
Integrating DMA attacks in exploitation frameworks



  1. Integrating DMA attacks in exploitation frameworks Rory Breuk Albert Spruyt University of Amsterdam February 7, 2012 Rory Breuk, Albert Spruyt (UvA) Integrating DMA attacks February 7, 2012 1 / 15

  2. Introduction
     - Research Question: How can DMA attacks be integrated into an exploitation framework?
     - Previous work
     - FTWAutopwn
     - libforensic1394
     - Payloads
     - Why?
     - Huge potential, but underutilized
     - Widespread awareness is lacking
     - Making it easy
     - Different from buffer overflows
     - Lots of possibilities

  3. Usecase (diagram labels: Local attacker, Target, IEEE1394, Internet, Remote attacker)

  4. Computer architecture

  5. DMA - protocol analysis
     - FireWire
     - eSATA
     - USB - On The Go
     - Thunderbolt
     - PCMCIA

  6. Exploitation frameworks
     - Core Impact
     - Metasploit Framework
     - CANVAS
     - Volatility

  7. Metasploit concepts (diagram labels: Local attacker, Target, IEEE1394, Exploits, Payloads, Internet, Sessions, Remote attacker)

  8. Integration
     - libforensic1394
     - Inserting code
     - Metasploit reverse shell
     - Cleaning up
     - FireWire data connection

  9. Userspace FireWire data connection - DEMO
     - Runs in userspace
     - Injectable
     - Cache coherency
     - (diagram labels: Local attacker, Target, IEEE1394)

  10. Payloads What to patch

  11. Clean up - Act normal

  12. Metasploit demo
     - Choose exploit and payload
     - Change the settings for the modules
     - Run exploit
     - Load payload into target
     - Depending on payload: achieve session between target and attacker

  13. Mitigation
     Mitigation for end-users:
     - Don’t buy them
     - Destroy them / glue them
     - Disable them
     - Deny physical access

  14. Conclusion
     Achievements:
     - Show DMA vulnerabilities exist on different ports
     - Port libforensic1394 bindings to Ruby
     - Integrate FireWire exploit into Metasploit
     - Clean payload execution
     - Proof of concept FireWire data session

  15. Questions?
