Computer security compromised by hardware failure: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 19:38, 19 September 2023 edit Arjayay (talk \| contribs) Autopatrolled, Extended confirmed users, Page movers, Pending changes reviewers, Rollbackers 678,111 edits m simplify wording ← Previous edit		Latest revision as of 00:21, 21 January 2024 edit undo BD2412 (talk \| contribs) Autopatrolled, Administrators 2,528,047 edits m clean up spacing around commas and other punctuation fixes, replaced: ; → ; (12) Tag: AWB
(One intermediate revision by one other user not shown)
Line 13: ==== Electromagnetic emanations ==== Video display units radiate: * narrowband harmonics of the digital clock signals ; * broadband harmonics of the various 'random' digital signals such as the video signal.<ref name="Eck1">[[#Eck1\|Eck, 1985, p.2]]</ref> Known as compromising emanations or [[Tempest (codename)\|TEMPEST]] radiation, a code word for a U.S. government programme aimed at attacking the problem, the electromagnetic broadcast of data has been a significant concern in sensitive computer applications. Eavesdroppers can reconstruct video screen content from radio frequency emanations.<ref name="Kuhn1">[[#Kuhn1\|Kuhn,1998, p.1]]</ref> Each (radiated) harmonic of the video signal shows a remarkable resemblance to a broadcast TV signal. It is therefore possible to reconstruct the picture displayed on the video display unit from the radiated emission by means of a normal television receiver.<ref name="Eck1"/> If no preventive measures are taken, eavesdropping on a video display unit is possible at distances up to several hundreds of meters, using only a normal black-and-white TV receiver, a directional antenna and an antenna amplifier. It is even possible to pick up information from some types of video display units at a distance of over 1 kilometer. If more sophisticated receiving and decoding equipment is used, the maximum distance can be much greater.<ref name="Eck2">[[#Eck1\|Eck, 1985, p.3]]</ref> ==== Compromising reflections ==== Line 104: ==== Acoustic emanations ==== With acoustic emanations, an attack that recovers what a dot-matrix printer processing English text is printing is possible. It is based on a record of the sound the printer makes, if the microphone is close enough to it. This attack recovers up to 72% of printed words, and up to 95% if knowledge about the text are done, with a microphone at a distance of 10 cm from the printer.<ref name="[Back10]">[[#Back1\|Backes, 2010, p.1]]</ref> After an upfront training phase ("a" in the picture below), the attack ("b" in the picture below) is fully automated and uses a combination of machine learning, audio processing, and speech recognition techniques, including spectrum features, Hidden Markov Models and linear classification.<ref name="[Back1]"/> The fundamental reason why the reconstruction of the printed text works is that, the emitted sound becomes louder if more needles strike the paper at a given time.<ref name="[Back2]"/> There is a correlation between the number of needles and the intensity of the acoustic emanation.<ref name="[Back2]"/> Line 153: So, any device connected by FireWire can read and write data on the computer memory. For example, a device can : * Grab the screen contents ; * Just search the memory for strings such as login, passwords ; * Scan for possible key material ; * Search cryptographic keys stored in RAM ; * Parse the whole physical memory to understand logical memory layout. or * Mess up the memory ; * Change screen content ; * Change UID/GID of a certain process ; * Inject code into a process ; * Inject an additional process. Line 188: A simple and generic processor backdoor can be used by attackers as a means to privilege escalation to get to privileges equivalent to those of any given running operating system.<ref name="Dufl21">[[#Dufl2\|Duflot, 2008, p.1]]</ref> Also, a non-privileged process of one of the non-privileged invited ___domain running on top of a virtual machine monitor can get to privileges equivalent to those of the virtual machine monitor.<ref name="Dufl21"/> Loïc Duflot studied Intel processors in the paper "[[#Dufl2\|CPU bugs, CPU backdoors and consequences on security]]" ; he explains that the processor defines four different privilege rings numbered from 0 (most privileged) to 3 (least privileged). Kernel code is usually running in ring 0, whereas user-space code is generally running in ring 3. The use of some security-critical assembly language instructions is restricted to ring 0 code. In order to escalate privilege through the backdoor, the attacker must :<ref name="Dufl22">[[#Dufl2\|Duflot, 2008, p.5]]</ref> # activate the backdoor by placing the CPU in the desired state ; # inject code and run it in ring 0 ; # get back to ring 3 in order to return the system to a stable state. Indeed, when code is running in ring 0, system calls do not work : Leaving the system in ring 0 and running a random system call (exit() typically) is likely to crash the system. The backdoors Loïc Duflot presents are simple as they only modify the behavior of three assembly language instructions and have very simple and specific activation conditions, so that they are very unlikely to be accidentally activated. [[#Waks1\|Recent inventions]] have begun to target these types of processor-based escalation attacks. Line 243: {{Computer science}} [[Category:Computer security]] [[Category:Risk analysis]]