Content deleted Content added
m Disambiguating links to Tempest (link changed to Tempest (codename)) using DisamAssist. |
m clean up spacing around commas and other punctuation fixes, replaced: ; → ; (12) |
||
Line 13:
==== Electromagnetic emanations ====
Video display units radiate:
* narrowband harmonics of the digital clock signals
* broadband harmonics of the various 'random' digital signals such as the video signal.<ref name="Eck1">[[#Eck1|Eck, 1985, p.2]]</ref>
Line 104:
==== Acoustic emanations ====
With acoustic emanations, an attack that recovers what a dot-matrix printer processing English text is printing is possible. It is based on a record of the sound the printer makes, if the microphone is close enough to it. This attack recovers up to 72% of printed words, and up to 95% if knowledge about the text are done, with a microphone at a distance of 10 cm from the printer.<ref name="[Back10]">[[#Back1|Backes, 2010, p.1]]</ref>
After an upfront training phase ("a" in the picture below), the attack ("b" in the picture below) is fully automated and uses a combination of machine learning, audio processing, and speech recognition techniques, including spectrum features, Hidden Markov Models and linear classification.<ref name="[Back1]"/> The fundamental reason why the reconstruction of the printed text works is that, the emitted sound becomes louder if more needles strike the paper at a given time.<ref name="[Back2]"/> There is a correlation between the number of needles and the intensity of the acoustic emanation.<ref name="[Back2]"/>
Line 153:
So, any device connected by FireWire can read and write data on the computer memory. For example, a device can :
* Grab the screen contents
* Just search the memory for strings such as login, passwords
* Scan for possible key material
* Search cryptographic keys stored in RAM
* Parse the whole physical memory to understand logical memory layout.
or
* Mess up the memory
* Change screen content
* Change UID/GID of a certain process
* Inject code into a process
* Inject an additional process.
Line 188:
A simple and generic processor backdoor can be used by attackers as a means to privilege escalation to get to privileges equivalent to those of any given running operating system.<ref name="Dufl21">[[#Dufl2|Duflot, 2008, p.1]]</ref> Also, a non-privileged process of one of the non-privileged invited ___domain running on top of a virtual machine monitor can get to privileges equivalent to those of the virtual machine monitor.<ref name="Dufl21"/>
Loïc Duflot studied Intel processors in the paper "[[#Dufl2|CPU bugs, CPU backdoors and consequences on security]]"
# activate the backdoor by placing the CPU in the desired state
# inject code and run it in ring 0
# get back to ring 3 in order to return the system to a stable state. Indeed, when code is running in ring 0, system calls do not work : Leaving the system in ring 0 and running a random system call (exit() typically) is likely to crash the system.
The backdoors Loïc Duflot presents are simple as they only modify the behavior of three assembly language instructions and have very simple and specific activation conditions, so that they are very unlikely to be accidentally activated. [[#Waks1|Recent inventions]] have begun to target these types of processor-based escalation attacks.
Line 243:
{{Computer science}}
[[Category:Computer security]]
[[Category:Risk analysis]]
| |||