hacking in physically addressable memory a proof of
play

hacking in physically addressable memory a proof of concept David - PowerPoint PPT Presentation

Mar 05, 2024 •745 likes •1.51k views

Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Seminar of Advanced Exploitation Techniques, WS 2006/2007 hacking in physically addressable memory a proof of concept David

  1. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Seminar of Advanced Exploitation Techniques, WS 2006/2007 hacking in physically addressable memory a proof of concept David Rasmus Piegdon Supervisor: Lexi Pimenidis Lehrstuhl für Informatik IV, RWTH Aachen http://www-i4.informatik.rwth-aachen.de February 21st 2006 losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  2. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Table of Contents 1 Introduction 2 Accessing memory 3 Virtual address spaces 4 Gathering information 5 Injecting code 6 Prospects, Conclusion losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  3. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Table of Contents 1 Introduction 2 Accessing memory 3 Virtual address spaces 4 Gathering information 5 Injecting code 6 Prospects, Conclusion losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  4. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion physical addressable memory “hacking in physically addressable memory” • Hacking: using a technique for something it has not been designed for • Physically addressable memory: direct memory access, “DMA” losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  5. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion hacking • I will show mostly attacks • So actually I will be cracking a systems security • Exploiting et al is not hacking by definition • “to hack” is mostly misused by media losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  6. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion hacking • I will show mostly attacks • So actually I will be cracking a systems security • Exploiting et al is not hacking by definition • “to hack” is mostly misused by media losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  7. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA • DMA = Direct Memory Access • Basic requirement for introduced approach • Known for a long time: attacker has DMA -> 0wn3d • 0wn3d by an iPod [ 1 ] • and others [ 2 , 3 ] • This is a proof of concept losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  8. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Table of Contents 1 Introduction 2 Accessing memory 3 Virtual address spaces 4 Gathering information 5 Injecting code 6 Prospects, Conclusion losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  9. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Methods Methods Many ways to gain access to memory: • special PCI cards (forensic, remote management cards) • special PCMCIA cards • FireWire (IEEE1394) DMA feature • anything with DMA • /dev/mem (Linux) • memory dumps • Suspend2Disk images • Virtual machines • . . . losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  10. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Methods Generic problems of DMA attacks • Swapping • Multiple accessors at any time • Caching (?) losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  11. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware DMA hardware Hardware we may use is • expensive • specially crafted • selfmade (some) • rare • not hot-pluggable (depends) • one exception: FireWire (IEEE1394) losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  12. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware FireWire overview FireWire a.k.a. iLink a.k.a. IEEE1394 • Hot-pluggable • Wide-spread (even among laptops) • Expansion Bus (like PCI or PCMCIA) • Has DMA (if enabled by driver) • Guaranteed bandwith feature • Used alot for media-crunching • Most people are not aware of abuse-factor losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  13. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware FireWire DMA • DMA only enabled if driver says so • Linux, BSD, MacOSX: by default (can be disabled) • Windows: only for devices that “deserve” it (more later) • If DMA -> full access, no restrictions losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  14. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware Windows DMA Devices that “deserve” DMA on Windows: SBP2 (storage) devices, like • external disks • iPod (has a disk) The iPod can run Linux. . . losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  15. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware Windows DMA Devices that “deserve” DMA on Windows: SBP2 (storage) devices, like • external disks • iPod (has a disk) The iPod can run Linux. . . losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  16. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware How to identify SBP2 devices • Identify devices and features from their CSR config ROM • Config ROM contains • GUID: 8 byte globally unique ID (like MAC address) • Identifier of driver • List of supported features • List of supported speeds • . . . • CSR config ROM can be faked (see [2]) • Copy config ROM from iPod and install it on any system ( → 1394csrtool ) • Magically Windows permits DMA for any device losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  17. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware How to identify SBP2 devices • Identify devices and features from their CSR config ROM • Config ROM contains • GUID: 8 byte globally unique ID (like MAC address) • Identifier of driver • List of supported features • List of supported speeds • . . . • CSR config ROM can be faked (see [2]) • Copy config ROM from iPod and install it on any system ( → 1394csrtool ) • Magically Windows permits DMA for any device losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

  18. Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion DMA hardware How to identify SBP2 devices • Identify devices and features from their CSR config ROM • Config ROM contains • GUID: 8 byte globally unique ID (like MAC address) • Identifier of driver • List of supported features • List of supported speeds • . . . • CSR config ROM can be faked (see [2]) • Copy config ROM from iPod and install it on any system ( → 1394csrtool ) • Magically Windows permits DMA for any device losTrace A.K.A. David R. Piegdon <david.rasmus.piegdon@rwth-aachen.de> RWTH Aachen University of Technology hacking in physically addressable memory

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Better I/O Through Byte-Addressable, Persistent Memory Jeremy Condit , Ed Nightingale, Chris

Better I/O Through Byte-Addressable, Persistent Memory Jeremy Condit , Ed Nightingale, Chris

