On 02/05/2017 07:30 AM, Stickstoff wrote:
Hello everybody,
I have been thinking about the risks involved using different kinds of
dock or dockingstation.
[I'll recap what I think I found out about the docking situation, skip
if you know how docks, usb type c and DMA works]
Most business notebooks have proprietary docking connectors, like the
traditional connector on the underside of notebooks or the big connector
on the sides of some newer, thinner notebooks.
These seem to be just "breakout connectors", like routing the signals of
an internal usb or display adapter to the outside. Nothing with DMA
seems to be on the outer side of the notebook. I checked on a Lenovo
machine with an "onelink" connector, and couldn't see any new pci devices.
Now more and more notebooks come with a usb type c connector as an
universal connector. This by itself only defines the physical conenctor,
not the protocol used. There are two kinds: usb 3 and thunderbolt. Both
protocols allow alternate modes, where some pins of the cable are used
for power, video or other signals.
The first case, with usb 3, could be a monitor which connects to the
notebook with that one usb type c cable, receives usb & video & audio
from the notebok and charges it simultaneously.
With thunderbolt all of this is possible too, in addition you have two
pcie lanes. With this, you could theoretically connect any device,
including desktop grafic adapters for example.
Also, pcie has DMA, direct memory access, where a device can
"physically" read and write the entire memory, on a level below regular
operating system or cpu intervention.
This, if course, is a huge and nasty security risk.
Attacks via DMA were demonstrated via firewire for example, where a
firewire device plugs in, reads the memory, and extracts encryption
passwords right away. Potentially completely unnoticed too. Thank you,
invisible things lab, for your spearhead work on this topic.
[/recap]
Regular dockingstations don't seem to be a huge security problem,
besides the old "I trust my usb-vm with all keystrokes".
Any pcie or other DMA bus reachable from outside has huge security
problems though.
- Can DMA be tamed completely? Wikipedia [1] suggests IOMMU can limit
DMA. As I understand it, Qubes currently does not protect against a
malicious DMA device?
The linux kernel *should* properly activate the iommu and protect you,
unless you are using drivers or firmware attached to that device.
- Can an entire PCI bridge, which has thunderbolt or an express card or
any other DMA connector-to-the-outside be assigned to a VM, even with no
device connected yet? At least 2012 it didn't seem possible [2] at all.
More recently, trials with thunderbolt were done [3]. As I read it,
thunderbolt itself works, USB makes more problems with assigning. DMA
wasn't scope on that thread.
The idea isn't assigning the bridge, it is assigning all the devices
behind it.
Although I assume you could theoretically assign a bridge device itself
to a VM, no idea if that currently works though.
- Can PCI bridges be deactivated/reactivated on-the-fly? Like, asking
for confirmation when a device is connected, or deactivating the bridge
when the screen is locked?
Software dependent, you would need a team of computer engineers to pull
this off (I know some reputable ones if you have extra cash, probably
would be around 5-10K to do this)
- It seems like (thunderbolt) dockingstations with ethernet will all
connect it via usb. So I would have to trust my usb-vm with both my
unencrypted keystrokes and "physical" network traffic. In worst case all
on the same usb hub too. Can such a machine be reasonably secure at all?
- Is thunderbolt a complete no-go from a security perspective?
No more than any other port with DMA, such as ExpressCard
- Are we preparing for a world where most new notebooks only have a usb
type c conector, and maybe one, two other ports?
For the average laptop at a store yes, because the people who buy them
(apple types) aren't doing real work. But those laptops were always shit
anyway.
There will always be industrial and embedded applications OEM's that
produce stuff with real ports, getac company for instance makes new
laptops with serial ports.
The side issue is that almost every new laptop is x86, and they all have
ME/PSP (besides novena and the lenovo G505S)
Stickstoff
[1] https://en.wikipedia.org/wiki/DMA_attack
[2] https://groups.google.com/forum/#!topic/qubes-devel/zkPTk4tjWBM
[3] https://groups.google.com/forum/#!topic/qubes-users/uk11tSeu5yU
https://groups.google.com/forum/#!topic/qubes-users/xbtacWEVt7g
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/46c2ecb3-f7a9-c7c1-506a-c4cc79db2f63%40gmx.com.
For more options, visit https://groups.google.com/d/optout.