From: Karl Denninger <karl@denninger.net>
Date: Thu, 19 Feb 2015 10:48:30 -0600
To: freebsd-security@freebsd.org
Subject: Re: [Cryptography] trojans in the firmware
Message-ID: <54E613DE.5090204@denninger.net>
References: <54E2B04C.9080707@av8n.com> <54E436FB.9000709@deadhat.com>
On 2/18/2015 5:12 PM, grarpamp wrote:
> On Wed, Feb 18, 2015 at 5:16 PM, Tom Mitchell wrote:
>> The critical stage is the boot ROM (BIOS) and the boot device.
>> Once Linux has booted a lot is possible but too much has already taken
>> place.
>> A BIOS that allows booting from a Flash memory card must be trusted.
>>
>> Virtual machines may help or hinder.
>>
>> The VM is sitting where the man in the middle wants to be and if it wants
>> can protect or expose the OSs that it hosts. A VM can protect a hard drive
>> from being infected by blocking vendor codes that might try to update or
>> corrupt modern disks of boot flash memory.
> Afaik, all VMs today simply pass through all drive commands.
>
> It seems a move all the BSDs and Linux could make today,
> without waiting on untrustable hardware vendors to roll out signature
> verification in hardware, is to simply kernel block all commands
> unnecessary to actual production use of the disk. Permit only
> from a list of READ, WRITE, ERASE, INQ, TUR, RST, and so on.
> Thus every other command component, including firmware update,
> vendor specific, and binary fuzzing, gets dropped and logged.
>
> It could be done as a securelevel, or compiled in.
>
> It's definitely not bulletproof, but it does force adversaries
> to add that much more exploit code and effort to
> get root and go around the driver interface to access
> the hardware directly. Defense in depth.
>
> Similar tactics could be applied to other areas where
> firmware and vendor/fuzzable opcodes are involved...
> usb, bios and cpu.

The basic problem with this is that it makes two assumptions, both of
which are dangerous.

1. The BIOS (which reads the boot sector) has not been compromised. If it
has been, you're hosed. Most if not all BIOS chips are field-programmable
today, which is both good and bad. It's good when you want to swap in a
newer stepping CPU that wasn't formerly supported; it's bad when someone
comes along and tampers with it. Hardware protection (e.g. a physical
write-enable jumper on the board) would largely address this in terms of
FIELD tampering (although not at the OEM level), but I know of nobody doing
that right now. All my SuperMicro systems, for example, require nothing
physical (e.g. a jumper to be installed) to enable a BIOS update.

2. Once the drive code has been tampered with you're in trouble, because it
is trivial for the drive to detect that the boot sector is being read and,
if it is, to return something other than the real (unmolested) boot sector.
That can then retrieve more corrupted things and now you're cooked.

I like barrier-protecting the I/O subsystem when running, but then again
how many of these attacks are going to be loaded into your machine through
a _*running*_ modern BSD-style system? I suspect the answer is "few", and a
false sense of security is worse than none at all.
-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
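The in-kernel disk-command permit list grarpamp proposes above, as an added example in C that is not code from this thread or from FreeBSD. It models the permit list as a check on the SCSI CDB opcode byte, armed by a stand-in for securelevel, and goes one step beyond the proposal by also checking the ATA command wrapped inside a permitted ATA PASS-THROUGH CDB, since permitting that opcode for SMART monitoring would otherwise carry a firmware download through; the `disk_cmd_filter` name, the securelevel variable, the log buffer and the drop counter are assumptions.

```c
/* Added example, not code from the thread or FreeBSD: a model of the
 * kernel-side disk-command allowlist proposed above. Opcode values are
 * standard SCSI/ATA; the filter, securelevel variable and log are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
static int securelevel = 1;      /* stands in for kern.securelevel */
static unsigned dropped_total;   /* what the "logged" side would count */
static char last_log[80];
enum {                           /* SPC/SBC opcodes and ACS ATA commands */
    SCSI_TEST_UNIT_READY = 0x00, SCSI_INQUIRY = 0x12,
    SCSI_READ_10 = 0x28, SCSI_WRITE_10 = 0x2A,
    SCSI_WRITE_BUFFER = 0x3B,    /* firmware download path on SCSI/SAS drives */
    SCSI_ATA_PASS_16 = 0x85, SCSI_READ_16 = 0x88, SCSI_WRITE_16 = 0x8A,
    SCSI_ATA_PASS_12 = 0xA1,
    ATA_DOWNLOAD_MICROCODE = 0x92, ATA_SMART = 0xB0, ATA_IDENTIFY = 0xEC
};
/* Permit only what production use of the disk needs; everything else drops. */
static const uint8_t scsi_permit[] = {
    SCSI_TEST_UNIT_READY, SCSI_INQUIRY, SCSI_READ_10, SCSI_WRITE_10,
    SCSI_READ_16, SCSI_WRITE_16, SCSI_ATA_PASS_16, SCSI_ATA_PASS_12 };
/* ATA commands allowed inside a pass-through CDB (what SMART monitoring needs). */
static const uint8_t ata_permit[] = { ATA_IDENTIFY, ATA_SMART };
static int in_list(uint8_t v, const uint8_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == v) return 1;
    return 0;
}
/* Returns 1 if the CDB may reach the drive, 0 if it is dropped and logged.
 * A permitted opcode that wraps another command (ATA PASS-THROUGH) is only
 * as safe as the wrapped command, so its COMMAND byte is checked as well. */
int disk_cmd_filter(const uint8_t *cdb, size_t len)
{
    if (len == 0) return 0;
    if (securelevel < 1) return 1;          /* filter armed at securelevel >= 1 */
    if (!in_list(cdb[0], scsi_permit, sizeof scsi_permit)) goto drop;
    if (cdb[0] == SCSI_ATA_PASS_16 || cdb[0] == SCSI_ATA_PASS_12) {
        size_t want = (cdb[0] == SCSI_ATA_PASS_16) ? 16 : 12;
        if (len != want) goto drop;         /* malformed pass-through: drop it */
        /* ATA COMMAND field: byte 14 in the 16-byte form, byte 9 in the 12-byte */
        if (!in_list(cdb[want == 16 ? 14 : 9], ata_permit, sizeof ata_permit)) goto drop;
    }
    return 1;
drop:
    dropped_total++;
    snprintf(last_log, sizeof last_log, "disk: dropped CDB 0x%02X len %zu", cdb[0], len);
    return 0;
}
unsigned disk_cmd_dropped(void) { return dropped_total; }
```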