Better I/O Through Byte-Addressable, Persistent Memory Jeremy Condit , Ed Nightingale, Chris Frost, Engin Ipek, Ben Lee, Doug Burger, Derrick Coetzee A New World of Storage DRAM + Fast + Byte-addressable - Volatile Disk / Flash +

907 views • 71 slides
Consistent, Durable, and Safe Memory Management for Byte-Addressable Non-Volatile Main Memory

Consistent, Durable, and Safe Memory Management for Byte-Addressable Non-Volatile Main Memory

Consistent, Durable, and Safe Memory Management for Byte-Addressable Non-Volatile Main Memory Iulian Moraru*, David Andersen*, Michael Kaminsky, Niraj Tolia , Nathan Binkert, Partha Ranganathan *Carnegie Mellon

961 views • 85 slides
IEE5009 Autumn 2012 Memory Systems Ternary Content Addressable Memory Chiao-Ying, Huang

IEE5009 Autumn 2012 Memory Systems Ternary Content Addressable Memory Chiao-Ying, Huang

IEE5009 Autumn 2012 Memory Systems Ternary Content Addressable Memory Chiao-Ying, Huang Department of Electronics Engineering National Chiao Tung University saomyhunag@gmail.com Chiao-Ying, Huang 2012 Outline Introduction Core

473 views • 22 slides
Consistent and Durable Data Structures for Non-Volatile Byte-Addressable Memory Shivaram

Consistent and Durable Data Structures for Non-Volatile Byte-Addressable Memory Shivaram

Consistent and Durable Data Structures for Non-Volatile Byte-Addressable Memory Shivaram Venkataraman* , Niraj Tolia , Parthasarathy Ranganathan* and Roy H. Campbell *HP Labs, Palo Alto, Maginatics, and University of Illinois,

422 views • 27 slides
Energy Efficient Content-Addressable Memory Advanced Seminar Computer Engineering Institute of

Energy Efficient Content-Addressable Memory Advanced Seminar Computer Engineering Institute of

Energy Efficient Content-Addressable Memory Advanced Seminar Computer Engineering Institute of Computer Engineering Heidelberg University Fabian Finkeldey 26.01.2016 Fabian Finkeldey, Energy Efficient Content-Addressable Memory 1 Table of

498 views • 33 slides
Virtually Cool Ternary Content Addressable Memory Suparna Bhattacharya, K Gopinath IBM, Indian

Virtually Cool Ternary Content Addressable Memory Suparna Bhattacharya, K Gopinath IBM, Indian

Virtually Cool Ternary Content Addressable Memory Suparna Bhattacharya, K Gopinath IBM, Indian Institute of Science HotOS XIII, May, 2011 Thanks to Bob Montoye, Vijaylakshmi Srinivasan, Bipin Rajendran, Richard Freitas, John Karidis, C Mohan

250 views • 13 slides
Large-Scale Adaptive Mesh Simulations Through Non-Volatile Byte-Addressable Memory Bao Nguyen Hua

Large-Scale Adaptive Mesh Simulations Through Non-Volatile Byte-Addressable Memory Bao Nguyen Hua

Large-Scale Adaptive Mesh Simulations Through Non-Volatile Byte-Addressable Memory Bao Nguyen Hua Tan Xuechen Zhang Kei Davis* * Octree Meshing is Widely Used in HPC Simulation Droplet breakup Micro-boiling Droplet ejection 2

691 views • 31 slides
Content Addressable Memory Using B-Tree Jack Dennis MIT Computer Science and Artificial

Content Addressable Memory Using B-Tree Jack Dennis MIT Computer Science and Artificial

Content Addressable Memory Using B-Tree Jack Dennis MIT Computer Science and Artificial Intelligence Laboratory 13 April 2008 1 Multi-Thread, Multi-Core Chip Instr Association Data Association Thread Scheduler CAM CAM MTP MTP MTP

1.53k views • 9 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
CENG 4480 L10 Memory 3 Bei Yu Reference : Chapter 11 Memories CMOS VLSI DesignA

CENG 4480 L10 Memory 3 Bei Yu Reference : Chapter 11 Memories CMOS VLSI DesignA

CENG 4480 L10 Memory 3 Bei Yu Reference : Chapter 11 Memories CMOS VLSI DesignA Circuits and Systems Perspective by H.E.Weste and D.M.Harris 1 Memory Arrays Memory Arrays Content Addressable Memory Random Access Memory Serial

485 views • 34 slides
Cache Example Main memory: Byte addressable memory of size 4GB = 2 32 bytes Cache size: 64KB = 2 16

Cache Example Main memory: Byte addressable memory of size 4GB = 2 32 bytes Cache size: 64KB = 2 16

Cache Example Main memory: Byte addressable memory of size 4GB = 2 32 bytes Cache size: 64KB = 2 16 bytes Block (line) size : 64 bytes = 2 6 bytes Number of memory blocks = 2 32 / 2 6 = 2 26 Number of cache blocks = 2 16 / 2 6 = 2 10 Is the

1.53k views • 34 slides
Architectural Principles for Database Systems on Storage-Class Memory Dr.-Ing. Ismail Oukid

