SLIDE 1

Integrating DMA attacks in exploitation frameworks

Rory Breuk Albert Spruyt

University of Amsterdam

February 7, 2012

Rory Breuk, Albert Spruyt (UvA) Integrating DMA attacks February 7, 2012 1 / 15

SLIDE 2

Introduction

Research question: How can DMA attacks be integrated into an exploitation framework?

Previous work:
- FTWAutopwn
- libforensic1394
- Payloads

Why?
- Huge potential, but underutilized
- Widespread awareness is lacking
- Making it easy
- Different from buffer overflows
- Lots of possibilities

SLIDE 3

Use case

[Diagram: local attacker connected to the target over IEEE 1394; target connected to the remote attacker over the Internet]

SLIDE 4

Computer architecture

SLIDE 5

DMA - protocol analysis

- FireWire
- eSATA
- USB On-The-Go
- Thunderbolt
- PCMCIA

SLIDE 6

Exploitation frameworks

- Core Impact
- Metasploit Framework
- CANVAS
- Volatility

SLIDE 7

Metasploit concepts

- Exploits
- Payloads
- Sessions

[Diagram: local attacker connected to the target over IEEE 1394; target connected to the remote attacker over the Internet]

SLIDE 8

Integration

- libforensic1394
- Inserting code
- Metasploit reverse shell
- Cleaning up
- FireWire data connection

SLIDE 9

Userspace FireWire data connection - DEMO

- Runs in userspace
- Injectable
- Cache coherency

[Diagram: local attacker connected to the target over IEEE 1394]

SLIDE 10

Payloads

What to patch

SLIDE 11

Clean up - Act normal
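
The integration steps the slides list (insert code into the target, decide what to patch, clean up so the target keeps acting normally) all come down to reading and writing the target's physical memory over the FireWire link. The following is an added example, not code from the authors' Metasploit module or from libforensic1394: it scans a DMA-readable memory image page by page for a byte signature, patches every hit, and keeps the original bytes so the clean-up step can restore them. FakeDevice is a constructed stand-in for the libforensic1394 device (an in-memory string instead of real FireWire DMA); its read(addr, len) and write(addr, bytes) methods and its size attribute are assumed names, not the binding's API. The signature bytes (an x86 "test eax, eax; jne" check) and the page layout are likewise constructed for the example.

```ruby
# Added example (not the authors' code): signature scan, patch and restore over
# DMA-readable memory, the core of a FireWire "what to patch" payload.
# FakeDevice is a constructed stand-in for a libforensic1394 device; its
# read/write/size interface is an assumption, not the binding's API.

PAGE_SIZE = 4096

# Constructed stand-in: a flat "physical memory" held in a binary String.
class FakeDevice
  attr_reader :size

  def initialize(image)
    @mem = image.dup.force_encoding(Encoding::BINARY)
    @size = @mem.bytesize
  end

  # Read len bytes of physical memory starting at addr.
  def read(addr, len)
    raise ArgumentError, "read beyond end of memory" if addr + len > @size
    @mem.byteslice(addr, len)
  end

  # Overwrite physical memory at addr with the given bytes.
  def write(addr, bytes)
    bytes = bytes.b
    raise ArgumentError, "write beyond end of memory" if addr + bytes.bytesize > @size
    @mem[addr, bytes.bytesize] = bytes
  end
end

# Scan memory one page at a time for a byte signature. Each read also covers
# the last (signature length - 1) bytes of the previous page, so a signature
# that straddles a page boundary is still matched. Returns physical addresses.
def scan(dev, signature, page_size: PAGE_SIZE)
  sig = signature.b
  overlap = sig.bytesize - 1
  hits = []
  addr = 0
  while addr < dev.size
    start = [addr - overlap, 0].max
    len = [page_size + (addr - start), dev.size - start].min
    chunk = dev.read(start, len)
    pos = chunk.index(sig)
    while pos
      hits << start + pos
      pos = chunk.index(sig, pos + 1)
    end
    addr += page_size
  end
  hits
end

# Write patch_bytes over every hit and return [address, original bytes] pairs
# so the clean-up step can undo the change.
def patch(dev, hits, patch_bytes)
  patch_bytes = patch_bytes.b
  hits.map do |hit|
    original = dev.read(hit, patch_bytes.bytesize)
    dev.write(hit, patch_bytes)
    [hit, original]
  end
end

# Clean up: put the saved bytes back so the target behaves normally again.
def restore(dev, saved)
  saved.each { |addr, original| dev.write(addr, original) }
end

# Constructed demo image: three zeroed pages with a "test eax, eax; jne +5"
# check placed twice, once straddling the boundary between pages 1 and 2.
CHECK  = "\x85\xC0\x75\x05".b
NOPPED = "\x85\xC0\x90\x90".b  # same check with the conditional jump NOPed out

def demo
  image = "\x00".b * (PAGE_SIZE * 3)
  image[PAGE_SIZE - 2, CHECK.bytesize] = CHECK
  image[2 * PAGE_SIZE + 100, CHECK.bytesize] = CHECK
  dev = FakeDevice.new(image)

  hits = scan(dev, CHECK)
  saved = patch(dev, hits, NOPPED)
  patched = hits.all? { |h| dev.read(h, NOPPED.bytesize) == NOPPED }
  restore(dev, saved)
  restored = hits.all? { |h| dev.read(h, CHECK.bytesize) == CHECK }
  { hits: hits, patched: patched, restored: restored }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Reading each page together with the tail of the previous one is what makes a signature that straddles a page boundary show up; without the overlap the first hit in the demo (at the end of page 1) is missed. Against real hardware the loop would also have to skip physical ranges that are not readable over the bus.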

SLIDE 12

Metasploit demo

- Choose exploit and payload
- Change the settings for the modules
- Run exploit

The exploit then:
- Loads the payload into the target
- Depending on the payload: achieves a session between target and attacker

SLIDE 13

Mitigation

Mitigation for end-users:
- Don't buy them
- Destroy them / glue them
- Disable them
- Deny physical access

SLIDE 14

Conclusion

Achievements:

- Show DMA vulnerabilities exist on different ports
- Port libforensic1394 bindings to Ruby
- Integrate FireWire exploit into Metasploit
- Clean payload execution
- Proof of concept FireWire data session

SLIDE 15

Questions?
