Assessing firmware vulnerability
Could the memory in expansion components be the new place to install stealth rootkits? Possibly, though pinpointing loose memory may be a tad tougher than initially assumed.
Yesterday, GCN reporter William Jackson filed an intriguing story,
from Black Hat Federal Briefings in Arlington, Va., about how a researcher suggested surreptitious code could be placed on the PCI Bus Expansion ROM. John Heasman
, the researcher who made the presentation, also mentioned that I/O devices may themselves be vulnerable to this approach as well.
Oddly enough, this is an issue we stumbled across a few months back after covering
a new type of Ethernet adapter, called iWarp Ethernet. iWarp NIC cards come with a chip that takes over the packet processing from the CPU, lowering the potentially crippling processing overhead incurred on the main processor during heavy transfers.
We didn't think about the security implications of this new NIC architecture. However, alert reader Peter Colsch pointed out the potential weakness, namely that the new chip could introduce vulnerabilities because it provides 'new backchannels into memory which completely bypass the OS.' For instance, the article made no mention if the firmware makes any distinction between memory allocated for user applications and memory for system applications-a distinction necessary to ensure data-allocated memory isn't used for running malicious programs.
We caught up with the first manufacturer of iWarp cards
, NetEffect Inc. of Austin, Texas, for a response. Brian Hausauer, chief architect for the company, noted that the design engineers did indeed address the issue. The iWARP adapter does this by supporting multiple programming interfaces: One for non-privileged (user) applications, one for privileged applications and one for a privileged resource manager.
'User applications are enabled to issue commands directly to the adapter, but said commands can only use memory buffers previously registered with the iWarp adapter through the privileged resource manager,' Hausauer e-mailed. "This extra step of buffer registration addresses the perceived security issue described by the reader."
To do this, the iWarp design uses Direct Data Placement Protocol and Remote Direct Memory Access Protocol, both of which were defined by
the Internet Engineering Task Force. Working in tandem, the two protocols describe how to place data directly from the network card into application buffers in a way that 'will not enable new attacks on systems,' according to the DDPP charter
Of course, each kind of peripheral card, be it a graphics card or TV tuner, probably has its own way of interacting with system memory, and some will be more sophisticated than others when it comes to security. As such expansion cards amass ever more computational power (and associated supporting memory), such security issues may be of greater concern. One thing for sure, the Heasman's presentation
certainly has opened a new can of worms'maybe even literally.
Posted by Joab Jackson on Mar 01, 2007 at 9:39 AM