RE: [Full-disclosure] Firewire Attack on Windows Vista
Certainly in VMS there is DMA opened up, but only to buffers that are known
and checked to be legal for such. This is a source of considerable complexity
in the drivers, and depending on hardware architecture (number of control registers
available, for example, to control DMA channels) limits both number of concurrent
operations and size of some operations. For example, the max size of magtape
records is limited, in part to conserve such bandwidth for use with disks.

If driver writers adopt a "wild-west" approach where the DMA space is left wide
open, obviously the security of anything within memory is totally open to
whatever a smart peripheral may do.

It should be realized though that fixing this is not necessarily a simple
thing, nor are architectural considerations missing. But with the advent of
more and more smart "peripherals" (at least some of which are commonly user
programmable), open DMA access amounts to peek/poke control over all of memory
and the abdication by the OS involved of any pretense of security whatever.

As for what can be done by Windows (as opposed to "any OS"), that is perhaps
limited by the great range of underlying hardware. A compromise which might allow
DMA to/from disks, tapes, or CDs but disallow it for most other peripherals
might turn out to be the best general solution available, or something
comparably ugly.

Glenn Everhart


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk]On Behalf Of Larry
Seltzer
Sent: Thursday, March 06, 2008 3:36 PM
To: Tim
Cc: Full Disclosure; Bugtraq
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista


>>No, the iPod device signature makes Windows drivers think it should
>>allow DMA access for that device because it detects it as a disk device.
>>Other disk device signatures would likely work the same way, that's
>>just the one he happened to emulate.

Is it not possible for Windows (or any OS) to open up DMA for a device
only to a certain range?

If not, what options are available?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer@ziffdavisenterprise.com
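
Added example, not part of the original thread and not code from VMS or Windows: a small software model of the "DMA only to buffers that are known and checked" policy discussed above, with a fixed number of windows standing in for a limited set of DMA control registers. All names (dma_map, dma_allowed, MAX_WINDOWS) and the addresses are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_WINDOWS 4  /* assumption: models a small, fixed set of DMA map registers */

struct dma_window { uint64_t base, len; bool write_ok, in_use; };
struct dma_device { struct dma_window win[MAX_WINDOWS]; };

/* Driver side: expose one checked buffer; fails when the windows run out. */
int dma_map(struct dma_device *d, uint64_t base, uint64_t len, bool write_ok)
{
    if (len == 0 || base + len < base)        /* empty, or wraps the address space */
        return -1;
    for (int i = 0; i < MAX_WINDOWS; i++) {
        if (!d->win[i].in_use) {
            d->win[i] = (struct dma_window){ base, len, write_ok, true };
            return i;
        }
    }
    return -1;                                /* no free window: the request must wait */
}

void dma_unmap(struct dma_device *d, int slot)
{
    if (slot >= 0 && slot < MAX_WINDOWS)
        d->win[slot].in_use = false;
}

/* Bus side: a transfer passes only if it lies wholly inside one mapped window. */
bool dma_allowed(const struct dma_device *d, uint64_t addr, uint64_t len, bool is_write)
{
    if (len == 0 || addr + len < addr)
        return false;
    for (int i = 0; i < MAX_WINDOWS; i++) {
        const struct dma_window *w = &d->win[i];
        if (w->in_use && addr >= w->base && len <= w->len &&
            addr - w->base <= w->len - len && (w->write_ok || !is_write))
            return true;
    }
    return false;                             /* default deny: nothing is "wide open" */
}

int main(void)
{
    struct dma_device disk = {0};
    dma_map(&disk, 0x10000, 0x1000, false);   /* constructed buffer address */
    printf("inside=%d outside=%d\n", dma_allowed(&disk, 0x10000, 0x200, false),
           dma_allowed(&disk, 0x0, 0x200, false));
    return 0;
}
```

The window limit also shows the cost described in the message: a fifth concurrent mapping is refused until an earlier one is released.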