Re: [Full-disclosure] Firewire Attack on Windows Vista



Certainly in VMS there is DMA opened up, but only to buffers that are known
and checked to be legal for such. This is a source of considerable complexity
in the drivers, and depending on hardware architecture (number of control registers
available, for example, to control DMA channels) limits both number of concurrent
operations and size of some operations. For example, the max size of magtape
records is limited, in part to conserve such bandwidth for use with disks.

If driver writers adopt a "wild-west" approach where the DMA space is left wide
open, obviously the security of anything within memory is totally open to
whatever a smart peripheral may do.

It should be realized though that fixing this is not necessarily a simple
thing, nor are architectural considerations missing. But with the advent of
more and more smart "peripherals" (at least some of which are commonly user
programmable), open DMA access amounts to peek/poke control over all of memory
and the abdication by the OS involved of any pretense of security whatever.

As for what can be done by Windows (as opposed to "any OS"), that is perhaps
limited by the great range of underlying hardware. A compromise which might allow
DMA to/from disks, tapes, or CDs but disallow it for most other peripherals
might turn out to be the best general solution available, or something
comparably ugly.

Glenn Everhart


-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx]On Behalf Of Larry
Seltzer
Sent: Thursday, March 06, 2008 3:36 PM
To: Tim
Cc: Full Disclosure; Bugtraq
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista


No, the iPod device signature makes Windows drivers think it should
allow DMA access for that device because it detect it as a disk device.
Other disk device signatures would likely work the same way, that's
just the one he happened to emulate.

Is it not possible for Windows (or any OS) to open up DMA for a device
only to a certain range?

If not, what options are available?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----------------------------------------
This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law. If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. Although this transmission and
any attachments are believed to be free of any virus or other
defect that might affect any computer system into which it is
received and opened, it is the responsibility of the recipient to
ensure that it is virus free and no responsibility is accepted by
JPMorgan Chase & Co., its subsidiaries and affiliates, as
applicable, for any loss or damage arising in any way from its use.
If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format. Thank you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: BIOS - COULD THERE A PROBLEM WITH MY PCS BIOS?
    ... You can access Event Viewer by selecting Start, Control Panel, ... View and Manage Event Logs in Event Viewer in Windows XP ... with a Master - DMA off, Slave DMA on, Secondary IDE channel with a ... I have hibernation turned off on both drives ...
    (microsoft.public.windowsxp.basics)
  • Re: Powewrpoint 2004 Chart problems
    ... DMA wrote: ... >>picture PowerPoint now obeys the setting. ... >>for Windows has updates to improve compatibility and to fix a critical ... Anyone using a Windows version of Office is risking ...
    (microsoft.public.mac.office.powerpoint)
  • Re: SEAGATE forced PIO instead of UDMA mode
    ... primary master device. ... still the same results under Windows. ... way until you fix the reason its decided to turn DMA off. ... fresh on the new seagate but still its PIO mode. ...
    (comp.sys.ibm.pc.hardware.storage)
  • Re: BIOS - COULD THERE A PROBLEM WITH MY PCS BIOS?
    ... Master - DMA off, Slave DMA on, Secondary IDE channel with a Master DMA on, ... I have hibernation turned off on both drives ... Norton to work I uninstalled it and tried the Windows live One care trial ... not know how to back up, but read about it and ended up installing Windows ...
    (microsoft.public.windowsxp.basics)
  • Re: Opening files from within Explorer takes a long time
    ... Set Performance Options in Windows XP ... DMA mode, but the default in XP is still PIO. ... Computer", select the Hardware tab, and select Device Manager. ... Select System Restore & untick> Turn off System Restore on all drives. ...
    (microsoft.public.windowsxp.perform_maintain)