Hardware Exploits
Modified 17 April 2008
Hardware Exploits
Modify the processing hardware:
- University of Illinois researchers exploited a system by modifying its processing hardware. With Linux running on a programmable LEON processor, based on Sun's SPARC design, they changed 1,341 of the over 1 million logic gates. A carefully crafted network packet injected the malicious firmware, and the attacker could then log in as a legitimate user. Note that this would require a processor programmed with an OS with malicious hooks — this seems far-fetched, but the US DoD warned of this very attack in February 2005 because a shift toward overseas integrated circuit manufacturing could present a security problem. This was reported at the Usenix Workshop on Large-Scale Exploits and Emergent Threats in April 2008, and described at
  http://www.techworld.com/security/news/index.cfm?newsID=11993
Freeze the memory:
- Princeton researchers reported cold boot attacks — literally cold boot. The problem — sensitive information such as passwords used for file system encryption and some file contents themselves may remain in RAM for surprising amounts of time, especially if the RAM is chilled.
Break in through the FireWire port:
- With the Winlockpwn tool, the attacker connects a Linux machine to the FireWire port. The attacker gets full read-write access to memory and the tool deactivates the Windows password protection residing in local memory. The attacker can then steal passwords, drop malware on the system, and so on. Similar hacks have been demonstrated against Linux and Mac OS X.
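A defensive check for the FireWire exposure described above, as an added example that is not part of the original page: it reports which Linux FireWire kernel modules are loaded and whether the host controller drivers are blocked in the modprobe configuration. The module sets, function names and sample inputs are assumptions chosen for this illustration.

```python
"""Report Linux FireWire (IEEE 1394) drivers that are loaded or still loadable."""
import glob

# Host controller drivers of the legacy and current Linux FireWire stacks.
CONTROLLERS = {"ohci1394", "firewire_ohci"}
# Remaining modules of both stacks (core, storage, raw access).
OTHERS = {"ieee1394", "sbp2", "raw1394", "firewire_core", "firewire_sbp2"}

def norm(name):
    """modprobe treats '-' and '_' in module names as the same character."""
    return name.replace("-", "_")

def loaded_firewire(proc_modules_text):
    """FireWire modules listed in the text of /proc/modules."""
    names = {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}
    return sorted((CONTROLLERS | OTHERS) & names)

def blocked_modules(conf_text):
    """Modules disabled by 'blacklist X' or 'install X /bin/false|/bin/true'."""
    blocked = set()
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(words) >= 2 and words[0] == "blacklist":
            blocked.add(norm(words[1]))
        elif len(words) >= 3 and words[0] == "install" \
                and words[2] in ("/bin/false", "/bin/true"):
            blocked.add(norm(words[1]))
    return blocked

def audit(proc_modules_text, conf_text):
    """Loaded FireWire modules, plus controller drivers the config leaves loadable."""
    return {"loaded": loaded_firewire(proc_modules_text),
            "unblocked_controllers": sorted(CONTROLLERS - blocked_modules(conf_text))}

# Constructed sample inputs, not taken from a real host.
SAMPLE_PROC = """firewire_ohci 40960 0 - Live 0x0000000000000000
firewire_core 65536 1 firewire_ohci, Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000
"""
SAMPLE_CONF = """blacklist ohci1394   # legacy controller driver
install firewire-ohci /bin/false
"""

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_PROC, SAMPLE_CONF))
    conf = "\n".join(open(p).read() for p in glob.glob("/etc/modprobe.d/*.conf"))
    print("this host:", audit(open("/proc/modules").read(), conf))
```

A `blacklist` line only stops automatic loading, while the `install ... /bin/false` form also blocks explicit modprobe requests. A module that is already loaded stays loaded until it is removed or the host reboots, which is why the sample reports the driver as loaded even though the configuration blocks it.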
Hardware Bugs
If the hardware won't even do what it's supposed to,
there are big problems!
- Here is an interesting post about Intel Core 2 bugs:
  http://kerneltrap.org/node/8472
- Historical notes:
  - Remember the Pentium CPUs that were bad at floating-point division?
  - For some Pentium CPUs, a block of machine code starting with 0xF00F will just plain halt the processor.
For a list of 80x86 bugs, see:
Security Page