Hardware Exploits and Bugs

These are attacks on computer systems and networks based on exploiting hardware design or manufacturing bugs, or "not playing by the rules" in dealing with the hardware. The idea of violating the "rules" by freezing the semiconductors or overwriting Ethernet firmware data seems analogous to the very common software vulnerabilities caused by not fully validating user input. Well, maybe not just analogous, maybe we should consider frigid liquids or Firewire signals or Ethernet signals as user-supplied input just like packet contents or form data submitted to web servers.

What makes these different is that we don't generally have control of the hardware design and manufacturing. Yes, you could choose to buy an Ethernet card or CPU or motherboard from a different manufacturer, but you have to choose from what the existing market.

Furthermore, while there are some interesting open-source hardware projects, they are the exception and do not generally provide the features and performance needed. Enthusiasts must not forget that the features required by corporations and government agencies include a well-known and trusted hardware manufacturer.

Hardware Exploits

Turn off the NX bit while running:

• The NX bit, also called the XD bit, is used by CPUs to enforce memory segregation into instructions versus data. Intel calls it XD for eXecute Disable, AMD calls it Enhanced Virus Protection, and ARM processors call it XN for eXecure Never. This feature is enabled as a BIOS setting, and so it would appear to be down in the hardware where it might appear that neither applications nor the operating system can reach it. But... The NX bit is simply a hardware feature that may or may not be available. Even if available, the operating system may not use it.
• For example, in Windows, Data Execution Prevention or DEP is Microsoft's name for support of this technology in the operating system. This page explains how to turn it for for specific programs or for all programs.
• See the Wikipedia page on the NX bit for detailed descriptions of the technology and its support on various combinations of operating systems and processors.

Modify the TPM (Trusted Platform Module) chip:

• In February, 2010, Christopher Tarnovsky announced a successful hardware exploit of an Infineon TPM chip.
  • Background: What is TPM?
  • Short overview at hackaday.com
  • Associated Press story
  • More technical article at Dark Reading, with links to more detail

Modify the processing hardware:

• University of Illinois researchers exploited a system by modifying its processing hardware. With Linux running on a programmable LEON processor, based on Sun's Sparc design, they changed 1,341 of the over 1 million logic gates. A carefully crafted network packet injected the malicious firmware, and the attacker could then login as a legitimate user. Note that this would require a processor programmed with an OS with malicious hooks — this seems far-fetched but US DOD warned of this very attack in February 2005 because a shift toward overseas integrated circuit manufacturing could present a security problem. This was reported at the Usenix Workshop on Large-Scale Exploits and Emergent Threats in April 2008, and described in this IDG News article.

Freeze the memory:

• Princeton researchers reported cold boot attacks — literally cold boot. The problem — sensitive information such as passwords used for file system encryption and some file contents themselves may remain in RAM for surprising amounts of time, especially if the RAM is chilled.
  • Original from Princeton
  • Discussion —
    • New York Times 22 Feb 2008
    • Bruce Schneier's blog
    • Wired magazine, February 2008

Break in through the Firewire port:

• Winlockpwn is a tool where the attacker connects a Linux machine to the Firewire port. The attacker gets full read-write access to memory and the tool deactivates Window's password protection residing in local memory. Steal passwords, drop malware on the system, and so on. Similar hacks have been demonstrated against Linux and MacOS X.
  • Story — Dark Reading story
  • Winlockpwn — Winlockpwn site

Break in through the network interface hardware:

• There's been some work on attacking the firmware on network interface cards, some of which focuses on permanently damaging the card. But more interesting work looks at attacking the NICs on a firewall so they do PCI-to-PCI data transfers, moving information down at a hardware level where firewalls don't look. There is speculation this might allow reading the disk device through its PCI-based controller. See this discussion, referencing an excerpt from the Robust Open Source mailing list.

Is Your Hardware Really What You Think It Is?

There have been stories of counterfeit hardware from Cisco modules down to integrated circuits for some time. The first thing I noticed explaining just how these parts get into the parts supply stream was this Business Week article, "Dangerous Fakes", subtitled "How counterfeit, defective computer components from China are getting into U.S. warplanes and ships".

Given the horror stories it contains of entirely unmonitored suppliers chosen for U.S. military parts based largely if not entirely on their status as "disadvantaged", "woman and minority owned", and so on, I can see why the government didn't explain the details immediately....

Even If You Have AMD Hardware, Is It Really What You Thought It Was?

All AMD processors made during 2000-2010 included a secret debugging feature well outside the standard x86 architecture definition. All processors starting with the Athlon XP have a firmware-controlled feature that can put the CPU into debugging mode. See the article the The Register for an overview, the announcement by the discoverer for far more details, and this list of undocumented Machine Specific Registers in AMD processors.

Hardware Bugs

If the hardware won't even do what it's supposed to, there are big problems!

There were some interesting short articles about Intel Core 2 bugs, see here and here for the articles, and also see the background on Intel's quiet patch release. Affected CPUs were the Core 2 Duo E4000/E6000, Core 2 Quad Q6600, Core 2 Xtreme QX6800, QX6700, and QX6800.

Historical notes:

• Remember the Pentium CPU's that were bad at floating-point division?
• For some Pentium CPU's, a block of machine code starting 0xF00F will just plain halt it.

Virtualization / Emulation Bugs

VirtualBox is a virtualization product that used to be from Innobox, which was purchased by Sun, which was purchased by Oracle.

See this message from the OpenBSD project leader reporting that CPU registers become corrupted under VirtualBox. "We don't know how other operating system products continue running when the userland ecx register gets clobbered on a return from a page fault, but at least people should be aware that there is likely some security risk from running that product. That VM does not emulate the x86 correctly, (either)."

Back to the Security Page

Home Unix/Linux Networking Cybersecurity Travel Technical Radio Site Map Contact

Tweet