Wikipedia

Computer security compromised by hardware failure: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Rescuing 1 sources and tagging 0 as dead. #IABot (v1.5beta)
m Rep typographic ligatures like "fi" with plain text; minimal ref cleanup; WP:GenFixes on, replaced: fi → fi (2) using AWB
Line 152:
==== Read/Write exploits thanks to FireWire ====
Maximillian Dornseif presented a technique in [[#Dorn1|these slides]], which let him take the control of an Apple computer thanks to an iPod. The attacks needed a first generic phase where the iPod software was modified so that it behaves as master on the FireWire bus. Then the iPod had full read/write access on the Apple Computer when the iPod was plugged into a FireWire port.<ref name="Dorn1">[[#Dorn1|Dornseif, 2004]]</ref> FireWire is used by : audio devices, printers, scanners, cameras, gps, etc. Generally, a device connected by FireWire has full access (read/write). Indeed, OHCI Standard (FireWire standard) reads :
{{cquote|Physical requests, including physical read, physical write and lock requests to some CSR registers (section 5.5), are handled directly by the Host Controller without assistance by system software.
|4=OHCI Standard}}
 
Line 191:
A simple and generic processor backdoor can be used by attackers as a means to privilege escalation to get to privileges equivalent to those of any given running operating system.<ref name="Dufl21">[[#Dufl2|Duflot, 2008, p.1]]</ref> Also, a non-privileged process of one of the non-privileged invited ___domain running on top of a virtual machine monitor can get to privileges equivalent to those of the virtual machine monitor.<ref name="Dufl21"/>
 
Loïc Duflot studied Intel processors in the paper "[[#Dufl2|CPU bugs, CPU backdoors and consequences on security]]" ; he explains that the processor definesdefines four different privilege rings numbered from 0 (most privileged) to 3 (least privileged). Kernel code is usually running in ring 0, whereas user-space code is generally running in ring 3. The use of some security-critical assembly language instructions is restricted to ring 0 code. In order to escalate privilege through the backdoor, the attacker must :<ref name="Dufl22">[[#Dufl2|Duflot, 2008, p.5]]</ref>
# activate the backdoor by placing the CPU in the desired state ;
# inject code and run it in ring 0 ;
# get back to ring 3 in order to return the system to a stable state. Indeed, when code is running in ring 0, system calls do not work : Leaving the system in ring 0 and running a random system call (exit() typically) is likely to crash the system.
The backdoors Loïc Duflot presents are simple as they only modify the behavior of three assembly language instructions and have very simple and specificspecific activation conditions, so that they are very unlikely to be accidentally activated. [[#Waks1|Recent inventions]] have begun to target these types of processor-based escalation attacks.
 
== References ==
Retrieved from "https://en.wikipedia.org/wiki/Computer_security_compromised_by_hardware_failure"