take full control of a computer by exploiting a vulnerability in the network adapter. This proof of concept shows how it is possible for an attacker to take full control of the adapter and to add a backdoor in the OS kernel using DMA accesses. The vulnerability was unconditionally exploitable when the ASF function was enabled on the network card to any attacker that would be able to send UDP packets to the victim.

"

[Manuel Amador (Rudd-O)]

On 10/08/2016 04:06 PM, neilh...@gmail.com wrote:
> This paper suggests it is definitely possible to attack a network card remotely
>
> This is written by the French intelligence agency, "ANSSI - French Network and Information Security Agency"
>
> http://www.ssi.gouv.fr/uploads/IMG/pdf/paper.pdf

Yes, we all know this paper. I was referring to your idea of how things
work w.r.t. DMA.

--
Rudd-O
http://rudd-o.com/

[neilh...@gmail.com]

I've been going through some of the networking modules on my Qubes system.

Some of them would indicate that DMA can be switched off entirely, and PIO used instead.

For example:

b43.ko

modinfo -F parm /lib/modules/4.4.14-11.pvops.qubes.x86_64/kernel/drivers/net/wireless/b43/b43.ko

pio:Use PIO accesses by default: 0=DMA, 1=PIO (int)

---

so.. PIO here would suggest that it's possible to use non-DMA.

---

I guess my real question is... would switching off DMA make you safer anyway..?

For example, PIO is just going to transfer it to the CPU.

At this point, couldn't the CPU just infect your device rather than DMA..?

So I'm not even entirely convinced that uaing PIO would make you safer anyway.

What do people think..?

[Manuel Amador (Rudd-O)]

On 10/08/2016 04:36 PM, neilh...@gmail.com wrote:
> I've been going through some of the networking modules on my Qubes system.

> [...]
>

Let's start from the beginning.

Can you explain to us how a DMA attack works?

--
Rudd-O
http://rudd-o.com/

[neilh...@gmail.com]

DMA allows network card to read/write RAM.

DMA attack allows one already-compromised VM to read the RAM of another VM, thus breaching Qubes isolation... unless you use VT-D, although flaws in VT-D have been shown.

Remote DMA attack allows packets sent to the network card directly over the web, not even having to compromise your VM first... as demonstrated in the paper by the French intel agency.

That is what I understand so far. Hence, why I am asking if using PIO rather than DMA would prevent such attacks.

[Ilpo Järvinen]

So if a driver won't use DMA, how that would prevent device itself
from initiating DMA transactions? I'm somewhat doubtful that it
would be so simple as I suspect the compromized device need not
to care what the driver uses, be it PIO or DMA (but I'm not a PCI
expert so I could be wrong too).


--
i.

[Manuel Amador (Rudd-O)]

Bingo.


--
Rudd-O
http://rudd-o.com/

[neilh...@gmail.com]

OK, so how about using PIO purely..?

A device which can do PIO and PIO only.

Would this then be more secure..? Or would the attack just be carried out by the CPU rather than RAM..?