Architectural Principles for Database Systems on Storage-Class Memory Dr.-Ing. Ismail Oukid

Architectural Principles for Database Systems on Storage-Class Memory Dr.-Ing. Ismail Oukid Dissertationspreis Vortrag BTW Rostock, March 8, 2019 Storage-Class Memory SCM is byte-addressable non-volatile memory Main Memory High Performance

600 views • 25 slides
Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory (PM/NVM) CPU Byte Addressable Persistent Cache Low Latency Capacity Cost effective PM DRAM 2 Many PM Work, but All in Single Machine

712 views • 33 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Persistent Memory Use Cases in Modern Software Architectures Olasoji Denloye SW Engineer Intel

Persistent Memory Use Cases in Modern Software Architectures Olasoji Denloye SW Engineer Intel

Persistent Memory Use Cases in Modern Software Architectures Olasoji Denloye SW Engineer Intel Corporation Persistent Memory 3 Properties of Persistent Memory Byte-addressable like DRAM Direct user-level access Lowers DRAM

503 views • 23 slides
Physically Based Shading Diana Algma 29.03.17 I will talk about What is Physically Based

Physically Based Shading Diana Algma 29.03.17 I will talk about What is Physically Based

Physically Based Shading Diana Algma 29.03.17 I will talk about What is Physically Based Shading? Why is it good? Light physics Diffusion and reflection ( Why does snow appear white?) Fresnel effect Microsurface

724 views • 43 slides
CS 61: Database Systems Data persistence, file organization, indexing Adapted from Silberschatz,

CS 61: Database Systems Data persistence, file organization, indexing Adapted from Silberschatz,

CS 61: Database Systems Data persistence, file organization, indexing Adapted from Silberschatz, Korth, and Sundarshan unless otherwise noted Big picture: find a needle in a big data haystack quickly Find data on Morris Park Bake Shop in

590 views • 40 slides
CSCI 2132 Software Development Lecture 28: Structures and Dynamic Memory Allocation Instructor:

CSCI 2132 Software Development Lecture 28: Structures and Dynamic Memory Allocation Instructor:

CSCI 2132 Software Development Lecture 28: Structures and Dynamic Memory Allocation Instructor: Vlado Keselj Faculty of Computer Science Dalhousie University 9-Nov-2018 (28) CSCI 2132 1 Previous Lecture prj-dec2bin and stack example

784 views • 8 slides
Virtual Memory Logical address space can therefore be much larger than physical address

Virtual Memory Logical address space can therefore be much larger than physical address

CSC 4103 - Operating Systems Background Spring 2007 Virtual memory separation of user logical memory from physical memory. Only part of the program needs to be in memory for Lecture - XIII execution. Virtual Memory Logical

309 views • 7 slides
Welcome to CENG! What is Computer Engineering Computer Engineering is Developing

Welcome to CENG! What is Computer Engineering Computer Engineering is Developing

0.1 0.2 Welcome to CENG! What is Computer Engineering Computer Engineering is Developing efficient systems that combine hardware, software, and networking to interact with the physical world and/or solve information-based problems

248 views • 12 slides
Welcome to the SNAP-Ed Steps to Health Better Food Better Health program or in Spanish, Mejores

Welcome to the SNAP-Ed Steps to Health Better Food Better Health program or in Spanish, Mejores

Welcome to the SNAP-Ed Steps to Health Better Food Better Health program or in Spanish, Mejores Alimentos para una Mejor Salud. This webinar is one component of the Facilitator training that you will be required to complete on your checklist. We

925 views • 65 slides
Pathways to Lifelong Wellness: Progress to Date and Challenges Ahead Rosa Palacios, Department of

Pathways to Lifelong Wellness: Progress to Date and Challenges Ahead Rosa Palacios, Department of

Pathways to Lifelong Wellness: Progress to Date and Challenges Ahead Rosa Palacios, Department of Health Education &amp; Caregiver Training Vision on Healthy Aging My personal vision for healthy aging is living your life as fully as you

423 views • 10 slides
Coordinated Cross-Sector Approach to Sustaining Evidence-Based Health Education Programming

Coordinated Cross-Sector Approach to Sustaining Evidence-Based Health Education Programming

Coordinated Cross-Sector Approach to Sustaining Evidence-Based Health Education Programming OREGON PUBLIC HEALTH ASSOCIATION CONFERENCE OCTOBER 8 TH , 2018 1 2 Why Health Education? For patients with chronic conditions, evidence based

679 views • 21 slides
The Covid-19 Challenge to European Financial Markets: Lessons from Italy Nicola Borri LUISS

The Covid-19 Challenge to European Financial Markets: Lessons from Italy Nicola Borri LUISS

The Covid-19 Challenge to European Financial Markets: Lessons from Italy Nicola Borri LUISS University, Rome INQUIRE UK Inaugural Webinar Anywhere on Earth, 22 April 2020 1 / 43 Outline Evolution of outbreak in Italy Lockdown, economic

803 views • 43 slides

More recommend