LinuxQuestions.org
Linux - Security
Old 09-27-2013, 01:24 PM   #1
H_TeXMeX_H
Guru
Malware that attacks DMA and hides in peripherals


This technically applies to all OSs, not just Linux:
http://www.scmagazine.com.au/News/35...ripherals.aspx
Quote:
A Berlin researcher has demonstrated the capability to detect previously undetectable stealthy malware that resides in graphics and network cards.

Patrick Stewin's proof of concept demonstrated that a detector could be built to find the sophisticated malware that ran on dedicated devices and attacked direct memory access (DMA).

The attacks launched by the malware dubbed DAGGER targeted host runtime memory using DMA provided to hardware devices. These attacks were not within scope of antimalware systems and therefore not detected.

DAGGER, also developed by Stewin and Iurii Bystrov of the FGSect Technical University of Berlin research group, attacked 32bit and 64bit Windows and Linux systems and could bypass memory address randomisation.
Now that's something completely different for ya. I sure have never heard of such a possibility.
 
Old 09-28-2013, 02:41 AM   #2
qlue
Member
I'm confused!?!?
Doesn't the firmware for peripherals get loaded at boot time? How would malware survive in there?
 
Old 09-28-2013, 04:22 AM   #3
unSpawn
Moderator
Quote:
Originally Posted by H_TeXMeX_H View Post
Now that's something completely different for ya. I sure have never heard of such a possibility.
If you've read the related docs then you can only conclude OpenCL, CUDA and such are enablers and therefore this was something waiting to happen IMHO...


Quote:
Originally Posted by qlue View Post
I'm confused!?!? Doesn't the firmware for peripherals get loaded at boot time? How would malware survive in there?
With the DAGGER PoC the code isn't stored in GPU flash ROM but loaded into the GPGPU on boot.
 
Old 09-28-2013, 05:01 AM   #4
qlue
Member
Quote:
Originally Posted by unSpawn View Post
With the DAGGER PoC the code isn't stored in GPU flash ROM but loaded into the GPGPU on boot.
So either the firmware or the firmware loader would need to be compromised first then, right?
If that's the case, wouldn't it be reasonable to run a malware check on firmware before it's loaded into the GPU?
On the other hand, it seems that anyone who could replace the firmware with malware either has access to the target system or to the repos. In the former case, the administrator of the target system has serious problems anyway and in the latter case, the entire community has a major problem. (at least, whichever community is using that repo)
 
Old 09-28-2013, 06:00 AM   #5
unSpawn
Moderator
Quote:
Originally Posted by qlue View Post
So either the firmware or the firmware loader would need to be compromised first then, right?
Not if you can load it via a 3rd party DMA transfer?


Quote:
Originally Posted by qlue View Post
wouldn't it be reasonable to run a malware check on firmware before it's loaded into the GPU?
How would you envision doing that?
 
Old 09-28-2013, 07:51 AM   #6
qlue
Member
Quote:
Originally Posted by unSpawn View Post
Not if you can load it via a 3rd party DMA transfer?
Actually, DAGGER specifically uses first party DMA to avoid alerting the CPU to the transfer and maintain stealth. Third party transfers use a DMA controller as the third party which, by design, alerts the CPU to the transfer.

Either way, however, you still have to get the malicious code loaded into the GPU before it can execute and effect any transfers.

Quote:
Originally Posted by unSpawn View Post
How would you envision doing that?
The same way as any other virus scan works, by checking for signatures of known malware. Granted, this will not detect unknown malware.
Keep this in mind:
a.) only firmware files need be checked
b.) only signatures of malware capable of 'stealthy' operation need be checked.




You can read the full paper by Patrick Stewin and Iurii Bystrov to get a better understanding of how this malware would operate.
 
Old 09-28-2013, 10:58 AM   #7
unSpawn
Moderator
Quote:
Originally Posted by qlue View Post
Actually, DAGGER specifically uses first party DMA
Sure but the PoC currently still requires bootstrapping and a control process, right?


Quote:
Originally Posted by qlue View Post
The same way as any other virus scan works, by checking for signatures of known malware.
So how would GPU-backed encryption affect checking signatures?
 
Old 09-28-2013, 05:47 PM   #8
qlue
Member
Quote:
Originally Posted by unSpawn View Post
Sure but the PoC currently still requires bootstrapping and a control process, right?
Apparently not. From the paper I linked to:
"DMA Malware Fulfillment. We designed and implemented our DAGGER
prototypes according to the DMA malware definition described in Section 4.
(C1) is clearly fulfilled since it implements working keystroke logger functionality.
DAGGER needs no physical access for the infiltration process (C2). We infiltrate
the ME environment using a software based exploit during runtime. DAGGER
exploits dedicated hardware to implement rootkit properties (C3)."



Quote:
Originally Posted by unSpawn View Post
So how would GPU-backed encryption affect checking signatures?
This is irrelevant if the files are checked before they can be loaded as a signature must still exist.
However, after going through the paper a bit, I noted this:
"Checking firmware images at load time, as proposed by the
Trusted Computing Group [32], does not prevent runtime attacks."

So scanning the firmware files would not prevent all instances of such malware. Though it would still be a pretty good start.
 
Old 10-01-2013, 04:07 PM   #9
unSpawn
Moderator
Quote:
Originally Posted by qlue View Post
Apparently not.
Well the 2102 version did ;-p And I think you missed the part where it says they had to subvert GRUB2?..


Quote:
Originally Posted by qlue View Post
This is irrelevant
Never mind the fact that AV scanning on a CPU would be costly simply because of the massively parallel processing a GPU offers...


Quote:
Originally Posted by qlue View Post
So scanning the firmware files would not prevent all instances of such malware. Though it would still be a pretty good start.
Heh, why would the author of the document H_TeXMeX_H article links to say
Quote:
Anti-virus software cannot detect malicious code stored in separate memory and executed on a different processor. (..) DAGGER operates stealthily. It is undetectable by anti-virus software etc.
 
Old 10-02-2013, 12:43 AM   #10
qlue
Member
Quote:
Originally Posted by unSpawn View Post
Heh, why would the author of the document H_TeXMeX_H article links to say
"Anti-virus software cannot detect malicious code stored in separate memory and executed on a different processor. (..) DAGGER operates stealthily. It is undetectable by anti-virus software etc."
He is not talking about scanning files there, he is talking about the Anti-virus daemon processes that attempt to detect a virus that is already running. (storage vs ram)

You would not need, or even use, an anti-virus program during boot-up. I'm thinking more along the lines of a file integrity scanning routine as part of the booting process. We already run fsck on the hard drive, would a scan of firmware files be so much of an extra burden?
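As an added example (not code from the thread or from any poster), here is the kind of fsck-style firmware file integrity check that qlue proposes in posts #6 and #10: a manifest of SHA-256 digests is built from a known-good firmware directory, and at boot the directory is re-hashed and compared, reporting modified, missing and unexpected files. The firmware directory, file names and blob contents below are constructed in a temporary directory for the demonstration; on a real system the directory would be /lib/firmware and the manifest would be stored somewhere the attacker cannot rewrite along with the firmware (read-only media or a signed file).

```python
"""Boot-time firmware file integrity check (added example, not from the thread).

Builds a SHA-256 manifest of every file under a firmware directory and later
verifies the directory against it. This only covers firmware *at rest*; as the
paper quoted above notes, load-time checking does not stop runtime DMA attacks.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware blobs are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(firmware_dir: Path) -> dict:
    """Map each regular file (POSIX-style relative path) to its SHA-256 digest."""
    manifest = {}
    for entry in sorted(firmware_dir.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(firmware_dir).as_posix()] = sha256_file(entry)
    return manifest


def verify_manifest(firmware_dir: Path, manifest: dict) -> dict:
    """Compare the directory against a trusted manifest.

    Returns sorted lists of files whose digest changed, files recorded in the
    manifest but absent on disk, and files on disk that the manifest never saw.
    """
    current = build_manifest(firmware_dir)
    modified = sorted(n for n, d in manifest.items() if n in current and current[n] != d)
    missing = sorted(n for n in manifest if n not in current)
    unexpected = sorted(n for n in current if n not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: take a baseline, then tamper, delete and add a file."""
    with tempfile.TemporaryDirectory() as tmp:
        fw = Path(tmp) / "firmware"          # stands in for /lib/firmware (assumption)
        (fw / "radeon").mkdir(parents=True)
        gpu_blob = fw / "radeon" / "demo_gpu.bin"   # constructed file names
        nic_blob = fw / "demo_nic.bin"
        gpu_blob.write_bytes(b"\x7fGPU constructed firmware blob")
        nic_blob.write_bytes(b"NIC constructed firmware blob")

        baseline = build_manifest(fw)        # taken while the files are known good

        gpu_blob.write_bytes(b"\x7fGPU constructed firmware blob TAMPERED")
        nic_blob.unlink()
        (fw / "extra.bin").write_bytes(b"constructed unexpected file")

        return verify_manifest(fw, baseline)


if __name__ == "__main__":
    print(demo())
```

A verify step that returns any non-empty list is a reason to refuse to load that firmware and alert, which is the "signature must still exist" point qlue makes; it says nothing about code that a peripheral receives after boot via DMA, so it complements rather than replaces runtime protection.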